ERROR 0x8007051a : One or more of the packages found failed to update for Microsoft Forefront Endpoint Protection 2010.

It's now a long time that I have a problem updating my FEP 2010, I had almost the same problem months ago and the "solutions" was remove/reinstall it...

This time the remove/reinstall didn't solve the problem so I have looked deeper into the logs.

I have tracked down the problem to a failing NISFULL.VDM update but I didn't found anything searching the web. I have already tried to reset the definitios running: "%ProgramFiles%\Microsoft Security Client\Antimalware\mpcmdrun" -RemoveDefinitions -All

The pc is running Seven Enterprise with SP1, FEP info (in italian but understandably... :-) are:

Forefront Endpoint Protection versione: 2.0.657.0
Versione client antimalware: 3.0.8107.0
Versione motore: 1.1.8502.0
Definizione antivirus: 1.129.167.0
Definizione antispyware: 1.129.167.0
Nome criterio: PRG - Default Desktop Policy - Admin privilege
Criterio applicato: 15/06/2012 a 08:44

Basically the Windows Update service keeps proposing the same update for ever... 

I have followed http://support.microsoft.com/kb/935934 for manually updating FEP, here you are my current MpSigStub.log hoping that someone will help me sorting out my problems! (the FEP updates are managed by SCCM, but updating from Microsoft Update has the same error), in bold the line I believe containing the error...

----------------------------------------------------------------------------------
Command:    e:\f030968fe480989a51\MPSigStub.exe
Start time: 21/06/2012 09:28 (version 11.1.3927.0)

================================= CacheMpSigStub =================================

Copied MpSigStub.exe to C:\Windows\system32\MpSigStub.exe

=================================== ProductSearch ==================================

                 Microsoft Windows Defender (Windows 7):  Microsoft Forefront Endpoint Protection 2010:
         Status: Disabled                                 Active                                      
        Product: 6.1.7600.16385                           3.0.8107.0                                  
         Engine: 1.1.6603.0                               1.1.8502.0                                  
     Signatures: 1.99.1602.0                              1.129.167.0                                 
     NIS Engine:                                          2.0.8001.0                                  
 NIS Signatures:                                          11.0.0.0                                    

================================ PackageDiscovery ================================

Package files discovered:
e:\f030968fe480989a51\mpasbase.vdm (1.129.0.0)
e:\f030968fe480989a51\mpasdlta.vdm (1.129.195.0)
e:\f030968fe480989a51\mpavbase.vdm (1.129.0.0)
e:\f030968fe480989a51\mpavdlta.vdm (1.129.195.0)
e:\f030968fe480989a51\mpengine.dll (1.1.8502.0)

               AM FE:    
       Engine: 1.1.8502.0
  AS base VDM: 1.129.0.0 
  AV base VDM: 1.129.0.0 
 AS delta VDM: 1.129.195.0
 AV delta VDM: 1.129.195.0

================================= MpUpdateEngine =================================

Package files for the engine update:
e:\f030968fe480989a51\mpasbase.vdm (1.129.0.0)
e:\f030968fe480989a51\mpasdlta.vdm (1.129.195.0)
e:\f030968fe480989a51\mpavbase.vdm (1.129.0.0)
e:\f030968fe480989a51\mpavdlta.vdm (1.129.195.0)
e:\f030968fe480989a51\mpengine.dll (1.1.8502.0)

Updated from e:\f030968fe480989a51 (0x0)

================================= ValidateUpdate =================================

MpSigStub successfully updated Microsoft Forefront Endpoint Protection 2010 using the AM FE package.

               Original:    Updated to:
       Engine: 1.1.8502.0   1.1.8502.0
  AS base VDM: 1.129.0.0    1.129.0.0 
  AV base VDM: 1.129.0.0    1.129.0.0 
 AS delta VDM: 1.129.167.0  1.129.195.0
 AV delta VDM: 1.129.167.0  1.129.195.0

Set DeltaUpdateFailure to 0
Set BddUpdateFailure to 0
Deleted e:\f030968fe480989a51\mpasbase.vdm
Deleted e:\f030968fe480989a51\mpasdlta.vdm
Deleted e:\f030968fe480989a51\mpavbase.vdm
Deleted e:\f030968fe480989a51\mpavdlta.vdm
Deleted e:\f030968fe480989a51\mpengine.dll
Deleted C:\Windows\Temp\24F6176CE3ABBCF48ABE8BD18F0AD4D3-Sigs\11.0.0.0_TO_11.137.0.0_NISFULL.VDM_SOURCE_NISBASE.VDM._P
Deleted C:\Windows\Temp\24F6176CE3ABBCF48ABE8BD18F0AD4D3-Sigs\NISBASE.VDM
Deleted C:\Windows\Temp\24F6176CE3ABBCF48ABE8BD18F0AD4D3-Sigs\GAPAENGINE.DLL
End time: 21/06/2012 09:28
----------------------------------------------------------------------------------

----------------------------------------------------------------------------------
Command:    e:\6866fdcd562814e427\mpsigstub.exe
Start time: 21/06/2012 09:32 (version 11.1.3927.0)

================================= CacheMpSigStub =================================

Copied MpSigStub.exe to C:\Windows\system32\MpSigStub.exe

=================================== ProductSearch ==================================

                 Microsoft Windows Defender (Windows 7):  Microsoft Forefront Endpoint Protection 2010:
         Status: Disabled                                 Active                                      
        Product: 6.1.7600.16385                           3.0.8107.0                                  
         Engine: 1.1.6603.0                               1.1.8502.0                                  
     Signatures: 1.99.1602.0                              1.129.195.0                                 
     NIS Engine:                                          2.0.8001.0                                  
 NIS Signatures:                                          11.0.0.0                                    

================================ PackageDiscovery ================================

Package files discovered:
e:\6866fdcd562814e427\11.0.0.0_to_11.137.0.0_nisfull.vdm_source_nisbase.vdm._p (?.?.?.?)
e:\6866fdcd562814e427\nisbase.vdm (11.0.0.0)
e:\6866fdcd562814e427\gapaengine.dll (2.0.8001.0)

               NIS Full:
   NIS engine: 2.0.8001.0
 NIS base VDM: 11.0.0.0 
 NIS full VDM: 11.137.0.0

================================ PatchApplication ================================

Patched nisfull.vdm to 11.137.0.0

================================= MpUpdateEngine =================================

Package files for the engine update:
e:\6866fdcd562814e427\11.0.0.0_to_11.137.0.0_nisfull.vdm_source_nisbase.vdm._p (?.?.?.?)
e:\6866fdcd562814e427\nisbase.vdm (11.0.0.0)
e:\6866fdcd562814e427\nisfull.vdm (11.137.0.0)
e:\6866fdcd562814e427\gapaengine.dll (2.0.8001.0)

ERROR 0x80070002 : MpUpdateEngine(e:\6866fdcd562814e427)
ERROR 0x80070002 : IProduct->UpdateEngine

================================= ValidateUpdate =================================

nisfull.vdm version in package is 11.137.0.0, but after update machine has older version 11.0.0.0

                         Watson Report:                                Position:
                HRESULT: 0x80070002                                    P1      
         FailedFunction: MpUpdateEngine                                P2      
              Operation: NIS Full                                      P3      
 SourceComponentVersion: 11.1.3927.0                                   P4      
    SourceComponentName: mpsigstub.exe                                 P5      
         ProductVersion: 3.0.8107.0                                    P6      
            ProductName: Microsoft Forefront Endpoint Protection 2010  P7      

ERROR 0x80070002 : One or more of the packages found failed to update for Microsoft Forefront Endpoint Protection 2010.
ERROR 0x80070002 : One or more of the products found failed to update; returning this error
Deleted e:\6866fdcd562814e427\11.0.0.0_to_11.137.0.0_nisfull.vdm_source_nisbase.vdm._p
Deleted e:\6866fdcd562814e427\nisbase.vdm
Deleted e:\6866fdcd562814e427\nisfull.vdm
Deleted e:\6866fdcd562814e427\gapaengine.dll
ERROR 0x80070002 : MpSigStubMain
End time: 21/06/2012 09:32
----------------------------------------------------------------------------------

Thank you,

Giangi

June 21st, 2012 3:38pm

Do you get the same error if you download the definition set and install it manually?

http://support.microsoft.com/?id=935934

One troubleshooting option would be to try running Sysinternals Process Monitor during the definition update with a filter set for path contains nisfull.vdm to see if there is any strange file or registry activity taking place that might explain the error.


Free Windows Admin Tool Kit Click here and download it now
June 21st, 2012 6:45pm

Do you get the same error if you download the definition set and install it manually?

http://support.microsoft.com/?id=935934

One troubleshooting option would be to try running Sysinternals Process Monitor during the definition update with a filter set for path contains nisfull.vdm to see if there is any strange file or registry activity taking place that might explain the error.


June 21st, 2012 6:45pm

Do you get the same error if you download the definition set and install it manually?

http://support.microsoft.com/?id=935934

Yes, I wrote that I have already done the manual update following that KB...

I've tried PM but to monitor the updating exe... I will try filtering only the nisfull.vdm access!!

Free Windows Admin Tool Kit Click here and download it now
June 22nd, 2012 7:27am

Hm, somehow I missed that part of your original post. Oh well, hopefully PM will be helpful.
June 22nd, 2012 1:01pm

With PM I have found the place for NISFULL.VDM (C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{70490CE5-753B-4E1B-9D4F-176BB9E9DF9C}), I wasn't able to understand the problem but for sure the update process wasn't able to replace the current with the new one!:-(

First I have renamed the current one, but then executing the stand-alone updater nis_full.exe wasn't even able to recreate it...

In PM I have seen that the new NISFULL.VDM was being created into a temporary folder, but the folder is automatically deleted at the end; with an undelete tool I have recovered the deleted, new nisfull.vdm and placed into the above folder!

I have executed again the updater nis_full.exe and now it ended correctly since the current file was already up-to-date! :-)

I think that there is a bug inside nis_full.exe! :-( Hoping that wil be sorted out and solved before next upgrade... :-)

Here you are the latest log, without errors...

----------------------------------------------------------------------------------
Command:    e:\b21ddb8ccdfe53e20c687d\mpsigstub.exe
Start time: 22/06/2012 15:12 (version 11.1.3927.0)

================================= CacheMpSigStub =================================

Copied MpSigStub.exe to C:\Windows\system32\MpSigStub.exe

=================================== ProductSearch ==================================

                 Microsoft Windows Defender (Windows 7):  Microsoft Forefront Endpoint Protection 2010:
         Status: Disabled                                 Active                                      
        Product: 6.1.7600.16385                           3.0.8107.0                                  
         Engine: 1.1.6603.0                               1.1.8502.0                                  
     Signatures: 1.99.1602.0                              1.129.268.0                                 
     NIS Engine:                                          2.0.8001.0                                  
 NIS Signatures:                                          11.137.0.0                                  

================================ PackageDiscovery ================================

Package files discovered:
e:\b21ddb8ccdfe53e20c687d\11.0.0.0_to_11.137.0.0_nisfull.vdm_source_nisbase.vdm._p (?.?.?.?)
e:\b21ddb8ccdfe53e20c687d\nisbase.vdm (11.0.0.0)
e:\b21ddb8ccdfe53e20c687d\gapaengine.dll (2.0.8001.0)

               NIS Full:
   NIS engine: 2.0.8001.0
 NIS base VDM: 11.0.0.0 
 NIS full VDM: 11.137.0.0

================================ PatchApplication ================================

Patched nisfull.vdm to 11.137.0.0

================================= MpUpdateEngine =================================

Package files for the engine update:
e:\b21ddb8ccdfe53e20c687d\11.0.0.0_to_11.137.0.0_nisfull.vdm_source_nisbase.vdm._p (?.?.?.?)
e:\b21ddb8ccdfe53e20c687d\nisbase.vdm (11.0.0.0)
e:\b21ddb8ccdfe53e20c687d\nisfull.vdm (11.137.0.0)
e:\b21ddb8ccdfe53e20c687d\gapaengine.dll (2.0.8001.0)

ERROR 0x80070002 : MpUpdateEngine(e:\b21ddb8ccdfe53e20c687d)
ERROR 0x80070002 : IProduct->UpdateEngine

================================= ValidateUpdate =================================

MpSigStub successfully updated Microsoft Forefront Endpoint Protection 2010 using the NIS Full package.

               Original:   Updated to:
   NIS engine: 2.0.8001.0  2.0.8001.0
 NIS base VDM: 11.0.0.0    11.0.0.0  
 NIS full VDM: 11.137.0.0  11.137.0.0

Set NISDeltaUpdateFailure to 0
Deleted e:\b21ddb8ccdfe53e20c687d\11.0.0.0_to_11.137.0.0_nisfull.vdm_source_nisbase.vdm._p
Deleted e:\b21ddb8ccdfe53e20c687d\nisbase.vdm
Deleted e:\b21ddb8ccdfe53e20c687d\nisfull.vdm
Deleted e:\b21ddb8ccdfe53e20c687d\gapaengine.dll
End time: 22/06/2012 15:12
----------------------------------------------------------------------------------

Free Windows Admin Tool Kit Click here and download it now
June 22nd, 2012 1:28pm

With PM I have found the place for NISFULL.VDM (C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{70490CE5-753B-4E1B-9D4F-176BB9E9DF9C}), I wasn't able to understand the problem but for sure the update process wasn't able to replace the current with the new one!:-(

First I have renamed the current one, but then executing the stand-alone updater nis_full.exe wasn't even able to recreate it...

In PM I have seen that the new NISFULL.VDM was being created into a temporary folder, but the folder is automatically deleted at the end; with an undelete tool I have recovered the deleted, new nisfull.vdm and placed into the above folder!

I have executed again the updater nis_full.exe and now it ended correctly since the current file was already up-to-date! :-)

I think that there is a bug inside nis_full.exe! :-( Hoping that wil be sorted out and solved before next upgrade... :-)

Here you are the latest log, without errors...

----------------------------------------------------------------------------------
Command:    e:\b21ddb8ccdfe53e20c687d\mpsigstub.exe
Start time: 22/06/2012 15:12 (version 11.1.3927.0)

================================= CacheMpSigStub =================================

Copied MpSigStub.exe to C:\Windows\system32\MpSigStub.exe

=================================== ProductSearch ==================================

                 Microsoft Windows Defender (Windows 7):  Microsoft Forefront Endpoint Protection 2010:
         Status: Disabled                                 Active                                      
        Product: 6.1.7600.16385                           3.0.8107.0                                  
         Engine: 1.1.6603.0                               1.1.8502.0                                  
     Signatures: 1.99.1602.0                              1.129.268.0                                 
     NIS Engine:                                          2.0.8001.0                                  
 NIS Signatures:                                          11.137.0.0                                  

================================ PackageDiscovery ================================

Package files discovered:
e:\b21ddb8ccdfe53e20c687d\11.0.0.0_to_11.137.0.0_nisfull.vdm_source_nisbase.vdm._p (?.?.?.?)
e:\b21ddb8ccdfe53e20c687d\nisbase.vdm (11.0.0.0)
e:\b21ddb8ccdfe53e20c687d\gapaengine.dll (2.0.8001.0)

               NIS Full:
   NIS engine: 2.0.8001.0
 NIS base VDM: 11.0.0.0 
 NIS full VDM: 11.137.0.0

================================ PatchApplication ================================

Patched nisfull.vdm to 11.137.0.0

================================= MpUpdateEngine =================================

Package files for the engine update:
e:\b21ddb8ccdfe53e20c687d\11.0.0.0_to_11.137.0.0_nisfull.vdm_source_nisbase.vdm._p (?.?.?.?)
e:\b21ddb8ccdfe53e20c687d\nisbase.vdm (11.0.0.0)
e:\b21ddb8ccdfe53e20c687d\nisfull.vdm (11.137.0.0)
e:\b21ddb8ccdfe53e20c687d\gapaengine.dll (2.0.8001.0)

ERROR 0x80070002 : MpUpdateEngine(e:\b21ddb8ccdfe53e20c687d)
ERROR 0x80070002 : IProduct->UpdateEngine

================================= ValidateUpdate =================================

MpSigStub successfully updated Microsoft Forefront Endpoint Protection 2010 using the NIS Full package.

               Original:   Updated to:
   NIS engine: 2.0.8001.0  2.0.8001.0
 NIS base VDM: 11.0.0.0    11.0.0.0  
 NIS full VDM: 11.137.0.0  11.137.0.0

Set NISDeltaUpdateFailure to 0
Deleted e:\b21ddb8ccdfe53e20c687d\11.0.0.0_to_11.137.0.0_nisfull.vdm_source_nisbase.vdm._p
Deleted e:\b21ddb8ccdfe53e20c687d\nisbase.vdm
Deleted e:\b21ddb8ccdfe53e20c687d\nisfull.vdm
Deleted e:\b21ddb8ccdfe53e20c687d\gapaengine.dll
End time: 22/06/2012 15:12
----------------------------------------------------------------------------------

June 22nd, 2012 1:28pm

...I can't believe it... MS has released another NISFULL and again the .vdm cannot get updated!!!! :-(

----------------------------------------------------------------------------------
Command:    e:\15b064bc73900de21bad1c160a0c\mpsigstub.exe
Start time: 10/08/2012 15:41 (version 11.1.3927.0)

================================= CacheMpSigStub =================================

Copied MpSigStub.exe to C:\Windows\system32\MpSigStub.exe

=================================== ProductSearch ==================================

                 Microsoft Windows Defender (Windows 7):  Microsoft Forefront Endpoint Protection 2010:
         Status: Disabled                                 Active                                      
        Product: 6.1.7600.16385                           3.0.8107.0                                  
         Engine: 1.1.6603.0                               1.1.8601.0                                  
     Signatures: 1.99.1602.0                              1.131.1768.0                                
     NIS Engine:                                          2.0.8001.0                                  
 NIS Signatures:                                          11.137.0.0                                  

================================ PackageDiscovery ================================

Package files discovered:
e:\15b064bc73900de21bad1c160a0c\11.0.0.0_to_11.159.0.0_nisfull.vdm_source_nisbase.vdm._p (?.?.?.?)
e:\15b064bc73900de21bad1c160a0c\nisbase.vdm (11.0.0.0)
e:\15b064bc73900de21bad1c160a0c\gapaengine.dll (2.0.8001.0)

               NIS Full:
   NIS engine: 2.0.8001.0
 NIS base VDM: 11.0.0.0 
 NIS full VDM: 11.159.0.0

================================ PatchApplication ================================

Patched nisfull.vdm to 11.159.0.0

================================= MpUpdateEngine =================================

Package files for the engine update:
e:\15b064bc73900de21bad1c160a0c\11.0.0.0_to_11.159.0.0_nisfull.vdm_source_nisbase.vdm._p (?.?.?.?)
e:\15b064bc73900de21bad1c160a0c\nisbase.vdm (11.0.0.0)
e:\15b064bc73900de21bad1c160a0c\nisfull.vdm (11.159.0.0)
e:\15b064bc73900de21bad1c160a0c\gapaengine.dll (2.0.8001.0)

ERROR 0x80070002 : MpUpdateEngine(e:\15b064bc73900de21bad1c160a0c)
ERROR 0x80070002 : IProduct->UpdateEngine

================================= ValidateUpdate =================================

nisfull.vdm version in package is 11.159.0.0, but after update machine has older version 11.137.0.0

                         Watson Report:                                Position:
                HRESULT: 0x80070002                                    P1      
         FailedFunction: MpUpdateEngine                                P2      
              Operation: NIS Full                                      P3      
 SourceComponentVersion: 11.1.3927.0                                   P4      
    SourceComponentName: mpsigstub.exe                                 P5      
         ProductVersion: 3.0.8107.0                                    P6      
            ProductName: Microsoft Forefront Endpoint Protection 2010  P7      

ERROR 0x80070002 : One or more of the packages found failed to update for Microsoft Forefront Endpoint Protection 2010.
ERROR 0x80070002 : One or more of the products found failed to update; returning this error
Deleted e:\15b064bc73900de21bad1c160a0c\11.0.0.0_to_11.159.0.0_nisfull.vdm_source_nisbase.vdm._p
Deleted e:\15b064bc73900de21bad1c160a0c\nisbase.vdm
Deleted e:\15b064bc73900de21bad1c160a0c\nisfull.vdm
Deleted e:\15b064bc73900de21bad1c160a0c\gapaengine.dll
ERROR 0x80070002 : MpSigStubMain
End time: 10/08/2012 15:41
----------------------------------------------------------------------------------

 

Free Windows Admin Tool Kit Click here and download it now
August 10th, 2012 1:44pm

Hi Giangi at work (Partner)

From September, 2015 and Windows 10's Windows Defender. Thank You for your work in 2012!!!! When I finally found it, it was my answer toooooo!

https://social.technet.microsoft.com/Forums/en-US/0b537e97-015e-4f09-9df5-16ec7893f8fa/nis-full-engine-update-failure-in-mpsigstubexe-for-windows-defender-on-windows-100-pro-th1-sr1?forum=win10itprosecurity

NIS Full Engine Update Failure in mpsigstub.exe for Windows Defender on Windows 10.0 Pro TH1 SR1 10240 RTM

September 6th, 2015 10:01pm

This topic is archived. No further replies will be accepted.

Other recent topics Other recent topics