It's now a long time that I have a problem updating my FEP 2010, I had almost the same problem months ago and the "solutions" was remove/reinstall it...
This time the remove/reinstall didn't solve the problem so I have looked deeper into the logs.
I have tracked down the problem to a failing NISFULL.VDM update but I didn't found anything searching the web. I have already tried to reset the definitios running: "%ProgramFiles%\Microsoft Security Client\Antimalware\mpcmdrun" -RemoveDefinitions -All
The pc is running Seven Enterprise with SP1, FEP info (in italian but understandably... :-) are:
Forefront Endpoint Protection versione: 2.0.657.0
Versione client antimalware: 3.0.8107.0
Versione motore: 1.1.8502.0
Definizione antivirus: 1.129.167.0
Definizione antispyware: 1.129.167.0
Nome criterio: PRG - Default Desktop Policy - Admin privilege
Criterio applicato: 15/06/2012 a 08:44
Basically the Windows Update service keeps proposing the same update for ever...
I have followed http://support.microsoft.com/kb/935934 for manually updating FEP, here you are my current MpSigStub.log hoping that someone will help me sorting out my problems! (the FEP updates are managed by SCCM, but updating from Microsoft Update has the same error), in bold the line I believe containing the error...
----------------------------------------------------------------------------------
Command: e:\f030968fe480989a51\MPSigStub.exe
Start time: 21/06/2012 09:28 (version 11.1.3927.0)
================================= CacheMpSigStub =================================
Copied MpSigStub.exe to C:\Windows\system32\MpSigStub.exe
=================================== ProductSearch ==================================
Microsoft Windows Defender (Windows 7): Microsoft Forefront Endpoint Protection 2010:
Status: Disabled
Active
Product: 6.1.7600.16385 3.0.8107.0
Engine: 1.1.6603.0 1.1.8502.0
Signatures: 1.99.1602.0 1.129.167.0
NIS Engine:
2.0.8001.0
NIS Signatures:
11.0.0.0
================================ PackageDiscovery ================================
Package files discovered:
e:\f030968fe480989a51\mpasbase.vdm (1.129.0.0)
e:\f030968fe480989a51\mpasdlta.vdm (1.129.195.0)
e:\f030968fe480989a51\mpavbase.vdm (1.129.0.0)
e:\f030968fe480989a51\mpavdlta.vdm (1.129.195.0)
e:\f030968fe480989a51\mpengine.dll (1.1.8502.0)
AM FE:
Engine: 1.1.8502.0
AS base VDM: 1.129.0.0
AV base VDM: 1.129.0.0
AS delta VDM: 1.129.195.0
AV delta VDM: 1.129.195.0
================================= MpUpdateEngine =================================
Package files for the engine update:
e:\f030968fe480989a51\mpasbase.vdm (1.129.0.0)
e:\f030968fe480989a51\mpasdlta.vdm (1.129.195.0)
e:\f030968fe480989a51\mpavbase.vdm (1.129.0.0)
e:\f030968fe480989a51\mpavdlta.vdm (1.129.195.0)
e:\f030968fe480989a51\mpengine.dll (1.1.8502.0)
Updated from e:\f030968fe480989a51 (0x0)
================================= ValidateUpdate =================================
MpSigStub successfully updated Microsoft Forefront Endpoint Protection 2010 using the AM FE package.
Original: Updated to:
Engine: 1.1.8502.0 1.1.8502.0
AS base VDM: 1.129.0.0 1.129.0.0
AV base VDM: 1.129.0.0 1.129.0.0
AS delta VDM: 1.129.167.0 1.129.195.0
AV delta VDM: 1.129.167.0 1.129.195.0
Set DeltaUpdateFailure to 0
Set BddUpdateFailure to 0
Deleted e:\f030968fe480989a51\mpasbase.vdm
Deleted e:\f030968fe480989a51\mpasdlta.vdm
Deleted e:\f030968fe480989a51\mpavbase.vdm
Deleted e:\f030968fe480989a51\mpavdlta.vdm
Deleted e:\f030968fe480989a51\mpengine.dll
Deleted C:\Windows\Temp\24F6176CE3ABBCF48ABE8BD18F0AD4D3-Sigs\11.0.0.0_TO_11.137.0.0_NISFULL.VDM_SOURCE_NISBASE.VDM._P
Deleted C:\Windows\Temp\24F6176CE3ABBCF48ABE8BD18F0AD4D3-Sigs\NISBASE.VDM
Deleted C:\Windows\Temp\24F6176CE3ABBCF48ABE8BD18F0AD4D3-Sigs\GAPAENGINE.DLL
End time: 21/06/2012 09:28
----------------------------------------------------------------------------------
----------------------------------------------------------------------------------
Command: e:\6866fdcd562814e427\mpsigstub.exe
Start time: 21/06/2012 09:32 (version 11.1.3927.0)
================================= CacheMpSigStub =================================
Copied MpSigStub.exe to C:\Windows\system32\MpSigStub.exe
=================================== ProductSearch ==================================
Microsoft Windows Defender (Windows 7): Microsoft Forefront Endpoint Protection 2010:
Status: Disabled
Active
Product: 6.1.7600.16385 3.0.8107.0
Engine: 1.1.6603.0 1.1.8502.0
Signatures: 1.99.1602.0 1.129.195.0
NIS Engine:
2.0.8001.0
NIS Signatures:
11.0.0.0
================================ PackageDiscovery ================================
Package files discovered:
e:\6866fdcd562814e427\11.0.0.0_to_11.137.0.0_nisfull.vdm_source_nisbase.vdm._p (?.?.?.?)
e:\6866fdcd562814e427\nisbase.vdm (11.0.0.0)
e:\6866fdcd562814e427\gapaengine.dll (2.0.8001.0)
NIS Full:
NIS engine: 2.0.8001.0
NIS base VDM: 11.0.0.0
NIS full VDM: 11.137.0.0
================================ PatchApplication ================================
Patched nisfull.vdm to 11.137.0.0
================================= MpUpdateEngine =================================
Package files for the engine update:
e:\6866fdcd562814e427\11.0.0.0_to_11.137.0.0_nisfull.vdm_source_nisbase.vdm._p (?.?.?.?)
e:\6866fdcd562814e427\nisbase.vdm (11.0.0.0)
e:\6866fdcd562814e427\nisfull.vdm (11.137.0.0)
e:\6866fdcd562814e427\gapaengine.dll (2.0.8001.0)
ERROR 0x80070002 : MpUpdateEngine(e:\6866fdcd562814e427)
ERROR 0x80070002 : IProduct->UpdateEngine
================================= ValidateUpdate =================================
nisfull.vdm version in package is 11.137.0.0, but after update machine has older version 11.0.0.0
Watson Report:
Position:
HRESULT: 0x80070002
P1
FailedFunction: MpUpdateEngine
P2
Operation: NIS Full
P3
SourceComponentVersion: 11.1.3927.0 P4
SourceComponentName: mpsigstub.exe P5
ProductVersion: 3.0.8107.0
P6
ProductName: Microsoft Forefront Endpoint Protection 2010 P7
ERROR 0x80070002 : One or more of the packages found failed to update for Microsoft Forefront Endpoint Protection 2010.
ERROR 0x80070002 : One or more of the products found failed to update; returning this error
Deleted e:\6866fdcd562814e427\11.0.0.0_to_11.137.0.0_nisfull.vdm_source_nisbase.vdm._p
Deleted e:\6866fdcd562814e427\nisbase.vdm
Deleted e:\6866fdcd562814e427\nisfull.vdm
Deleted e:\6866fdcd562814e427\gapaengine.dll
ERROR 0x80070002 : MpSigStubMain
End time: 21/06/2012 09:32
----------------------------------------------------------------------------------
Thank you,
Giangi