Forefront disappearing from Lab computers

I'm an administrator for Gonzaga University School of Business computer labs. We have had Microsoft Forefront installed on our Windows 7 Enterprise lab machines for several years. We have just noticed that Forefront is disappearing from random computers. Not just one or two but upwards of 100 computers.

The symptoms are:

  1. The Forefront icon is missing from the systray.
  2. The program icons are missing from the Program menu.
  3. If I do a search from the Start button, I find an unresolved icon for Forefront. Clicking on it tells me there is no program associated with it.
  4. In the Programs And Features program list, there is an unresolved icon.  Clicking on it to do an uninstall produces a message to the effect that the program has already been uninstalled, and do I want to remove the icon from the list.

I'm wondering if you know of any legitimate events that could cause this to happen.

Thanks,

Rob Joyce

April 21st, 2015 1:19pm

Have you checked the Event viewer?

Are you seeing any suspicious events?

There is a policy for FEP and other anti-malware products which, when it is enabled, will uninstall the current anti-malware software and install the other one.

You may set up an alert in the Event Viewer so that when there are any events related to the FEP application, it notifies you.

April 21st, 2015 4:37pm

That kind of sounds like the behavior of a malware infection that is preventing Endpoint Protection from running...

Check HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run in the registry

Has the MSC property been altered? It should be

"c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey

I've seen cases before where this is altered to something like mssecesx.exe so the EP interface can't launch.

I may be off track in this case, but I've seen this before on systems infected with the Sirefef/ZeroAccess malware. It's worth checking anyway.


April 21st, 2015 6:03pm
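
The check described in the reply above can be scripted. This is an added example, not code from the thread: it compares the `MSC` value under the Run key with the string quoted in the post and confirms that the executable it names is still on disk. The function names are hypothetical, and it is written for the PowerShell 2.0 that ships with Windows 7.

```powershell
# Added example, not from the thread. Run locally in 64-bit PowerShell.
$runKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
# Expected value exactly as quoted in the post above.
$expected = '"c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey'

# Classify the Run value: absent, matching, or changed (e.g. mssecesx.exe).
function Get-MscRunState {
    param([string]$Actual, [string]$Expected)
    if ([string]::IsNullOrEmpty($Actual)) { return 'Missing' }
    if ($Actual.Trim() -ieq $Expected)    { return 'OK' }
    return 'Altered'
}

# Pull the executable path out of a command line, quoted or not.
function Get-ExePathFromCommand {
    param([string]$Command)
    if ($Command -match '^\s*"([^"]+)"') { return $Matches[1] }
    if ($Command -match '^\s*(\S+)')     { return $Matches[1] }
    return $null
}

$props  = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
$actual = if ($props) { $props.MSC } else { $null }

$expectedExe = Get-ExePathFromCommand $expected
$actualExe   = Get-ExePathFromCommand $actual

# Does the genuine binary exist, and does whatever the value points at exist?
$expectedOnDisk = Test-Path -LiteralPath $expectedExe
$actualOnDisk   = $false
if ($actualExe) { $actualOnDisk = Test-Path -LiteralPath $actualExe }

New-Object PSObject -Property @{
    Computer            = $env:COMPUTERNAME
    RunValueState       = Get-MscRunState -Actual $actual -Expected $expected
    RunValue            = $actual
    ExpectedExeOnDisk   = $expectedOnDisk
    ReferencedExeOnDisk = $actualOnDisk
} | Format-List Computer, RunValueState, RunValue, ExpectedExeOnDisk, ReferencedExeOnDisk
```

A result of `Missing` with `ExpectedExeOnDisk` false means the client is gone entirely. `Altered` means the Run value no longer matches the quoted string, which is the case the reply describes.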

Thank you so much for your suggestions.  I'll check the Event viewer.  It's just that I'm not sure what kind of an event to look for.  I'll see if I can set notifications about FEP.

Thanks,

Rob

April 21st, 2015 6:19pm

Thank you so much for taking the time to help me out.  I really appreciate it.  I searched the registry for the Run key in the location you directed me to above, but in that key, I didn't see any MSC key.  The msseces.exe file is missing from the directory where it's supposed to be.  See my second post to the prior poster too.
April 21st, 2015 6:39pm

OK, I checked the Event log and found that the program was uninstalled on February 11.  There is no reason for that.  I've only checked one machine but I'll check the others to see which date they were uninstalled.  It was uninstalled by Windows Installer.
April 21st, 2015 6:41pm
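
To find the uninstall date on the remaining machines, the same Event Log lookup can be run across the lab. This is an added example, not code from the thread: it queries each machine's Application log for MsiInstaller removal events (IDs 1034 and 11724) and reports when the product was removed and under which account SID. The computer names and the product-name pattern are assumptions, and it assumes remote Event Log access is allowed through the firewall.

```powershell
# Added example, not from the thread. Computer names are placeholders.
$computers = @('LAB-PC-001', 'LAB-PC-002')

# MsiInstaller writes these to the Application log when a product is removed:
#   1034  = "Windows Installer removed the product. ..."
#   11724 = "Product: <name> -- Removal completed successfully."
$filter = @{ LogName = 'Application'; ProviderName = 'MsiInstaller'; Id = 1034, 11724 }

# Assumption: the product name in the event text contains one of these strings.
$namePattern = 'Forefront|Microsoft Security Client'

function Get-ForefrontRemovalEvent {
    param([string[]]$ComputerName)
    foreach ($c in $ComputerName) {
        try {
            $events = @(Get-WinEvent -ComputerName $c -FilterHashtable $filter -ErrorAction Stop)
        } catch {
            # Raised for "no matching events" as well as for unreachable hosts.
            Write-Warning "${c}: $($_.Exception.Message)"
            continue
        }
        foreach ($e in $events) {
            if ($e.Message -notmatch $namePattern) { continue }
            New-Object PSObject -Property @{
                Computer = $c
                Time     = $e.TimeCreated
                EventId  = $e.Id
                UserSid  = "$($e.UserId)"   # account that ran the uninstall
                Message  = $e.Message
            }
        }
    }
}

$removals = @(Get-ForefrontRemovalEvent -ComputerName $computers)
if ($removals.Count -gt 0) {
    $removals | Sort-Object Time |
        Format-Table Computer, Time, EventId, UserSid -AutoSize

    # Count removals per day to see whether the machines lost the client
    # together or at different times.
    $removals | Group-Object { $_.Time.ToString('yyyy-MM-dd') } |
        Sort-Object Name | Format-Table Name, Count -AutoSize
}
```

A `UserSid` of `S-1-5-18` is the Local System account, which means the removal was run by a service or management agent and not by a logged-on user.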

This topic is archived. No further replies will be accepted.
