If you experience problems with Forefront Client Security (or Windows Defender) and likely also the new free Microsoft antivirus, here are some tips for debugging it;

Look for the file called;

MpCmdRun.exe

On Forefront Client Security this is found in;

C:\Program Files\Microsoft Forefront\Client Security\Client\Antimalware

If you go to a command prompt and run this command with a -? you will get a bunch of debugging commands, there are among others restore commands that will reset the configuration of the client etc etc..

One likely useful command to debug performance issues is;

MpCmdRun.exe -trace

However I have been unable to determine how to decode the .bin file created!?  So if you have any suggestions please let me know!?  However if you look in the .log file in the same directory you will get some historic information which may prove useful.  Also, there is still the good old utils from Sysinternals (eg filemon) to assist you.

All very useful..

Here are the switches for Forefront Client Security;

   -Scan [-ScanType]
        0  Default, according to your configuration
        1  Quick scan
        2  Full system scan
   -Trace [-Grouping] [-Level]
        Begins tracing Microsoft Forefront Client Security's actions.
        You can specify the components for which tracing is enabled and
        how much information is recorded.
        If no component is specified, all the components will be logged.
        If no level is specified, the Error, Warning and Informational levels
        will be logged. The data will be stored in the support directory
        as a file having the current timestamp in its name and bearing
        the extension BIN.
        [-Grouping]
        0x1    Service
        0x2    Malware Protection Engine
        0x4    User Interface
        0x8    Real-Time Protection
        0x10   Scheduled actions
        [-Level]
        0x1    Errors
        0x2    Warnings
        0x4    Informational messages
        0x8    Function calls
        0x10   Assertions
   -GetFiles
        Gathers the following log files and packages them together in a
        compressed file in the support directory
        - Any trace files from Microsoft Forefront Client Security
        - The Windows Update history log
        - All FCSAM or FCSAMRtp events from the
          System and Application event log
        - All relevant Microsoft Forefront Client Security registry locations
        - All software information from Software Explorer
   -RemoveDefinitions
        Restores the last set of signature definitions
   -RemoveDefinitions -All
        Rolls the signature definitions back to the default signature set
        and removes any installed signature and engine files.Use this
        option if you have difficulties trying to update signatures.
   -RestoreDefaults
        Resets all configuration options to their default values; this is the
        equivalent of running Microsoft Forefront Client Security setup
        unattended.
   -GetSWE
        Exports the contents of Software Explorer into a file named MPSWE.txt
        in the support directory
0 replies

Leave a Reply

Want to join the discussion?
Feel free to contribute!

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.