Redirecting Microsoft ForeFront Endpoint Protection AV Pattern Files

One of the best practices that Citrix recommends for XenApp or XenDesktop provisioned machines is to redirect the anti-virus pattern files to a persistent drive. This blog post describes the steps required to redirect the Microsoft ForeFront Endpoint Protection (MSFEP) AV pattern files to a different location.

Background

When a machine provisioned by Citrix Provisioning Services is rebooted, and its vDisk uses Standard Image mode with the write cache placed on the device's hard disk or on the server's hard disk, the changes that were written to the write cache file are discarded. That means that any change made to the C: drive is lost after a reboot of the machine.

MSFEP, by default, writes the AV pattern files to C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates.

That means that AV pattern files downloaded into this folder are lost after a reboot and have to be downloaded again. To preserve the downloaded AV pattern files we are going to redirect them to the write cache disk. Note that this is the write cache disk, not the write cache file: the file is discarded at every reboot, but the disk is a local drive that persists, so a folder on it outside the write cache file survives the reboot. Note also that the registry changes described below live on the C: drive, so they have to be made in the vDisk image itself (in Private Image mode or in a maintenance version) before the image is sealed; only the downloaded definition files end up on the persistent disk, not the registry.

Steps for Redirecting the AV Pattern Files

IMPORTANT: Redirecting the AV pattern files involves changing settings in the Windows Registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs.

In this example we are going to redirect the AV pattern files to D:\FEP.

Stop the service Microsoft Antimalware Service.
Create the folder D:\FEP.
Open the Registry Editor and browse to HKLM\Software\Microsoft\Microsoft Antimalware.
Change ProductAppDataPath to D:\FEP.

You'll notice an error saying that you can't change the value. This is because only the SYSTEM account has enough permission to change settings in the Microsoft Antimalware registry key and its sub keys. There are two options:

1) Change the ownership of the Microsoft Antimalware registry key and continue. Keep in mind that this permanently loosens the ACL that keeps local administrators (and anything running as one of them) from reconfiguring the anti-malware engine.

2) Perform the changes using the SYSTEM account. (Recommended, because the ACL on the key stays as it was.)

In this example we use the recommended method and run the changes as the SYSTEM account by using the Sysinternals utility PsExec.exe. Therefore we continue from the command line.

Type the command psexec /accepteula -s reg.exe add "HKLM\Software\Microsoft\Microsoft Antimalware" /v ProductAppDataPath /t REG_SZ /d "D:\FEP" /f
This changes the path where the AV pattern files are stored to D:\FEP. The -s switch makes PsExec execute the command under the SYSTEM account.

Type the command psexec /accepteula -s reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\Microsoft Security Client" /v FileName /t REG_SZ /d "D:\FEP\Support\Application.etl" /f
This changes the location of the first of the two event trace (.etl) files that FEP's autologger sessions write. The events that FEP logs are thereby also kept on the write cache disk and survive a reboot.

Type the command psexec /accepteula -s reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\Microsoft Security Client WMI Providers" /v FileName /t REG_SZ /d "D:\FEP\Support\Providers.etl" /f
This changes the location of the second event trace (.etl) file. Use the same D:\FEP path here as in the previous commands, so that both trace files end up next to the pattern files.

Reboot the server.

Type the command psexec /accepteula -s cmd.exe /c rd /s /q "C:\ProgramData\Microsoft\Microsoft Antimalware"
This removes the leftovers of the initial FEP configuration from the C: drive.

Type the command psexec /accepteula -s cmd.exe /c rd /s /q "C:\ProgramData\Microsoft\Microsoft Security Client"
This removes the leftovers of the initial client configuration.

The AV pattern files are now automatically downloaded to D:\FEP.


Example Scripts (CMD)

::Script 1 - Redirect AV Pattern Files
::Run this on the vDisk (Private Image mode or a maintenance version) before sealing it. It ends with a reboot.
net stop "Microsoft Antimalware Service"
md "D:\FEP"
psexec /accepteula -s reg.exe add "HKLM\Software\Microsoft\Microsoft Antimalware" /v ProductAppDataPath /t REG_SZ /d "D:\FEP" /f
psexec /accepteula -s reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\Microsoft Security Client" /v FileName /t REG_SZ /d "D:\FEP\Support\Application.etl" /f
psexec /accepteula -s reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\Microsoft Security Client WMI Providers" /v FileName /t REG_SZ /d "D:\FEP\Support\Providers.etl" /f
shutdown /r /t 0

::Script 2 - Remove Left Over Initial Configuration
::Run this after the reboot; nothing that follows shutdown /r /t 0 in script 1 is guaranteed to run.
psexec /accepteula -s cmd.exe /c rd /s /q "C:\ProgramData\Microsoft\Microsoft Antimalware"
psexec /accepteula -s cmd.exe /c rd /s /q "C:\ProgramData\Microsoft\Microsoft Security Client"
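The scripts above make the change but do not tell you whether it actually took. The following PowerShell script is an added example, not part of the original post or of FEP itself: run it on a provisioned machine after the reboot to confirm that the definition store, both trace files and the currently active signature set all live under the redirect target, and that only one {GUID} folder exists (several GUID folders is the symptom readers describe in the comments). It assumes the target is D:\FEP, that an elevated session can read the Microsoft Antimalware key (the post notes only SYSTEM can write it), and that mpcmdrun.exe sits in the path quoted in the comments; all three are assumptions and are parameters or variables you can change.

```powershell
# Added example (not from the original post): verify that the FEP definition
# redirection is in effect on a provisioned machine.
# Assumptions: redirect target D:\FEP; an elevated session that can read the
# "Microsoft Antimalware" key; mpcmdrun.exe at the path below.
param(
    [string]$Target = 'D:\FEP',
    [switch]$ForceUpdate   # also pull a definition update and re-check afterwards
)

$amKey    = 'HKLM:\SOFTWARE\Microsoft\Microsoft Antimalware'
$sigKey   = Join-Path $amKey 'Signature Updates'
$logKeys  = @(
    'HKLM:\SYSTEM\CurrentControlSet\Control\WMI\Autologger\Microsoft Security Client',
    'HKLM:\SYSTEM\CurrentControlSet\Control\WMI\Autologger\Microsoft Security Client WMI Providers'
)
$mpcmdrun = 'C:\Program Files\Microsoft Security Client\Antimalware\mpcmdrun.exe'  # assumed location

# Reads one registry value; returns $null (no exception) when the key or value is missing.
function Get-RegValue([string]$Key, [string]$Name) {
    $item = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

# True when $Path (after %VAR% expansion) equals $Root or sits below it, case-insensitive.
function Test-UnderRoot([string]$Path, [string]$Root) {
    if ([string]::IsNullOrWhiteSpace($Path)) { return $false }
    $p = [Environment]::ExpandEnvironmentVariables($Path).TrimEnd('\')
    $r = $Root.TrimEnd('\')
    return $p.Equals($r, 'OrdinalIgnoreCase') -or $p.StartsWith("$r\", 'OrdinalIgnoreCase')
}

function Test-FepRedirection([string]$Root) {
    $checks = [ordered]@{}

    # 1. The definition store itself must be on the persistent disk.
    $checks['ProductAppDataPath'] = Test-UnderRoot (Get-RegValue $amKey 'ProductAppDataPath') $Root

    # 2. Both ETW autologger trace files must be there too, or they vanish at reboot.
    foreach ($k in $logKeys) {
        $checks[(Split-Path $k -Leaf)] = Test-UnderRoot (Get-RegValue $k 'FileName') $Root
    }

    # 3. The active signature set (SignatureLocation) must point into the redirected
    #    folder and that GUID folder must exist. A pointer to a folder that is no longer
    #    there is what makes FEP report "out of date" and download the same update again.
    $sigLoc = Get-RegValue $sigKey 'SignatureLocation'
    $checks['SignatureLocation'] = (Test-UnderRoot $sigLoc $Root) -and
        (Test-Path -LiteralPath ([Environment]::ExpandEnvironmentVariables($sigLoc)))

    # 4. A healthy store has exactly one {GUID} folder under "Definition Updates".
    $defDir   = Join-Path $Root 'Definition Updates'
    $guidDirs = @(Get-ChildItem -LiteralPath $defDir -Directory -ErrorAction SilentlyContinue |
                  Where-Object { $_.Name -match '^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$' })
    $checks['SingleGuidFolder'] = ($guidDirs.Count -eq 1)

    return $checks
}

$result = Test-FepRedirection $Target
if ($ForceUpdate -and (Test-Path -LiteralPath $mpcmdrun)) {
    # Same update trigger the author suggests in the comments; then confirm the new
    # GUID folder and the updated pointer both landed under $Target.
    & $mpcmdrun -signatureupdate -mmpc | Out-Null
    $result = Test-FepRedirection $Target
}

foreach ($c in $result.GetEnumerator()) {
    '{0,-45} {1}' -f $c.Key, $(if ($c.Value) { 'OK' } else { 'FAIL' })
}
if (@($result.Values) -contains $false) { exit 1 }
```

Run it as powershell -ExecutionPolicy Bypass -File Test-FepRedirection.ps1 from an elevated prompt; if reading the Microsoft Antimalware key is denied on your build, run the same command through psexec /accepteula -s so it executes as SYSTEM. A non-zero exit code makes the check usable from a PVS image build pipeline.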


8 Responses

  1. Sunil Modhvadia says:

    Hi,

    Tried this, redirection works fine but the signatures still seem to get updated on every reboot, I have quite a few update folders in D:\FEP\Definition Updates. On further investigation, I can see that even though there is a folder with the latest definition update, e.g. D:\FEP\Definition Updates\{37216C36-7078-40CA-B604-D926E3F4ABDD}, it will still show as Out of Date Update and force a redownload which creates a new folder with the same updates. Is this something you have seen?

    regards

    Sunil

    • Ivan says:

      Hi Sunil,

      I haven’t seen this issue. We only have one GUID folder with the latest update, one Backup folder and one Updates folder. Also the status of FEP is “Up to date”. Normally, when a new update is available, the current GUID folder should be replaced with a new GUID folder. There should not be a long list with GUID folders.

      Also, in the registry, SignatureLocation (in HKLM\Software\Microsoft\Microsoft Antimalware\Signature Updates) should point to the correct GUID folder. So when a new update is downloaded/installed and a new GUID folder is created with the latest update, this registry value should automatically be adjusted to this new GUID folder. You can check this process with the command C:\Program Files\Microsoft Security Client\Antimalware\mpcmdrun.exe -signatureupdate -mmpc

      • Paul says:

        Hi Ivan,

        Like Sunil we have some machines that show more than one GUID folder under the Definition Updates. On these machines the Backup folder is not present.
        If we try the command line check it turns out OK and the reg keys are also pointing to existing folders on the persistent disk.
        I tried stopping the service and deleting all GUID folders but no result.
        Any idea how to solve this?
        I will delete one of the VMs and create a new one to see what happens.

        • Ivan says:

          Hi Paul,

          Did you use the above manual steps or did you use the example scripts? I wonder if there is a difference in behavior between those two. I used the scripts, and haven’t seen the issues that you and Sunil described. And I still use the scripted method in production when creating new versions of PVS images without problems.

      • James says:

        Been struggling with a similar setup using scep2012.. Seems to me that the signature location registry entries are getting reset when the write cache resets on reboot. Given the use of these keys I’m having a hard time understanding how this can actually work across reboots.

        • Ivan says:

          Hi James,

          I have no experience with SCEP2012, but you could try exporting the location registry entries at system shutdown and importing the location registry entries at startup using a script and trigger exporting and importing using the startup/shutdown option in a GPO.

  2. Nawir says:

    Hi Ivan,

    Is it possible to store the definition updates on a file server so that I don't have to create a cache disk for each user?
