We have seen some reported cases where the applicationHost.config file gets corrupted when OneCare or Forefront is running on the same machine. By "corruption" I mean the XML is malformed, and you may get an error:
Error: Configuration file is not well-formed XML.
Without going into the technical details, it has to do with how OneCare/Forefront scans the files and the timing between when OneCare/Forefront scans the files and when an application, such as IIS, performs a file operation. The OneCare/Forefront team is currently working on a fix to address this problem, but for now, the following workaround is provided:
- Create the following key: “HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MpFilter\Parameters”.
- Add a DWORD value “ScanOnCleanup” and set it to 0.
- Restart the OneCare/Forefront service.
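The first two steps above as a PowerShell script, added here as an example and not part of the original post. It assumes an elevated session, takes the path to applicationHost.config as a parameter (`ConfigPath`, a name chosen for this example), and leaves the service restart manual because the post does not name the service; the well-formedness check at the end is an addition for spotting the reported symptom.

```powershell
# Added example: apply the ScanOnCleanup workaround idempotently, then check
# that the config file still parses as XML. Supports -WhatIf for a dry run.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Full path to applicationHost.config, supplied by the operator (assumption).
    [Parameter(Mandatory = $true)]
    [string]$ConfigPath
)

$keyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\MpFilter\Parameters'
$valueName = 'ScanOnCleanup'

# Hypothetical helper: returns $true only if the file loads as XML.
function Test-XmlWellFormed {
    param([string]$Path)
    try {
        $doc = New-Object System.Xml.XmlDocument
        $doc.Load($Path)   # throws if the XML is malformed
        return $true
    } catch {
        Write-Warning "$Path could not be parsed as XML: $($_.Exception.Message)"
        return $false
    }
}

# Step 1: create the key if it does not exist yet.
if (-not (Test-Path $keyPath)) {
    if ($PSCmdlet.ShouldProcess($keyPath, 'Create registry key')) {
        New-Item -Path $keyPath -Force | Out-Null
    }
}

# Step 2: set the DWORD to 0 only if it is missing or has another value.
$current = (Get-ItemProperty -Path $keyPath -Name $valueName -ErrorAction SilentlyContinue).$valueName
if ($current -ne 0) {
    if ($PSCmdlet.ShouldProcess("$keyPath\$valueName", 'Set DWORD to 0')) {
        New-ItemProperty -Path $keyPath -Name $valueName -PropertyType DWord -Value 0 -Force | Out-Null
        Write-Output "ScanOnCleanup was '$current', now 0. Restart the OneCare/Forefront service (step 3)."
    }
} else {
    Write-Output 'ScanOnCleanup is already 0; no change made.'
}

# Symptom check: a corrupted applicationHost.config fails to load as XML.
if (-not (Test-Path $ConfigPath)) {
    Write-Warning "$ConfigPath not found."
} elseif (Test-XmlWellFormed $ConfigPath) {
    Write-Output "$ConfigPath is well-formed XML."
}
```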
The above registry setting tells the OneCare/Forefront services not to scan files when they are being written or modified. This is not a security compromise because:
- Without the above registry value, OneCare/Forefront still does not prevent an infected file from being saved; it only notifies you of the infected file. So without the registry value you may be notified sooner, but the infected file is still written. This is necessary because anti-virus programs, including OneCare/Forefront, allow a file to be written in its entirety before it can be inspected for viruses.
- All files are still scanned when something tries to open them. So if a file is infected, OneCare/Forefront prevents it from being opened and the system is still safe.
I will post a follow-up when the fix from OneCare/Forefront becomes available. Meanwhile, the above workaround is your best alternative.
(Note that Forefront has a way to exclude a path from being scanned. Configuring Forefront not to scan applicationHost.config is not a viable workaround, because despite this setting Forefront still scans the file and only omits it from reporting. There is a reason for this, and this behavior is by design.)