How to install Microsoft Forefront Client Security Antivirus on Windows Home Server v1

Posted by Paul Braren on Oct 2 2011 (updated on Sep 24 2012) in
  • HomeServer
    • antivirus4whs

    Oct 03 2011 Update: It has come to my attention that my downloadable Forefront version information may be incorrect, I'm working on testing/updating that information now

    Oct 03 2011 Update: Updates to the instructions and screenshots below are now complete.

    Oct 05 2011 Update: Windows Update configuration & procedures updated as well, some screenshots borrowed from similar procedure on WHS2011

    Oct 07 2011 Update: Joe_Miner just located TechNet document walking through client installs is well written and pretty much replaces all the information below:
    http://technet.microsoft.com/en-us/library/bb625083.aspx
    although both install methods seem to have the exact same end result.

    Sep 24 2012 Update: unfortunate news:
    www.zdnet.com/microsoft-axes-many-of-its-forefront-enterprise-security-products-7000004166

    I basically followed all the intructions outlined step-by-step at TinkerTry.com/antivirus4whs2011, which you might also consider reviewing.  But this time, I used the 32 bit installer instead, and it seems to work just fine.  So I re-drafted just the instructions that pertain just to WHSv1 accordingly, read onward.

    I figured it was time for me to see what AV solution I could run, today, Oct 1 2011, as I finalize my new server called vZilla. While I don't surf or really expose my WHSv1 server to the web directly, if I can find a non-intrusive solution, I would find having it running reassuring, even if only for one last full scan before I migrate to 2011.  Even given the offsite backups I keep, I still have a lot of eggs in this precious basket. I can also always add filters to avoid certain folders to reduce overhead.

    Unlike Microsoft Security Essentials, Forefront seems to have heuristics based scanning, although I’m not really sure how important that is.  See also Microsoft's Understanding Anti-Malware Technologies, but I can't seem to find an impartial head-to-head test, I guess time and testing will tell.

    The previously mentioned supported operating system list does include Windows Server 2008 R2, which is what WHS 2011 basically based upon. This is likely part of the reason the installer doesn't die when you go to install this 2007-vintage antivirus product,  which you quickly update once installed.  And the install itself is incredibly easy (double click the MSI, then no questions asked, literally).

    Finding the installer was another matter, but I've documented it for you here. It's buried in a client install MSI file dated from Oct 2007, deep inside the ISO file you download. It's possible some instruction manual somewhere mentions that the client can be installed with this MP_AMBITS.MSI file.  But I couldn't find references, and lost patience, figuring I'd just give it a try on a non-important system, as seen in the video below. Strangely, even microsoft sites don't seem to mention this simple file, here for example, and only after figuring it out through trial and error did I find the file mentioned over here.

    Microsoft Forefront Client Security Download/Install/Update Guide

    Step 1) Download

    login to your MSDN or TechNet, then search for "Forefront Client Security" and you'll get one result, download en_forefront_client_security_x86_x64_cd_x13-62435.iso

    Forefront-Client-Security-download

    Step 2) Extract

    You'll need to use something like UltraISO to get to one file that you need inside the 154MB ISO, or just burn a physical CD and drag and drop, here's the path/filename:
    /en_forefront_client_security_x86_x64_cd_x13-62435.iso/CLIENT/MP_AMBITS.MSI

    Step 3) Double click MP_AMBITS.MSI

    yep, it'll install with no questions asked in about 5-10 seconds, and you'll see the tray icon warning you there's a newer version, ignore the URL offered (which has a service pack that fails) and instead just proceed to Step 4...

    Step 4) Run Windows Update

    A) you will be offered updates to Client Security from the Forefront GUI, ignore that, it won't work.  Instead, run Windows Update and press the button
    (screenshot from WHS2011, but similar process with WHSv1)
    and click the "Get updates for other Microsoft products. Find out more" link

    WindowsUpdateGetupdatesforotherMicrosoftproducts1

    Choose Updates, deselect all updates, then turn on just Forefront for now:

    B) Within a minute or two of the 2 patches getting installed by Windows Update, you'll get a green happy globe icon running in your tray, indicating all is well with Forefront.

    C) Go ahead and put Windows Update back on Automatic Updates, it'll now automatically include Forefront in it's engine/definitions downloads.

    That's it!  As of Oct 1 2011, in Forefront Client Security, you click on Help, About, and it should show Client Version 1.5.1996.0

    Please leave your comments using the Disqus comment system below, or head on over to the active forum thread already underway here, at one of my favorite hangouts:
    http://homeservershow.com/forums

    I have a video (without sound) that shows me installing this, but it was done before the modifications to the Windows Update procedure (thank you Joe_Miner & David!) discussed here

    Sep. 12 2012 Update:
    This seems to be the end of this story:
    arstechnica.com/information-technology/2012/09/microsoft-killing-off-most-of-its-forefront-range

    TinkerTry - PCs, EVs, home tech, efficiency and more, including virtualization. My opinions here, not my employer's.

    Paul Braren, MCSE in 1998, VCP #2681 in 2005, vExpert 2014 to 2024, Veeam Vanguard Emeritus, 2015 to 2019.

    Support TinkerTry

    PayPal | Patreon | VMware Store

    After 6 successful years testing then shipping well over 1,000 Xeon D Bundles, Wiredzone had to stop selling them in mid-2021 due to cost, supply, and logistics challenges. So far, Xeon D-1700/2700 (Ice Lake D) was a minor refresh for 2023, with Xeon D-1800/2800 (Granite Rapids D) refresh looking a little better for 2024. More cores, but still just PCIe Gen4 and DDR4. Looking ahead, I'm glad it's Pat Gelsinger at Intel's helm. I'm also grateful to have had the honor of working at VMware when Pat was the CIO there. I'll leave it at that, given the whole Broadcom thing.

    Easily update VMware ESXi at TinkerTry.com/easy-update-to-latest-esxi