ApplicationHost.config file getting corrupted when OneCare or Forefront is running?
We have seen some reported cases where the applicationHost.config file gets corrupted when OneCare or Forefront is running on the same machine. By "corruption" I mean that the XML is malformed, so you may get an error:
Error: Configuration file is not well-formed XML.
Without going into the technical details, it has to do with how OneCare/Forefront scans the files and the timing between when OneCare/Forefront scans the files and when an application, such as IIS, performs a file operation. The OneCare/Forefront team is currently working on a fix to address this problem, but for now, the following workaround is provided:
- Create the following key: “HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MpFilter\Parameters”.
- Add a DWORD value “ScanOnCleanup” and set it to 0.
- Restart the OneCare/Forefront service.
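The three steps above as an elevated PowerShell script (an added example, not from the original post). It assumes the default IIS location of applicationHost.config under %windir%\System32\inetsrv\config, and since the post does not name the OneCare/Forefront service, the service name is a placeholder you must fill in. After applying the setting it also checks whether applicationHost.config currently parses as well-formed XML, which is the symptom the post describes.

```powershell
# Added example (not from the original post): apply the ScanOnCleanup workaround
# and check that applicationHost.config still parses as XML. Run elevated.
$keyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\MpFilter\Parameters'
$valueName = 'ScanOnCleanup'
# PLACEHOLDER: the post does not name the service; use Get-Service to find the
# OneCare/Forefront service name on your machine and put it here.
$serviceName = 'REPLACE_WITH_ANTIMALWARE_SERVICE_NAME'
# Assumption: default IIS configuration path.
$configPath  = Join-Path $env:windir 'System32\inetsrv\config\applicationHost.config'

# Step 1: create the Parameters key if it does not exist yet.
if (-not (Test-Path $keyPath)) {
    New-Item -Path $keyPath -Force | Out-Null
}

# Step 2: add (or reset) the DWORD value ScanOnCleanup = 0.
$current = Get-ItemProperty -Path $keyPath -Name $valueName -ErrorAction SilentlyContinue
if ($null -eq $current -or $current.$valueName -ne 0) {
    New-ItemProperty -Path $keyPath -Name $valueName -PropertyType DWord -Value 0 -Force | Out-Null
    Write-Host "Set $valueName = 0 under $keyPath"
} else {
    Write-Host "$valueName is already 0; nothing to change"
}

# Step 3: restart the anti-malware service so the filter picks up the new setting.
if ($serviceName -like 'REPLACE_WITH_*') {
    Write-Warning 'Fill in $serviceName before restarting the service.'
} else {
    Restart-Service -Name $serviceName -Force
}

# Check: the symptom in the post is a malformed applicationHost.config.
# Loading it with the .NET XML parser tells us whether it is well-formed right now.
function Test-ApplicationHostConfig {
    param([string]$Path)
    try {
        $xml = New-Object System.Xml.XmlDocument
        $xml.Load($Path)   # throws XmlException on malformed content
        return $true
    } catch {
        Write-Warning "applicationHost.config is not well-formed XML: $($_.Exception.Message)"
        return $false
    }
}
Test-ApplicationHostConfig -Path $configPath
```

If the check returns False, IIS will fail with the same "not well-formed XML" error until the file is restored from a backup or from the inetsrv\config\history folder.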
The registry setting above tells the OneCare/Forefront service not to scan files while they are being written or modified. This is not a security compromise because:
- Not having the above registry value does not mean that OneCare/Forefront prevents an infected file from being saved. Rather, it is a notification about the infected file. So without the registry value, you may be notified sooner, but the infected file is still written. This is unavoidable because anti-virus programs, including OneCare/Forefront, must let the file be written in its entirety before it can be inspected for viruses.
- All files are still scanned when an attempt is made to open them. So if a file is infected, OneCare/Forefront would prevent it from being opened, and the system is still safe.
I will post a follow-up when the fix from OneCare/Forefront becomes available. Meanwhile, the workaround above is your best alternative.
(Note that Forefront has a way to exclude a path from scanning. Configuring Forefront not to scan applicationHost.config is not a viable workaround, because despite this setting Forefront still scans the file; it only omits it from reporting. There is a reason for this, and the behavior is by design.)