File scanner updating
Applies to: Forefront Security for Exchange Server
Forefront Security for Exchange Server enables you to choose virus scanning engines from multiple vendors. The standard Forefront Security for Exchange Server license includes all currently integrated antivirus engines. Although all engines are integrated, only five may be enabled at any time. By default, four randomly-selected engines plus the Microsoft Antimalware Engine are chosen. You can modify the four additional engine selections through the Forefront Server Security Administrator.
After Forefront Security for Exchange Server is installed, engine updates automatically begin. The scanner update settings are, by default, set to begin updating your engines five minutes after the FSCController is started. Updates are spaced at five-minute intervals. For more information about configuring scanning options, see Transport Scan Job, Realtime Scan Job, and Manual Scan Job.
If you are using a proxy server to access the Internet for scanner updates, these scheduled updates will fail. For information about configuring Forefront Security for Exchange Server to use a proxy server to retrieve updates, see Updating the file scanners through a proxy. After the configuration settings have been entered, use the Update Now button on the Scanner Updates work pane to perform an immediate scanner update for each engine.
Automatic file scanner updating
Scan engines, signature files, and worm list updates can be downloaded automatically from the Microsoft HTTP server, or from another Exchange server running Forefront Security for Exchange Server. Setting a schedule for checking the HTTP or Exchange server for a new scan engine means that you are automatically protected against new viruses without having to check versions or manually update the files. After Forefront Security for Exchange Server has automatically downloaded an updated scan engine, it automatically puts that engine to use. During file scanner updates, only the engine being updated is taken offline. The other engines continue to scan for viruses.
Scheduling an update
You can control when your scanning engines update, how often, and the update source.
If you are using the optional Microsoft Forefront Server Security Management Console to update the scan engines, you should use the Scanner Updates work pane to disable scheduled updates.
To schedule updates for scanning engines
In the SETTINGS section of the Shuttle Navigator, select Scanner Update. The Scanner Updates work pane appears. The top pane shows a list of all supported file scanners and the worm list.
Select a scan engine to be scheduled. The bottom pane contains the Primary and Secondary update paths and the update schedule for the selected engine. Additionally, there is information about that engine. (For more information, see Scanner Information.)
Set the primary update path by clicking Primary in the bottom pane and entering a value in the Network Update Path field. By default, FSE uses the primary update path to download updates. If the primary path fails for any reason, FSE uses the secondary update path, if any.
The default primary update path is https://forefrontdl.microsoft.com/server/scanengineupdate. You may change it to point to another HTTP update site, or if you would prefer to use UNC updating as the primary update path, enter the UNC path to another Exchange server. For more information about UNC updating, see Distributing updates.
To restore the default server path, right-click the Network Update Path field and select Default HTTP Path.
Set the secondary update path, if desired, by clicking Secondary in the bottom pane and entering a value in the Network Update Path field. If the primary path fails for any reason, FSE will use the secondary update path. It is left blank by default.
The secondary path may be set to use HTTP or UNC updating. Enter either a URL or a UNC path to another Exchange server. For more information about UNC updating, see Distributing updates.
Specify the Date to check for updates. If you choose a Frequency of Once, this date is the only time update checking will take place; otherwise, this date represents the first time update checking will take place. Click the left and right arrows on the calendar to change the month. Click a particular day to select it. (The current date is circled in red; a selected date turns blue.)
Set a time for the update to take place. Each of the subfields (hour, minute, seconds, and AM/PM) can be selected and set separately. You can enter a time or use the up and down buttons to change the current value of each subfield. FSE defaults to staggering the update time, leaving an interval of five minutes between engines. It is recommended that you stagger updates a minimum of 15 minutes apart.
Do not use the Windows scheduler to set or change scan engine updating times. Changes you make in the operating system are not reflected in FSE update scheduling. Use the Scanner Update Settings work pane only.
Specify how often the update will occur (the frequency). You can choose Once (update only once, on the specified date and time), Daily (update every day, at the same time), Weekly (update each week, on the same day and time), or Monthly (update each month, on the same date and time). It is recommended that you select Daily (the default), and then set a Repeat interval to update the engine at multiple times during the day.
Optionally indicate a repeat interval. Select Repeat, and then choose a time interval. (The minimum time is 15 minutes.) It is recommended that you check for updates at least every two hours. If a new update is not available at the scheduled time, the engine is not taken offline and no updating is done. The default is to repeat updating for each engine every hour.
Use the Enable and Disable buttons to control whether the update check will be performed for a selected engine. All engine updates are enabled by default. Even if you are not using a particular engine, you should schedule updates for it. That way, if you find you need to use that engine in the future, it will already be at the current update level.
Scheduling updates on multiple servers
When scheduling engine updates on multiple servers in your organization, it is recommended that you stagger the updates by at least five minutes, to prevent servers from timing out during the update process. When scheduling updates for multiple engines, it is also helpful to stagger the updates in five-minute intervals.
To perform an immediate update of a selected scanner, click the Update Now button on the Scanner Updates work pane. If an update exists, Forefront Security for Exchange Server will download the scanner and will start using it after the download is complete. While the engine download is in progress, the Update Now button remains inoperable. This button is useful for quick checks for a new scanner between regularly scheduled updates.
Update on load
Forefront Security for Exchange Server can be configured to update its file scanners when FSCController starts up. To configure Forefront Security for Exchange Server to update at startup, select the Perform Updates at Startup option in the Scanner Updates section of the General Options work pane.
Schedule engine updating using the scheduler on the Scanner Updates work pane. The engines that are to be updated are scheduled in five-minute intervals to avoid possible conflicts. This can be observed by typing at a command prompt after the FSCController has been started. This feature was mainly added for clustered Exchange servers where the inactive node will not receive updates while it is offline.
This is the information that appears on the Scanner Updates work pane for a selected scanner:
Engine Version. The version, as reported by the third-party scan DLL.
Signature Version. The version of the scanner's virus definition files currently in use, as reported by the third-party scan DLL (not available with every scanner).
Update Version. The value located in the Manifest.cab file.
Last Checked. The date and time of the last check made for a new scan engine or definition files.
Last Updated. The date and time of the last update made to the scan engine or definition files.
The Manifest.cab files, maintained by Microsoft, store information for determining if a newer version of a scan engine is available for download. (Each engine has an associated Manifest.cab file in its Package folder.) During a scheduled update or when Update Now has been invoked, Forefront Security for Exchange Server searches the network update path for a new update. To minimize overhead, the Manifest.cab file is first downloaded and used to determine if an update is required. If an update is not required, no further processing takes place. If an update is required, the update is then downloaded and applied. When the update is finished, the new Manifest.cab file overlays the old one.
This is the directory structure of the scan engines on a server running Forefront Security for Exchange Server:
other enginename files
Forefront Directory is the top-level directory where all of the FSE files are kept. This was created during the product's installation.
Engine Name is a directory with the name of an engine's vendor. There is an Engine Name directory for each engine.
The Package directory contains the most-recent Manifest.cab file.
The Version Directory name has the format yymmddvvvv (year, month, day, version, for example: 0602020001). On any particular day, there may be multiple version directories. Each contains the current Manifest.cab, the enginename_fullpkg.cab, and all other required files for the engine.
The most common method of distributing updates is to have one server (the "hub") receive updates from the Microsoft HTTP server and then share those updates among the rest of the servers in your environment (the "spokes"). After the hub receives an engine update, it can share that update with any other server whose network update path points to it.
Configuring servers to distribute and receive updates
You must configure both the hub and spoke servers before distributing updates.
Configuring the redistribution (hub) server and UNC credentials
To prepare a server to act as an update hub, you need to establish a Windows share for its Engines directory (which is, by default, in c:\Program Files\Microsoft Forefront Security\Exchange Server\Data).
Next, enable the Redistribution Server option in the Scanner Updates section of General Options on the chosen hub server. This configures Forefront Security for Exchange Server to save the two most recent engine update packages in the engine package folder instead of the usual single engine package. FSE will also download the full update package rather than perform an incremental update. The multiple engine packages enable the spoke servers to continue pulling updates from the redistribution server while a new update is being downloaded.
Finally, enter the UNC credentials.
To configure UNC credentials
In the SETTINGS section of the Shuttle Navigator, select General Options.
In the Scanner Updates section, select Use UNC Credentials.
In the UNC Username field, enter the name of a user with access rights to the UNC path. For more information, see "General Options" in Forefront Server Security Administrator.
In the UNC Password field, enter the password for that user.
Click Save to save your changes.
Configuring the spoke servers
After the hub server has been set up, configure the spoke servers to point to the shared directory by entering the hub's UNC path (\\ServerName\ShareName), in the Primary Network Update Path field of each of the spokes.
The use of static IP addresses within the update path is neither recommended nor supported.
Example: Server Ex1 receives its updates automatically from the Microsoft HTTP server. Ex1 has Forefront Security for Exchange Server installed in C:\Program Files(x86)\Microsoft Forefront Security\Exchange Server, and you have created a share, called AdminShare, that begins at the Engines directory. Another server, Ex2, will get its updates from Ex1, using \\Ex1\AdminShare as its primary network update path.
Notifications following engine updates
Forefront Security for Exchange Server can be configured to send a notification to the Virus Administrator following each engine update. The notifications include:
Subject Line:Successful update of <engine_name> scan engine on server <server_name>
Body:The <engine_name> scan engine has been updated from <update_path>
No update available:
Subject Line:No new update for the <engine_name> scan engine on server <server_name>
Body:There are currently no new scan engine files available for the <engine_name> scan engine at <update_path>
Subject Line:Failed update of <engine_name> scan engine on server <server_name>
Body:An error occurred while updating the <engine_name> scan engine. [There may be an error message included here.] Please see the Program Log for more information.
If the Program Log contains the "could not create mapper object" error, it means that the engine in question did not load properly.
Engine update notifications are controlled in the General Options work pane by selecting Send Update Notification in the Scanner Updates section
Putting the new file scanner to use
After a download has successfully completed, the newly-downloaded file scanner is tested. If the test fails, scan jobs continue to use the current version of the file scanner. Otherwise, all scan jobs are notified that there is a new file scanner. If a scan job is currently scanning a file, it will finish that file, and then load the new file scanner before continuing. If a scan job is currently idle, it will load the new file scanner immediately.
Updating the file scanners through a proxy
In environments where the Exchange server must access the Internet through a proxy server, Forefront Security for Exchange Server can be configured to retrieve engine updates through that server.
To configure proxy server updating
In the SETTINGS section of the Shuttle Navigator, select General Options.
In the Scanner Updates section of General Options, select Use Proxy Settings.
Enter information about the proxy server: name or IP address, port, user name (optional), and password (optional). For more information about these fields, see "General Options" in Forefront Server Security Administrator.
After the proxy server settings have been entered and saved, they can be deployed to other servers by replicating the General Options settings using the Microsoft Forefront Server Security Management Console (FSSMC).
Adding and deprecating scan engines
When Forefront Security for Exchange Server (FSE) adds or deprecates an engine, you are informed via notification entries in the event log. You can also configure notifications to be sent to Virus Administrators in addition to the event log by using the Forefront Server Security Administrator; for more information about how to do this, see E-mail notifications.
Adding new scan engines
When FSE adds a scan engine, an announcement is written to the event log that publicizes that the engine was added to your configuration. This notification - which includes links to information about this new engine - is written to the event log only once.
Deprecating scan engines
When FSE is no longer going to support a scan engine, an announcement is written to the event log to publicize the date on which updates for this engine will no longer be available. Notifications, which include links to information about this engine's deprecation, are written to the event log on a weekly basis up until the date on which the engine becomes obsolete.
Upon receiving a notification about an engine being deprecated, it is strongly recommended that you disable the use of this engine with any scan jobs. Once the engine becomes obsolete, the definitions on disk will become out of date and the scanning usefulness of this engine diminishes.
After the date on which the engine becomes obsolete, updates are no longer available for this engine. If the obsolete engine is still enabled for updates, update checks for that engine are automatically disabled, and an error notification is written to the event log. If the obsolete engine is in use with a scan job, an error notification is written to the event log on a daily basis until the engine is disabled for that scan job.