How to Manually Update the Malware Engine in Exchange 2013

I had an interesting case where a HTTP proxy server was preventing Exchange 2013 from updating the malware engine. The customer wanted to manually update the malware engine until his network security team could get the needed exceptions in their proxy server. I found several posts that cover this including:

Exchange 2013 Malware Engine Updates Troubleshooting

Anti-malware FAQ

Download engine and definition updates

How to manually update scan engines in Microsoft Forefront Protection for Exchange Server or Microsoft Forefront Protection for SharePoint

All had good information, but I found the procedures to be a little less than clear and ended up pulling parts of procedures out of them and putting them together. I also found some of the procedures overly complicated. Since I had to put instructions together for a customer anyway, I thought I would post them here.

1. Go to any computer that you know you can get to the update site at Attempting to connect to this site in a browser should render a 403 forbidden, that's ok, it confirms the path is accessible and that's all we need.

2. Grab the update script from save it to a local folder. For my purposes, I used c:\script. 

3. Open File Explorer and create the following folder: c:\ScanEngineUpdates

4. Open Windows Powershell, cd to the folder you saved the script to. In my case c:\script , and  Run :

.\Update-Engines.ps1 -EngineDirPath C:\ScanEngineUpdates\ -UpdatePathUrl -Engines Microsoft -Platforms amd64, x86

If you have any trouble executing the script due to restrictions, you can run: set-executionpolicy -unrestricted to allow it. Be sure to set it back to default when you are done: set-executionpolicy -default .

This will download the files with the right folder structure needed to C:\ScanEngineUpdates\

5. Copy the folder structure and files you just created to a server that you can create a share on that is accessible to your Exchange 2013 server. I did a right click and copied the c:\ScanEngineUpdates folder then pasted to c:\ on my file server. Create a share to this folder. For my purposes, I named the share "ScanEngineUpdates".

6. Now you need to make a decision, is this a permanent arrangement where you will manually download the updates or is it temporary? If it is permanent, you need to run the following command in the Exchange Management Shell for all your mailbox servers to set the primary URL for engine updates:

Set-MalwareFilteringServer <serverName> –PrimaryUpdatePath \\<Server>\<ResourceName>

For my purposes, I ran Set-MalwareFilteringServer wingtip-e2k13 –PrimaryUpdatePath \\WINGTIP-E2K13\ScanEngineUpdates.

If this is temporary, we don't want to change the primary. Instead we want to change the secondary. Run this:

Set-MalwareFilteringServer <serverName> –SecondaryUpdatePath \\<Server>\<ResourceName>

I ran: Set-MalwareFilteringServer wingtip-e2k13 –SecondaryUpdatePath \\WINGTIP-E2K13\ScanEngineUpdates.

7. Open Exchange Management Shell and run:


If you have any trouble running Start-EngineUpdate, execute this first: Add-PSSnapin -Name Microsoft.Forefront.Filtering.Management.PowerShell

8. If you updated the PrimaryUpdatePath, you should see an application event log entry for Event ID 6024 showing the path being checked. Shortly thereafter, you will see an Event ID 6031 Stating the update was successful.  If you chose to update the SecondaryUpdatePath, wait for the primary to fail as indicated by an Event ID: 6027  and the secondary will be checked as indicated by a Event ID: 6030 which should show your shared resource as the path being checked. This should be followed by an Event ID: 6031 stating the engine update process has successfully downloaded updates for Microsoft. Another indicator you were successful, would be to execute in the Exchange Management Shell: Get-EngineUpdateInformation . This should display the expected updated version and date updated information.

By the way, welcome to my blog post number 1, I will post more of these soon as I already have post # 2 almost ready to go. Comments are always welcome.

Comments (0)

Skip to main content