Increasing timeout values for engine definition updates

SUMMARY:

Due to increases in the size of antivirus definitions over time, we suggest that Antigen and Forefront Server customers increase the timeout value for downloading these updates. While the current default value of 5 minutes has worked well, recent changes in one engine highlight the need to monitor and adjust this value.

 

Additionally, we recommend applying the latest hotfix rollups to resolve a specific issue that could cause production outages for customers on slow and/or high-latency links.

 

BACKGROUND:

 

When we released the new version of the Norman engine (https://blogs.technet.com/fss/archive/2009/03/27/norman-engine-5-93-8-released.aspx), the size of the full update package increased by approximately 18 MB. Within 24 hours, we received a small number of reports in which one or more of the following symptoms occurred:

 

· Mail queuing as a result of crashes in AntigenRealtime.exe/AntigenInternet.exe (Antigen 9) and FSCRealtimeScanner.exe/FSCTransportScanner.exe (Forefront Server).

· Services failing to start due to crashes in service executables.

 

Our investigation determined that these crashes were a combination of several factors:

 

· The download and install of the full package was timing out before it was completed.

· An issue, resolved in our latest released code, allowed a partial install of the new engine and definitions to take place, leaving the system in a state where it had a combination of old and new files.

 

Working with our affected customers, we determined that this issue could be resolved by increasing the timeout value for the download and successfully updating to the latest version of the engine package.

 

ACTION:

 

The main takeaway is that customers should increase the download timeout to a value larger than 5 minutes. This change should be made on all servers that download engine updates from the Internet and on any that have slow and/or high-latency links to internal distribution servers.

 

This value is stored in the registry. Follow these steps to change it:

 

1. Go to HKEY_LOCAL_MACHINE\Software\Sybari Software\Antigen for Exchange

2. Locate the EngineDownloadTimeout key

3. Open it up

4. Change the DECIMAL value to 1500.

 

This will set the timeout to 25 minutes. For more information about this value and making changes to it, refer to KB939411 (https://support.microsoft.com/kb/939411/en-us).
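The same change can be scripted so that it is applied consistently and never lowers a value that has already been raised. The PowerShell below is an added example, not code from Microsoft or from KB939411. It assumes the value is a DWORD measured in seconds (1500 = 25 minutes) and uses only the Antigen for Exchange key path given in the steps above; the function name and its parameters are hypothetical.

```powershell
# Added example: audit and raise EngineDownloadTimeout.
# Assumptions: the value is a DWORD in seconds, and the key path is the one
# listed in the steps above. Pass -KeyPath if KB939411 gives a different
# location for your product.
function Set-EngineDownloadTimeout {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [string]$KeyPath = 'HKLM:\Software\Sybari Software\Antigen for Exchange',
        [int]$Seconds = 1500
    )

    if (-not (Test-Path -Path $KeyPath)) {
        Write-Warning "Key not found: $KeyPath (product not installed, or a different path applies)."
        return
    }

    # Read the current value; the result is $null if the value is not present.
    $item = Get-ItemProperty -Path $KeyPath -Name EngineDownloadTimeout -ErrorAction SilentlyContinue
    $current = $item.EngineDownloadTimeout

    if ($null -eq $current) {
        Write-Output 'EngineDownloadTimeout is not present under this key.'
    } else {
        Write-Output ('Current EngineDownloadTimeout: {0} seconds ({1:N1} minutes)' -f $current, ($current / 60))
    }

    # Leave the setting alone if it already meets or exceeds the target.
    if ($null -ne $current -and $current -ge $Seconds) {
        Write-Output 'No change needed.'
        return
    }

    # -WhatIf previews the write; -Confirm prompts before it is made.
    if ($PSCmdlet.ShouldProcess($KeyPath, "Set EngineDownloadTimeout to $Seconds")) {
        Set-ItemProperty -Path $KeyPath -Name EngineDownloadTimeout -Value $Seconds -Type DWord
        Write-Output ('EngineDownloadTimeout set to {0} seconds ({1:N1} minutes).' -f $Seconds, ($Seconds / 60))
    }
}

# Preview only; rerun without -WhatIf from an elevated prompt to apply.
Set-EngineDownloadTimeout -WhatIf
```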

 

Additionally, the latest hotfix rollups for Antigen 9, Forefront Server for Exchange, and Forefront Server for SharePoint include code changes that minimize the possibility of engines being partially installed during a timeout. We recommend that customers obtain and apply the following:

 

Antigen 9.0 with Service Pack 1 Hotfix Rollup 5: https://support.microsoft.com/kb/957075

Forefront Server for Exchange with Server Service Pack 1 Hotfix Rollup 3: https://support.microsoft.com/kb/951629

Forefront Server for SharePoint with Service Pack 2 Hotfix Rollup 1: https://support.microsoft.com/kb/955982

Neil Carpenter
Senior Escalation Engineer, CSS Security Support Team