Downloading antivirus definition updates from a content distribution network

Hello, this is Kelly Borndale, a PM from the Forefront Services/Ops Team!

Due to growing threats, the size of files downloaded within the antivirus engine definition update packages has grown over time (previously mentioned here). In order to get definition updates to Antigen and Forefront Server products as efficiently as possible, we have begun to move parts of our definition updates to a content distribution network (CDN). This brings the larger parts of the definition updates to servers located closer to you, in the Internet sense. It also allows your servers to download definition updates faster, during “normal” definition production times, as well as in the event of an outbreak, when definition production would occur more frequently.

Previously, there had been concern about how CDNs would work with our product’s frequent update pattern. CDNs are historically very good at serving cached copies of files that don’t change very often, but what happens when you have files that change frequently, such as our manifest and metadata files? Internally, we had concerns about our clients getting old update information because of file age and the constant rewriting of our metadata and manifest files. We wanted to make sure that the latest definition updates were always available, but we also needed to make sure that we could react to surges in definition update size or frequency on the fly.

Working with our Operations team, we came up with a plan to address these concerns. We’ve set up our file cache policies to make sure that all manifest and metadata requests go directly to our origin servers. These are the servers to which our back-end definition processing service publishes definition updates directly, meaning these files are not served via the CDN. This alleviates any concerns about the CDN’s handling of frequently changing files, as the CDN isn’t the entity providing them.
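To make the cache-policy split concrete, here is an added toy model of the arrangement just described; it is not Microsoft's or the product's code, and the file names, TTL and clock are constructed. It contrasts an edge that caches the manifest like any other file with one that forwards every manifest request to the origin, and shows why only the second keeps clients on the latest definitions while packages remain cacheable.

```python
MANIFEST = "manifest.xml"   # small file, rewritten on every publish (constructed name)
PACKAGE_TTL = 3600          # seconds a cached package stays valid on an edge (assumed)

def publish(origin, version, payload):
    """Back-end definition service publishing a new update to the origin servers."""
    origin[f"defs-{version}.bin"] = payload
    origin[MANIFEST] = f"{version};defs-{version}.bin"

class Edge:
    """One CDN edge node with a simple TTL cache. With passthrough=True the
    manifest is never cached: every manifest request is forwarded to the origin."""
    def __init__(self, origin, passthrough, clock):
        self.origin, self.passthrough, self.clock = origin, passthrough, clock
        self.cache = {}          # name -> (expires_at, content)
        self.origin_hits = 0     # how many requests reached the origin

    def fetch(self, name):
        cacheable = not (self.passthrough and name == MANIFEST)
        if cacheable:
            entry = self.cache.get(name)
            if entry and entry[0] > self.clock():
                return entry[1]                  # served from the CDN cache
        self.origin_hits += 1
        content = self.origin[name]
        if cacheable:
            self.cache[name] = (self.clock() + PACKAGE_TTL, content)
        return content

def client_update(edge):
    """An Antigen/Forefront server: read the manifest, then fetch the package it names."""
    version, package = edge.fetch(MANIFEST).split(";")
    return version, edge.fetch(package)

def simulate(passthrough):
    """Publish v1, let a client update, publish v2 ten minutes later (well inside
    the package TTL) and update again. Returns the version and payload the client
    ends up with, plus the number of origin requests made."""
    origin, now = {}, [0]
    edge = Edge(origin, passthrough, lambda: now[0])
    publish(origin, "v1", b"defs 1")
    client_update(edge)
    now[0] += 600
    publish(origin, "v2", b"defs 2")
    version, payload = client_update(edge)
    return version, payload, edge.origin_hits

if __name__ == "__main__":
    print("manifest cached on edge:", simulate(False))   # client stuck on v1
    print("manifest passed to origin:", simulate(True))  # client gets v2
```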

This change is largely invisible to anyone using the product line. We’ve worked to come up with a solution that works with in-market products as well as upcoming releases. That said, there is one customer scenario that may be affected by this change. If the server that downloads the definition packages from the Internet is behind a firewall that restricts outbound access to the Internet on port 80, definition updates may fail. To work around this, make sure that your Antigen and Forefront servers are able to send HTTP traffic to the Internet. If there are security concerns around opening up outbound traffic for your Antigen or Forefront servers, redistribution servers can be used to bring updates from the Internet into your internal network. In this setup, a redistribution server accesses the Internet over port 80 and then hosts the packages internally for the mail servers, so you can continue to restrict the mail servers’ access to the Internet. For information on configuring distribution servers, please read the following help topics:

For FSE: https://technet.microsoft.com/en-us/library/bb795083.aspx

For Antigen: https://technet.microsoft.com/en-us/library/bb914037.aspx

For FSSMC: https://technet.microsoft.com/en-us/library/bb878182.aspx

[Figure: Update path]

K.Borndale

IT/Ops Program Manager