Updating Scan Engines in FSE, FSSP, FSOCS and Antigen 9 – what are my options?

Customers often ask us the best way to update their scan engines in their specific environment, so I’m writing this blog to go through the main scenarios that customers face and to discuss how to best choose an update method that suits your individual needs.


Note: This blog targets current, fully released Antigen and Forefront server products (FSE, FSSP, FSOCS and Antigen 9). It does not cover older, legacy Antigen products, or the future Forefront product wave that is code-named ‘Stirling’.


To start with, here’s a table that shows possible and recommended engine update methods for common scenarios:





Direct HTTP



UNC+Manual download

1-2 Antigen/Forefront servers




Last Resort!

Multiple servers, multiple sites



Recommended (1 FSSMC server per site, per 2000 managed servers)

Last Resort!

Antigen for SMTP / Forefront Edge servers in a DMZ



Recommended (install in DMZ)

Last Resort!

Forefront for Office Communications server



Not supported

Last Resort!

Closed environment (no internet/network access)






Let’s now discuss these methods and explain when each is most appropriate to use:

·         A: Direct HTTP Updates from Microsoft Servers

·         B: UNC Hub Updates

·         Combining Direct HTTP Updates and UNC Updates for Redundancy

·         C: Pushing out Updates via FSSMC

·         D: Manual Download of Engine Files with UNC Updates

·         General Notes

·         Abbreviations



A: Direct HTTP Updates from Microsoft Servers

This is the default, enabled update method for our products. A process called GetEngineFiles.exe takes the default HTTP path (from SETTINGSàScanner Updates in the Administrator UI) and adds a bit more to it, in order to download engine files directly from Microsoft update servers.

If you are only using a few Antigen / Forefront servers and do not have a license for FSSMC, then this may be the best option for you.



B: UNC Hub Updates

For this method, at least one server (our update ‘hub’ – not to be confused with an Exchange 2007 Hub Role J) still needs to download engines from a Microsoft HTTP update server. This can be any Antigen 9 or Forefront (FSE/FSSP/FSOCS) product that has internet access. You then share the ‘Engines’ folder within that installation, so that other Antigen / Forefront servers can use a UNC path to update from the hub (rather than from Microsoft HTTP servers):

UNC Engine Share 













This helps to reduce internet bandwidth usage and also to speed up downloads on the local LAN.

Depending on your internal network speed and number of servers dependent on the hub, you might want to setup more than one hub, e.g. one per site.

In order to avoid possible contention for engine folder writes, you must also enable the ‘Redistribution Server’ setting on any hub servers. This is found under SETTINGSàGeneral Options in the Administrator UI.



Combining Direct HTTP Updates and UNC Updates for Redundancy

Antigen 9 or Forefront (FSE/FSSP/FSOCS) products permit up to 2 update locations per scan engine. Use these to your advantage to provide redundancy in your environment. Depending on your specific needs, you might choose any one of these combinations for your Network Update Paths (NUP):

·         Set the Primary NUP to the HTTP default location, but point the Secondary NUP to a share on another server to retrieve updates from another servers (UNC path), should the HTTP path become unavailable;

·         Set the Primary NUP to update from your UpdateHub1 (via UNC) to take advantage of your speedy LAN. Set the Secondary NUP to the HTTP default location, should UpdateHub1 not be available;

·         Set the Primary NUP to update from your UpdateHub1 (via UNC) to take advantage of your speedy LAN. Set the Secondary NUP to your UpdateHub2 for redundancy.

Note: a Secondary NUP is only used when the Primary NUP is unavailable. If the Primary NUP is available but does not have any new updates, the Secondary NUP is not checked.



C: Pushing out Updates via FSSMC

You can use FSSMC to do the following, with regard to engine updates:

·         Download and cache the latest 5 Update Versions for any engine;

·         Deploy new engines automatically to any Forefront servers that you specify;

·         Poll Forefront servers to see if they have the latest Update Version or not (automatic comparison).

FSSMC is the recommended way to update multiple Antigen 9 and Forefront (FSE/FSSP/FSOCS) servers in a large organisation. It is used in place of HTTP/UNC updates (methods A and B above), as it proactively pushes new updates out to all managed Antigen 9 or Forefront (FSE/FSSP/FSOCS) products. Make sure that you have disabled all local updates on each Antigen and Forefront server before using FSSMC to deploy updates to them.

FSSMC is available through normal MS channels. For more information, please use these links:

·         FSSMC Home

·         FSSMC Forum

Note that FSSMC does not support FSOCS at this time.



D: Manual Download of Engine Files with UNC Updates

You’ll see that this is almost always down as the “Last Resort” in the table above, because it really does take a lot of hassle to set up. Ideally, you’d use a script to frequently check for and download new engines (2 files per engine; manifest.cab and <Engine>_fullpkg.cab).


This method also has the disadvantage of you needing to download the full engine package each time, whereas all of the aforementioned methods do not (they will frequently use incremental update packages). Full updates can comprise of 15-60MB of data, so this method is not only a pain to setup, but is also bandwidth-intensive. Still, it may be your only option in an environment where you have no direct access to the internet or other Antigen 9 or Forefront (FSE/FSSP/FSOCS) product installs.


The idea is to download and present the engine files to a folder structure similar to that of the Engines folder in any Antigen 9 or Forefront (FSE/FSSP/FSOCS) product. Whether you choose to download files manually or write a script to do this, the steps you’ll need to follow to download and house engine files will be the same:


1.       On the download server (machine that does have internet access), create the download folder structure, sharing the top-level folder (if necessary). Use this structure format:

Engine Folder Structure 








You will have one EngineName folder per engine (!) and the UpdateVersion folder name will depend on the currently available engine (see step 3 to retrieve the Update Version per engine).

2.       Download the manifest.cab for each engine. This needs to be saved into both the EngineName and the UpdateVersion folders. Here are the links to the various manifest.cab files:

Antigen 9

Forefront (FSE/FSSP/FSOCS)

Anti-Virus Engines

Ahnlab manifest.cab

Ahnlab manifest.cab

Antigen manifest.cab

Antigen manifest.cab

CAVet manifest.cab

CAVet manifest.cab

Command manifest.cab

Command manifest.cab

Kaspersky5 manifest.cab

Kaspersky5 manifest.cab

Microsoft manifest.cab

Microsoft manifest.cab

Norman manifest.cab

Norman manifest.cab

Sophos manifest.cab

Sophos manifest.cab

VBuster manifest.cab

VBuster manifest.cab

Anti-Spam Engines

Spamcure manifest.cab


3.       Open the manifest.cab and parse the manifest.xml file within, looking for the value of the “version” element:

Manifest Excerpt 







4.       You can now complete the download folder structure by creating the UpdateVersion subfolder for each engine, as you now know the update version number from each manifest.xml.

5.       Download the engine package CAB by amending and retrieving the following URL:

 FOREFRONT: http://forefrontdl.microsoft.com/server/scanengineupdate/x86/<Engine>/


 ANTIGEN: http://antigendl.microsoft.com/antigen/x86/<Engine>/Package/<UpdateVersion>/


...where <Engine> is the name of the engine that you are retrieving and <UpdateVersion> is the “version” element’s value from manifest.xml, e.g.

FOREFRONT: http://forefrontdl.microsoft.com/server/scanengineupdate/x86/Microsoft/


ANTIGEN: http://antigendl.microsoft.com/antigen/x86/Microsoft/Package/0904080003/


Each CAB file should be saved to the corresponding UpdateVersion subfolder.

6.       Next, copy the entire engine source folders to the isolated environment (assuming there is no direct access to the machine that you used for downloads). You may even need to copy the files across on a USB stick to do this, maintaining the same folder structure.

7.       Wherever your final engine source folders are located, next share the top level folder. You should end up with a folder structure like this:

Final UNC Structure





















Note that the same manifest.cab appears in 2 places and <Engine>_fullpkg.cab only needs to be in the UpdateVersion subfolder. Check that this is the same for every engine that you need to update.

8.       In the Antigen 9 or Forefront (FSE/FSSP/FSOCS) Administrator UI, go to SETTINGSàScanner Updates and set the Primary Network Update Path for each engine to your UNC share, i.e. \\server1\MyShareName$

9.       For each engine, now either click on the Update Now button to trigger an immediate download of the engine from the engine source folders, or alternatively schedule updates per engine.



General Notes

·         Important: the Manual Download method (D) requires manual intervention on your part; therefore it would only be supported by CSS on a best-effort basis, should you run into any issues. CSS does not provide any scripts to support this method at present.

·         Manifest.cab files expire within a certain time limit for added security (varies per engine; usually within a few days).

·         At the current time of writing, Antigen 9 or Forefront (FSE/FSSP/FSOCS) update files are interchangeable, so you can use Forefront engines for Antigen 9 and vice-versa. This means that you can use one hub to serve both Antigen and Forefront installations via UNC (or only need to download one set of files if you are updating manually).

·         Even if you are running a Forefront (FSE/FSSP/FSOCS) product on a x64 platform, the paths to engines will contain “x86”, since all engines are 32-bit.

·         The name of the Kaspersky engine for manual updates should be ‘Kaspersky5’ (not ‘Kaspersky’).

·         The name of the Virus Buster engine for manual updates should be ‘VBuster’ (not ‘Virus Buster’ or ‘VirusBuster’).




CSS - (Microsoft) Customer Service and Support

FSE - Forefront Server Security for Exchange

FSOCS - Forefront Security for Office Communications Server 2007

FSSMC - Forefront Server Security Management Console

FSSP - Forefront Server Security for Sharepoint

NUP - Network Update Path

UNC - Universal Naming Convention. Example path: \\server1\MyShareName$




Andy Day

Microsoft CSS (Customer Service and Support)

Comments (2)

  1. Showbox apk download strategy is suitable for all Smartphone brands like Sony, HTC, Samsung, Lenovo and Asus and so on. Showbox App is for these mobiles, as well as works for all Android based telephones. This instructional exercise is about, how to download
    Showbox apk record for your Android.


    Showbox App takes a shot at Laptop too. Yes, this (Showbox.apk) document additionally underpins your PC by the utilization of an emulator. I’ll post an alternate instructional exercise for that also, yet for the time being this is for the people who are having
    Smartphones. Here is a brief introduction with respect to Showbox application.


    Showbox is not a standard Android application, it’s a stunning wellspring of stimulation. This announcement is given by me, as well as the general population who are utilizing it. It gives heaps of TV appears and motion pictures to watch at no expense.


    Such a variety of variants were discharged in 2015 and first and foremost of 2016, a large portion of them are working great. Showbox 4.27 apk is one among them and the most recent variant is likewise profit here. Be that as it may, you can watch them in three
    distinct routes as indicated by clarity. They are Low, Medium and High qualities. Take after the strides orchestrated underneath to introduce the application.


Skip to main content