Updating Scan Engines in FSE, FSSP, FSOCS and Antigen 9 – what are my options?

Customers often ask us the best way to update their scan engines in their specific environment, so I’m writing this blog to go through the main scenarios that customers face and to discuss how to best choose an update method that suits your individual needs.

Note: This blog targets current, fully released Antigen and Forefront server products (FSE, FSSP, FSOCS and Antigen 9). It does not cover older, legacy Antigen products, or the future Forefront product wave that is code-named ‘Stirling’.

To start with, here’s a table that shows possible and recommended engine update methods for common scenarios:

| Scenario | Direct HTTP | UNC Hub | FSSMC | UNC + Manual download |
|---|---|---|---|---|
| 1-2 Antigen/Forefront servers | Recommended | Possible | Possible | Last Resort! |
| Multiple servers, multiple sites | Possible | Possible | Recommended (1 FSSMC server per site, per 2000 managed servers) | Last Resort! |
| Antigen for SMTP / Forefront Edge servers in a DMZ | Recommended | Possible | Recommended (install in DMZ) | Last Resort! |
| Forefront for Office Communications Server | Possible | Possible | Not supported | Last Resort! |
| Closed environment (no internet/network access) | N/A | N/A | N/A | Recommended |

Let’s now discuss these methods and explain when each is most appropriate to use:

· A: Direct HTTP Updates from Microsoft Servers

· B: UNC Hub Updates

· Combining Direct HTTP Updates and UNC Updates for Redundancy

· C: Pushing out Updates via FSSMC

· D: Manual Download of Engine Files with UNC Updates

· General Notes

· Abbreviations

A: Direct HTTP Updates from Microsoft Servers

This is the default update method and is enabled out of the box. A process called GetEngineFiles.exe takes the default HTTP path (from SETTINGS → Scanner Updates in the Administrator UI), appends the rest of the path to it, and downloads engine files directly from Microsoft update servers.

If you are only using a few Antigen / Forefront servers and do not have a license for FSSMC, then this may be the best option for you.

B: UNC Hub Updates

For this method, at least one server (our update ‘hub’ – not to be confused with an Exchange 2007 Hub Role :-)) still needs to download engines from a Microsoft HTTP update server. This can be any Antigen 9 or Forefront (FSE/FSSP/FSOCS) product that has internet access. You then share the ‘Engines’ folder within that installation, so that other Antigen / Forefront servers can use a UNC path to update from the hub (rather than from Microsoft HTTP servers):

[Figure: UNC Engine Share]

This helps to reduce internet bandwidth usage and also to speed up downloads on the local LAN.

Depending on your internal network speed and the number of servers dependent on the hub, you might want to set up more than one hub, e.g. one per site.

In order to avoid possible contention for engine folder writes, you must also enable the ‘Redistribution Server’ setting on any hub servers. This is found under SETTINGS → General Options in the Administrator UI.

Combining Direct HTTP Updates and UNC Updates for Redundancy

Antigen 9 or Forefront (FSE/FSSP/FSOCS) products permit up to 2 update locations per scan engine. Use these to your advantage to provide redundancy in your environment. Depending on your specific needs, you might choose any one of these combinations for your Network Update Paths (NUP):

· Set the Primary NUP to the HTTP default location, but point the Secondary NUP to a share on another server (UNC path) to retrieve updates from that server, should the HTTP path become unavailable;

· Set the Primary NUP to update from your UpdateHub1 (via UNC) to take advantage of your speedy LAN. Set the Secondary NUP to the HTTP default location, should UpdateHub1 not be available;

· Set the Primary NUP to update from your UpdateHub1 (via UNC) to take advantage of your speedy LAN. Set the Secondary NUP to your UpdateHub2 for redundancy.

Note: a Secondary NUP is only used when the Primary NUP is unavailable. If the Primary NUP is available but does not have any new updates, the Secondary NUP is not checked.

C: Pushing out Updates via FSSMC

You can use FSSMC to do the following, with regard to engine updates:

· Download and cache the latest 5 Update Versions for any engine;

· Deploy new engines automatically to any Forefront servers that you specify;

· Poll Forefront servers to see if they have the latest Update Version or not (automatic comparison).

FSSMC is the recommended way to update multiple Antigen 9 and Forefront (FSE/FSSP/FSOCS) servers in a large organisation. It is used in place of HTTP/UNC updates (methods A and B above), as it proactively pushes new updates out to all managed Antigen 9 or Forefront (FSE/FSSP/FSOCS) products. Make sure that you have disabled all local updates on each Antigen and Forefront server before using FSSMC to deploy updates to them.

FSSMC is available through normal MS channels. For more information, please use these links:

· FSSMC Home

· FSSMC Forum

Note that FSSMC does not support FSOCS at this time.

D: Manual Download of Engine Files with UNC Updates

You’ll see that this is almost always listed as the “Last Resort” in the table above, because it really is a hassle to set up. Ideally, you’d use a script to check frequently for and download new engines (2 files per engine: manifest.cab and <Engine>_fullpkg.cab).

This method also has the disadvantage that you need to download the full engine package each time, whereas none of the aforementioned methods do (they frequently use incremental update packages). Full updates can be 15-60 MB of data, so this method is not only a pain to set up, but is also bandwidth-intensive. Still, it may be your only option in an environment where you have no direct access to the internet or to other Antigen 9 or Forefront (FSE/FSSP/FSOCS) product installs.

The idea is to download and present the engine files to a folder structure similar to that of the Engines folder in any Antigen 9 or Forefront (FSE/FSSP/FSOCS) product. Whether you choose to download files manually or write a script to do this, the steps you’ll need to follow to download and house engine files will be the same:

1. On the download server (machine that does have internet access), create the download folder structure, sharing the top-level folder (if necessary). Use this structure format:

[Figure: Engine Folder Structure (<SharedFolder>\<EngineName>\<UpdateVersion>)]

You will have one EngineName folder per engine (!) and the UpdateVersion folder name will depend on the currently available engine (see step 3 to retrieve the Update Version per engine).

2. Download the manifest.cab for each engine. This needs to be saved into both the EngineName and the UpdateVersion folders. Here are the links to the various manifest.cab files:

| Engine | Antigen 9 | Forefront (FSE/FSSP/FSOCS) |
|---|---|---|
| Anti-Virus Engines | | |
| Ahnlab | Ahnlab manifest.cab | Ahnlab manifest.cab |
| Antigen | Antigen manifest.cab | Antigen manifest.cab |
| CAVet | CAVet manifest.cab | CAVet manifest.cab |
| Command | Command manifest.cab | Command manifest.cab |
| Kaspersky5 | Kaspersky5 manifest.cab | Kaspersky5 manifest.cab |
| Microsoft | Microsoft manifest.cab | Microsoft manifest.cab |
| Norman | Norman manifest.cab | Norman manifest.cab |
| Sophos | Sophos manifest.cab | Sophos manifest.cab |
| VBuster | VBuster manifest.cab | VBuster manifest.cab |
| Anti-Spam Engines | | |
| Spamcure | Spamcure manifest.cab | N/A |

3. Open the manifest.cab and parse the manifest.xml file within, looking for the value of the “version” element:

[Figure: Manifest Excerpt]

4. You can now complete the download folder structure by creating the UpdateVersion subfolder for each engine, as you now know the update version number from each manifest.xml.

5. Download the engine package CAB by amending and retrieving the following URL:

FOREFRONT: https://forefrontdl.microsoft.com/server/scanengineupdate/x86/<Engine>/Package/<UpdateVersion>/<Engine>_fullpkg.cab

ANTIGEN: https://antigendl.microsoft.com/antigen/x86/<Engine>/Package/<UpdateVersion>/<Engine>_fullpkg.cab

...where <Engine> is the name of the engine that you are retrieving and <UpdateVersion> is the “version” element’s value from manifest.xml, e.g.

FOREFRONT: https://forefrontdl.microsoft.com/server/scanengineupdate/x86/Microsoft/Package/0904080003/Microsoft_fullpkg.cab

ANTIGEN: https://antigendl.microsoft.com/antigen/x86/Microsoft/Package/0904080003/Microsoft_fullpkg.cab

Each CAB file should be saved to the corresponding UpdateVersion subfolder.

6. Next, copy the entire engine source folders to the isolated environment (assuming there is no direct access to the machine that you used for downloads). You may even need to copy the files across on a USB stick to do this, maintaining the same folder structure.

7. Wherever your final engine source folders are located, next share the top level folder. You should end up with a folder structure like this:

[Figure: Final UNC Structure]

Note that the same manifest.cab appears in 2 places and <Engine>_fullpkg.cab only needs to be in the UpdateVersion subfolder. Check that this is the same for every engine that you need to update.

8. In the Antigen 9 or Forefront (FSE/FSSP/FSOCS) Administrator UI, go to SETTINGS → Scanner Updates and set the Primary Network Update Path for each engine to your UNC share, e.g. \\server1\MyShareName$

9. For each engine, now either click on the Update Now button to trigger an immediate download of the engine from the engine source folders, or alternatively schedule updates per engine.
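The script that step D's introduction suggests, written here as an added example (it is not the post's code and CSS provides no script for this method). It builds the step 5 package URL, reads the “version” element for step 3, lays the files out as steps 1, 2, 4 and 7 describe, and then runs the step 7 check (manifest.cab in both folders, <Engine>_fullpkg.cab only in the UpdateVersion subfolder). It also rejects engine names the General Notes warn about (‘Kaspersky’ instead of ‘Kaspersky5’, ‘Virus Buster’ instead of ‘VBuster’). Assumptions, also marked in the code: the per-engine manifest.cab links did not survive in the post, so the manifest URL is guessed as <root>/<Engine>/manifest.cab; the position of the “version” element inside manifest.xml is not shown, so the whole document is searched; the CAB is unpacked with expand.exe (Windows) or cabextract; the function names are mine.

```python
# Added example (not from the original post): helper for the manual
# download method (D). Points marked ASSUMPTION are not stated in the post.
import os
import shutil
import subprocess
import tempfile
import urllib.request
import xml.etree.ElementTree as ET

# Engine folder names as they appear in the post's manifest table. The post
# stresses that Kaspersky and Virus Buster are spelled 'Kaspersky5' and 'VBuster'.
ANTIVIRUS_ENGINES = ("Ahnlab", "Antigen", "CAVet", "Command", "Kaspersky5",
                     "Microsoft", "Norman", "Sophos", "VBuster")
ANTISPAM_ENGINES_ANTIGEN_ONLY = ("Spamcure",)

# Download roots taken from the URLs in step 5 of the post.
PRODUCT_ROOTS = {
    "FOREFRONT": "https://forefrontdl.microsoft.com/server/scanengineupdate/x86",
    "ANTIGEN": "https://antigendl.microsoft.com/antigen/x86",
}

def valid_engine_name(engine, product):
    # Spamcure exists for Antigen 9 only (N/A for Forefront in the post's table).
    names = ANTIVIRUS_ENGINES
    if product == "ANTIGEN":
        names = names + ANTISPAM_ENGINES_ANTIGEN_ONLY
    return engine in names

def manifest_url(product, engine):
    # ASSUMPTION: the post's per-engine manifest.cab links were lost; this
    # guesses <root>/<Engine>/manifest.cab. Verify against the real link targets.
    return f"{PRODUCT_ROOTS[product]}/{engine}/manifest.cab"

def package_url(product, engine, update_version):
    # Step 5: <root>/<Engine>/Package/<UpdateVersion>/<Engine>_fullpkg.cab
    return (f"{PRODUCT_ROOTS[product]}/{engine}/Package/{update_version}/"
            f"{engine}_fullpkg.cab")

def parse_update_version(manifest_xml_text):
    # Step 3: read the "version" element. ASSUMPTION: its position in
    # manifest.xml is not shown in the post, so search the whole tree and
    # ignore any XML namespace on the tag.
    root = ET.fromstring(manifest_xml_text)
    for elem in root.iter():
        if elem.tag.rsplit("}", 1)[-1].lower() == "version" and elem.text:
            return elem.text.strip()
    raise ValueError("no <version> element found in manifest.xml")

def extract_manifest_xml(manifest_cab_path, workdir):
    # ASSUMPTION: unpack the CAB with expand.exe (built into Windows) or
    # cabextract elsewhere; Python's standard library has no CAB reader.
    if os.name == "nt":
        cmd = ["expand.exe", manifest_cab_path, "-F:manifest.xml", workdir]
    else:
        cmd = ["cabextract", "-q", "-F", "manifest.xml", "-d", workdir, manifest_cab_path]
    subprocess.run(cmd, check=True, stdout=subprocess.DEVNULL)
    with open(os.path.join(workdir, "manifest.xml"), encoding="utf-8") as fh:
        return fh.read()

def stage_engine(share_root, engine, update_version, manifest_cab, package_cab):
    # Steps 1, 2, 4 and 5: manifest.cab goes in BOTH the EngineName folder and
    # the UpdateVersion subfolder; the full package goes only in the subfolder.
    engine_dir = os.path.join(share_root, engine)
    version_dir = os.path.join(engine_dir, update_version)
    os.makedirs(version_dir, exist_ok=True)
    for folder in (engine_dir, version_dir):
        with open(os.path.join(folder, "manifest.cab"), "wb") as fh:
            fh.write(manifest_cab)
    with open(os.path.join(version_dir, f"{engine}_fullpkg.cab"), "wb") as fh:
        fh.write(package_cab)
    return version_dir

def check_engine_layout(share_root, engine, update_version):
    # The step 7 check. Returns a list of problems; an empty list means OK.
    problems = []
    engine_dir = os.path.join(share_root, engine)
    version_dir = os.path.join(engine_dir, update_version)
    top_manifest = os.path.join(engine_dir, "manifest.cab")
    sub_manifest = os.path.join(version_dir, "manifest.cab")
    package = os.path.join(version_dir, f"{engine}_fullpkg.cab")
    for path in (top_manifest, sub_manifest, package):
        if not os.path.isfile(path):
            problems.append(f"missing {path}")
    if os.path.isfile(top_manifest) and os.path.isfile(sub_manifest):
        with open(top_manifest, "rb") as a, open(sub_manifest, "rb") as b:
            if a.read() != b.read():
                problems.append("manifest.cab differs between the two folders")
    if os.path.isfile(os.path.join(engine_dir, f"{engine}_fullpkg.cab")):
        problems.append(f"{engine}_fullpkg.cab belongs only in the UpdateVersion subfolder")
    return problems

def fetch_engine(product, engine, share_root):
    # Steps 2-5 end to end for one engine; returns (version, problems).
    if not valid_engine_name(engine, product):
        raise ValueError(f"unknown engine name {engine!r} for {product}")
    with urllib.request.urlopen(manifest_url(product, engine)) as resp:
        manifest_cab = resp.read()
    workdir = tempfile.mkdtemp()
    try:
        cab_path = os.path.join(workdir, "manifest.cab")
        with open(cab_path, "wb") as fh:
            fh.write(manifest_cab)
        version = parse_update_version(extract_manifest_xml(cab_path, workdir))
    finally:
        shutil.rmtree(workdir, ignore_errors=True)
    with urllib.request.urlopen(package_url(product, engine, version)) as resp:
        package_cab = resp.read()
    stage_engine(share_root, engine, version, manifest_cab, package_cab)
    return version, check_engine_layout(share_root, engine, version)

if __name__ == "__main__":
    import sys
    # Usage: python stage_engines.py FOREFRONT D:\EngineShare Microsoft Sophos
    product, share_root, *engines = sys.argv[1:]
    for name in engines:
        version, problems = fetch_engine(product, name, share_root)
        print(name, version, "OK" if not problems else problems)
```

Run it on the machine with internet access, pointing share_root at the top-level folder you share (or later copy to the isolated network, structure intact), then run check_engine_layout again on the destination before setting the Primary NUP to the share. Because manifest.cab files expire within days, the script is worth scheduling rather than running once.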

General Notes

· Important: the Manual Download method (D) requires manual intervention on your part; therefore it would only be supported by CSS on a best-effort basis, should you run into any issues. CSS does not provide any scripts to support this method at present.

· Manifest.cab files expire within a certain time limit for added security (varies per engine; usually within a few days).

· At the time of writing, Antigen 9 and Forefront (FSE/FSSP/FSOCS) update files are interchangeable, so you can use Forefront engines for Antigen 9 and vice versa. This means that you can use one hub to serve both Antigen and Forefront installations via UNC (or only need to download one set of files if you are updating manually).

· Even if you are running a Forefront (FSE/FSSP/FSOCS) product on an x64 platform, the paths to engines will contain “x86”, since all engines are 32-bit.

· The name of the Kaspersky engine for manual updates should be ‘Kaspersky5’ (not ‘Kaspersky’).

· The name of the Virus Buster engine for manual updates should be ‘VBuster’ (not ‘Virus Buster’ or ‘VirusBuster’).

Abbreviations

CSS - (Microsoft) Customer Service and Support

FSE - Forefront Server Security for Exchange

FSOCS - Forefront Security for Office Communications Server 2007

FSSMC - Forefront Server Security Management Console

FSSP - Forefront Server Security for SharePoint

NUP - Network Update Path

UNC - Universal Naming Convention. Example path: \\server1\MyShareName$

Cheers,

Andy Day

Microsoft CSS (Customer Service and Support)