How to Validate NIS Signature State

Introduction

Unless you’ve been hiding under a rock for the past year or so, you’ve heard of Forefront TMG 2010 and the Network Inspection System (NIS) feature it includes for identifying protocol abuse and detecting evil bits within the protocols.

While I was wandering aimlessly through my Forefront TMG logs and alerts (what; you don’t?!?), I noticed that the Update Center was complaining about not having seen any NIS updates since Feb 9, 2010 (see below):

NIS Alerts

By default, Forefront TMG only starts complaining about this state after the active signature is 45 days old. This amount of time between updates seemed odd to me, so I decided to see what (if anything) was amiss with my Forefront TMG.

Checking the Update Center

Because the NIS updates are controlled and monitored within the Forefront TMG Update Center, this is a logical first place to check. Interestingly, NIS indicates that the last update was performed on Feb 9, 2010 and the signature version is 4.24.0.0. Also, the license state shows “Never expires” (as it should).

Uudate Center 

Based on what Forefront TMG is telling me, my NIS signatures are up-to-date at version 4.24, dated 9 Feb 2010. What I can’t tell from the TMG management console is whether or not NIS saignatures were actually updated since then, but Forefront TMG somehow thinks otherwise?

In order to answer this question, we need to use independent validation methodology that should be based on how NIS acquires its updates.

How NIS Gets Updated

NIS updates are delivered to Forefront TMG using Windows Update. As illustrated below, Forefront TMG provides you the means of selecting Microsoft Update (MU), Windows Server Update Services (WSUS) or WSUS with a fallback to MU.

Update Center Options

Regardless of which option you choose in the Update Service tab (as long as you choose Use the Microsoft Update service to check for updates in the Microsoft Update tab), the mechanism that Forefront TMG will use is the local computer Windows Update service.

Windows Update Service

What this all means to you is that because the Update Center acquires NIS signatures and engine updates through Microsoft Updates mechanisms, you have an easy way to verify whether your Forefront TMG is actually using the most current signatures.

Verifying The NIS Signature State

Because the Windows Automatic Update Agent provides a scriptable API set, it is possible for you to write a script that queries Microsoft Updates for the latest NIS signature, but there is a much easier method (aren’t you glad?).

1. Open your browser

2. In the address bar, enter http://catalog.update.microsoft.com/v7/site/Search.aspx?q=NIS (or just click this link)

3. Review the results

MU Catalog 

In this case, I can see that the NIS signature Forefront TMG indicates (v 4.24, dated 9 Feb 2010) is in fact, the most current signature available.

Summary

Now you know how to independently validate the Forefront TMG NIS signature version and date. Deeper NIS and Update Center troubleshooting is provided in the continuing Forefront TMG Troubleshooting series on TechNet.

Author

Jim Harrison, Program Manager, Forefront TMG

Reviewers

Tanmay Ganacharya, Senior Security Research Lead, MMPC
Scott Lambert, Senior Security Researcher, MMPC