Chapter 16 - File scanner updating overview


Applies to: Microsoft Antigen

Antigen for SMTP Gateways enables you to choose virus scanning engines from multiple vendors. The standard Antigen license includes four antivirus engines.

After Antigen for SMTP Gateways is installed, engine updates automatically begin. The scanner update settings are, by default, set to begin updating your engines five minutes after AntigenService is started. Updates are spaced at five-minute intervals. All licensed engines are automatically downloaded and installed by the first update. You can also update an engine at any time by clicking the Update Now button on the Scanner Update Settings work pane. For more information about configuring scanning options, see Chapter 6 - Configuring SMTP Scan Jobs.

Note

After an upgrade to Antigen 9, the Microsoft engine will not be scheduled for updates. You must manually set the update schedule for the Microsoft engine after the upgrade is complete.
If you add scan engines after installation by upgrading your license, the new scan engines are not scheduled for updates. You must manually set the update schedule for any new engines that are added.
If you access the Internet through a proxy server, scheduled scanner updates will fail until Antigen for SMTP Gateways has been configured to use that proxy. For information about configuring Antigen for SMTP Gateways to use a proxy server to retrieve updates, see Updating the file scanner through a proxy. After the configuration settings have been entered, click Update Now on the Scanner Update Settings work pane to perform an immediate scanner update for each engine.
It is recommended that you schedule updates or do a manual update before scanning with an engine that you have not used before.
This chapter describes antivirus engine updates. For information about anti-spam engine updates, see Chapter 13 - Antigen Spam Manager overview.

About automatic file scanner updating

Scan engines, signature files, and worm list updates can be downloaded automatically from the Microsoft HTTP server, or from another server running Antigen for SMTP Gateways. Setting a schedule for checking the HTTP or other server for a new scan engine means that you are automatically protected against new viruses without having to check versions or manually update the files. After Antigen for SMTP Gateways has automatically downloaded an updated scan engine, it automatically puts that scan engine to use. During file scanner updates, only the engine being updated is taken offline. The other engines continue to scan for viruses.

To set the schedule times for updating the scanning engines, click SETTINGS in the left navigation shuttle and then click the Scanner Updates icon. The Scanner Update Settings work pane appears on the right.

The top portion of the work pane shows the list of supported file scanners and the worm list. The bottom portion of the work pane contains the scheduling features for the selected scanner along with information about that scanner.

Note

If a scan engine becomes locked or it generates an error message when it attempts to load, you may need to rebuild the scan engine. For more information, see "Rebuilding scan engines" in Chapter 17 - Troubleshooting overview.

Scheduling an update

You can control when your scanning engines update, how often, and the update source.

Note

If you are using the optional Microsoft Antigen Enterprise Manager to update the scan engines, you should use the Scanner Updates work pane to disable scheduled updates.

To schedule updates for scanning engines

  1. Select Scanner Updates in the SETTINGS shuttle. The Scanner Update Settings work pane appears. The top of the pane shows a list of all supported file scanners and the worm list.

  2. Select a scan engine to be scheduled. The bottom pane contains the update paths and schedule for a selected engine, along with information about that engine. (For more information, see About scanner information.)

  3. Set the primary update path by clicking Primary in the bottom pane and then entering a value into the Network Update Path field. By default, Antigen for SMTP Gateways uses the primary update path to download updates. If the primary path fails for any reason, Antigen for SMTP Gateways uses the secondary update path.

    The default primary update path is https://antigendl.microsoft.com/antigen. You may change it to point to another HTTP update site, or if you prefer to use UNC updating as the primary update path, enter the UNC path to another SMTP server. For more information about UNC updating, see Distributing updates.

    To restore the default server path, right-click the Network Update Path field and select Default HTTP Path.

  4. Set the secondary update path, if desired, by clicking Secondary in the bottom pane and entering a value into the Network Update Path field. If the primary path fails for any reason, Antigen for SMTP Gateways uses the secondary update path. It is left blank by default.

    The secondary path can be set to use HTTP or UNC updating. Enter either a URL or a UNC path to another SMTP server. For more information about UNC updating, see Distributing updates.

  5. Specify the Date to check for updates. If you choose a Frequency of Once, this date is the only time that update checking will occur; otherwise this date represents the first time update checking will occur. Click the left and the right arrows on the calendar to change the month. Click a particular day to select it. (The current date is circled in red; a selected date turns blue.)

  6. Set a time for the update to take place. Each of the subfields (hour, minute, seconds, and AM/PM) can be selected and set separately. You can enter a time or use the up and down buttons to change the current value of each subfield. Antigen for SMTP Gateways defaults to staggering the update time, leaving an interval of five minutes between engines. It is recommended that you stagger updates a minimum of 15 minutes apart.

  7. Specify how often the update occurs (the frequency). You can choose Once (update only once, on the specified date and time), Daily (update every day, at the same time), Weekly (update each week, on the same day and time), or Monthly (update each month, on the same date and time). It is recommended that you select Daily, and then set a Repeat interval to update the engine at multiple times during the day.

  8. Optionally, indicate a repeat interval. Select Repeat, and then choose a time interval. (The minimum time is 15 minutes, which is the default value.) It is recommended that you check for updates at least every two hours. If a new update is not available at the scheduled time, the engine is not taken offline and no updating is done.

  9. Use the Enable and Disable buttons to control whether the update check is performed for a selected engine. All engine updates are enabled by default. Even if you are not using a particular engine, you should schedule updates for it. That way, if you find you need to use that engine in the future, it will already be at the current update level.

  10. Click Save.

Note

The Enable and Disable buttons control updating only, and not the use of the engine. To discontinue using the engine itself, see Chapter 6 - Configuring SMTP Scan Jobs.

Update Now

You can click the Update Now button on the Scanner Updates work pane to perform an immediate update of the selected scanner. If an update exists, Antigen for SMTP Gateways will download the scanner and will start using it after the download is complete. While the engine download is in progress, the Update Now button remains inoperable. This button is useful for quick checks for a new scanner between regularly scheduled updates.

Update on load

Antigen for SMTP Gateways can be configured to update its file scanners when AntigenService starts up. To configure Antigen for SMTP Gateways to update at startup, select the Perform Updates at Startup option in the Scanner Updates section of the General Options work pane.

The updating of the engines is scheduled using the scheduler on the Scanner Updates work pane. The engines that are to be updated are scheduled in five-minute intervals to avoid possible conflicts.

About scanner information

This is the information that appears on the Scanner Updates work pane for a selected scanner:

  • Engine Version: The version, as reported by the third-party scan DLL.
  • Signature Version: The version of the scanner's virus definition files currently in use, as reported by the third-party scan DLL (not available with every scanner).
  • Update Version: The value located in the manifest.cab file.
  • Last Checked: The date and time of the last check made for a new scan engine or definition files.
  • Last Updated: The date and time of the last update made to the scan engine or definition files.

About Manifest.cab

The manifest.cab files, maintained by Microsoft, store information for determining if a newer version of a scan engine is available for download (each engine has an associated manifest.cab file in its package folder). During a scheduled update or when Update Now has been invoked, Antigen for SMTP Gateways searches the network update path for a new update. To minimize overhead, the manifest.cab file is first downloaded and used to determine if an update is required. If an update is not required, no further processing takes place. If an update is required, the update is downloaded and applied. When the update is finished, the new manifest.cab file overlays the old one.

This is the directory structure of the scan engines on a server running Antigen for SMTP Gateways:

Antigen Directory\
     Engines\
          x86\
               Engine Name\
                    Package\
                         manifest.cab
                         Version Directory\
                              manifest.cab
                              enginename_fullpkg.cab
                              other enginename files

  • Antigen Directory is the top-level directory where all of the Antigen for SMTP Gateways files are kept. This was created during the product’s installation.
  • Engine Name is a directory with the name of an engine’s vendor. There is an Engine Name directory for each engine.
  • The Package directory contains the most recent manifest.cab file.
  • The Version Directory name has the format yymmddvvvv (year, month, day, version, for example: 0512140001). On any specific day, there may be multiple version directories. Each contains the current manifest.cab file, the enginename_fullpkg.cab, and all other required files for the engine.
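The following script audits one engine's Package directory in the layout just described: it parses the yymmddvvvv Version Directory names, picks the newest, counts how many packages are retained (two on a redistribution hub) and checks that the top-level manifest.cab matches the newest version's copy. It is an added example, not Antigen's own code; the assumption that the top-level manifest.cab mirrors the newest Version Directory's manifest.cab follows from the text above, and the sample tree it builds is constructed.

```python
"""Audit one engine's Package directory in the layout described above.
Added example, not part of Antigen; it assumes the top-level manifest.cab
mirrors the newest Version Directory's copy. Sample tree is constructed."""
import hashlib
import re
import tempfile
from pathlib import Path

VERSION_DIR = re.compile(r"^(\d{2})(\d{2})(\d{2})(\d{4})$")  # yymmddvvvv

def parse_version_dir(name):
    """Return (yy, mm, dd, vvvv) for a version directory name, else None."""
    m = VERSION_DIR.match(name)
    return tuple(int(g) for g in m.groups()) if m else None

def _sha256(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

def audit_engine(package_dir):
    """Return the newest Version Directory, how many are retained (a
    redistribution hub keeps two) and a list of inconsistencies found."""
    package_dir = Path(package_dir)
    versions = sorted((parse_version_dir(p.name), p)
                      for p in package_dir.iterdir()
                      if p.is_dir() and parse_version_dir(p.name))
    if not versions:
        return {"latest": None, "retained": 0, "findings": ["no version directory"]}
    latest = versions[-1][1]
    findings = []
    top, cur = package_dir / "manifest.cab", latest / "manifest.cab"
    if not (top.is_file() and cur.is_file()):
        findings.append("manifest.cab missing in Package or " + latest.name)
    elif _sha256(top) != _sha256(cur):  # stale top-level manifest
        findings.append("Package manifest.cab differs from " + latest.name)
    if not list(latest.glob("*_fullpkg.cab")):
        findings.append(latest.name + " has no *_fullpkg.cab")
    return {"latest": latest.name, "retained": len(versions), "findings": findings}

def build_sample_tree():
    """Constructed two-version tree in a temp dir: the older version's
    manifest is stale, the top-level manifest.cab matches the newer one."""
    root = Path(tempfile.mkdtemp()) / "Engines" / "x86" / "SampleEngine" / "Package"
    for name, manifest in (("0512140001", b"old"), ("0512140002", b"new")):
        vdir = root / name
        vdir.mkdir(parents=True)
        (vdir / "manifest.cab").write_bytes(manifest)
        (vdir / "sampleengine_fullpkg.cab").write_bytes(b"pkg")
    (root / "manifest.cab").write_bytes(b"new")
    return root
```

Point audit_engine at a real Engines\x86\<Engine Name>\Package directory to run it against a server; a non-empty findings list means the package folder is not in the state the update process should leave it in.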

Distributing updates

The most common method of distributing updates is to have one server receive updates from the Microsoft HTTP server and then share those updates among the rest of the servers (the "spoke" servers) in your environment. After one server receives an engine update, it can share that update with any other server whose network update path points to it.

Configuring servers to distribute and receive updates

You must configure both the hub and the spoke servers before distributing updates.

To prepare a server to act as an update hub, you first need to establish a Windows share for the Engines directory (which is usually in the Antigen for SMTP Gateways installation directory).

Next, enable the Redistribution Server option in the Scanner Updates section of General Options on the chosen hub server. This configures Antigen for SMTP Gateways to save the two most recent engine update packages in the engine package folder instead of the usual single engine package. Antigen for SMTP Gateways also downloads the full update package rather than performing an incremental update. The multiple engine packages allow the spoke servers to continue getting updates from the redistribution server while a new update is being downloaded.

Then, enter the UNC credentials.

To configure UNC credentials

  1. Select General Options from the SETTINGS shuttle.

  2. Select Use UNC Credentials in the Scanner Updates section.

  3. In the UNC Username field, enter the name of a user with access rights to the UNC path. Also enter the UNC Password.

  4. Click Save.

After the hub server has been set up, configure the spoke servers to point to the shared directory by entering the hub's UNC path (\\ServerName\ShareName) into the Primary Network Update Path field of each of the spoke servers.

Note

The use of static IP addresses within the update path is not recommended or supported.

For example, server Ex1 receives its updates automatically from the Microsoft HTTP server. Ex1 has Antigen for SMTP Gateways installed in C:\Program Files\Microsoft Antigen for SMTP, and you have created a share, called AdminShare, that begins at the Engines directory. Another server, Ex2, will get its updates from Ex1, by using \\Ex1\AdminShare as its primary network update path.

Notifications following engine updates

Antigen for SMTP Gateways can be configured to send a notification to the administrator following each engine update. The notifications include the following.

Successful update

     Subject line: Successful update of engine_name scan engine on server server_name.

     Body: The engine_name scan engine has been updated from update_path.

No update available

     Subject line: No new update for the engine_name scan engine on server server_name.

     Body: There are currently no new scan engine files available for the engine_name scan engine at update_path.

Error updating

     Subject line: Failed update of engine_name scan engine on server server_name.

     Body: An error occurred while updating the engine_name scan engine. [There may be an error message included here.] For more information, see the Program Log.

Engine update notifications are controlled in the General Options work pane by selecting Send Update Notification.
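The three subject lines above are regular enough to be parsed by a monitoring script that collects the notifications and flags any engine whose most recent update attempt failed. The following is an added example, not Antigen code; the sample subjects are constructed (the engine name VendorB is made up, the server names follow the chapter's Ex1/Ex2 example).

```python
"""Classify the engine-update notification subjects documented above and
flag engines whose most recent result was a failure. Added example, not
Antigen code; the sample subjects are constructed (engine VendorB is made up)."""
import re

# One pattern per documented subject line; engine_name may contain spaces.
SUBJECT_PATTERNS = {
    "success": re.compile(
        r"^Successful update of (?P<engine>.+) scan engine on server (?P<server>\S+)\.$"),
    "no_update": re.compile(
        r"^No new update for the (?P<engine>.+) scan engine on server (?P<server>\S+)\.$"),
    "error": re.compile(
        r"^Failed update of (?P<engine>.+) scan engine on server (?P<server>\S+)\.$"),
}

def classify_subject(subject):
    """Return {'status', 'engine', 'server'} for a known subject, else None."""
    for status, pattern in SUBJECT_PATTERNS.items():
        m = pattern.match(subject.strip())
        if m:
            return {"status": status, "engine": m["engine"], "server": m["server"]}
    return None

def failing_engines(subjects):
    """Walk subjects in arrival order and return sorted (server, engine) pairs
    whose most recent notification was an error. A later success or
    no-update result clears the flag, since both mean the update path was
    reached and checked."""
    failing = {}
    for subject in subjects:
        parsed = classify_subject(subject)
        if parsed is None:
            continue  # not an engine-update notification
        failing[(parsed["server"], parsed["engine"])] = parsed["status"] == "error"
    return sorted(key for key, is_failing in failing.items() if is_failing)

SAMPLE_SUBJECTS = [  # constructed sample, in arrival order
    "Successful update of Microsoft scan engine on server Ex1.",
    "Failed update of Microsoft scan engine on server Ex2.",
    "Successful update of Microsoft scan engine on server Ex2.",
    "No new update for the VendorB scan engine on server Ex1.",
    "Failed update of VendorB scan engine on server Ex1.",
    "Unrelated message",
]
```

Feed it the subject lines of the notification mailbox in arrival order; the Ex2 failure is cleared by the later success, so only Ex1's VendorB engine is reported.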

Putting the new file scanner to use

After the download has successfully completed, the new file scanner is immediately put to use. Any currently running scan jobs are temporarily paused while the new file scanners are loaded. The previous file scanner files are then archived in a folder named LastKnownGood. If for any reason the newly downloaded file scanner fails, Antigen for SMTP Gateways returns to the file scanner that was archived in the LastKnownGood folder.

Updating the file scanner through a proxy

In environments where the SMTP server must access the Internet through a proxy server, Antigen for SMTP Gateways can be configured to retrieve engine updates through a proxy server.

To configure Antigen for SMTP Gateways for proxy server updating

  1. Select General Options from the SETTINGS shuttle.

  2. In the Scanner Updates section of General Options, select Use Proxy Settings.

  3. Enter information about the proxy server: name or IP address, port, user name (optional), and password (optional). For more information about these fields, see Chapter 4 - Antigen Administrator.

  4. Click Save.

After the proxy server settings have been entered and saved, they can be deployed to other servers by replicating the General Options settings using the Antigen Enterprise Manager.

Adding and deprecating scan engines

When Antigen adds or deprecates an engine, you are informed via notification entries in the event log. You can also configure notifications to be sent to Virus Administrators in addition to the event log by using the Antigen Administrator; for more information about how to do this, see Chapter 14 - Using e-mail notifications.

Adding new scan engines

When Antigen adds a scan engine, an announcement is written to the event log that publicizes that the engine was added to your configuration. This notification - which includes links to information about this new engine - is written to the event log only once.

Deprecating scan engines

When Antigen is no longer going to support a scan engine, an announcement is written to the event log to publicize the date on which updates for this engine will no longer be available. Notifications, which include links to information about this engine's deprecation, are written to the event log on a weekly basis up until the date on which the engine becomes obsolete.

Upon receiving a notification about an engine being deprecated, it is strongly recommended that you disable the use of this engine with any scan jobs. Once the engine becomes obsolete, the definitions on disk will become out of date and the scanning usefulness of this engine diminishes.

After the date on which the engine becomes obsolete, updates are no longer available for this engine. If the obsolete engine is still enabled for updates, update checks for that engine are automatically disabled, and an error notification is written to the event log. If the obsolete engine is in use with a scan job, an error notification is written to the event log on a daily basis until the engine is disabled for that scan job.
