FSOCS file scanner updating

 

Applies to: Forefront Security for Office Communications Server

Microsoft Forefront Security for Office Communications Server (FSOCS) enables you to choose virus scanning engines from multiple vendors. The standard FSOCS license includes several integrated antivirus engines.

During the initial installation, all engines are selected for scanning. You can modify the engine selections through the Forefront Server Security Administrator.

After FSOCS is installed, engine updates automatically begin. The scanner update settings are, by default, set to begin updating your engines five minutes after the FSCController is started. Updates are spaced at five-minute intervals. For more information about configuring scanning options, see IM Scan Job.

Note

If you are using a proxy server in order to access the Internet for scanner updates, these scheduled updates will fail. For information about configuring FSOCS to use a proxy server in order to retrieve updates, see Updating the file scanners through a proxy. After the configuration settings have been entered, use the Update Now button on the Scanner Updates pane in order to perform an immediate scanner update for each engine.

Automatic file scanner updating

Scan engines, signature files, and worm-list updates can be downloaded automatically from the Microsoft HTTP server or from another OCS 2007 or OCS 2007 R2 server running FSOCS. Setting a schedule for checking the HTTP or OCS server for a new scan engine means that you are automatically protected against new viruses without having to check versions or manually update the files. After FSOCS has automatically downloaded an updated scan engine, it automatically puts that engine to use. During file scanner updates, only the engine being updated is taken offline. The other engines continue to scan for viruses.

Scheduling an update

You can control when your scan engines update, how often, and the update source.

To schedule updates for scan engines

  1. In the Shuttle Navigator, in the SETTINGS section, select Scanner Updates.

  2. In the Scanner Updates pane, in the list in the top section, select a scan engine to be scheduled. The bottom of the pane contains the Primary and Secondary update paths and the update schedule for the selected engine. Additionally, there is information about that engine. (For more information, see Scanner Information.)

  3. To set the primary update path, click Primary, and then in the Network Update Path box, enter a value. FSOCS uses the primary update path in order to download updates. If the primary path fails for any reason, FSOCS uses the secondary update path, if any.

    The following is the default primary update path: https://forefrontdl.microsoft.com/server/scanengineupdate

    You may change it to point to any other HTTP update site, or if you would prefer to use Universal Naming Convention (UNC) updating, enter the UNC path to another FSOCS server. For more information about UNC updating, see Distributing updates.

    To restore the default server path, right-click the Network Update Path field, and then click Default HTTP Path.

  4. If you want to set the secondary update path, click Secondary, and then in the Network Update Path field, enter a value. If the primary path fails for any reason, FSOCS will use the secondary update path. It is left blank by default.

    The secondary path may be set to use HTTP or UNC updating. Enter either a URL or a UNC path to another FSOCS server. For more information about UNC updating, see Distributing updates.

  5. In the Date section, use the calendar to specify the date to check for updates. Click a particular day in order to select it. (The current date is circled in red; a selected date turns blue.)

  6. Set a time for the update to take place. Each of the subfields (hour, minute, seconds, and AM/PM) can be selected and set separately. You can enter a time or use the up and down buttons in order to change the current value of each subfield. FSOCS defaults to staggering the update times, leaving an interval of five minutes between engines.

    Note

    Do not use the Windows scheduler in order to set or change scan engine updating times. Changes you make in the operating system are not reflected in FSOCS update scheduling. Use the Scanner Update Settings pane only.

  7. In the Frequency section, specify how often the update occurs. You can choose Once (update only once, on the specified date and time), Daily (update every day, at the same time), Weekly (update each week, on the same day and time), or Monthly (update each month, on the same date and time). It is recommended that you select Daily (the default), and then set a Repeat interval in order to update the engine at multiple times during the day.

    If you select Once, the date you indicate is the only time update checking will take place; otherwise, the date represents the first time update checking will take place.

  8. Optionally indicate a repeat interval. Select Repeat, and then enter a time interval. (The minimum time is 15 minutes.) It is recommended that you check for updates at least every two hours. If a new update is not available at the scheduled time, the engine is not taken offline, and no updating is done. The default is to repeat updating for each engine every hour.

  9. Use the Enable and Disable buttons in order to control whether the update check is performed for a selected engine. All engine updates are enabled by default. Even if you are not using a particular engine, you should schedule updates for it. That way, if you find you need to use that engine in the future, it will already be at the current update level.

Note

The Enable and Disable buttons control updating only, and not the use of the engine. For more information about discontinuing use of a scan engine, see IM Scan Job.

Scheduling updates on multiple servers

When scheduling engine updates on multiple servers in your organization, it is recommended that you stagger the updates by at least five minutes in order to prevent servers from timing out during the update process. When scheduling updates for multiple engines, it is also helpful to stagger the updates in five-minute intervals.

Update Now

You can perform an immediate update of a selected scanner.

To perform an immediate update of a selected scanner

  • On the Scanner Updates pane, click the Update Now button. If an update exists, FSOCS downloads the scanner engine and signature updates and starts using them after the download is complete.

    Note

    While the engine download is in progress, the Update Now button remains inoperable. This button is useful for quick checks for new scan engine updates between regularly scheduled updates.

Update on load

Forefront Security for Office Communications Server can be configured to update its file scanners when FSCController starts up.

To configure FSOCS to update at startup

  • In the General Options pane, in the Scanner Updates section, select the Perform Updates at Startup check box.

Schedule engine updates by using the scheduler on the Scanner Updates pane. The engines that are to be updated are scheduled in five-minute intervals in order to avoid possible conflicts.

Scanner information

The following is the information that appears on the Scanner Updates pane for a selected scanner:

  • Engine Version—The version, as reported by the third-party scan dynamic-link library (DLL).
  • Signature Version—The version of the scanner's virus definition files currently in use, as reported by the third-party scan DLL (not available with every scanner).
  • Update Version—The value located in the Manifest.cab file.
  • Last Checked—The date and time of the last check made for a new version of a scan engine or definition files.
  • Last Updated—The date and time of the last update made to the scan engine or definition files.

Manifest.cab

The Manifest.cab files, maintained by Microsoft, store information for determining if a newer version of a scan engine is available for download. (Each engine has an associated Manifest.cab file in its Package folder.) During a scheduled update or when Update Now has been invoked, FSOCS searches the network update path for a new update. To minimize overhead, the Manifest.cab file is first downloaded and used to determine if an update is required. If an update is not required, no further processing takes place. If an update is required, the update is then downloaded and applied. When the update is finished, the new Manifest.cab file overlays the old one.

Engine directory structure

This is the directory structure of the scan engines on a server running FSOCS:

Forefront Directory\
     Data\
          Engines\
               x86\
                    Engine Name\
                         Package\
                              manifest.cab
                              Version Directory\
                                   manifest.cab
                                   enginename_fullpkg.cab
                                   other enginename files

where the following is true:

  • Forefront Directory is the top-level directory where all of the FSOCS files are kept. This was created during the product's installation.
  • Engine Name is a directory with the name of an engine's vendor (for example: Microsoft). There is an Engine Name directory for each engine.
  • The Package directory contains the most recent Manifest.cab file.
  • The Version Directory name has the format yymmddvvvv (year, month, day, version, for example: 0602020001). On any particular day, there may be multiple version directories. Each contains the current Manifest.cab, the enginename_fullpkg.cab (for example: microsoft_fullpkg.cab), and all other required files for the engine. Every time you do an engine update, the package folder is recreated. It contains a new version directory for the package that was downloaded.
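The yymmddvvvv naming lets you check engine freshness straight from the file system, for instance on a hub share and on each spoke. The following Python sketch is an added example, not part of FSOCS or the original page; the two-day threshold, the reading of yy as 20yy, and the VendorB and VendorC engine names are assumptions, and the sample tree is constructed.

```python
import re
import tempfile
from datetime import date
from pathlib import Path

VERSION_DIR = re.compile(r"^(\d{2})(\d{2})(\d{2})(\d{4})$")  # yymmddvvvv

def parse_version_dir(name):
    """Return (date, sequence) for a yymmddvvvv name, or None if malformed."""
    m = VERSION_DIR.match(name)
    if not m:
        return None
    yy, mm, dd, seq = map(int, m.groups())
    try:
        return date(2000 + yy, mm, dd), seq  # assumption: yy means 20yy
    except ValueError:  # impossible calendar date, e.g. month 13
        return None

def has_manifest(version_dir):
    """True if the directory holds a manifest.cab (name compared case-insensitively)."""
    return any(f.name.lower() == "manifest.cab" for f in version_dir.iterdir())

def audit_engines(engines_root, today, max_age_days=2):
    """Map engine name -> (newest version directory or None, is_stale)."""
    report = {}
    for engine in sorted(p for p in Path(engines_root, "x86").iterdir() if p.is_dir()):
        package = engine / "Package"
        found = []
        for d in (package.iterdir() if package.is_dir() else []):
            parsed = parse_version_dir(d.name)
            if parsed and d.is_dir() and has_manifest(d):
                found.append((parsed, d.name))
        if not found:
            report[engine.name] = (None, True)  # no valid package: treat as stale
            continue
        (newest_date, _seq), newest_name = max(found)  # latest date, then sequence
        report[engine.name] = (newest_name, (today - newest_date).days > max_age_days)
    return report

def build_sample_tree():
    """Constructed sample layout; VendorB and VendorC are hypothetical engines."""
    root = Path(tempfile.mkdtemp())
    layout = {"Microsoft": ["0602010001", "0602020001", "0602020002", "0613400001"],
              "VendorB": ["0601150001"], "VendorC": []}
    for engine, versions in layout.items():
        package = root / "x86" / engine / "Package"
        package.mkdir(parents=True)
        for v in versions:
            (package / v).mkdir()
            (package / v / "manifest.cab").touch()
    return root
```

A version directory's date reflects the downloaded package, not the last check, so confirm a flagged engine against Last Checked and Last Updated on the Scanner Updates pane.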

Distributing updates

The most common method of distributing updates is to have one server (the hub) receive updates from the Microsoft HTTP server and then share those updates among the rest of the servers in your environment (the spokes). After the hub receives an engine update, it can share that update with any other server whose network update path points to it.

Configuring servers to distribute and receive updates

You must configure both the hub and spoke servers before distributing updates.

Configuring the redistribution (hub) server and UNC credentials

Before you can use redistribution updating, you must prepare a server to act as an update hub, and then configure UNC credentials.

To prepare a server to act as an update hub

  1. Establish a Windows share for the server's Engines directory. This is, by default, in the following location:
    C:\Program Files\Microsoft Forefront Security\Office Communications Server\Data

  2. On the chosen hub server, in General Options, in the Scanner Updates section, enable the Redistribution Server check box. This configures FSOCS to save the two most recent engine-update packages in the engine package folder. FSOCS downloads the full update package rather than performing an incremental update. The multiple engine packages enable the spoke servers to continue pulling updates from the redistribution server while a new update is being downloaded.

To configure UNC credentials

  1. In the Shuttle Navigator, in the SETTINGS section, select General Options.

  2. In the Scanner Updates section, select the Use UNC Credentials check box.

  3. In the UNC Username field, enter the name of a user with access rights to the UNC path. For more information, see "General Options" in FSOCS Forefront Server Security Administrator.

  4. In the UNC Password field, enter the password for that user, and then click Save.

Configuring the spoke servers

After the hub server has been set up, configure the spoke servers to point to the shared directory.

To configure the spoke servers to point to the shared directory

  • On each of the spoke servers, in the Primary Network Update Path field, enter the hub's UNC path in the following format:
    \\ServerName\ShareName

    Note

    The use of static IP addresses within the update path is neither recommended nor supported.

Example: Server Ex1 receives its updates automatically from the Microsoft HTTP server. Ex1 has FSOCS installed in the following location:

C:\Program Files\Microsoft Forefront Security\Office Communications Server

You have created a share, called AdminShare, that begins at the Engines directory. Another server, Ex2, will get its updates from Ex1 by using the following as its primary network update path:

\\Ex1\AdminShare

Notifications following engine updates

Forefront Security for Office Communications Server can be configured to send a notification to the virus administrator following each engine update. The notifications include the following:

  • Successful update:

    • Subject line—Successful update of <engine_name> scan engine on server <server_name>
    • Body—The <engine_name> scan engine has been updated from <update_path>
  • No update available:

    • Subject line—No new update for the <engine_name> scan engine on server <server_name>
    • Body—There are currently no new scan engine files available for the <engine_name> scan engine at <update_path>
  • Error updating:

    • Subject line—Failed update of <engine_name> scan engine on server <server_name>
    • Body—An error occurred while updating the <engine_name> scan engine. [There may be an error message included here.] Please see the Program Log for more information.

    Note

    If the Program Log contains the "could not create mapper object" error, it means that the engine in question did not load properly.

Engine update notifications are controlled in the General Options pane by selecting Send Update Notification in the Scanner Updates section.
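Because the three subject lines follow fixed templates, the virus administrator's mailbox can be triaged automatically so that an engine that keeps failing to update is not lost among routine messages. The following Python sketch is an added example, not part of FSOCS or the original page; the threshold of two consecutive failures and the VendorB engine name are assumptions, and the sample subjects are constructed.

```python
import re
from collections import defaultdict

# Subject-line templates taken from the notification list above.
PATTERNS = [
    ("success", re.compile(
        r"^Successful update of (?P<engine>.+) scan engine on server (?P<server>\S+)$")),
    ("no_update", re.compile(
        r"^No new update for the (?P<engine>.+) scan engine on server (?P<server>\S+)$")),
    ("failure", re.compile(
        r"^Failed update of (?P<engine>.+) scan engine on server (?P<server>\S+)$")),
]

def classify(subject):
    """Return (outcome, engine, server), or None for unrelated mail."""
    for outcome, pattern in PATTERNS:
        m = pattern.match(subject.strip())
        if m:
            return outcome, m["engine"], m["server"]
    return None

def failing_engines(subjects, threshold=2):
    """Return {(server, engine): n} where the latest n >= threshold checks failed.

    Subjects must be ordered oldest first. "No new update" resets the streak,
    because it shows the update path was reached and the manifest was checked.
    """
    streak = defaultdict(int)
    for subject in subjects:
        parsed = classify(subject)
        if parsed is None:
            continue
        outcome, engine, server = parsed
        key = (server, engine)
        streak[key] = streak[key] + 1 if outcome == "failure" else 0
    return {key: n for key, n in streak.items() if n >= threshold}

# Constructed sample subjects, oldest first (Ex1 and Ex2 as in the example above).
SAMPLE = [
    "Successful update of Microsoft scan engine on server Ex1",
    "Failed update of Microsoft scan engine on server Ex2",
    "No new update for the VendorB scan engine on server Ex1",
    "Failed update of Microsoft scan engine on server Ex2",
    "Failed update of VendorB scan engine on server Ex1",
    "Successful update of VendorB scan engine on server Ex1",
    "Failed update of Microsoft scan engine on server Ex2",
    "Out of office: virus administrator",
]
```

For each pair that `failing_engines` returns, check that server's Program Log and its network update path or UNC credentials.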

Putting the new file scanner to use

After a download has successfully completed, the newly downloaded file scanner is tested. If the test fails, scan jobs continue to use the current version of the file scanner. Otherwise, all scan jobs are notified that there is a new file scanner. If a scan job is currently scanning a file, it finishes that file and then loads the new file scanner before continuing. If a scan job is currently idle, it loads the new file scanner immediately.

Updating the file scanners through a proxy

In environments where the OCS server must access the Internet through a proxy server, FSOCS can be configured to retrieve engine updates through that server.

To configure proxy server updating

  1. In the Shuttle Navigator, in the SETTINGS section, select General Options.

  2. In General Options, in the Scanner Updates section, select Use Proxy Settings.

  3. In the Scanner Updates section, enter the following information about the proxy server: name or IP address, port, user name (optional), and password (optional). For more information about these fields, see "General Options" in FSOCS Forefront Server Security Administrator.

  4. Click Save.

After the proxy server settings have been entered and saved, they can be deployed to other servers by replicating the General Options settings by using the FSCStarter command. For more information about FSCStarter, see "Deploying named templates" in FSOCS templates.