Article ID: 977939 - View products that this article applies to.
The Microsoft Forefront endpoint security products listed in the Applies To section contain an antimalware agent that regularly download updates to the definition files it uses to identify viruses, spyware, and other potentially unwanted software. Forefront endpoint security agents may also periodically download detection engine updates. Microsoft delivers these updates using Microsoft Update and also Windows Server Update Service (WSUS) if available. To manually download the updates, visit the following Microsoft Web site:
Microsoft Malware Protection Center Portal
Definition filesThe Microsoft antimalware agent uses virus definition modules (VDMs) to store detection information about malicious software or potentially unwanted software. The antimalware agent uses the following five files during its regular operation
The MpAvBase.vdm file contains the antivirus base definition module. This file is usually updated only one time per month by Microsoft and contains the base virus information that is used to build the delta definitions.
The MpAvDlta.vdm file contains the antivirus delta definition module. This file is usually updated multiple times per day by Microsoft and contains all the changes that have occurred since the last antivirus base was created.
The MpAsBase.vdm file contains the antispyware base definition module. This file is usually updated only one time per month by Microsoft and contains the base spyware software information and other potentially unwanted software information that is used to build the delta definitions.
The MpAsDlta.vdm file contains the antispyware delta definition module. This file is usually updated multiple times per week by Microsoft and contains all the changes that have occurred since the last antispyware base was created.
The MpEngine.dll file contains the Microsoft malware protection engine. The .vdm files that were mentioned earlier are referenced by the malware protection engine that scans the system resources looking for malware. Some examples of the system resources are files, processes, and registry keys. This file is usually updated only one time per month.
Rebase definitionsMicrosoft currently rebases definitions only one time per month. During the rebase process, the delta definitions are combined with the previous base definition file to form a new base file. The rebase process occurs on both the antivirus definition files and on the antispyware definition files.
Because of the rebase process, the size of the new base files typically increases from the previous month. The new base files contain the base definitions from the previous month and contain all the changes from the new delta definitions. Immediately after the rebase process, the sizes of the delta definition files reduce significantly. This behavior occurs because all the information that they previously contained is located in their respective base files.
As new malware information is generated, it is added to the delta definition files causing the size of the files to grow until the next rebase. The size of the base definition files remains the same between rebases.
Microsoft currently releases updates to the malware protection engine at the same time when Microsoft performs the rebase. This means that when the rebase process occurs, the antimalware agent will receive a new version of all five files that are mentioned in the "Definition Contents" section.
Obtaining definition updates
A customer can download the Forefront endpoint security definition updates by using any of the following three ways:
Microsoft publishes definition updates to Microsoft Update. The Forefront endpoint security agent can download these updates directly from Microsoft by using any one of following methods:
New definition update packages are usually published to Microsoft Update three times per day.
Windows Server Update Services
Microsoft publishes definition updates to Microsoft Update and makes them available to Windows Server Update Services. Forefront endpoint security customers who have implemented Windows Server Update Services can download these updates from Microsoft by synchronizing the Definition Update classification. Agents that report to that Windows Server Update Services server can download the definitions by using any one of the following methods:
Similar to Microsoft Update, there is detection logic that is associated with each update. This detection logic allows Windows Server Update Services to provide only the definition update package that is most suitable for the agent.
As described in the Rebase definitions section, the content of the base definitions and the engine do not change between rebases. For this reason, the base definitions and the engine are offered to agents once a month. For Windows Server Updates Service (WSUS), this ensures that less duplicate data is downloaded with every definition update release. When viewing file information in the WSUS administration console the list contains the packages described in the Recent Definitions section below.
New definition update packages are usually published to Windows Server Update Services three times per day. The frequency at which these updates are available to computers depends upon the frequency that the WSUS server synchronizes with Microsoft and how updates are approved for deployment.
Some definition updates are currently available for a manual download from Microsoft at two locations.
The following knowledge base article describes how to manually download the released definitions. These definitions usually correspond to the versions available by using Microsoft Update and by using Windows Server Update Services. Be aware that currently only the full installation packages are available.
935934The following knowledge base article describes how to manually download the beta definitions. These definitions are published more frequently and may not correspond to the versions published to Microsoft Update.
(http://support.microsoft.com/kb/935934/ )How to manually download the latest antimalware definition updates for Microsoft Forefront Client Security
(http://support.microsoft.com/kb/939757/ )How to download the latest beta malicious software definition update for Forefront Client Security
UNC file share
Updating from a file share is done by manual or scripting download of definitions from one of the sources above and placing them on a file share.
The type of definition update an agent performs is determined by how up-to-date it is with current definitions published by Microsoft. Agents that have updated recently will download and apply only very small changes whereas new agents will need to download the full definition installation to become up-to-date.
|kbsurveynew kbexpertiseadvanced kbhowto fep2010swept KB977939|