WSUS FCS Definitions

This is a follow-up post to my previous FCS definitions post. The first one focused on the mpam-fe files you can find on the security portal at www.microsoft.com/security/portal and what they contain. This one instead focuses on what is actually downloaded by your WSUS server and, in turn, what your WSUS clients normally download.

Our AV group seems to typically release definitions about 3x per day, although they can release more often than that if needed. From what I have seen, the updates usually come out on MU (Microsoft Update, which is also where WSUS gets them from) around 2am, 10am and 6pm Eastern time (7am, 3pm and 11pm GMT).

In WSUS, when you approve definitions you are approving both the x86 and x64 versions of the definition set. The following is a list of the files that are downloaded in a normal definition sync by your WSUS server from either MU or an upstream WSUS server. I've also added the size of each download (based on this specific definition version) in the table below.


Definition Update for Microsoft Forefront Client Security (Antimalware 1.51.677.0, x86 Full+Engine): 33.5Mb
Definition Update for Microsoft Forefront Client Security (Antimalware 1.51.677.0, x86 Delta): 1.11Mb
Definition Update for Microsoft Forefront Client Security (Antimalware 1.51.677.0, x86 Binary Delta +Engine): 21.1Mb
Definition Update for Microsoft Forefront Client Security (Antimalware 1.51.677.0, AMD64 Full+Engine): 34.0Mb
Definition Update for Microsoft Forefront Client Security (Antimalware 1.51.677.0, AMD64 Delta): 1.15Mb
Definition Update for Microsoft Forefront Client Security (Antimalware 1.51.677.0, AMD64 Binary Delta +Engine): 21.4Mb

So this amounts to about 112Mb that is synced 3x daily, either from MU to your WSUS server or from upstream to downstream WSUS servers.

As you may have noticed, these three types are a little different than what is available on the Security Portal, so let's break that down some more.

Full+Engine = This set is used for a brand new client that is still at the RTM versions of the definitions/engine. It contains the complete base, the current deltas to that base and this month's engine .dll.

Delta = This is the delta since the last base, and it is what your client machines normally download throughout the month. It's an incremental update on top of the last base that was applied.

Binary Delta +Engine = This is the one you don't see on the Security Portal. This is the more interesting file, and I had to get my Escalation Engineer (Craig Wiand, I told him I would give him mad props here :) ) to explain this one better to me. We apparently use binary delta patching technology here, and this can be used to update a client that has last month's base to the current month's base. Below is a screen shot of the files in this package:

[Screenshot: the files contained in the Binary Delta +Engine package]

The interesting files are the _p files, which are the delta patches to last month's base. Basically, from what I understand, it's a bitmap-level type of differencing file between last month's and this month's bases and engine files that saves some size over actually having to download the complete base. The difference between the normal base and the binary delta is about 13Mb. So basically, if your clients are up to date, then every month when a new engine and base definitions are released, instead of having to download 33Mb they only need to download approximately 21Mb.

That should cover the sizes and how it works :). Now taking this knowledge and applying it to your distributed branch office/WSUS environment with slow WAN links is where things get complicated. Typically you tend to think that having a WSUS server in a small branch office is a good thing (download once, then many clients download locally); however, in FCS definition scenarios it gets touchy. A downstream WSUS server, based on these approximate numbers, will download about 112Mb 3x a day, or 336Mb daily. If I have a branch office of 30 systems with FCS that are keeping up to date regularly, they should download about 30 x daily delta 1.1Mb x 3 times/day = 90Mb. As you can see, for my normal daily routine I would probably be saving 240Mb of downloads by NOT having a WSUS server at this branch. Of course, when the monthly rebasing occurs I would have downloaded 336Mb that day to WSUS, and my clients would have downloaded 30x21Mb for the Binary Delta = 630Mb in one day.

Over the long run in this scenario, strictly based on FCS definitions, I would probably be better off not having a local WSUS server. This is not typically the case though; normally my WSUS server will also be used for all types of other security updates, and you would need some calculations based on average past patch sizes vs. bandwidth savings, etc., which I don't really care to go into and which would vary based on your environment as well.
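To make the branch-office trade-off above concrete, here is a small Python model, added as an example and not part of the original post or of WSUS/FCS itself, that totals monthly WAN traffic for both topologies from the package sizes quoted earlier and finds the client count at which a local WSUS server starts saving bandwidth. It assumes a 30-day month with one rebase day, every client pulling each of the three daily deltas, the x86 package sizes for all clients, and clients pulling only the Binary Delta +Engine package on the rebase day; all of those are assumptions, not figures from the post.

```python
"""Monthly WAN traffic for FCS definitions: local WSUS vs clients pulling from MU."""
from dataclasses import dataclass


@dataclass(frozen=True)
class DefinitionSizes:
    """Approximate sizes in Mb as quoted in the post for version 1.51.677.0."""
    wsus_sync_mb: float = 112.0    # all six packages, x86 + AMD64, per sync
    client_delta_mb: float = 1.11  # x86 Delta package pulled by an up-to-date client
    binary_delta_mb: float = 21.1  # x86 Binary Delta +Engine pulled on rebase day
    syncs_per_day: int = 3         # definition releases per day


def wsus_daily_mb(sizes: DefinitionSizes) -> float:
    """WAN traffic for a downstream WSUS server: it syncs every package every release."""
    return sizes.wsus_sync_mb * sizes.syncs_per_day


def direct_daily_mb(sizes: DefinitionSizes, clients: int, rebase: bool) -> float:
    """WAN traffic when clients pull from MU directly.
    Normal day: each client downloads every delta release.
    Rebase day (assumption): each client downloads only the Binary Delta +Engine."""
    if rebase:
        return clients * sizes.binary_delta_mb
    return clients * sizes.client_delta_mb * sizes.syncs_per_day


def monthly_mb(sizes: DefinitionSizes, clients: int, days: int = 30, rebase_days: int = 1):
    """Return (wsus_total, direct_total) in Mb for one month with `rebase_days` rebases."""
    wsus_total = wsus_daily_mb(sizes) * days
    direct_total = (direct_daily_mb(sizes, clients, False) * (days - rebase_days)
                    + direct_daily_mb(sizes, clients, True) * rebase_days)
    return wsus_total, direct_total


def breakeven_clients(sizes: DefinitionSizes, days: int = 30, rebase_days: int = 1) -> int:
    """Smallest branch size at which a local WSUS server uses no more WAN than direct pulls."""
    clients = 1
    while True:
        wsus_total, direct_total = monthly_mb(sizes, clients, days, rebase_days)
        if direct_total >= wsus_total:
            return clients
        clients += 1


if __name__ == "__main__":
    sizes = DefinitionSizes()
    wsus, direct = monthly_mb(sizes, clients=30)
    print(f"30 clients, 30 days: WSUS {wsus:.0f}Mb vs direct {direct:.0f}Mb")
    print(f"a local WSUS server pays off from {breakeven_clients(sizes)} clients")
```

Replace the DefinitionSizes defaults with the package sizes your own WSUS console reports to rerun the comparison for a current definition version.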