Understanding FEP 2010 Update Rollup 1 Signature Update Policy Settings

In this blog post, I will give more detail on the FEP 2010 Update Rollup 1 signature update policy settings to help you understand what each setting means.

The FEP Policy Properties dialog, Update tab:

 

These settings map to values under the registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Microsoft Antimalware\Signature Updates.

  1. AuGracePeriod: (in minutes) defines the time before virus definitions are considered out of date. If definitions are determined to be out of date, this state may trigger several additional actions, including falling back to an alternative update source or displaying a warning icon in the user interface. If not set, this value defaults to 14 days.
  2. SignatureUpdateInterval: (in hours) defines how frequently the FEP client checks for updates and updates the virus and spyware definitions. If not set, this value defaults to 24 hours.
  3. SignatureUpdateCatchupInterval: (in days) defines the number of days after which a catch-up definition update will be required. If not set, this value defaults to 1 day.
  4. FallBackOrder: This policy setting allows you to define the order in which different definition update sources should be contacted. If you disable or do not configure this setting, definition update sources will be contacted in the default order: { InternalDefinitionUpdateServer | MicrosoftUpdateServer | MMPC }. (MicrosoftUpdateServer - Live MU; MMPC - ADL)

Settings 2, 3 and 4 can also be set through Group Policy (https://technet.microsoft.com/en-us/library/gg412481.aspx).

AuGracePeriod is an attribute only for FEP 2010 Update Rollup 1, and you can set it only through the Configuration Manager UI.

The process:

1. At every SignatureUpdateInterval, the FEP client checks the main definition update source for virus definitions.

If a new definition update is available, the client installs it.

If the current definitions are older than AuGracePeriod, the client checks the alternative definition update sources in the order defined in FallBackOrder.

Note: if you did not specify MicrosoftUpdateServer in FallBackOrder, the FEP client will not fall back to live MU to get virus definitions. If the FEP client has failed to get updates for 14 days, it falls back to MMPC and downloads the full package (~40-70 MB). This is not configurable.

2. If SignatureUpdateCatchupInterval has elapsed since the last check for definition updates, the FEP client checks for definition updates at once.

This can happen in the following scenario: FEP is set to check for updates at 2:00 am every day, but the computer is turned off at night, so it does not check for updates at the scheduled time. If this value is set, the client can still check for updates.
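
To see which values a given client is actually using, the following added example (not part of the original post and not Microsoft's code) reads the four settings from the registry key named above, applies the defaults listed above for anything unset, and flags the FallBackOrder condition from the note. The key path and value names are taken from this post; the value types and the stored format of FallBackOrder are assumptions.

```powershell
# Added example, not from the original post. Key path and value names come from
# the post; value types and the FallBackOrder string format are assumptions.
$key = 'HKLM:\Software\Microsoft\Microsoft Antimalware\Signature Updates'
$defaultOrder = 'InternalDefinitionUpdateServer', 'MicrosoftUpdateServer', 'MMPC'
$props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue

# Return the named registry value, or $null when the key or value is absent.
function Get-Setting([string]$Name) {
    if ($props -and $props.PSObject.Properties[$Name]) { return $props.$Name }
    return $null
}

$grace    = Get-Setting 'AuGracePeriod'                   # minutes
$interval = Get-Setting 'SignatureUpdateInterval'         # hours
$catchup  = Get-Setting 'SignatureUpdateCatchupInterval'  # days
$rawOrder = Get-Setting 'FallBackOrder'

# Apply the defaults the post gives for unset values: 14 days, 24 hours, 1 day.
$graceSpan    = if ($null -ne $grace)    { [TimeSpan]::FromMinutes($grace) }  else { [TimeSpan]::FromDays(14) }
$intervalSpan = if ($null -ne $interval) { [TimeSpan]::FromHours($interval) } else { [TimeSpan]::FromHours(24) }
$catchupSpan  = if ($null -ne $catchup)  { [TimeSpan]::FromDays($catchup) }   else { [TimeSpan]::FromDays(1) }

# Split "{ A | B | C }" into source names; use the default order when unset.
$order = if ($rawOrder) {
    @(($rawOrder -replace '[{}]', '') -split '\|' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
} else { $defaultOrder }

"Definitions out of date after : {0:N1} days" -f $graceSpan.TotalDays
"Scheduled check every         : {0:N0} hours" -f $intervalSpan.TotalHours
"Catch-up check after          : {0:N0} days" -f $catchupSpan.TotalDays
"Fallback order                : {0}" -f ($order -join ' -> ')

# Conditions worth flagging during an audit.
if (-not $props) {
    Write-Warning "Key '$key' not found: every value shown above is a default."
}
if ($order -notcontains 'MicrosoftUpdateServer') {
    Write-Warning 'MicrosoftUpdateServer is not in FallBackOrder: the client will not fall back to Microsoft Update.'
}
```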