Definition updates and performance

Applies To: Forefront Client Security

Malware is a constantly evolving set of threats. For this reason, one of the administrator's most important tools is not just an antimalware solution, but an antimalware solution that is kept up to date. Client Security is kept up to date via definition and engine updates.

Performance concerns

Two variables govern how definition updates affect performance:

  • Size of the updates

  • Frequency of the updates

Both of these concerns pertain directly to the network; the size of the updates affects the bandwidth available to the client system, and the frequency of the updates affects the bandwidth available to the distribution server.


Definition updates are published in two varieties: full engine and definition updates, and delta definition updates. These updates naturally vary in size, depending on the threats added and the updates necessary. The size of definition updates is summarized in the "Network performance factors" section of Impact on server system resources.


You can configure definition updates (via Client Security policy) to occur as often as once per hour. To prevent flooding the distribution server with update requests, Client Security agents use the service start time of the Antimalware service as the starting point for client updates. For example, if the administrator has set a policy for Client Security agents to check for updates once every two hours, then each Client Security agent will check for updates two hours after its service start time, and then every two hours after that. Because no two client computers start the Client Security Antimalware service simultaneously, the update-polling schedule acquires a randomness.