Forefront Security for Exchange Server Best Practices - Updating engines


Applies to: Forefront Security for Exchange Server

It is recommended that you use the UNC method of updating your scan engines. That is, have one or two servers ("hubs") receive updates from the Microsoft HTTP server and then share those updates among the rest of the servers ("spokes") in your environment, whose network update paths point to those servers. This can save greatly on Internet bandwidth and make your updates quicker and more efficient. By using two hub servers instead of one, you can avoid a single point of failure, should one of the hub servers experience problems.


Both nodes of a CCR cluster server are configured as redistribution servers and must continue to have that configuration option selected.

To use the UNC updating method, see the "File Scanner Updating" chapter of the "Forefront Security for Exchange Server User Guide".

Updates should be staggered across an environment so that the Edge layer updates its engines first, with the back-end servers updating their engines later in the hour. Then, if an update causes unexpected behavior, you have the time interval you specified (for example, 30 minutes) to keep the problematic update from reaching the back-end servers. It is recommended that you stagger updates a minimum of 15 minutes apart.

Be aware of the specifics of the engines you are using. Some virus labs routinely release signatures more frequently than others, although all labs respond to a major outbreak with more frequent updates. The update schedule for any engine that updates more frequently than others should be set accordingly.

Even if you are not using a particular engine, you should update it once a day so that if you need to activate it, the signatures will be up to date.
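
The recommendations above (two hubs, Edge before back end with at least 15 minutes between them, every engine updated at least daily) can be checked against a written-down update plan. The following is an added example, not part of the original guidance or of the product: the plan layout, server names and engine names are constructed, and it assumes each server updates hourly at a fixed minute.

```python
# Added example: the plan layout and all names are constructed for illustration.
PLAN = {
    "hubs": ["HUB01"],                       # servers that pull from Microsoft over HTTP
    "servers": [                             # minute of the hour each server updates
        {"name": "EDGE01", "tier": "edge", "minute": 0},
        {"name": "EDGE02", "tier": "edge", "minute": 10},
        {"name": "MBX01", "tier": "backend", "minute": 20},
        {"name": "MBX02", "tier": "backend", "minute": 40},
    ],
    "engines": [                             # hours between scheduled updates
        {"name": "EngineA", "in_use": True, "interval_hours": 1},
        {"name": "EngineB", "in_use": False, "interval_hours": 72},
    ],
}

MIN_STAGGER_MINUTES = 15   # minimum stagger recommended on this page
MAX_INTERVAL_HOURS = 24    # every engine, used or not, at least once a day


def lint_update_plan(plan):
    """Return (subject, issue) pairs for each recommendation the plan misses."""
    findings = []
    if len(set(plan["hubs"])) < 2:
        findings.append(("hubs", "single point of failure"))

    # Measure each back-end server against the last Edge server to update.
    edge = [s["minute"] for s in plan["servers"] if s["tier"] == "edge"]
    if edge:
        last_edge = max(edge)
        for s in plan["servers"]:
            if s["tier"] != "backend":
                continue
            gap = s["minute"] - last_edge
            if gap <= 0:
                findings.append((s["name"], "updates before or with the Edge layer"))
            elif gap < MIN_STAGGER_MINUTES:
                findings.append((s["name"], f"only {gap} min after the Edge layer"))

    for e in plan["engines"]:
        if e["interval_hours"] > MAX_INTERVAL_HOURS:
            state = "active" if e["in_use"] else "inactive"
            findings.append((e["name"], f"{state} engine updated less than daily"))
    return findings


if __name__ == "__main__":
    for subject, issue in lint_update_plan(PLAN):
        print(f"{subject}: {issue}")
```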