Our office discovered today that internet usage for the month has skyrocketed compared to the latter months of last year. Sometimes this can be attributed to some overzealous YouTube sessions, or a new product release that requires us to download large ISO files. In this particular case the firewall logs indicated that one of the Exchange servers was the biggest culprit.
The Exchange server has downloaded about five times more traffic than it normally downloads in a month, and alarmingly most of it is HTTP traffic rather than SMTP traffic. A quick investigation reveals that the downloads are primarily coming from IP address 207.46.209.247. This turns out to be the IP address known as forefrontdl.microsoft.com, in other words the server that Forefront connects to for engine updates.
Reviewing the active engines on Forefront reveals that all are up to date except for the Kaspersky engine, which has not updated since late December, even though it is enabled for updates. Furthermore, the Application event log has numerous errors in it for Kaspersky downloads.
Event Type: Error
Event Source: GetEngineFiles
Event Category: Engine Error
Event ID: 6014
Date: 6/02/2008
Time: 5:24:45 PM
User: N/A
Computer: SERVER
Description:
Microsoft Forefront Server Security encountered an error while performing a scan engine update.
Scan Engine: Kaspersky5
Update Path: http://forefrontdl.microsoft.com/server/scanengineupdate/x86/Kaspersky5
Proxy Settings: Disabled
Error Code: 0xC0001F58
These errors are appearing every hour, which is the update interval configured in Forefront. You may have guessed by now what is causing our high volume of HTTP downloads.
According to this Microsoft article the root cause of the problem is a change made by Kaspersky to the format of their signature downloads. The Kaspersky engine is one of the engines included with Forefront, and the signatures are downloaded from Microsoft.com. The change has caused a compatibility problem with Forefront due to the way in which Forefront interprets file names that start with a period character.
The result of this incompatibility is that Forefront downloads the latest Kaspersky signature files, tries to move them from a staging area to the correct folder to start using them, fails because it cannot handle a .lock file, and then discards the newly downloaded signature files. Each signature release is about 21 MB in size, and Forefront downloads hourly, so it is downloading 21 MB every hour (or approximately 500 MB per day, or about 15 GB per month).
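The pattern is easy to spot once the 6014 errors are counted per engine rather than read one at a time. The following Python snippet is an added example, not code from the original post or from Microsoft: it parses Application-log records exported in the "Key: Value" text layout quoted above, flags engines whose update keeps failing, and turns the count into the download volume already discarded, using the 21 MB figure from the post. The sample records are constructed and abbreviated, the ExampleService entry is hypothetical, and the failure threshold is an assumption.

```python
import re
from collections import defaultdict
# Constructed sample (not a real export): abbreviated records in the "Key: Value" layout the post quotes.
SAMPLE_LOG = """\
Event Source: GetEngineFiles
Event ID: 6014
Time: 4:24:45 PM
Scan Engine: Kaspersky5
Error Code: 0xC0001F58

Event Source: ExampleService
Event ID: 1000

Event Source: GetEngineFiles
Event ID: 6014
Time: 5:24:45 PM
Scan Engine: Kaspersky5
Error Code: 0xC0001F58
"""
UPDATE_FAILURE = ("GetEngineFiles", "6014")  # source and event ID from the post
SIGNATURE_SIZE_MB = 21                        # one discarded download, per the post
def parse_records(text):
    """Split exported event text into one dict per blank-line-separated record."""
    records = []
    for chunk in re.split(r"\n\s*\n", text.strip()):
        rec = {}
        for line in chunk.splitlines():
            key, sep, value = line.partition(":")  # first colon only, so times survive
            if sep:
                rec[key.strip()] = value.strip()
        records.append(rec)
    return records

def failed_updates_by_engine(text):
    """Count engine-update failures (GetEngineFiles / 6014) per scan engine."""
    counts = defaultdict(int)
    for rec in parse_records(text):
        if (rec.get("Event Source"), rec.get("Event ID")) == UPDATE_FAILURE:
            counts[rec.get("Scan Engine", "unknown")] += 1
    return dict(counts)

def report(text, threshold=2):
    """Engines failing at least `threshold` times, mapped to MB already discarded."""
    return {eng: n * SIGNATURE_SIZE_MB
            for eng, n in failed_updates_by_engine(text).items() if n >= threshold}

def projected_waste_mb(interval_hours=1, days=30):
    """What a stuck engine will keep downloading: one full signature set per interval."""
    return 24 // interval_hours * days * SIGNATURE_SIZE_MB
```

With the post's hourly interval, projected_waste_mb() reproduces the roughly 15 GB per month the author calculated.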
A hotfix is available but in the meantime I am obviously going to disable Kaspersky updates.

May 26th, 2008 at 11:49 pm
I can confirm this. Was strange how it was showing as http traffic for me as well. Blocked this IP for the customer… and the excess traffic went away.