From the Forefront Server Security blog:

Engine and definition updates for the Computer Associates (CA) InoculateIT engine will end on September 29th, 2008.

On January 16th, 2007, the Computer Associates (CA) InoculateIT engine was combined with the Computer Associates VET engine. Since the engines were merged, Microsoft has continued to provide engine updates for the InoculateIT engine as a courtesy to customers using the engine.

If you are still using the InoculateIT engine for antivirus scanning, you should disable it for all scan jobs and discontinue engine and definition updates for the engine. For information about engine updating, please read our documentation on TechNet.

· For Antigen: http://technet.microsoft.com/en-us/library/bb914037.aspx

· For Forefront for Exchange: http://technet.microsoft.com/en-us/library/bb795083.aspx

· For Forefront for SharePoint: http://technet.microsoft.com/en-us/library/bb795192.aspx

Microsoft have released some great new content on a few of the TechNet blog sites.

Our office discovered today that internet usage for the month has skyrocketed when compared to the later months of last year. Sometimes this can be attributed to some overzealous YouTube sessions, or a new product release that requires us to download large ISO files. In this particular case the firewall logs indicated that one of the Exchange servers was the biggest culprit.

The Exchange server has downloaded about five times more traffic than it normally downloads in a month, and alarmingly most of it is HTTP traffic rather than SMTP traffic. A quick investigation reveals that the downloads are primarily coming from IP address 207.46.209.247. This turns out to be the IP address known as forefrontdl.microsoft.com, in other words the server that Forefront connects to for engine updates.

Reviewing the active engines on Forefront reveals that all are up to date except for the Kaspersky engine, which has not updated since late December, even though it is enabled for updates. Furthermore, the Application event log has numerous errors in it for Kaspersky downloads.

Event Type: Error
Event Source: GetEngineFiles
Event Category: Engine Error
Event ID: 6014
Date: 6/02/2008
Time: 5:24:45 PM
User: N/A
Computer: SERVER
Description:
Microsoft Forefront Server Security encountered an error while performing a scan engine update.
Scan Engine: Kaspersky5
Update Path: http://forefrontdl.microsoft.com/server/scanengineupdate/x86/Kaspersky5
Proxy Settings: Disabled
Error Code: 0xC0001F58

These errors are appearing every hour, which is the update interval configured in Forefront. You may have guessed by now what is causing our high volume of HTTP downloads.

According to this Microsoft article, the root cause of the problem is a change made by Kaspersky to the format of their signature downloads. The Kaspersky engine is one of the engines included with Forefront, and the signatures are downloaded from Microsoft.com. The change has caused a compatibility problem with Forefront due to the way in which Forefront interprets file names that start with a period character.

The result of this incompatibility is that Forefront downloads the latest Kaspersky signature files, tries to move them from a staging area to the correct folder to start using them, fails because it cannot handle a .lock file, and then discards the newly downloaded signature files. Each signature release is about 21 MB in size, and Forefront downloads hourly, so it is downloading 21 MB every hour (or approximately 500 MB per day, or about 15 GB per month).

A hotfix is available but in the meantime I am obviously going to disable Kaspersky updates.
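
An added example, not part of the original post: a small Python check that reads Application log events exported as text in the layout shown above, flags any scan engine whose update fails repeatedly (Event ID 6014 from GetEngineFiles), and estimates the bandwidth wasted. Assumptions: the sample events are constructed, dates are day/month/year, and each logged failure cost one full download of about 21 MB, which matches the failure mode described here but not necessarily other error codes.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the layout of the event shown above (not real log data).
# "ExampleEngine" is a made-up engine name used to show a one-off failure.
SAMPLE = "\n\n".join(
    "Event Source: GetEngineFiles\nEvent ID: 6014\n"
    f"Date: 6/02/2008\nTime: {hour}:24:45 PM\n"
    f"Scan Engine: {engine}\nError Code: 0xC0001F58"
    for hour, engine in [(2, "Kaspersky5"), (3, "Kaspersky5"), (4, "Kaspersky5"),
                         (5, "Kaspersky5"), (5, "ExampleEngine")]
)

def parse_events(text):
    """Split an exported event list into dicts of 'Field: value' pairs."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            # Split on the first colon only, so URLs and times stay intact.
            key, sep, value = line.partition(":")
            if sep:
                fields[key.strip()] = value.strip()
        events.append(fields)
    return events

def failing_engines(events, min_failures=3, mb_per_attempt=21):
    """Return {engine: (failures, span_hours, wasted_mb)} for engines whose
    update failed at least min_failures times."""
    times = defaultdict(list)
    for ev in events:
        if ev.get("Event Source") == "GetEngineFiles" and ev.get("Event ID") == "6014":
            # Assumption: day/month/year with a 12-hour clock, as in the post.
            stamp = datetime.strptime(f"{ev['Date']} {ev['Time']}",
                                      "%d/%m/%Y %I:%M:%S %p")
            times[ev.get("Scan Engine", "unknown")].append(stamp)
    report = {}
    for engine, stamps in times.items():
        if len(stamps) >= min_failures:
            span = (max(stamps) - min(stamps)).total_seconds() / 3600
            # Assumption: every failed attempt downloaded a full signature set.
            report[engine] = (len(stamps), span, len(stamps) * mb_per_attempt)
    return report

if __name__ == "__main__":
    for engine, (count, span, mb) in failing_engines(parse_events(SAMPLE)).items():
        print(f"{engine}: {count} failed updates over {span:.1f} h, ~{mb} MB discarded")
```

A single failure is ignored by the threshold; a steady run of failures at the configured update interval is the pattern that points to downloads being fetched and thrown away.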