Our office discovered today that internet usage for the month has skyrocketed when compared to the later months of last year. Sometimes this can be attributed to some overzealous Youtube sessions, or a new product release that requires us to download large ISO files. In this particular case the firewall logs indicated that one of the Exchange servers was the biggest culprit.

The Exchange server has downloaded about five times more traffic than it normally downloads in a month, and alarmingly most of it is HTTP traffic rather than SMTP traffic. A quick investigation reveals that the downloads are primarily coming from IP address 207.46.209.247. This turns out to be the IP address known as forefrontdl.microsoft.com, in other words the server that Forefront connects to for engine updates.

Reviewing the active engines on Forefront reveals that all are up to date except for the Kaspersky engine, which has not updated since late December, even though it is enabled for updates. Furthermore, the Application event log has numerous errors in it for Kaspersky downloads.

Event Type: Error
Event Source: GetEngineFiles
Event Category: Engine Error
Event ID: 6014
Date: 6/02/2008
Time: 5:24:45 PM
User: N/A
Computer: SERVER
Description:
Microsoft Forefront Server Security encountered an error while performing a scan engine update.
Scan Engine: Kaspersky5
Update Path: http://forefrontdl.microsoft.com/server/scanengineupdate/x86/Kaspersky5
Proxy Settings: Disabled
Error Code: 0xC0001F58

These errors are appearing every hour, which is the update interval configured in Forefront. You may have guessed by now what is causing our high volume of HTTP downloads.

According to this Microsoft article the root cause of the problem is a change made by Kaspersky to the format of their signature downloads. The Kaspersky engine is one of the engines included with Forefront, and the signatures are downloaded from Microsoft.com. The change has caused a compatibility problem with Forefront due to the way in which Forefront interprets file names that start with a period character.

The result of this incompatibility is that Forefront downloads the latest Kaspersky signature files, tries to move them from a staging area to the correct folder to start using them, fails because it cannot handle a .lock file, and then discards the newly downloaded signature files. Each signature release is about 21 MB in size, and Forefront downloads hourly, so it is downloading 21 MB every hour (or approximately 500 MB per day, or about 15 GB per month).
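As an added example (not from the post), a small Python detector that parses exported GetEngineFiles events in the layout shown above, groups the 6014 errors by engine and error code, and flags any engine failing at a steady interval, reporting the daily download volume that interval implies. The sample events are constructed, and the day/month/year date order is an assumption.

```python
import re
from datetime import datetime
from itertools import groupby
# Constructed sample (not the post's real log): three hourly GetEngineFiles events.
SAMPLE_EVENTS = """\
Event ID: 6014
Date: 6/02/2008
Time: 3:24:45 PM
Scan Engine: Kaspersky5
Error Code: 0xC0001F58

Event ID: 6014
Date: 6/02/2008
Time: 4:24:45 PM
Scan Engine: Kaspersky5
Error Code: 0xC0001F58

Event ID: 6014
Date: 6/02/2008
Time: 5:24:45 PM
Scan Engine: Kaspersky5
Error Code: 0xC0001F58
"""
FIELD = re.compile(r"^(Event ID|Date|Time|Scan Engine|Error Code): (.+)$", re.M)

def parse_events(text):
    """Parse blank-line-separated records, keeping engine-update errors (ID 6014).
    The date is assumed to be day/month/year, as in the post's 6/02/2008."""
    events = []
    for block in text.strip().split("\n\n"):
        f = dict(FIELD.findall(block))
        if f.get("Event ID") != "6014":
            continue
        when = datetime.strptime(f"{f['Date']} {f['Time']}", "%d/%m/%Y %I:%M:%S %p")
        events.append({"engine": f["Scan Engine"], "code": f["Error Code"], "when": when})
    return events

def repeated_failures(events, release_mb=21, min_count=3):
    """Group by engine and error code; report steady-interval repeats (the signature
    of a fetch-and-discard loop) and the daily download volume that interval implies."""
    key = lambda e: (e["engine"], e["code"])
    findings = []
    for (engine, code), grp in groupby(sorted(events, key=lambda e: (key(e), e["when"])), key):
        times = [e["when"] for e in grp]
        if len(times) < min_count:
            continue
        gaps = [(b - a).total_seconds() / 3600 for a, b in zip(times, times[1:])]
        interval = sum(gaps) / len(gaps)
        findings.append({"engine": engine, "code": code, "count": len(times),
                         "interval_hours": round(interval, 2), "mb_per_day": round(24 / interval * release_mb)})
    return findings
```

Run over a real export, a single engine and error code recurring at the configured update interval is the pattern to alert on, with mb_per_day giving a quick check against the firewall's download figures.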

A hotfix is available but in the meantime I am obviously going to disable Kaspersky updates.

It must be Service Pack 1 Week at Microsoft.

Exchange Server 2007 SP1

Service Pack 1 for Exchange Server 2007 has finally gone RTM.  This release includes support for Windows Server 2008, enhanced functionality for Outlook Web Access, new administrative tools for Public Folders, and the new Standby Continuous Replication feature for HA/DR.

A full list of what is new is available here.  Make sure you read the release notes before you deploy as there are some important known issues to consider.

Forefront Security for Exchange Server SP1

This is an important update for Forefront that is primarily delivering compatibility with Windows Server 2008 and Exchange Server 2007 SP1, and a rollup of current hotfixes. One of the great new features is the ability to enter proxy details to download antivirus engine updates during setup. The Forefront team blog has a full writeup here.

If you are currently running FSE on your Exchange 2007 servers and considering upgrading Exchange to SP1, be sure to upgrade FSE first.

MOSS 2007 and WSS 3.0 SP1 Preview

Not to be outdone, the SharePoint team has released a preview into WSS 3.0 SP1 and SharePoint 2007 SP1.  Again this update will provide Windows Server 2008 compatibility, as well as new AJAX enhancements, STSAdm command options, and a rollup of over 60 hotfixes for the WSS and SharePoint products.