How the Microsoft System Center 2012 Endpoint Protection, Forefront Endpoint Protection 2012, and Forefront Client Security Antimalware Services updates the anti-malware engine files and the anti-malware definition files

To stay current with malware threats, the System Center 2012 Endpoint Protection, Forefront Endpoint Protection 2010, and Forefront Client Security Antimalware Services must be updated with new engine files and with new definition update files as they become available. You can perform this update process by using the following methods:

• Microsoft Update or Windows Server Update Services (WSUS) through Automatic Updates
• The stand-alone installer package
• File-copy deployment

When you use Automatic Update or the stand-alone installer, the package is extracted to a temporary directory, and the installer (MpSigStub.exe) is used. The installer verifies that Forefront Client Security, Forefront Endpoint Protection 2010, or System Center 2012 Endpoint Protection is installed, and then the installer signals the service to update itself by using the extracted files.  

When you use the file-copy deployment method, the anti-malware service is notified when the new files are copied into the update folder, and then the service begins the update process.

The update process consists of the following steps:

1. Makes sure that there is only one update occurring at a time.
2. Creates a new update folder that has a unique identifier (GUID) name in the following directory:
   %AllUsersProfile%\Application Data\Microsoft\Microsoft Forefront\Client Security\Client\Antimalware\Definition Updates
3. Copies the new files to this location.
4. Copies files from the current configuration that are newer than the corresponding files in the new location or that are not present in the new location. This enables the delta update scenario.
   
5. Verifies consistency between the engine and the definition files. Also verifies that the new versions are later or equal to the current versions.
6. Copies the current engine and definition files to the following Backup directory:
   
   %AllUsersProfile%\Application Data\Microsoft\Microsoft Forefront\Client Security\Client\Antimalware\Definition Updates\Backup
7. Updates the definition information in the registry. This includes the new location timestamps and the version information.
8. Starts the new engine and begins routing scan requests.
   
9. Unloads the old engine when all active requests for the old engine are completed.
10. Removes the GUID-named directory for the old engine.