A customer can download the Forefront endpoint security definition updates by using any of the following three ways:
- Microsoft Update
- Windows Server Update Services
- Manual Download
- File share (Forefront Endpoint Protection only)
Microsoft Update
Microsoft publishes definition updates to Microsoft Update. The Forefront endpoint security agent can download these updates directly from Microsoft by using any one of the following methods:
- Control Panel item for Windows Update.
  In the Windows Update applet, make sure that it shows “You receive updates for Windows and other products from Microsoft Updates.”
- The Microsoft Update Web site.
- Automatically by using the antimalware agent.
- Automatically by using the Automatic Updates process.
There is detection logic associated with each update. This detection logic allows Microsoft Update to determine the current definition updates that are applied to the agent. Microsoft Update uses this information to provide only the definition update package that is most suitable for the agent. For example, an agent that has the up-to-date version of the previously published definition update downloads only a binary differential delta package and does not download the full installation package.
New definition update packages are usually published to Microsoft Update three times per day.
Windows Server Update Services
Microsoft publishes definition updates to Microsoft Update and makes them available to Windows Server Update Services. Forefront endpoint security customers who have implemented Windows Server Update Services can download these updates from Microsoft by synchronizing the Definition Update classification. Agents that report to that Windows Server Update Services server can download the definitions by using any one of the following methods:
- Control Panel item for Windows Update.
- Automatically by using the antimalware agent.
- Automatically by using the Automatic Updates process.
Similar to Microsoft Update, there is detection logic that is associated with each update. This detection logic allows Windows Server Update Services to provide only the definition update package that is most suitable for the agent.
As described in the Rebase definitions section, the content of the base definitions and the engine do not change between rebases. For this reason, the base definitions and the engine are offered to agents once a month. For Windows Server Update Services (WSUS), this ensures that less duplicate data is downloaded with every definition update release. When you view file information in the WSUS administration console, the list contains the packages described in the Recent Definitions section below.
New definition update packages are usually published to Windows Server Update Services three times per day. How soon these updates are available to computers depends on how often the WSUS server synchronizes with Microsoft and on how updates are approved for deployment.
Manual Download
Some definition updates are currently available for manual download from Microsoft at two locations.
The following knowledge base article describes how to manually download the released definitions. These definitions usually correspond to the versions available by using Microsoft Update and by using Windows Server Update Services. Be aware that currently only the full installation packages are available.
935934 How to manually download the latest antimalware definition updates for Microsoft Forefront Client Security
The following knowledge base article describes how to manually download the beta definitions. These definitions are published more frequently and may not correspond to the versions published to Microsoft Update.
939757 How to download the latest beta malicious software definition update for Forefront Client Security
UNC file share
Updating from a file share is done by downloading definitions from one of the sources above, either manually or with a script, and placing them on a file share.
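One way to script the file-share workflow described above, shown as an added example that is not part of the original article or of any Microsoft tooling: it downloads a package to local staging, refuses to publish it unless its Authenticode signature validates, and only then copies it to the share. `$SourceUrl`, `$SharePath`, the `definitions.exe` file name and the `publish.log` audit file are placeholders chosen for illustration.

```powershell
# Added example: stage a manually downloaded definition package on a UNC share.
# $SourceUrl, $SharePath and $PackageName are placeholders, not values from this page.
param(
    [Parameter(Mandatory)] [string] $SourceUrl,   # download link obtained from the KB article
    [Parameter(Mandatory)] [string] $SharePath,   # e.g. \\fileserver\definitions (hypothetical)
    [string] $PackageName = 'definitions.exe'     # hypothetical file name on the share
)

$ErrorActionPreference = 'Stop'
$staging  = Join-Path $env:TEMP ([guid]::NewGuid().ToString())
New-Item -ItemType Directory -Path $staging | Out-Null
$download = Join-Path $staging $PackageName

try {
    # Download to a local staging directory, never directly onto the share.
    Invoke-WebRequest -Uri $SourceUrl -OutFile $download -UseBasicParsing

    # Reject the file unless its Authenticode signature validates.
    $sig = Get-AuthenticodeSignature -FilePath $download
    if ($sig.Status -ne 'Valid') {
        throw "Signature status is '$($sig.Status)'; package not published."
    }
    # Require a Microsoft signer. The subject match is an assumption; pinning the
    # expected certificate thumbprints is a stricter alternative.
    if ($sig.SignerCertificate.Subject -notmatch 'O=Microsoft Corporation') {
        throw "Unexpected signer: $($sig.SignerCertificate.Subject)"
    }

    # Copy under a temporary name, then rename, so agents do not pick up
    # a partially copied file.
    $final = Join-Path $SharePath $PackageName
    $temp  = "$final.partial"
    Copy-Item -Path $download -Destination $temp -Force
    Move-Item -Path $temp -Destination $final -Force

    # Record what was published for later audit.
    $hash = (Get-FileHash -Path $final -Algorithm SHA256).Hash
    "{0:u} {1} SHA256={2} SignerThumbprint={3}" -f (Get-Date), $PackageName, $hash,
        $sig.SignerCertificate.Thumbprint |
        Add-Content -Path (Join-Path $SharePath 'publish.log')
}
finally {
    Remove-Item -Path $staging -Recurse -Force -ErrorAction SilentlyContinue
}
```

Run it under an account that has write access to the share; agents that read from the share need only read access.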
Definition updates
The type of definition update an agent performs is determined by how up-to-date it is with current definitions published by Microsoft. Agents that have updated recently will download and apply only very small changes whereas new agents will need to download the full definition installation to become up-to-date.
New Agents
Description
The full installation is generally only for new antimalware agents or for agents with definitions that have not been updated for more than a month. After download and installation, if computers are kept up-to-date they should not be required to apply the full installation again.
Size
Generally, the size is from 40-70 MB, depending on several factors. These factors include the duration since the last rebase and include the number of changes since the last rebase.
Previous Month
Description
Agents that are using files of the previous month will receive a binary delta update of the engine and base definitions. The binary delta updates contain only the parts of the base files and of the engine files that have changed since the previous version. For more information about the Microsoft binary delta update technology used in this package, view the following TechNet article:
Delta Compression Application Programming Interface
Size
Generally, the size of this installation is from 1-15 MB, depending on several factors. These factors include the duration since the last rebase and include the number of changes since the last rebase. Generally, the size is from 1-8 MB, depending on several factors. These factors include the duration since the last rebase and include the number of changes since the last rebase.
Recent Definitions
Description
The vast majority of definition updates should be applied to agents that are using the engine and base files from the current month. In this situation, only the delta files (MpAvDlta.vdm and MpAsDlta.vdm) need to be updated.
Agents that are using very recent versions of the antimalware definitions will receive binary differential delta updates to the delta files. The delta installation packages use the same binary delta update technology described previously. This technology allows the package to contain only the parts of the delta files that have changed since the previous version. This binary delta update technology helps reduce the size of the update file. This occurs because the update file does not redistribute the parts of the base definition and of the engine files that are currently used by the agent. Microsoft may publish several versions of a binary delta update package. Each binary delta update package contains different content. The goal of publishing multiple package versions is to make sure that agents receive an optimized update for their current update level. Agents that are using the engine and base files from the current month, but have not updated recently enough to be eligible for the smaller delta update, will apply the entire delta files (MpAvDlta.vdm and MpAsDlta.vdm).
Size
Generally, the size ranges of the delta updates are from 50-2048 KB and the entire delta files are from 1-15 MB, depending on several factors. These factors include the duration since the last rebase and include the number of changes since the last rebase.