DetailPage-MSS-KB

Knowledge Base

Article ID: 953524 - Last Review: August 5, 2013 - Revision: 2.1

INTRODUCTION

This article describes how to deploy Endpoint Protection* definitions by using a file-copy procedure. The Antimalware Service monitors a directory in the file system for new definition files and for new engine files. If valid updates are added to that directory, the Antimalware Service uses the updated versions of these files.

* Endpoint Protection is refered to a Group of the Microsoft Antivirus products and includes:
  • Forefront Client Security
  • Forefront Endpoint Protection 2010
  • System Center Endpoint Protection 2012



More information

If you are an administrator, and you want to update the malware definition files on a client computer, you may want to use a fully updated client computer or extracted installation files as a source. In this situation, you use a file-copy procedure. To support this practice, the Antimalware Service monitors a directory in the file system for new definition files and for new engine files.

If new definition files are added to that directory, the Antimalware Service is notified, and it validates the files to make sure that the following conditions are true:
  • The definition files and the engine files are of the correct architecture. (They are Forefront Client Security-compliant.)
  • The engine matches the definition files.
  • The base definitions match the delta definitions.
  • The currently installed files are not newer than the update files.
If these conditions are true, the Antimalware Service uses the standard update process to install the new files.

For more information, click the following article number to view the article in the Microsoft Knowledge Base:
953523  (http://support.microsoft.com/kb/953523/ ) How the Microsoft System Center 2012 Endpoint Protection, Forefront Endpoint Protection 2012, and Forefront Client Security Antimalware Services updates the anti-malware engine files and the anti-malware definition files
The following directory is monitored on the local computer by the Antimalware Service:

Forefront Client Security:
%ALLUSERSPROFILE%\APPLICATION DATA\MICROSOFT\MICROSOFT FOREFRONT\CLIENT SECURITY\CLIENT\ANTIMALWARE\DEFINITION UPDATES\UPDATES
In Windows 2000, in Windows XP, and in Windows Server 2003, this directory typically expands to the following:
C:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Forefront\Client Security\Client\Antimalware\Definition Updates\Updates
In Windows Vista and in Windows Server 2008, this directory typically expands to the following:
C:\ProgramData\Application Data\Microsoft\Microsoft Forefront\Client Security\Client\Antimalware\Definition Updates\Updates

Forefront Endpoint Protection 2010 and System Center Endpoint Protection 2012:
%ALLUSERSPROFILE%\MICROSOFT\MICROSOFT ANTIMALWARE\DEFINITION UPDATES\UPDATES
n Windows XP, and in Windows Server 2003, this directory typically expands to the following:

C:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Updates
In Windows Vista and in Windows Server 2008, this directory typically expands to the following:

C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\Updates

The Endpoint Protection client supports two kinds of updates.
  • Full update

    A full update includes a new anti-malware engine and copies of the base delta definition files for both antispyware and antivirus functionality.

    These files include the following:
    • Mpasbase.vdm
    • Mpasdlta.vdm
    • Mpavbase.vdm
    • Mpavdlta.vdm
    • Mpengine.dll
  • Delta update

    A delta update includes only those files that are newer on the source computer than the corresponding files on the destination computer. This update may consist of only the antivirus delta files, or it may consist of both the antivirus delta files and the antispyware delta definition files.
A delta update is most easily applied by running a copy command that updates only newer files on the destination computer. For example, you might apply a delta update by running a command that resembles the following:
xcopy /d
Note This method depends on the specific configuration of the destination computer. For example, the Update directory on this computer may not contain any definition files.

The source of the file-copy procedure should be either a downloaded and extracted copy of the definition files or the current active definition files on a fully functional Endpoint Protection client. You can find these files in the following registry subkey:

Forefront Client Security:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Forefront\Client Security\1.0AM\Signature Updates\SignatureLocation
Typically, these files reside in the following directory of this subkey:
%ALLUSERSPROFILE%\APPLICATION DATA\MICROSOFT\MICROSOFT FOREFRONT\CLIENT SECURITY\CLIENT\ANTIMALWARE\DEFINITION UPDATES\{GUID}
Note This path might be slightly different in Windows Vista or in Windows 2008 because on those systems, the system junction points are fully resolved. The {GUID} placeholder represents a generated unique identifier.

Forefront Endpoint Protection 2010 and System Center Endpoint Protection 2012:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Antimalware\Signature Updates\SignatureLocation
Typically, these files reside in the following directory of this subkey:

%ALLUSERSPROFILE%\MICROSOFT\MICROSOFT ANTIMALWARE\DEFINITION UPDATES\{GUID}
Note This path might be slightly different in Windows Vista or in Windows 2008 because on those systems, the system junction points are fully resolved. The {GUID} placeholder represents a generated unique identifier.


You can copy from a local source to a remote destination by running a command that resembles the following:

Forefront Client Security:
xcopy "C:\ProgramData\Application Data\Microsoft\Microsoft Forefront\Client Security\Client\Antimalware\Definition Updates\{F2D379FD-8365-43FD-9850-05DDAD4C4FE6}" "\\server2\c$\ProgramData\Application Data\Microsoft\Microsoft Forefront\Client Security\Client\Antimalware\Definition Updates\Updates" /d


Forefront Endpoint Protection 2010 and System Center Endpoint Protection 2012:
xcopy "C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{F2D379FD-8365-43FD-9850-05DDAD4C4FE6}" "\\server2\c$\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\Updates" /d



Applies to
  • Microsoft Forefront Client Security
  • Microsoft Forefront Endpoint Protection 2010
  • Microsoft System Center 2012 Endpoint Protection
Keywords: 
kbexpertiseinter kbhowto fep2010swept KB953524
Delen
Extra ondersteuningsopties
Microsoft Community Support-forums
Neem rechtstreeks contact met ons op
Een door Microsoft gecertificeerde partner zoeken
Microsoft Store