Endpoint Protection Signature Updates taking up Terabytes of Internet Data

I have my antimalware policy set up as below. I've been looking at web traffic reports on our firewalls and I can see that, as of mid-December, a lot of clients are going to the internet for their EP definition updates. In January alone, client machines used up 44 TB of data going to download.windowsupdate.com for updates.

I don't really understand why as my policy says not to even use Microsoft Update as a source at all.

What I've noticed on the firewall reports is that Monday resulted in literally 100 times more traffic than Wednesday, which led me to think it might have something to do with the "If configuration manager is used as a source for definition updates ...." setting. This setting has a default value of 72 hours, so if a client gets an update at 8 am on Friday morning, then is turned off on Friday afternoon for the weekend and doesn't get turned on until 9 am on Monday morning, this would mean it hasn't had an update in 73 hours.

What happens at this point? It looks like the client goes to download.windowsupdate.com even when the policy says not to. It also looks like it doesn't first check for updates from Config Manager before it does this.

Another thing that doesn't make much sense is that this only started happening mid-December and I had been using SCCM for EP updates for nearly two months by that time.

Any ideas?

March 12th, 2014 1:57am

Do you have an automatic deployment rule set up to deploy EP definitions? Does it show a current successful status? If, for some reason, it started failing in December, that might explain why your clients are no longer getting definition updates through ConfigMgr.
March 12th, 2014 10:08am

I have several ADRs set up targeting different collections. They all seem to be working OK.

What I have noted by watching the deployment compliance of my EP ADRs throughout the day is that at the beginning of the day there are quite a high number of PCs reporting errors, and as the day goes by those numbers drop to nearly nothing. I'm suspecting that is because the PC can't update at first, then goes off to the internet to update and then reports its compliance as OK.

I'm still utterly confused why the PCs are going to the internet in the first place if my policy has ONLY Config Manager set as the update s

March 12th, 2014 3:28pm

Hi,

Please make sure the FallbackOrder registry key in HKLM\Software\Policies\Microsoft\Microsoft Antimalware\Signature Updates is right. And check WUAHandler.log and WindowsUpdate.log to see whether there is any useful information.

Best Regards,

Joyce Li

March 12th, 2014 11:53pm

There is no value in that registry key.

However, I have noticed that my ADRs have the below setting. I'm not sure what will happen with this setting enabled when I have no fallback locations configured.

Here are some logs of a typical PC going to the internet for updates - remember not all PCs are doing this.

From the mplogxxxx.log below you can see the EP client starting up at 23:50 UTC with version 1.67.1843.0 signatures installed. This version is out of date.

**************************END RTP Perf Log*************************
 
 
2014-03-16T23:50:33.339Z Verifying license file...
2014-03-16T23:50:33.339Z verified!
2014-03-16T23:50:33.339Z Product supports installmode: 0
2014-03-16T23:50:33.620Z Auto purger task is scheduled to run in 600000(ms) from now with period 86400000(ms)
Product Version: 4.4.304.0
Service Version: 4.4.304.0
Engine Version: 1.1.10302.0
AS Signature Version: 1.167.1843.0
AV Signature Version: 1.167.1843.0
************************************************************
2014-03-16T23:51:24.971Z Process scan (poststartupscan) started.
2014-03-16T23:51:26.572Z Process scan (poststartupscan) completed.
2014-03-16T23:53:05.128Z IWscAVStatus::UpdateStatus() succceeded writing instance with state (1) and up-to-date state(1)
2014-03-16T23:53:05.128Z IWscASStatus::UpdateStatus() succceeded writing instance with state (1) and up-to-date state(1)
2014-03-16T23:57:58.214Z Task(SpyNetService -RestrictPrivileges -AccessKey 613C3C1F-F85A-BCED-39AF-C0B481FC03E0) launched
2014-03-17T00:00:31.917Z Task(Scan -ScheduleJob -RestrictPrivileges) is scheduled to run in 604800000(ms) from now with period 190246545(ms)
2014-03-17T00:00:31.917Z Task(SignatureUpdate -ScheduleJob -RestrictPrivileges) is scheduled to run in 86400000(ms) from now with period 1454570(ms)
2014-03-17T00:00:31.918Z Task(Scan -ScheduleJob -RestrictPrivileges -ScanType 2) is scheduled to run in 86400000(ms) from now with period 65506808(ms)
2014-03-17T00:00:32.197Z AutoPurgeWorker triggered with dwWork=0x3
2014-03-17T00:00:32.197Z Product supports installmode: 0
==========================================================================

A few minutes later, at 23:55 (07:53 local time), the below happens in the WindowsUpdate.log, where you can clearly see the client downloading the latest signatures from download.windowsupdate.com (I've removed some of the rows where the WU engine goes through all the updates to get under the 60,000 character limit).

================================================================

2014-03-17    07:53:03:403     452    1398    Misc    ===========  Logging initialized (build: 7.6.7600.256, tz: +0800)  ===========
2014-03-17    07:53:03:465     452    1398    Misc      = Process: C:\windows\system32\svchost.exe
2014-03-17    07:53:03:480     452    1398    Misc      = Module: c:\windows\system32\wuaueng.dll
2014-03-17    07:53:03:403     452    1398    Service    *************
2014-03-17    07:53:03:480     452    1398    Service    ** START **  Service: Service startup
2014-03-17    07:53:03:480     452    1398    Service    *********
2014-03-17    07:53:04:351     452    1398    Agent      * WU client version 7.6.7600.256
2014-03-17    07:53:04:351     452    1398    Agent      * Base directory: C:\windows\SoftwareDistribution
2014-03-17    07:53:04:351     452    1398    Agent      * Access type: No proxy
2014-03-17    07:53:04:366     452    1398    Agent      * Network state: Connected
2014-03-17    07:53:17:688     452    bf4    Report    CWERReporter::Init succeeded
2014-03-17    07:53:17:688     452    bf4    Agent    ***********  Agent: Initializing Windows Update Agent  ***********
2014-03-17    07:53:17:688     452    bf4    Agent    ***********  Agent: Initializing global settings cache  ***********
2014-03-17    07:53:17:688     452    bf4    Agent      * WSUS server: HTTP://mySiteServer.domain.GLOBAL:8530
2014-03-17    07:53:17:688     452    bf4    Agent      * WSUS status server: HTTP://mySiteServer.domain.GLOBAL:8530
2014-03-17    07:53:17:688     452    bf4    Agent      * Target group: (Unassigned Computers)
2014-03-17    07:53:17:688     452    bf4    Agent      * Windows Update access disabled: No
2014-03-17    07:53:17:719     452    bf4    DnldMgr    Download manager restoring 0 downloads
2014-03-17    07:53:18:045     452    1398    Report    ***********  Report: Initializing static reporting data  ***********
2014-03-17    07:53:18:045     452    1398    Report      * OS Version = 6.1.7601.1.0.65792
2014-03-17    07:53:18:045     452    1398    Report      * OS Product Type = 0x00000004
2014-03-17    07:53:18:061     452    1398    Report      * Computer Brand = Hewlett-Packard
2014-03-17    07:53:18:061     452    1398    Report      * Computer Model = HP Z210 Workstation
2014-03-17    07:53:18:061     452    1398    Report      * Bios Revision = J51 v01.20
2014-03-17    07:53:18:061     452    1398    Report      * Bios Name = Default System BIOS
2014-03-17    07:53:18:061     452    1398    Report      * Bios Release Date = 2011-09-16T00:00:00
2014-03-17    07:53:18:061     452    1398    Report      * Locale ID = 3081
2014-03-17    07:53:23:144     452    9fc    Report    CWERReporter finishing event handling. (00000000)
2014-03-17    07:53:23:362    4672    a50    Misc    ===========  Logging initialized (build: 7.6.7600.256, tz: +0800)  ===========
2014-03-17    07:53:23:362    4672    a50    Misc      = Process: C:\windows\CCM\CcmExec.exe
2014-03-17    07:53:23:362    4672    a50    Misc      = Module: C:\Windows\system32\wuapi.dll
2014-03-17    07:53:23:362    4672    a50    COMAPI    -------------
2014-03-17    07:53:23:362    4672    a50    COMAPI    -- START --  COMAPI: Search [ClientId = CcmExec]
2014-03-17    07:53:23:362    4672    a50    COMAPI    ---------
2014-03-17    07:53:23:470     452    9fc    Agent    *************
2014-03-17    07:53:23:470     452    9fc    Agent    ** START **  Agent: Finding updates [CallerId = CcmExec]
2014-03-17    07:53:23:470     452    9fc    Agent    *********
2014-03-17    07:53:23:470    4672    a50    COMAPI    <<-- SUBMITTED -- COMAPI: Search [ClientId = CcmExec]
2014-03-17    07:53:23:470     452    9fc    Agent      * Include potentially superseded updates
2014-03-17    07:53:23:470     452    9fc    Agent      * Online = No; Ignore download priority = Yes
2014-03-17    07:53:23:470     452    9fc    Agent      * Criteria = "((DeploymentAction=* AND Type='Software' AND CategoryIDs contains 'E6CF1350-C01B-414D-A61F-263D14D133B4'))"
2014-03-17    07:53:23:470     452    9fc    Agent      * ServiceID = {3DA21691-E39D-4DA6-8A4B-B43877BCB1B7} Managed
2014-03-17    07:53:23:470     452    9fc    Agent      * Search Scope = {Machine}
2014-03-17    07:53:50:191     452    1398    AU    ###########  AU: Initializing Automatic Updates  ###########
2014-03-17    07:53:50:378     452    1398    AU    AU setting next sqm report timeout to 2014-03-16 23:53:50
2014-03-17    07:53:50:378     452    1398    AU      # AU disabled through Policy
2014-03-17    07:53:50:378     452    1398    AU      # Will interact with non-admins (Non-admins are elevated (User preference))
2014-03-17    07:53:50:409     452    1398    AU    Initializing featured updates
2014-03-17    07:53:50:409     452    1398    AU    Found 0 cached featured updates
2014-03-17    07:53:50:409     452    1398    AU    Successfully wrote event for AU health state:0
2014-03-17    07:53:50:409     452    1398    AU    Successfully wrote event for AU health state:0
2014-03-17    07:53:50:409     452    1398    AU    AU finished delayed initialization
2014-03-17    07:53:50:409     452    1398    AU    AU setting next sqm report timeout to 2014-03-17 23:53:50

2014-03-17    07:55:40:569     452    9fc    Agent    *************
2014-03-17    07:55:40:591     452    9fc    Report    CWERReporter finishing event handling. (00000000)
2014-03-17    07:55:40:592    4672    e6c    COMAPI    >>--  RESUMED  -- COMAPI: Search [ClientId = CcmExec]
2014-03-17    07:55:40:936    4672    e6c    COMAPI      - Updates found = 96
2014-03-17    07:55:40:936    4672    e6c    COMAPI    ---------
2014-03-17    07:55:40:936    4672    e6c    COMAPI    --  END  --  COMAPI: Search [ClientId = CcmExec]
2014-03-17    07:55:40:936    4672    e6c    COMAPI    -------------
2014-03-17    07:56:38:889    4672    1534    COMAPI    -------------
2014-03-17    07:56:38:889    4672    1534    COMAPI    -- START --  COMAPI: Search [ClientId = CcmExec]
2014-03-17    07:56:38:889    4672    1534    COMAPI    ---------
2014-03-17    07:56:38:891     452    9fc    Agent    *************
2014-03-17    07:56:38:891     452    9fc    Agent    ** START **  Agent: Finding updates [CallerId = CcmExec]
2014-03-17    07:56:38:891     452    9fc    Agent    *********
2014-03-17    07:56:38:891    4672    1534    COMAPI    <<-- SUBMITTED -- COMAPI: Search [ClientId = CcmExec]
2014-03-17    07:56:38:891     452    9fc    Agent      * Include potentially superseded updates
2014-03-17    07:56:38:891     452    9fc    Agent      * Online = No; Ignore download priority = Yes
2014-03-17    07:56:38:891     452    9fc    Agent      * Criteria = "((DeploymentAction=* AND Type='Software' AND CategoryIDs contains 'E6CF1350-C01B-414D-A61F-263D14D133B4'))"
2014-03-17    07:56:38:891     452    9fc    Agent      * ServiceID = {3DA21691-E39D-4DA6-8A4B-B43877BCB1B7} Managed
2014-03-17    07:56:38:891     452    9fc    Agent      * Search Scope = {Machine}
279C58FA-1C7C-41B2-81F5-F9D92DD1D8E6}.200 to search result
2014-03-17    07:56:46:433     452    9fc    Agent      * Added update {B1D0B8FF-1023-438F-BE07-CD893F229A68}.200 to search result
2014-03-17    07:56:46:462     452    9fc    Agent      * Found 96 updates and 10 categories in search; evaluated appl. rules of 1952 out of 3516 deployed entities
2014-03-17    07:56:46:463     452    9fc    Agent    *********
2014-03-17    07:56:46:463     452    9fc    Agent    **  END  **  Agent: Finding updates [CallerId = CcmExec]
2014-03-17    07:56:46:463     452    9fc    Agent    *************
2014-03-17    07:56:46:488    4672    a34    COMAPI    >>--  RESUMED  -- COMAPI: Search [ClientId = CcmExec]
2014-03-17    07:56:46:515    4672    a34    COMAPI      - Updates found = 96
2014-03-17    07:56:46:515    4672    a34    COMAPI    ---------
2014-03-17    07:56:46:515    4672    a34    COMAPI    --  END  --  COMAPI: Search [ClientId = CcmExec]
2014-03-17    07:56:46:515    4672    a34    COMAPI    -------------
2014-03-17    07:59:28:666    4672    1ba0    COMAPI    -------------
2014-03-17    07:59:28:666    4672    1ba0    COMAPI    -- START --  COMAPI: Search [ClientId = CcmExec]
2014-03-17    07:59:28:666    4672    1ba0    COMAPI    ---------
2014-03-17    07:59:28:668    4672    1ba0    COMAPI    <<-- SUBMITTED -- COMAPI: Search [ClientId = CcmExec]
2014-03-17    07:59:28:668     452    9fc    Agent    *************
2014-03-17    07:59:28:668     452    9fc    Agent    ** START **  Agent: Finding updates [CallerId = CcmExec]
2014-03-17    07:59:28:668     452    9fc    Agent    *********
2014-03-17    07:59:28:668     452    9fc    Agent      * Include potentially superseded updates
2014-03-17    07:59:28:668     452    9fc    Agent      * Online = Yes; Ignore download priority = Yes
2014-03-17    07:59:28:668     452    9fc    Agent      * Criteria = "((DeploymentAction=* AND Type='Software' AND CategoryIDs contains 'A38C835C-2950-4E87-86CC-6911A52C34A3'))"
2014-03-17    07:59:28:668     452    9fc    Agent      * ServiceID = {3DA21691-E39D-4DA6-8A4B-B43877BCB1B7} Managed
2014-03-17    07:59:28:668     452    9fc    Agent      * Search Scope = {Machine}
2014-03-17    07:59:28:755     452    9fc    PT    WARNING: Cached cookie has expired or new PID is available
2014-03-17    07:59:28:755     452    9fc    PT    Initializing simple targeting cookie, clientId = 553c311c-66c6-4896-a549-521f549398a5, target group = , DNS name = mySiteServer.domain.global
2014-03-17    07:59:28:755     452    9fc    PT      Server URL = HTTP://mySiteServer.domain.GLOBAL:8530/SimpleAuthWebService/SimpleAuth.asmx
2014-03-17    07:59:29:227     452    9fc    PT    +++++++++++  PT: Starting category scan  +++++++++++
2014-03-17    07:59:29:227     452    9fc    PT      + ServiceId = {3DA21691-E39D-4DA6-8A4B-B43877BCB1B7}, Server URL = HTTP://mySiteServer.domain.GLOBAL:8530/ClientWebService/client.asmx
2014-03-17    07:59:29:406     452    9fc    PT    +++++++++++  PT: Synchronizing server updates  +++++++++++
2014-03-17    07:59:29:406     452    9fc    PT      + ServiceId = {3DA21691-E39D-4DA6-8A4B-B43877BCB1B7}, Server URL = HTTP://mySiteServer.domain.GLOBAL:8530/ClientWebService/client.asmx
2014-03-17    07:59:30:089     452    9fc    PT    +++++++++++  PT: Synchronizing extended update info  +++++++++++
2014-03-17    07:59:30:089     452    9fc    PT      + ServiceId = {3DA21691-E39D-4DA6-8A4B-B43877BCB1B7}, Server URL = HTTP://mySiteServer.domain.GLOBAL:8530/ClientWebService/client.asmx
2014-03-17    07:59:55:387    4672    1534    COMAPI    ---------
2014-03-17    07:59:55:388    4672    1534    COMAPI    <<-- SUBMITTED -- COMAPI: Search [ClientId = CcmExec]
2014-03-17    07:59:55:388     452    9fc    Agent    *************
2014-03-17    07:59:55:388     452    9fc    Agent    ** START **  Agent: Finding updates [CallerId = CcmExec]
2014-03-17    07:59:55:388     452    9fc    Agent    *********
2014-03-17    07:59:55:388     452    9fc    Agent      * Include potentially superseded updates
2014-03-17    07:59:55:388     452    9fc    Agent      * Online = Yes; Ignore download priority = Yes
2014-03-17    07:59:55:388     452    9fc    Agent      * Criteria = "((DeploymentAction=* AND Type='Software' AND CategoryIDs contains 'E0789628-CE08-4437-BE74-2495B842F43B'))"
2014-03-17    07:59:55:389     452    9fc    Agent      * ServiceID = {3DA21691-E39D-4DA6-8A4B-B43877BCB1B7} Managed
2014-03-17    07:59:55:389     452    9fc    Agent      * Search Scope = {Machine}
2014-03-17    07:59:55:433     452    9fc    PT    +++++++++++  PT: Starting category scan  +++++++++++
2014-03-17    07:59:55:433     452    9fc    PT      + ServiceId = {3DA21691-E39D-4DA6-8A4B-B43877BCB1B7}, Server URL = HTTP://mySiteServer.domain.GLOBAL:8530/ClientWebService/client.asmx
2014-03-17    08:00:02:360     452    9fc    PT    +++++++++++  PT: Synchronizing server updates  +++++++++++
2014-03-17    08:00:02:360     452    9fc    PT      + ServiceId = {3DA21691-E39D-4DA6-8A4B-B43877BCB1B7}, Server URL = HTTP://mySiteServer.domain.GLOBAL:8530/ClientWebService/client.asmx
2014-03-17    08:00:16:100     452    9fc    Agent    WARNING: Failed to evaluate Installed rule, updateId = {189A8F50-0C3A-4FDF-8BC2-BC23A3EB11FB}.101, hr = 80242013
2014-03-17    08:00:18:951     452    9fc    PT    +++++++++++  PT: Synchronizing extended update info  +++++++++++
2014-03-17    08:00:18:951     452    9fc    PT      + ServiceId = {3DA21691-E39D-4DA6-8A4B-B43877BCB1B7}, Server URL = HTTP://mySiteServer.domain.GLOBAL:8530/ClientWebService/client.asmx
2014-03-17    08:00:19:974     452    1398    AU    Can not perform non-interactive scan if AU is interactive-only

2014-03-17    08:00:19:979     452    9fc    Agent    *************
2014-03-17    08:00:20:008     452    9fc    Report    REPORT EVENT: {B2A79652-BABC-46DE-B505-B6CB6D5CD9A8}    2014-03-17 08:00:19:978+0800    1    147    101    {00000000-0000-0000-0000-000000000000}    0    0    CcmExec    Success    Software Synchronization    Windows Update Client successfully detected 12 updates.
2014-03-17    08:00:20:008     452    9fc    Report    CWERReporter finishing event handling. (00000000)
2014-03-17    08:00:20:008    4672    1534    COMAPI    >>--  RESUMED  -- COMAPI: Search [ClientId = CcmExec]
2014-03-17    08:00:20:013    4672    1534    COMAPI      - Updates found = 12
2014-03-17    08:00:20:013    4672    1534    COMAPI    ---------
2014-03-17    08:00:20:013    4672    1534    COMAPI    --  END  --  COMAPI: Search [ClientId = CcmExec]
2014-03-17    08:00:20:013    4672    1534    COMAPI    -------------
2014-03-17    08:00:24:973     452    9fc    Report    CWERReporter finishing event handling. (00000000)
2014-03-17    08:24:46:620    5620    1890    Misc    ===========  Logging initialized (build: 7.6.7600.256, tz: +0800)  ===========
2014-03-17    08:24:46:620    5620    1890    Misc      = Process: c:\Program Files\Microsoft Security Client\MpCmdRun.exe
2014-03-17    08:24:46:620    5620    1890    Misc      = Module: C:\Windows\system32\wuapi.dll
2014-03-17    08:24:46:620    5620    1890    COMAPI    -------------
2014-03-17    08:24:46:620    5620    1890    COMAPI    -- START --  COMAPI: Search [ClientId = System Center Endpoint Protection (DDEFDD14-250E-4DC8-A0B3-9D667EC5D8EB)]
2014-03-17    08:24:46:620    5620    1890    COMAPI    ---------
2014-03-17    08:24:46:623    5620    1890    COMAPI    <<-- SUBMITTED -- COMAPI: Search [ClientId = System Center Endpoint Protection (DDEFDD14-250E-4DC8-A0B3-9D667EC5D8EB)]
2014-03-17    08:24:46:623     452    1a78    Agent    *************
2014-03-17    08:24:46:623     452    1a78    Agent    ** START **  Agent: Finding updates [CallerId = System Center Endpoint Protection (DDEFDD14-250E-4DC8-A0B3-9D667EC5D8EB)]
2014-03-17    08:24:46:623     452    1a78    Agent    *********
2014-03-17    08:24:46:623     452    1a78    Agent      * Online = Yes; Ignore download priority = No
2014-03-17    08:24:46:623     452    1a78    Agent      * Criteria = "(IsInstalled = 0 and IsHidden = 0 and CategoryIDs contains 'a38c835c-2950-4e87-86cc-6911a52c34a3' and CategoryIDs contains 'e0789628-ce08-4437-be74-2495b842f43b')"
2014-03-17    08:24:46:623     452    1a78    Agent      * ServiceID = {7971F918-A847-4430-9279-4A52D1EFE18D} Third party service
2014-03-17    08:24:46:623     452    1a78    Agent      * Search Scope = {Machine}
2014-03-17    08:24:46:657     452    1a78    Misc    Validating signature for C:\windows\SoftwareDistribution\WuRedir\9482F4B4-E343-43B6-B170-9A65BC822C77\muv4wuredir.cab:
2014-03-17    08:24:46:706     452    1a78    Misc     Microsoft signed: Yes
2014-03-17    08:24:48:018     452    1a78    Misc    Validating signature for C:\windows\SoftwareDistribution\WuRedir\9482F4B4-E343-43B6-B170-9A65BC822C77\muv4wuredir.cab:
2014-03-17    08:24:48:025     452    1a78    Misc     Microsoft signed: Yes
2014-03-17    08:24:48:073     452    1a78    Agent    Checking for updated auth cab for service 7971f918-a847-4430-9279-4a52d1efe18d at http://ds.download.windowsupdate.com/v10/1/microsoftupdate/redir/muauth.cab
2014-03-17    08:24:48:073     452    1a78    Misc    Validating signature for C:\windows\SoftwareDistribution\AuthCabs\authcab.cab:
2014-03-17    08:24:48:083     452    1a78    Misc     Microsoft signed: Yes
2014-03-17    08:24:48:644     452    1a78    Misc    Validating signature for C:\windows\SoftwareDistribution\AuthCabs\authcab.cab:
2014-03-17    08:24:48:650     452    1a78    Misc     Microsoft signed: Yes
2014-03-17    08:24:48:755     452    1a78    Misc    Validating signature for C:\windows\SoftwareDistribution\WuRedir\7971F918-A847-4430-9279-4A52D1EFE18D\muredir.cab:
2014-03-17    08:24:48:762     452    1a78    Misc     Microsoft signed: Yes
2014-03-17    08:24:49:139     452    1a78    Misc    Validating signature for C:\windows\SoftwareDistribution\WuRedir\7971F918-A847-4430-9279-4A52D1EFE18D\muredir.cab:
2014-03-17    08:24:49:146     452    1a78    Misc     Microsoft signed: Yes
2014-03-17    08:24:49:156     452    1a78    PT    WARNING: Cached cookie has expired or new PID is available
2014-03-17    08:24:51:859     452    1a78    PT    +++++++++++  PT: Starting category scan  +++++++++++
2014-03-17    08:24:51:860     452    1a78    PT      + ServiceId = {7971F918-A847-4430-9279-4A52D1EFE18D}, Server URL = https://update.microsoft.com/v6/ClientWebService/client.asmx
2014-03-17    08:24:52:293     452    1a78    Misc    Validating signature for C:\windows\SoftwareDistribution\WuRedir\7971F918-A847-4430-9279-4A52D1EFE18D\muredir.cab:
2014-03-17    08:24:52:296     452    1a78    Misc     Microsoft signed: Yes
2014-03-17    08:24:52:570     452    1a78    Misc    Validating signature for C:\windows\SoftwareDistribution\WuRedir\7971F918-A847-4430-9279-4A52D1EFE18D\muredir.cab:
2014-03-17    08:24:52:577     452    1a78    Misc     Microsoft signed: Yes
2014-03-17    08:24:52:584     452    1a78    PT    +++++++++++  PT: Synchronizing server updates  +++++++++++
2014-03-17    08:24:52:584     452    1a78    PT      + ServiceId = {7971F918-A847-4430-9279-4A52D1EFE18D}, Server URL = https://update.microsoft.com/v6/ClientWebService/client.asmx
2014-03-17    08:24:52:584     452    1a78    PT    WARNING: Cached cookie has expired or new PID is available
2014-03-17    08:24:54:237     452    1a78    Misc    Validating signature for C:\windows\SoftwareDistribution\WuRedir\7971F918-A847-4430-9279-4A52D1EFE18D\muredir.cab:
2014-03-17    08:24:54:241     452    1a78    Misc     Microsoft signed: Yes
2014-03-17    08:24:54:851     452    1a78    Misc    Validating signature for C:\windows\SoftwareDistribution\WuRedir\7971F918-A847-4430-9279-4A52D1EFE18D\muredir.cab:
2014-03-17    08:24:54:857     452    1a78    Misc     Microsoft signed: Yes
2014-03-17    08:24:54:864     452    1a78    PT    +++++++++++  PT: Synchronizing extended update info  +++++++++++
2014-03-17    08:24:54:864     452    1a78    PT      + ServiceId = {7971F918-A847-4430-9279-4A52D1EFE18D}, Server URL = https://update.microsoft.com/v6/ClientWebService/client.asmx
2014-03-17    08:24:55:403     452    1398    AU    Can not perform non-interactive scan if AU is interactive-only
2014-03-17    08:24:55:405     452    1a78    Agent    Update {59B2BB4D-839D-4719-8905-48902D4F9E0B}.200 is pruned out due to potential supersedence
2014-03-17    08:24:55:405     452    1a78    Agent    Update {759CD48D-010A-42E7-84DE-AC43603E653D}.200 is pruned out due to potential supersedence
2014-03-17    08:24:55:405     452    1a78    Agent    Update {B31982D9-2558-4A53-8EC7-9FF0E865698C}.200 is pruned out due to potential supersedence
2014-03-17    08:24:55:406     452    1a78    Agent    Update {DB9D9C73-2729-4248-9314-663B427AF113}.200 is pruned out due to potential supersedence
2014-03-17    08:24:55:406     452    1a78    Agent    Update {7AF502C1-C821-414B-9FD3-47F52F3FD523}.200 is pruned out due to potential supersedence
2014-03-17    08:24:55:406     452    1a78    Agent      * Added update {33FBE82E-BE96-48C4-9C34-F6AEC8569DC7}.200 to search result
2014-03-17    08:24:55:406     452    1a78    Agent      * Found 1 updates and 4 categories in search; evaluated appl. rules of 61 out of 76 deployed entities
2014-03-17    08:24:55:413     452    1a78    Agent    *********
2014-03-17    08:24:55:413     452    1a78    Agent    **  END  **  Agent: Finding updates [CallerId = System Center Endpoint Protection (DDEFDD14-250E-4DC8-A0B3-9D667EC5D8EB)]
2014-03-17    08:24:55:413     452    1a78    Agent    *************
2014-03-17    08:24:55:414    5620    1518    COMAPI    >>--  RESUMED  -- COMAPI: Search [ClientId = System Center Endpoint Protection (DDEFDD14-250E-4DC8-A0B3-9D667EC5D8EB)]
2014-03-17    08:24:55:416    5620    1518    COMAPI      - Updates found = 1
2014-03-17    08:24:55:416    5620    1518    COMAPI    ---------
2014-03-17    08:24:55:416    5620    1518    COMAPI    --  END  --  COMAPI: Search [ClientId = System Center Endpoint Protection (DDEFDD14-250E-4DC8-A0B3-9D667EC5D8EB)]
2014-03-17    08:24:55:416    5620    1518    COMAPI    -------------
2014-03-17    08:24:55:419    5620    b4c    COMAPI    -------------
2014-03-17    08:24:55:419    5620    b4c    COMAPI    -- START --  COMAPI: Download [ClientId = System Center Endpoint Protection (DDEFDD14-250E-4DC8-A0B3-9D667EC5D8EB)]
2014-03-17    08:24:55:419    5620    b4c    COMAPI    ---------
2014-03-17    08:24:55:419    5620    b4c    COMAPI      - Forced: No; Download priority: 2
2014-03-17    08:24:55:419    5620    b4c    COMAPI      - Updates in request: 1
2014-03-17    08:24:55:419    5620    b4c    COMAPI      - ServiceID = {7971F918-A847-4430-9279-4A52D1EFE18D} Third party service
2014-03-17    08:24:55:422    5620    b4c    COMAPI    <<-- SUBMITTED -- COMAPI: Download [ClientId = System Center Endpoint Protection (DDEFDD14-250E-4DC8-A0B3-9D667EC5D8EB)]
2014-03-17    08:24:55:422     452    1a78    DnldMgr    *************
2014-03-17    08:24:55:422     452    1a78    DnldMgr    ** START **  DnldMgr: Downloading updates [CallerId = System Center Endpoint Protection (DDEFDD14-250E-4DC8-A0B3-9D667EC5D8EB)]
2014-03-17    08:24:55:422     452    1a78    DnldMgr    *********
2014-03-17    08:24:55:422     452    1a78    DnldMgr      * Call ID = {E0013492-D13F-43AB-896F-8521DE916FCD}
2014-03-17    08:24:55:422     452    1a78    DnldMgr      * Priority = 2, Interactive = 1, Owner is system = 1, Explicit proxy = 1, Proxy session id = -1, ServiceId = {7971F918-A847-4430-9279-4A52D1EFE18D}
2014-03-17    08:24:55:422     452    1a78    DnldMgr      * Updates to download = 1
2014-03-17    08:24:55:422     452    1a78    Agent      *   Title = Definition Update for Microsoft Endpoint Protection - KB2461484 (Definition 1.167.2113.0)
2014-03-17    08:24:55:422     452    1a78    Agent      *   UpdateId = {33FBE82E-BE96-48C4-9C34-F6AEC8569DC7}.200
2014-03-17    08:24:55:422     452    1a78    Agent      *     Bundles 3 updates:
2014-03-17    08:24:55:422     452    1a78    Agent      *       {7E4CD222-2348-4617-A8FD-4608CA0F5D9C}.200
2014-03-17    08:24:55:422     452    1a78    Agent      *       {85F7798B-FE1C-4AAB-8B5C-313B2ACB1778}.200
2014-03-17    08:24:55:422     452    1a78    Agent      *       {F7095866-6910-4D42-B4BE-AA4ECE02D6CA}.200
2014-03-17    08:24:55:441     452    1a78    DnldMgr    ***********  DnldMgr: New download job [UpdateId = {85F7798B-FE1C-4AAB-8B5C-313B2ACB1778}.200]  ***********
2014-03-17    08:24:55:492     452    1a78    DnldMgr      * BITS job initialized, JobId = {774F570F-FF72-408E-B8F9-1A9EC2A9DFEC}
2014-03-17    08:24:55:492     452    1a78    DnldMgr    BITS job {774F570F-FF72-408E-B8F9-1A9EC2A9DFEC} using proxy = nzpr01.domain.co.nz:8080;proxy.domain.co.nz:8080, bypass = <NULL>
2014-03-17    08:24:55:539     452    1a78    DnldMgr      * Downloading from http://download.windowsupdate.com/msdownload/update/software/defu/2014/03/nis_delta_patch_35110c44392d4ed2952852248b7d4e98730d59d7.exe to C:\windows\SoftwareDistribution\Download\5d16f20387cc485e8ab3f76cf00d482d\35110c44392d4ed2952852248b7d4e98730d59d7 (full file).
2014-03-17    08:24:55:617     452    1a78    DnldMgr    ***********  DnldMgr: New download job [UpdateId = {F7095866-6910-4D42-B4BE-AA4ECE02D6CA}.200]  ***********
2014-03-17    08:24:55:676     452    1a78    DnldMgr      * BITS job initialized, JobId = {34C6823B-B255-429F-ABB3-31D850C69994}
2014-03-17    08:24:55:676     452    1a78    DnldMgr    BITS job {34C6823B-B255-429F-ABB3-31D850C69994} using proxy = nzpr01.domain.co.nz:8080;proxy.domain.co.nz:8080, bypass = <NULL>
2014-03-17    08:24:55:792     452    1a78    DnldMgr      * Downloading from http://download.windowsupdate.com/msdownload/update/software/defu/2014/03/am_delta_4561a4006e1295d251371592cbebc2c18adcca43.exe to C:\windows\SoftwareDistribution\Download\8439bb6ce5944930522a2c27c57de50e\4561a4006e1295d251371592cbebc2c18adcca43 (full file).
2014-03-17    08:24:55:943     452    1a78    Agent    *********
2014-03-17    08:24:55:943     452    1a78    Agent    **  END  **  Agent: Downloading updates [CallerId = System Center Endpoint Protection (DDEFDD14-250E-4DC8-A0B3-9D667EC5D8EB)]
2014-03-17    08:24:55:943     452    1a78    Agent    *************
2014-03-17    08:25:00:411     452    1a78    Report    REPORT EVENT: {4215F4AF-AAF5-4BB5-BE2C-BB09A9BA6176}    2014-03-17 08:24:55:412+0800    1    147    101    {00000000-0000-0000-0000-000000000000}    0    0    System Center Endpoint Protecti    Success    Software Synchronization    Windows Update Client successfully detected 1 updates.
2014-03-17    08:25:00:411     452    1a78    Report    CWERReporter finishing event handling. (00000000)
2014-03-17    08:25:17:443     452    134c    DnldMgr    BITS job {774F570F-FF72-408E-B8F9-1A9EC2A9DFEC} completed successfully
2014-03-17    08:25:17:486     452    134c    Misc    Validating signature for C:\windows\SoftwareDistribution\Download\5d16f20387cc485e8ab3f76cf00d482d\35110c44392d4ed2952852248b7d4e98730d59d7:
2014-03-17    08:25:17:496     452    134c    Misc     Microsoft signed: Yes
2014-03-17    08:25:17:499     452    134c    DnldMgr      Download job bytes total = 76056, bytes transferred = 76056
2014-03-17    08:25:17:500     452    134c    DnldMgr    ***********  DnldMgr: New download job [UpdateId = {85F7798B-FE1C-4AAB-8B5C-313B2ACB1778}.200]  ***********
2014-03-17    08:25:17:501     452    134c    DnldMgr      * All files for update were already downloaded and are valid.
2014-03-17    08:25:22:501     452    1a78    Report    CWERReporter finishing event handling. (00000000)

March 17th, 2014 12:32am
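The log above carries the answer to the original question in its service IDs and caller IDs: the CcmExec searches run against the ConfigMgr/WSUS service (3DA21691-…, "Managed"), while the MpCmdRun.exe search that actually downloads runs against the Microsoft Update service (7971F918-…, "Third party service") and fetches from download.windowsupdate.com. The script below is an added example, not code from the thread or from Microsoft: it parses a WindowsUpdate.log excerpt, records which update service each caller searched, and flags downloads whose host is not one of your own WSUS/ConfigMgr servers. The sample lines are shortened copies of the log posted above, and the hostnames are the thread's own placeholders; everything else (function names, the internal-host allowlist) is an assumption of this example.

```python
"""Triage a WindowsUpdate.log excerpt: which caller searched which update
service, and which downloads left the WSUS/ConfigMgr boundary.

Added example, not from the thread. Service IDs and the sample lines are
taken from the log posted above; the hostnames are the thread's placeholders.
"""
import re
from collections import defaultdict
from urllib.parse import urlparse

# Windows Update Agent service IDs as they appear in the posted log.
WSUS_SERVICE = "3DA21691-E39D-4DA6-8A4B-B43877BCB1B7"              # WSUS / ConfigMgr SUP ("Managed")
MICROSOFT_UPDATE_SERVICE = "7971F918-A847-4430-9279-4A52D1EFE18D"  # Microsoft Update on the internet

# Constructed excerpt: shortened copies of lines from the thread's WindowsUpdate.log.
SAMPLE_LOG = r"""
2014-03-17 07:59:28:668 452 9fc Agent ** START **  Agent: Finding updates [CallerId = CcmExec]
2014-03-17 07:59:28:668 452 9fc Agent   * ServiceID = {3DA21691-E39D-4DA6-8A4B-B43877BCB1B7} Managed
2014-03-17 07:59:29:227 452 9fc PT   + ServiceId = {3DA21691-E39D-4DA6-8A4B-B43877BCB1B7}, Server URL = HTTP://mySiteServer.domain.GLOBAL:8530/ClientWebService/client.asmx
2014-03-17 08:24:46:623 452 1a78 Agent ** START **  Agent: Finding updates [CallerId = System Center Endpoint Protection (DDEFDD14-250E-4DC8-A0B3-9D667EC5D8EB)]
2014-03-17 08:24:46:623 452 1a78 Agent   * ServiceID = {7971F918-A847-4430-9279-4A52D1EFE18D} Third party service
2014-03-17 08:24:55:422 452 1a78 DnldMgr ** START **  DnldMgr: Downloading updates [CallerId = System Center Endpoint Protection (DDEFDD14-250E-4DC8-A0B3-9D667EC5D8EB)]
2014-03-17 08:24:55:539 452 1a78 DnldMgr   * Downloading from http://download.windowsupdate.com/msdownload/update/software/defu/2014/03/nis_delta_patch_35110c44392d4ed2952852248b7d4e98730d59d7.exe to C:\windows\SoftwareDistribution\Download\5d16f20387cc485e8ab3f76cf00d482d\35110c44392d4ed2952852248b7d4e98730d59d7 (full file).
2014-03-17 08:25:17:499 452 134c DnldMgr   Download job bytes total = 76056, bytes transferred = 76056
"""

# WindowsUpdate.log (WUA 7.x) layout: date, time, PID, thread ID (hex), component, message.
LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<time>[\d:]+)\s+(?P<pid>\d+)\s+(?P<tid>[0-9a-f]+)\s+"
    r"(?P<component>\S+)\s+(?P<message>.*)$"
)
SEARCH_START_RE = re.compile(r"Agent: Finding updates \[CallerId = (?P<caller>[^\]]+)\]")
DNLD_START_RE = re.compile(r"DnldMgr: Downloading updates \[CallerId = (?P<caller>[^\]]+)\]")
SERVICE_RE = re.compile(r"ServiceID = \{(?P<sid>[0-9A-Fa-f-]+)\}")  # Agent lines only (capital "ID")
DOWNLOAD_RE = re.compile(r"Downloading from (?P<url>\S+) to ")
BYTES_RE = re.compile(r"bytes transferred = (?P<n>\d+)")


def parse_line(line):
    """Split one log line into its fields, or return None for separators and junk."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def summarize(log_text, internal_hosts):
    """Return (searches, downloads).

    searches:  {caller id: set of service ids it searched}
    downloads: list of {caller, url, host, internal} for every file fetch
    Work is correlated per (PID, thread ID), which is how the agent logs one operation.
    """
    searches = defaultdict(set)
    downloads = []
    thread_caller = {}  # (pid, tid) -> caller that owns the operation on that thread
    internal = {h.lower() for h in internal_hosts}
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        key = (rec["pid"], rec["tid"])
        msg = rec["message"]
        m = SEARCH_START_RE.search(msg) or DNLD_START_RE.search(msg)
        if m:
            thread_caller[key] = m.group("caller")
            continue
        m = SERVICE_RE.search(msg)
        if m and key in thread_caller:
            searches[thread_caller[key]].add(m.group("sid").upper())
            continue
        m = DOWNLOAD_RE.search(msg)
        if m:
            url = m.group("url")
            host = (urlparse(url).hostname or "").lower()
            downloads.append({"caller": thread_caller.get(key, "?"), "url": url,
                              "host": host, "internal": host in internal})
    return dict(searches), downloads


def internet_callers(searches):
    """Callers that searched the Microsoft Update service rather than WSUS/ConfigMgr."""
    return sorted(c for c, sids in searches.items() if MICROSOFT_UPDATE_SERVICE in sids)


def bytes_transferred(log_text):
    """Sum of BITS job bytes reported in the excerpt (a rough per-client cost figure)."""
    return sum(int(m.group("n")) for m in BYTES_RE.finditer(log_text))


if __name__ == "__main__":
    searches, downloads = summarize(SAMPLE_LOG, {"mySiteServer.domain.global"})
    for caller, sids in searches.items():
        print(f"{caller}: searched {', '.join(sorted(sids))}")
    print("callers using Microsoft Update:", internet_callers(searches))
    for d in downloads:
        where = "internal" if d["internal"] else "INTERNET"
        print(f"{where} download by {d['caller']}: {d['host']}")
    print("bytes transferred:", bytes_transferred(SAMPLE_LOG))
```

Run against a full WindowsUpdate.log from a suspect client, the interesting output is the caller name next to the Microsoft Update service ID: it tells you whether the software updates client (CcmExec) or the Endpoint Protection engine itself (MpCmdRun.exe) opened the internet path, which is exactly the distinction the fallback-order question above turns on.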

I'm cleaning up old posts; did you figure this out yet? If so, how?
March 29th, 2014 10:13am

It looks very much like there was a bug in the reporting component of our Fortigate firewalls which was showing hugely inflated web traffic. We are waiting for a fix to see what the real figures are.

However, there are some machines still going to get their signatures from the internet. The pattern "seems" to be any machine that has been turned off for a week or more goes straight out.
March 30th, 2014 5:22pm
