antimalware updates

I seem to have a problem with anti malware definition updates on Exchange 2013.

As far as I can see, starting 15-1 not one (1) anti malware engine update succeeded.

get-malwarefilteringserver |list results:

RunspaceId                   : e48a8fb6-0117-43e4-9ed3-4d1659c1321e
ForceRescan                  : False
BypassFiltering              : False
PrimaryUpdatePath            : http://forefrontdl.microsoft.com/server/scanengineupdate
SecondaryUpdatePath          :
DeferWaitTime                : 5
DeferAttempts                : 3
UpdateFrequency              : 60
UpdateTimeout                : 150
ScanTimeout                  : 300
ScanErrorAction              : Block
MinimumSuccessfulEngineScans : 1
IsValid                      : True
ExchangeVersion              : 0.1 (8.0.535.0)
Guid                         : a81e67cd-6059-47bd-bf11-f5529cd27c99
WhenChanged                  : 21-1-2013 23:10:41
WhenCreated                  : 15-1-2013 01:29:17
WhenChangedUTC               : 21-1-2013 22:10:41
WhenCreatedUTC               : 15-1-2013 00:29:17
OrganizationId               :
ObjectState                  : Unchanged

identity information removed from above.

The hourly updates and any forced updates from shell, all lead to eventid

MS Filtering Engine Update process was unsuccessful in contacting the Primary Update Path. Update Path: http://forefrontdl.microsoft.com/server/scanengineupdate

I can hit the URL from the server but get an access denied.

January 23rd, 2013 12:10am

Hi sjaak327,

Did it work before?

Could you please post the full error message in the Event Viewer here?

For more information, please see:

Download Engine and Definition Updates

http://technet.microsoft.com/en-us/library/jj657471.aspx

January 24th, 2013 9:17am

Hi Frank,

I've got the same problem, it never worked. Here is the full error message:

Log Name:      Application
Source:        Microsoft-Filtering-FIPFS
Date:          1/24/2013 4:01:26 PM
Event ID:      6029
Task Category: None
Level:         Error
Keywords:     
User:          NETWORK SERVICE
Computer:     xxxxxxx
Description:
MS Filtering Engine Update process was unsuccessful in contacting a Custom Update Path. Update Path: http//forefrontdl.microsoft.com/server/scanengineupdate
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Filtering-FIPFS" Guid="{1BE3A000-EA09-4AB8-B0A0-30BBB6793D80}" />
    <EventID>6029</EventID>
    <Version>0</Version>
    <Level>2</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8000000000000000</Keywords>
    <TimeCreated SystemTime="2013-01-24T15:01:26.840624300Z" />
    <EventRecordID>440991</EventRecordID>
    <Correlation />
    <Execution ProcessID="2032" ThreadID="8036" />
    <Channel>Application</Channel>
    <Computer>xxxxxxxxxx</Computer>
    <Security UserID="S-1-5-20" />
  </System>
  <EventData>
    <Data Name="UpdatePath">http://forefrontdl.microsoft.com/server/scanengineupdate</Data>
  </EventData>
</Event>


January 24th, 2013 6:16pm

It never worked on my side either. The event log is the same on my side. I
actually tried the command to update it manually before with the exact same
result and again the same event ID.

However...

I did try to manually set up the anti malware subsystem (which supposedly
should be done during setup, as I have not chosen to disable anti malware
during setup).

 

I ran \scripts\Enable-AntimalwareScanning.ps1, it ran for ages at the
"updating stage", I left it running and disconnected the RDP session, anyway the
next day it actually managed to update the definition files, and since running
this command the procedure seems to be working 100% correct, it has gotten a few
updates or it sends an event that no update was needed.

Edit: I have two live id's, I am the same person that started the thread :)
January 25th, 2013 12:38am

Good morning,

I just started Enable-AntimalwareScanning, it loops in updating stage with "Checking for engine updates after 1/18/2013 9:15 AM. Updating Microsoft. Last updated : 1/1/1900 1:00:00 AM."

Hopefully this works for me as well ...

Update: After a few minutes the script came back with error:

Update-AntimalwareEngines : Engines could not be updated. Please investigate.

At ... Scripts\Enable-AntimalwareScanning.ps1:113 char:1

.. CategoryInfo : NotSpecified: (:) [Write-Error], WriteErrorException
FullyQualifiedErrorId: Microsoft.PowerShell.Commands.WriteErrorException, Update-AntimalwareEngines

Any other ideas?

January 25th, 2013 11:45am

Hi, I also have this problem.

The mailserver displays EventID 6027

MS Filtering Engine Update process was unsuccessful in contacting the Primary Update Path. Update Path: http://forefrontdl.microsoft.com/server/scanengineupdate

When checking the firewall I see that the mailserver attempted (and was allowed)

Request: GET http://195.159.219.10/server/scanengineupdate/metadata/UniversalManifest.cab

Request: GET http://195.159.219.10/server/scanengineupdate/amd64/Microsoft/Package/manifest.[long number deleted]*.cab

*My edit.

Does this have something to do with Forefront malware scanners being discontinued last year?

Regards

Ola

February 20th, 2013 11:37pm
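
A way to see how often and for which update path the engine updates are failing, using the provider name, event IDs 6027/6029 and UpdatePath field quoted in the posts above. This is an added example, not part of the original thread; the function name and the sample events are constructed for illustration.

```powershell
# Added example: summarise FIPFS engine-update failures per event ID and update path.
function Get-FipfsUpdateFailure {
    param([Parameter(Mandatory, ValueFromPipeline)][string]$EventXml)
    begin { $hits = @() }
    process {
        $evt = ([xml]$EventXml).DocumentElement
        $sys = $evt['System']
        # Ignore anything that is not from the filtering engine provider.
        if ($sys['Provider'].GetAttribute('Name') -ne 'Microsoft-Filtering-FIPFS') { return }
        # InnerText also works when EventID carries a Qualifiers attribute.
        $id = [int]$sys['EventID'].InnerText
        if ((6027, 6029) -notcontains $id) { return }
        $path = $evt['EventData'].ChildNodes |
            Where-Object { $_.GetAttribute('Name') -eq 'UpdatePath' } |
            ForEach-Object { $_.InnerText }
        $hits += [pscustomobject]@{
            Id   = $id
            Path = $path
            Time = $sys['TimeCreated'].GetAttribute('SystemTime')
        }
    }
    end {
        $hits | Group-Object Id, Path | ForEach-Object {
            # ISO 8601 UTC strings sort chronologically as plain text.
            $times = $_.Group.Time | Sort-Object
            [pscustomobject]@{
                EventId    = $_.Group[0].Id
                UpdatePath = $_.Group[0].Path
                Failures   = $_.Count
                First      = $times | Select-Object -First 1
                Last       = $times | Select-Object -Last 1
            }
        }
    }
}

# Constructed sample events in the shape of the Event Xml quoted above.
$template = '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System>' +
    '<Provider Name="Microsoft-Filtering-FIPFS" /><EventID>{0}</EventID>' +
    '<TimeCreated SystemTime="{1}" /></System><EventData>' +
    '<Data Name="UpdatePath">http://forefrontdl.microsoft.com/server/scanengineupdate</Data>' +
    '</EventData></Event>'
$sample = @(
    ($template -f 6027, '2013-01-24T14:01:26Z'),
    ($template -f 6029, '2013-01-24T15:01:26Z'),
    ($template -f 6029, '2013-01-24T16:01:26Z')
)
$sample | Get-FipfsUpdateFailure | Format-Table -AutoSize
```

On a live server the same function can be fed from the Application log with Get-WinEvent -FilterHashtable @{ LogName='Application'; ProviderName='Microsoft-Filtering-FIPFS'; Id=6027,6029 } piped through ForEach-Object { $_.ToXml() }.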

Hi Ola,

I don't think so. I installed EX2013 on a clean Windows 2012 machine, there was no previous version of Exchange.

Probably it's due to installation on a virtual machine? Did you install on a physical environment?

Regards

Andreas

February 25th, 2013 12:00pm

I had to reinstall my system and had the exact same problem again :)

I ran the enable-antimalwarescanning script several times without any result.

I then decided to open up the ps1 into the powershell ISE and did the following:

Add-PSSnapin $FipsSnapin -ErrorAction SilentlyContinue

(to get the forefront powershell snapin)

then I was able to submit:

Get-ValidEngines|

which returns two entries, the microsoft engine is the one that is "updatable"

I then ran

start-engineupdate

and after a while got the message in the event log that update was successful.

Now, since this is what the script also does, and since I ran powershell elevated at all times, I think it was a stroke of luck or something like it.

April 21st, 2013 10:39pm

I am experiencing the same issue with the FIPFS event 6027. It is happening for me on two separate systems, one installed as a new Exchange organization on a new domain, and the other installed as Exchange 2013 CU1 into an existing 2010 organization.

None of the above mentioned "fixes" help.

I have disabled and re-enabled the Antimalware scanning. I have run the "start-engineupdate" command manually. 

I suspect that there is a signature/authentication issue with the website that the updates are pulled from. If I browse to the URL in IE, I get the following error:

403 - Forbidden: Access is denied.
You do not have permission to view this directory or page using the credentials that you supplied.

This tells me the site is available from this server and not being blocked by the firewall.

Any insight from an actual MS employee on the exchange team would be welcomed greatly.

Thanks.

PS - I would be interested to know of anyone who has the antimalware enabled that does NOT see these errors in their event logs - And what is special about their deployment.

May 1st, 2013 5:34pm

This is not an isolated problem. Now I have three production systems that cannot get antimalware updates. Is anyone from MS browsing the Exchange 2013 forum?
May 9th, 2013 4:39pm

Hi Chris, I installed CU1 and that did the trick. However the malware scanner seems not very good imho. It does stop some malware, but I've also seen it let through easy to spot PDF malware only to have it flagged by the client AV. Regards, Ola
May 9th, 2013 5:05pm

@Ola: I wasn't aware that CU1 has been released - thanks for bringing it to my attention.  I'll report back when I've had a chance to deploy it on a server with this issue.

@Chris: It's frustrating that there has been no advice from MS regarding this.  I can't help but think this is a more widespread problem than has affected just the few who have posted here.

May 9th, 2013 5:10pm

My "additional" server was installed as CU1 from the start and has never updated. Judging from the number of "reads" on this thread, there are MANY others having the same issue.

My server that was originally installed as 2013 RTM has been upgraded to CU1 and is still having this issue. It updated for while after the original install, but has not updated for weeks.

Ola P and sketchanidea - Thanks for your comments. We are trying to decide if it is worth the trouble to install the full Forefront product or to skip it all, as our mail is scanned and cleaned in the cloud before it is delivered to our onsite server. I am leaning towards "skip it" since MS seems so far behind in supporting the recent batch of products they just released before they were fully baked.

May 9th, 2013 9:30pm

This is a bit ridiculous that MS has not acknowledged the issue. I have 3 customers with Exchange 2013, and they all have this error over and over again. It does not appear that the antimalware is being updated on ANY Exchange 2013 systems.

Seriously?

May 15th, 2013 4:56pm

Installed an Exchange 2013 server last week with CU1 integrated and see the same errors, 6027. No resolution yet?
May 30th, 2013 2:52pm

I've tried starting over with a RTM version in the lab - Same issue, no malware updates. But same as before, when I apply CU1 the server starts to update. However it's not 100 %, there are still 5-6 tries out of the 24 in a day that will fail. I'm a bit amazed that MS has nothing to say on this issue.



May 30th, 2013 3:07pm

Folks,

I have the same issue with a clean 2012 server with a fresh install of Exchange 2103 CU1 co-existing with our single Exchange 2010 SP3 server.

Has anyone found a resolution to the looping (seemingly never updating) Enable-AntiMalwareScanning problem? This just constantly loops without any updates ever coming down.

July 3rd, 2013 12:33pm

This topic is archived. No further replies will be accepted.
