I am working on a project which involves using Forefront Protection 2010 for Exchange as the antispam / antivirus solution. The customer has an array of TMG 2010 SP1 servers with Forefront 2010 for Exchange and Edge 2010 installed.
One thing I noticed after configuring the platform is that both Cloudmark and Worm List engines rarely update. A quick google highlighted the fact that many are facing the same issue and hence I looked more into the issue. Even when you force an update of all engines, these two has an old date (few months behind) as the “Last Update” date.
An information entry is logged in event viewer saying that Cloudmark engine did not detect any new engine updates.
So, is my engine working fine? The answer is yes. The date that we need to look after an update cycle is in the “Definition Version” column. If that date is up-to-date and you don’t receive any error in event viewer, things are fine. The engine for Cloudmark isn’t updated very often, because it uses online signatures. The engine only need to be updates when there are some changes in it, like a new version.
Few things to note if you do have error while updating the Cloudmark engine. If your server doesn’t have a proxy requirement, uncheck the “Enable Proxy Server” option in Forefront Management Console and save the setting.
If you have forefront running on TMG, make sure that the server can anonymously access the following destinations. Create a rule for the same allowing both port 80 and 443.
- cdn-microupdates.cloudmark.com
- lvc.cloudmark.com
- tracks.cloudmark.com
- pki.cloudmark.com
Check the connection by running telnet from your server. Install telnet client from ServerManager, if you don’t have it already on the system. Run the following commands.
telnet cdn-microupdates.cloudmark.com 80
telnet lvc.cloudmark.com 443
If you have Forefront Protection on TMG 2010 and the TMG HTTPS inspection feature is enabled, you must enable the download of Cloudmark antispam engine definitions updates to the Forefront TMG server. The Cloudmark download site uses a self-signed certificate and TMG HTTPS inspection does not support the inspection of self-signed certificates. Hence, you must exclude the site the from HTTPS inspection. Follow the steps here
Cloudmark engine is the best protection you can have against spam and hence it is important to make sure that you run with the latest micro updates!
Bora Engin January 24, 2012 at 7:45 am
I noticed an increased spam rate and update error on cloudmark database. Upgrading to TMG was caused to this via https inspection. Thanks for this post i managed to solve the issue.
Rajith Enchiparambil January 25, 2012 at 9:14 am
Happy to be of help Bora
Ahmed May 5, 2012 at 7:18 am
we are using FSP for exchange on client-hub server none of the engine are updating, the engine are not updated even for once after there FSP has been deployed but when i see the FSP console on edge server it working fine and engine are updating,
on CAS-HUB server the event log are field with 6012.6020,7004,7007 & 7048 error code, when i using internet explorer to connect to
http://forefrontdl.microsoft.com/server/scanengineupdate/x86/Microsoft
http://forefrontdl.microsoft.com/server/scanengineupdate/amd64/Cloudmark
http://forefrontdl.microsoft.com/server/scanengineupdate/x86/Norman
http://forefrontdl.microsoft.com/server/scanengineupdate/x86/Command
http://forefrontdl.microsoft.com/server/scanengineupdate/x86/Kaspersky
403 – Forbidden: Access is denied.
You do not have permission to view this directory or page using the credentials that you supplied.
we are having TMG @ DMZ along with edge server,know should have create any access rule at tmg server or there something that needed to change at the Cas-Hub server
Rajith Enchiparambil May 10, 2012 at 3:47 pm
Do you have internet access on the CAS boxes Ahmed?
Ahmed May 13, 2012 at 6:16 am
i got the engine updating after excluding the IP of Cas-Hub server from proxy server
Rajith Enchiparambil May 16, 2012 at 8:37 am
Thanks Ahmed for the tip.