For the official Microsoft topic on this subject, see Configuring and scheduling updates on the Microsoft TechNet Library.

*********************************************

In FPE, you can configure update settings that are specific for each scan engine, as well as global settings that apply to all engines.

When you set a schedule to automatically check for new engine and definition update, you help protect your environment against new malware without having to check versions or manually update the files. It is recommended that you use the default schedule to update scan engines hourly. However, if you so choose, you can create your own schedules for performing updates.

Cloudmark downloads antispam updates directly from the cloud. This differs from the other scan engines, which receive updates directly from Microsoft. Cloudmark definition update checks are not configurable in the Forefront Protection 2010 for Exchange Server Administrator Console.

To configure and schedule updates for specific engines

  1. In the Forefront Protection 2010 for Exchange Server Administrator Console, click Policy Management, and then under Global Settings, click Advanced Options.

  2. In the Global Settings - Advanced Options pane, in the Intelligent Engine Management section, using the Engine management drop-down list, select Manual.

  3. In the Update scheduling section, select the engine whose update settings you want to change.

    The engines are grouped together by protection technology, for example under Antimalware and Antispam. If you select multiple engines, be sure that you want these engines to have the same update configuration.

  4. Click the Edit Selected Engines button.

  5. In the Edit Selected Engines dialog box, configure the following settings:

    1. Enabled—If you selected only one engine, the Enabled check box appears. If checked (the default), updates are enabled for the selected engine. If cleared, updates are not downloaded. If you selected multiple engines, the Enable or disable engine updates drop-down list appears. If Enabled is selected (the default) from the drop-down list, updates are enabled for the selected engines. If Disabled is selected, updates are not downloaded.

      If you disable updates for an engine, it is recommended that you do not use that engine for scanning. When updates for an engine are disabled, the engine still continues to be used for scanning but as time passes and its definitions become out of date, its effectiveness diminishes. It is strongly recommended that you leave the default of having all engines enabled to update automatically.

    2. Primary update path—Specify the primary update path that is used to download updates. The following is the default primary update path: http://forefrontdl.microsoft.com/server/scanengineupdate

      If you would prefer to use Universal Naming Convention (UNC) updating by means of a redistribution server, see Distributing updates by using UNC updating.

      Unicode update paths are not supported. Also, if the primary update path uses the default Internet path (http://forefrontdl.microsoft.com/server/scanengineupdate) in order to update its antimalware and antispam engines, that URL must be allowed in your firewall settings, even if the mail server generally does not have Internet access. In order to have full protection, your engines need to be updated on a regular basis. If antispam protection is enabled, because the antispam engine definition updates are downloaded directly from the cloud, the following URLs (and any subdomains under them) and the use of http and https must also be allowed through the firewall:

      • cdn-microupdates.cloudmark.com
      • lvc.cloudmark.com
      • tracks.cloudmark.com
      • pki.cloudmark.com
    3. Secondary update path—Optionally, specify the secondary update path. If the primary path fails for any reason, FPE uses the secondary path to download updates. There is no default secondary update path.

      If you are using a redistribution server for the primary update path, you can enter the Microsoft download location in the secondary update path. Then, if updating by means of the redistribution server fails, the latest updates can still be retrieved from Microsoft by using the secondary update path.

      Unicode update paths are not supported. Also, if the secondary update path uses the default Internet path (http://forefrontdl.microsoft.com/server/scanengineupdate) in order to update its antimalware and antispam engines, that URL must be allowed in your firewall settings, even if the mail server generally does not have Internet access. In order to have full protection, your engines need to be updated on a regular basis. If antispam protection is enabled, because the antispam engine definition updates are downloaded directly from the cloud, the following URLs (and any subdomains under them) and the use of http and https must also be allowed through the firewall:

      • cdn-microupdates.cloudmark.com
      • lvc.cloudmark.com
      • tracks.cloudmark.com
      • pki.cloudmark.com
    4. Update start date and time—Specify the start date and start time at which to check for updates. If you subsequently select an Update Frequency of Once, this is the only date and time that update-checking occurs; otherwise, this date and time represents the first time that update-checking occurs.
    5. Update frequency—Specify how often the update occurs. You can select Once (update only once, on the specified date and time), Daily (update every day, at the same time), or Weekly (update each week, on the same day and time). It is recommended that you leave the default value of updating antimalware and antispam engines daily on an hourly basis. However, if you choose to change the default setting, it is recommended that you select Daily and then set a repeat interval in order to update the engine at multiple times during the day. To set a repeat interval, select the Check for updates every (hours: minutes) check box and then specify the hours and minutes using the input box. By default, antimalware and antispam updates are scheduled to occur on an hourly basis.
    6. Click Apply and Close to return to the Global Settings - Advanced Options pane, where you can select another engine to be updated.
  6. After you are done making changes, click Save.

If you are using Windows PowerShell commands to schedule updates, it is recommended that you do not schedule antispam updates with the antimalware updates.

To configure global update settings for all engines

  1. In the Forefront Protection 2010 for Exchange Server Administrator Console, click Policy Management, and then under Global Settings, click Engine Options.

  2. In environments where the Exchange server must access the Internet through a proxy server you must configure FPE to retrieve engine and definition updates through that server by performing the following steps:

    1. In the Global Settings - Engine Options pane, in the Proxy Server section, select the Enable proxy server check box.
    2. Type the Proxy server (name or IP address) and Port.
    3. Optionally, if you need to specify a user name and password, click Edit Proxy Server Credentials in order to open a dialog box where you can specify your credentials for the proxy server. It is recommended that you use credentials with the minimum privileges. These should not be domain credentials, and the user should only be granted access to the proxy server.
  3. To configure FPE to perform updates for enabled engines when the Microsoft Forefront Server Protection Controller Service starts, select Update engines on sever startup. This setting is disabled by default.

  4. To configure the maximum number of seconds that an engine will attempt to download an update before timing out, specify a value, in seconds, in the Engine download timeout (seconds) field. If a timeout occurs, the download is retried at the next scheduled interval. The default value is 300 seconds. The minimum is 60 seconds and the maximum is 86400 seconds (24 hours).

  5. Click Save.

For more information about the UNC Authentication settings and the Enable as an update redistribution server check box, see Distributing updates by using UNC updating.