Our office discovered today that internet usage for the month has skyrocketed when compared to the later months of last year. Sometimes this can be attributed to some overzealous Youtube sessions, or a new product release that requires us to download large ISO files. In this particular case the firewall logs indicated that one of the Exchange servers was the biggest culprit.
The Exchange server has downloaded about five times more traffic than it normally downloads in a month, and alarmingly most of it is HTTP traffic rather than SMTP traffic. A quick investigation reveals that the downloads are primarily coming from IP address 207.46.209.247. This turns out to be the IP address known as forefrontdl.microsoft.com, in other words the server that Forefront connects to for engine updates.
Reviewing the active engines on Forefront reveals that all are up to date except for the Kaspersky engine, which has not updated since late December, even though it is enabled for updates. Furthermore, the Application event log has numerous errors in it for Kaspersky downloads.
Event Type: Error
Event Source: GetEngineFiles
Event Category: Engine Error
Event ID: 6014
Date: 6/02/2008
Time: 5:24:45 PM
User: N/A
Computer: SERVER
Description:
Microsoft Forefront Server Security encountered an error while performing a scan engine update.
Scan Engine: Kaspersky5
Update Path: http://forefrontdl.microsoft.com/server/scanengineupdate/x86/Kaspersky5
Proxy Settings: Disabled
Error Code: 0xC0001F58
These errors are appearing every hour, which is the update interval configured in Forefront. You may have guessed by now what is causing our high volume of HTTP downloads.
According to this Microsoft article the root cause of the problem is a change made by Kaspersky to the format of their signature downloads. The Kaspersky engine is one of the engines included with Forefront, and the signatures are downloaded from Microsoft.com. The change has caused a compatibility problem with Forefront due to the way in which Forefront interprets file names that start with a period character.
The result of this incompatibility is that Forefront downloads the latest Kaspersky signature files, tries to move them from a staging area to the correct folder to start using it, fails because it cannot handle a .lock file, and then discards the newly downloaded signature files. Each signature release is about 21mb in size, and Forefront downloads hourly, so it is downloading 21mb every hour (or approximately 500mb per day, or about 15Gb per month).
A hotfix is available but in the meantime I am obviously going to disable Kaspersky updates.
since we are not using exchange 2007 which is prepackaged with SBS. Do you think it will help if we uninstalled the exchange server? I mean will that take care of the download problem.
I installed SBS 2008 on the 15th night, and since then it has downloaded 27 GB and uploaded about 5 GB.
The Real Person!
Author Paul Cunningham acts as a real person and passed all tests against spambots. Anti-Spam by CleanTalk.
Hi Raj, if Forefront is the cause of your downloads then disabling the engine updates should suffice. You could also look at installing the hotfix for this issue:
http://support.microsoft.com/kb/947187
I can also confirm this. Although for me it downloaded 7Gb in one day. I was running SBS 2008 as a Virtual Machine for testing. I used Process Monitor and Wireshark along with Windows Performance monitor to confirm this.
I can confirm this. Was strange how it was showing as http traffic for me as well. Blocked this IP for the customer… and the excess traffic went away.