Cloudmark Update Path?
- For the Cloudmark Authority Engine, what should be the Network Update Path? Any secondary ones?
All Replies
Hi,
Thank you for your post.
As far as I know, if the primary path fails for any reason, Antigen uses the secondary update path. The secondary path may be set to use HTTP or UNC updating. Enter either a URL or a UNC path to another SMTP server. When using a UNC path for the primary or secondary update path, you must select the General Option value “Use UNC Credentials” and enter a UNC share user name and password if required.
Regards,
Nick Gu - MSFT
- Thanks for reply Nick. But I'm asking specifically what should that update path be? Currently I have set to http://antigendl.microsoft.com, but it's not updating (the Last Updated field never changes, always the date and time I installed SP2 for Antigen for Exchange 9). I've read other places that Cloudmark does not update through Microsoft server, but nowhere have I seen a different update path listed, just http://antigendl.microsoft.com. Should I continue to use that? Or should I change to something else, and if so, change to what?
Thanks,
Ryan
Hi,
Thank you for your update.
As far as I know, the default primary update path is http://antigendl.microsoft.com/antigen. Please refer to my post before. If you have another Antigen server connected to the Internet, you may use the secondary update path and point to that server.
Regards,
Nick Gu - MSFT
- Proposed As Answer by Andy S. Day Wednesday, September 16, 2009 11:08 AM
Hello there,
You're both right actually. The Cloudmark ENGINE does update from http://antigendl.microsoft.com/antigen in Antigen 9 SP2; however, Cloudmark SIGNATURE updates take place in the background, updating directly from cloudmark.com. This is critical to understand. Cloudmark ENGINE updates take place much less frequently than other scan engines (maybe every 9 months), whereas Cloudmark SIGNATURE updates take place every few minutes!
There is a fair bit of information available on this already. Check out these resources:
Description of Antigen 9.0 with Service Pack 2 (see New Feature #2)
Microsoft Antigen for Exchange Release Notes (see New Feature #2)
Antimalware Engine Notifications and Developments (click on the 'Engine Revision Overview and FAQ' doc)
The Cloudmark anti-spam scan engine may not detect spam in Microsoft Antigen version 9 with Service Pack 2 (explains more about Cloudmark ENGINE updates)
Also note that although the Cloudmark SIGNATURE version is not available in the Antigen Administrator client in SP2, Rollup 1 for Antigen 9 SP2 will have a new feature to include this. This will make it much easier for you to tell if Cloudmark SIGNATURE updates are occurring frequently.
Kind Regards, Andy Day | CSS Security, Sr. Support Engineer (Antigen/Forefront Server Security)
- Marked As Answer by ryanbj Wednesday, September 16, 2009 12:56 PM
- Great thanks for the info. Makes sense now. And now that I added the extra "/antigen" to the end of my update path I am correctly getting the message "INFORMATION: There are currently no new scan engine files available for the Cloudmark scan engine at http://antigendl.microsoft.com/antigen/x86/Cloudmark." in my ProgramLog.txt file.
Oh and I guess it's not necessary to have Antigen Administrator check for Cloudmark updates every 15 minutes then, since it's only updating the engine, which doesn't get updated but every few months.
Looking forward to Rollup 1!
Ryan
- Hi Andy
Can we use FSSMC to pull Cloudmark SIGNATURE? I use FSSMC Version: 10.5.1241.28, and I can configure it, but the Latest Update Version: 907140001 never changes.
- Hi Tonaco,
No - currently Cloudmark signature updates occur directly from the Cloudmark website only. One of the issues that customers have seen with spam detection in the past is the time-lag (however small) between general signature availability and actually getting that signature onto their Antigen servers. Direct updates (and now as often as every few minutes) from the Cloudmark website largely avoid this issue and allow for much higher spam detection rates.
You are running Rollup 3 for FSSMC, which now supports the redistribution of Cloudmark engine updates only. Cloudmark engine updates take place very infrequently (maybe every 9-12 months). As stated in the KB article for Rollup 3, Cloudmark signature updates are not supported through FSSMC:
"Note Hotfix Rollup 3 only supports Redistribution Jobs for Cloudmark engine updates and not signature updates. The Cloudmark anti-spam engine receives its signature updates directly from the vendor’s site and not through Microsoft. This means that the signature updates are not distributed through the FSSMC."
Kind Regards, Andy Day | CSS Security, Sr. Support Engineer (Antigen/Forefront Server Security)
- Hi Andy
If I understand correctly, there is no way to update Cloudmark signature without connecting my mailbox server to the internet, so we should only activate Cloudmark in the frontend server.
- Hi Tonaco,
This is correct. If you have frontend servers anyhow, there is no point scanning the same messages twice with the same engine at two levels. The frontend scan would suffice.
Kind Regards, Andy Day | CSS Security, Sr. Support Engineer (Antigen/Forefront Server Security)
- Hi Andy,
If this is the case then why does MS no longer offer two sets of bits, one with the Antigen Spam Manager enabled and one disabled via the license.cfg file as they did with SP1? Much easier implementation for those of us that have frontend servers and don't want the Antispam component on the backends. With Antigen 9 SP2, if we don't want the Antispam component we have to manually disable the antispam component.
This would include stopping and disabling the STAR service for Spamcure, right? Since Antigen downloads all of the engines 5 minutes after the Antigen service starts after install, that wouldn't give you time to stop it before it installs an unneeded service for an Engine that is going EOL Dec 1 2009. If you disable Antispam and disable the Scanner engine updates, does Antigen still create the scheduled task called xxOnLoad and attempt to run it? Is this controlled through the updateOnload registry key? If so, how can you stop it?
These questions are in regards to a new install (after removing Sybari 8SR3).
- Hi Emma,
At this stage, all customers are licensed for all components, I believe, so there was no perceived reason to continue providing a product without the ASM component. ASM is provided for both Antigen for Exchange and Antigen for SMTP, as either could be installed on a mail frontend.
I recommend that you disable Spamcure on the SMTP scanjob and then follow this KB to fully disable Spamcure (including future xxOnLoad updates):
The Star Engine service continues to run even when the Cloudmark anti-spam engine is used instead of the SpamCure engine
xxOnLoad updates in general are enabled/disabled through the 'Perform Updates at Startup' option in the Antigen Administrator UI (go to SETTINGS>General Options), but this will only take effect for an engine if its updates are enabled in general (SETTINGS>Scanner Updates).
Kind Regards, Andy Day | CSS Security, Sr. Support Engineer (Antigen/Forefront Server Security)
- Hi Andy,
Thanks for the reply and great info! I checked an Antigen 9 Installation in our lab environment and although "Updates at Startup" is not selected, it still appears to have run anyway since the STAR service is now installed even in lieu of the Scanner Update being disabled.
It seems to be sort of a race to finish the line if you will to get the scanner updates disabled, or am I missing something here? On top of this the Cloudmark Engine starts its update as well, but it hangs the administrator console in certain situations. We are still waiting for further info on this one. We currently have a case open for this issue, and at this point were told it appears to be a bug in the Antigen 9 SP2 which will require a fix. It's important to note that we encountered the issue with the Cloudmark Engine and Star Service on a server we do not want to run ASM on and we are doing our best to turn it off.
Regards
- Hi Emma,
I have tested the steps in the KB before and they should work. I note that you only mention that you have disabled the 'Perform Updates at Startup' option though. Have you tried all of the steps in the KB too...and in the order specified?
Kind Regards, Andy Day | CSS Security, Sr. Support Engineer (Antigen/Forefront Server Security)
- Proposed As Answer by Emma Frost Wednesday, November 25, 2009 7:00 AM

