How to Validate NIS Signature State
Introduction
Unless you’ve been hiding under a rock for the past year or so, you’ve heard of Forefront TMG 2010 and the Network Inspection System (NIS) feature it includes for identifying protocol abuse and detecting evil bits within the protocols.
While I was wandering aimlessly through my Forefront TMG logs and alerts (what; you don’t?!?), I noticed that the Update Center was complaining about not having seen any NIS updates since Feb 9, 2010 (see below):
By default, Forefront TMG only starts complaining about this state after the active signature is 45 days old. This amount of time between updates seemed odd to me, so I decided to see what (if anything) was amiss with my Forefront TMG.
Checking the Update Center
Because the NIS updates are controlled and monitored within the Forefront TMG Update Center, this is a logical first place to check. Interestingly, NIS indicates that the last update was performed on Feb 9, 2010 and the signature version is 4.24.0.0. Also, the license state shows “Never expires” (as it should).
Based on what Forefront TMG is telling me, my NIS signatures are up-to-date at version 4.24, dated 9 Feb 2010. What I can’t tell from the TMG management console is whether newer NIS signatures have actually been released since then and Forefront TMG has somehow failed to notice.
To answer this question, we need an independent validation method, one based on how NIS acquires its updates.
How NIS Gets Updated
NIS updates are delivered to Forefront TMG using Windows Update. As illustrated below, Forefront TMG provides you the means of selecting Microsoft Update (MU), Windows Server Update Services (WSUS) or WSUS with a fallback to MU.
Regardless of which option you choose in the Update Service tab (as long as you choose Use the Microsoft Update service to check for updates in the Microsoft Update tab), the mechanism that Forefront TMG will use is the local computer Windows Update service.
What this all means to you is that because the Update Center acquires NIS signatures and engine updates through the Microsoft Update mechanisms, you have an easy way to verify whether your Forefront TMG is actually using the most current signatures.
Verifying The NIS Signature State
Because the Windows Automatic Update Agent provides a scriptable API set, it is possible for you to write a script that queries Microsoft Update for the latest NIS signature, but there is a much easier method (aren’t you glad?).
1. Open your browser
2. In the address bar, enter http://catalog.update.microsoft.com/v7/site/Search.aspx?q=NIS (or just click this link)
3. Review the results
In this case, I can see that the NIS signature Forefront TMG indicates (v 4.24, dated 9 Feb 2010) is, in fact, the most current signature available.
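For anyone who does want the scripted check that the Windows Update Agent API makes possible, here is an added PowerShell example; it is not code from the original post or from the TMG product. It assumes that NIS definition updates carry "Network Inspection System" in their title and that the Microsoft Update service is registered with the local agent.

```powershell
# Added example: ask the local Windows Update Agent (WUA) COM API two things:
#   1. which NIS definition updates it has already installed (local history), and
#   2. whether Microsoft Update still offers a newer one (online search).
# Assumptions: the title pattern below, and that Microsoft Update is registered
# with the local agent under its well-known service ID.

$NisTitlePattern          = 'Network Inspection System'                 # assumption
$MicrosoftUpdateServiceId = '7971f918-a847-4430-9279-4a52d1efe18d'      # Microsoft Update service ID

$session  = New-Object -ComObject 'Microsoft.Update.Session'
$searcher = $session.CreateUpdateSearcher()

# 1. Local view: walk the update history for successfully installed NIS updates.
#    ResultCode 2 = orcSucceeded in the WUA OperationResultCode enumeration.
$historyCount = $searcher.GetTotalHistoryCount()
$installedNis = @()
if ($historyCount -gt 0) {
    $installedNis = @($searcher.QueryHistory(0, $historyCount) |
        Where-Object { $_.Title -match $NisTitlePattern -and $_.ResultCode -eq 2 } |
        Sort-Object Date -Descending)
}

Write-Host "NIS updates recorded as successfully installed (newest first):"
$installedNis | Select-Object -First 5 Date, Title | Format-Table -AutoSize

# 2. Online view: search Microsoft Update through the same agent the Update
#    Center uses. ServerSelection 3 (ssOthers) plus ServiceID targets MU
#    explicitly, even when the agent is normally pointed at a WSUS server.
$searcher.Online          = $true
$searcher.ServerSelection = 3
$searcher.ServiceID       = $MicrosoftUpdateServiceId

$pending = @($searcher.Search("IsInstalled=0 and Type='Software'").Updates |
    Where-Object { $_.Title -match $NisTitlePattern })

if ($pending.Count -eq 0) {
    Write-Host "No newer NIS definition update is offered; the installed signature is current."
} else {
    Write-Host "Newer NIS definition update(s) available but not installed:"
    $pending | Select-Object Title, LastDeploymentChangeTime | Format-Table -AutoSize
}
```

If the history shows a recent successful install and the online search returns nothing pending, the Update Center's "last update" date is simply the date of the newest signature Microsoft has published, which is exactly the situation described above.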
Summary
Now you know how to independently validate the Forefront TMG NIS signature version and date. Deeper NIS and Update Center troubleshooting is provided in the continuing Forefront TMG Troubleshooting series on TechNet.
Author
Jim Harrison, Program Manager, Forefront TMG
Reviewers
Tanmay Ganacharya, Senior Security Research Lead, MMPC
Scott Lambert, Senior Security Researcher, MMPC
Comments
Anonymous
January 01, 2003
Great post! It's good to know that you can search the MS Update Catalog for NIS Signature Definitions. This post was helpful in resolving an issue with an unapproved update due to the latest signature's release date being prior to the date that an automatic approval was created.
Anonymous
August 04, 2010
Excellent article. I have been worrying about my own NIS updates as the last provided was back in early June 2010 and it's now August! Puts my mind at rest and I'll point to this article in my own blog. Thanks!
Anonymous
August 25, 2012
blogs.mcafee.com/.../mcafee-a-leader-in-2012-gartner-magic-quadrant As per the Gartner rating, Microsoft IPS is nowhere. Has the team built any tools which can be used to convert open source Snort rules to signatures which your system can consume? Is it possible to use Forefront client with open source Snort?