Understanding FCS Definitions
A fairly frequent question we get is how FCS definitions work: how do I find just the deltas for the month, and so on? You can always manually download the latest definitions from https://www.microsoft.com/security/portal using the links on the right. This gets you the mpam-fe.exe and mpam-fex64.exe files.
Both of these are self-extracting CAB files, so you can usually open them with your favorite unzipping utility. I used 7-Zip to dump out a copy, shown below.
I'm not certain about the first file, but if you open it, it appears to list the different products this .exe can update, which includes FCS, FCS2, ONECARE, ISA and Standalone System Sweeper. That makes sense, as they all use the same MSAV engine, right :).
The next four files are all .vdm files, each a different definition set:
mpasbase.vdm = the latest base signature set of AntiSpyware definitions
mpasdlta.vdm = the latest delta signature set of AntiSpyware definitions, i.e. if you have just installed the client you need to install both mpasbase.vdm and mpasdlta.vdm to be fully up to date
mpavbase.vdm = the latest base signature set of AntiVirus definitions
mpavdlta.vdm = the latest delta signature set of AntiVirus definitions; again, a new client needs both mpavbase and mpavdlta to be brought up to date
The two base files are updated monthly, which means every month your client needs to install a new base set so that the deltas are applied against that base.
mpengine.dll is the actual AV engine :) so if the engine needs an update to handle some new situation, that update can be delivered via the definition set.
mpsigstub.exe, from what I know, is just the .exe used to apply the definitions.
Those are the basics :) I'll try to do another post soon that dives into how to download individual deltas you can apply manually, as well as how clients working with WSUS decide exactly which updates to download.
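As an added example (not code from the original post or from Microsoft), here is a PowerShell script that verifies the Authenticode signature on a downloaded package before extracting it with 7-Zip, then lists each extracted file alongside the role described above and the signature status of the PE files. The package path, extraction folder and 7-Zip location are assumptions.

```powershell
# Added example, not from the original post. Assumes 7-Zip is installed at its
# default path and mpam-fe.exe has been downloaded to the current folder.
param(
    [string]$Package  = ".\mpam-fe.exe",
    [string]$Dest     = ".\mpam-extracted",
    [string]$SevenZip = "$env:ProgramFiles\7-Zip\7z.exe"
)

# 1. Check the Authenticode signature on the package itself before extracting it.
$pkgSig = Get-AuthenticodeSignature -FilePath $Package
if ($pkgSig.Status -ne 'Valid') {
    throw "Refusing to extract: signature status of $Package is $($pkgSig.Status)"
}
Write-Host "Package signed by: $($pkgSig.SignerCertificate.Subject)"

# 2. Extract the self-extracting CAB with 7-Zip (x = extract with paths, -y = no prompts).
& $SevenZip x $Package "-o$Dest" -y | Out-Null
if ($LASTEXITCODE -ne 0) { throw "7-Zip failed with exit code $LASTEXITCODE" }

# 3. Map each extracted file to the role described in the post.
$roles = @{
    'mpasbase.vdm'  = 'AntiSpyware base signatures (new base monthly)'
    'mpasdlta.vdm'  = 'AntiSpyware delta signatures'
    'mpavbase.vdm'  = 'AntiVirus base signatures (new base monthly)'
    'mpavdlta.vdm'  = 'AntiVirus delta signatures'
    'mpengine.dll'  = 'Scan engine'
    'mpsigstub.exe' = 'Definition installer stub'
}

Get-ChildItem -Path $Dest -File | ForEach-Object {
    $name = $_.Name.ToLower()
    $role = if ($roles.ContainsKey($name)) { $roles[$name] } else { 'Unknown: inspect before use' }
    # Only the PE files (.dll/.exe) carry Authenticode signatures; .vdm files are not checked here.
    $sig = if ($name -match '\.(dll|exe)$') { (Get-AuthenticodeSignature $_.FullName).Status } else { 'n/a' }
    [pscustomobject]@{
        File      = $_.Name
        Role      = $role
        SizeKB    = [math]::Round($_.Length / 1KB)
        Signature = $sig
        Version   = $_.VersionInfo.FileVersion
    }
} | Format-Table -AutoSize
```

The Version column for mpengine.dll is what you compare against the engine already on a client to see whether a package carries an engine update as well as new signatures.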
Comments
- Anonymous
December 13, 2009
The mpam-fex.exe is without digital signatures, whereas mpam-fex64.exe has digital signatures. Any reasons? Can we manually protect them by selecting the Read-only attribute?