NIS & Anti-Malware Info is not updated as expected in Update Center
Today I would like to describe an easy way to solve a small display mismatch in the Update Center of TMG 2010.
If you are a Forefront Threat Management Gateway administrator in a country where English regional settings are not used, you may find something like this when you open the TMG Update Center section:
NIS and Malware Inspection are two powerful mechanisms which allow Forefront TMG 2010 to provide full protection against potential network attacks and malicious content.
If you see the status shown above, there are two possibilities:
1. Checking for and downloading the latest NIS and Malware definitions has really failed.
2. The information reported in the Update Center is not up-to-date.
In the first case, the following article could be very useful to troubleshoot signature update failures:
http://technet.microsoft.com/en-us/library/ff358608.aspx
In particular, check in the Update Center Properties dialog whether the server is correctly configured to get the updates from the Microsoft Update servers and/or an internal WSUS server:
If you have ruled out any connectivity issue and are sure that the new definitions have been downloaded and installed correctly, but you cannot figure out why the information reported in the Update Center section is wrong, you are probably in the situation that the hints in this article can solve.
The pictures below show two excerpts of the ISA_UpdateAgent.log file (in the %Windir%\Temp folder) in which the installation of new NIS and anti-Malware signatures completed correctly:
You can use this log file to check the last installation status of the NIS/Malware signatures.
The TMG Management console reads the status of the “Last Update Status” and “Last updated” fields, for both NIS and Malware Inspection, from the information contained under the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fpc\DefinitionUpdates registry key on each TMG node.
Note: this key actually contains two sub-keys: one for Malware inspection, another one for NIS.
The date and time format used here depends on the regional settings defined for the system accounts of the TMG node, because the TMG service that writes this information to the registry runs under a local system account.
The issue described here, where a “Never” status appears for “Last Update Status” and “Last Updated”, can occur when the regional settings of the user account running the MMC differ from the regional settings defined for the system accounts of the TMG node.
For instance, the problem will appear if the Format setting of the system accounts on the TMG nodes is Italian, while the Format setting of the user account executing the MMC is English (United States) – as in the example below:
To solve this, make sure that the Format setting of the user running the MMC matches the Format setting of the system accounts on the TMG nodes. In the example above, this could be solved, for instance, by changing the Format setting of both the user account running the TMG MMC and the system accounts (Welcome screen and system accounts) to English (United States).
In order to do that, follow this procedure:
Open the “Region & Language” settings panel from the server’s Control Panel and select English (United States) in the Format box:
Click APPLY and go to the "Administrative" tab:
Click on "COPY SETTINGS"
In the following form, check the "Welcome screen and system accounts" check-box and click OK.
If needed, the same procedure can be applied with Italian (or any other language) instead of English; just be sure to apply it to both the current user and the system accounts.
Now reboot the server.
After this procedure, the values in the registry key read by the TMG Update Center can be interpreted correctly.
Coming back to the Update Center, check for new definitions and install them:
The final result should be a correct status, reported in the two columns:
If you are running an array of TMG nodes and you use the TMG MMC on an EMS machine, you will have to change the current user's regional settings (Format) on the EMS machine so that they match the system accounts' regional settings (Format) on the TMG array members.
In some cases, the registry values related to the NIS update status may still fail to converge. This can be due to a persistent "wrong" value left in the above-mentioned registry keys.
It's quite easy to manually solve this problem:
From Regedit, open the following key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fpc\DefinitionUpdates\{464716F5-0BAB-494a-A51A-30400DDF127F}
If the UpdateStatus value is set to "b" (in HEX format), this indicates an incorrect status.
Change this UpdateStatus value to "7" and set the UpdateTime value to a valid value (for example, the same value as the CheckTime field).
Now the information in the Update Center should be reported as "Up-to-date".
Perform a new check for updated definitions and install them, if needed.
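The following PowerShell script is an added example (not part of the original post and not TMG's own tooling) that ties together the two fixes above: it reads each sub-key under DefinitionUpdates, tests whether the stored timestamps parse under the MMC user's culture and under candidate system-account cultures (the regional mismatch), and flags the stale "b" UpdateStatus with a repair function that supports -WhatIf. It assumes UpdateStatus is a REG_DWORD and that UpdateTime/CheckTime are strings in the system account's regional format; the default candidate cultures and the "Malware Inspection" label for the non-NIS sub-key are assumptions.

```powershell
# Added diagnostic/repair example; not from the original post or from TMG itself.
# Assumed: UpdateStatus is REG_DWORD; UpdateTime/CheckTime are strings in the
# system account's regional date format (as the post describes).
$Base    = 'HKLM:\SOFTWARE\Microsoft\Fpc\DefinitionUpdates'
$NisGuid = '{464716F5-0BAB-494a-A51A-30400DDF127F}'   # NIS sub-key named in the post

function Test-TmgDefinitionUpdateInfo {
    # For each sub-key, report whether UpdateTime parses in the MMC user's culture
    # and in each candidate culture (the system-account side of the mismatch).
    [CmdletBinding()]
    param([string[]]$CandidateCultures = @('en-US', 'it-IT'))   # assumed defaults
    $cultures = @([cultureinfo]::CurrentCulture) +
                @($CandidateCultures | ForEach-Object { [cultureinfo]$_ })
    foreach ($key in Get-ChildItem -Path $Base) {
        $p = Get-ItemProperty -Path $key.PSPath
        $parsedBy = foreach ($c in $cultures) {
            $dt = [datetime]::MinValue
            if ([datetime]::TryParse([string]$p.UpdateTime, $c,
                    [System.Globalization.DateTimeStyles]::None, [ref]$dt)) { $c.Name }
        }
        [pscustomobject]@{
            SubKey             = $key.PSChildName
            Role               = if ($key.PSChildName -eq $NisGuid) { 'NIS' }
                                 else { 'Malware Inspection (assumed)' }
            UpdateStatus       = ('0x{0:x}' -f [int]$p.UpdateStatus)
            StaleStatus        = ([int]$p.UpdateStatus -eq 0xb)   # the value the post calls out
            UpdateTime         = $p.UpdateTime
            ParsesInMmcCulture = ($parsedBy -contains [cultureinfo]::CurrentCulture.Name)
            ParsesUnder        = ($parsedBy -join ', ')
        }
    }
}

function Repair-TmgNisUpdateStatus {
    # Applies the post's manual fix: UpdateStatus 0xb -> 7, UpdateTime <- CheckTime.
    # ShouldProcess support lets you preview the write with -WhatIf or confirm it.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    $path = Join-Path -Path $Base -ChildPath $NisGuid
    $p = Get-ItemProperty -Path $path
    if ([int]$p.UpdateStatus -ne 0xb) { Write-Verbose 'UpdateStatus is not 0xb; nothing to do.'; return }
    if ($PSCmdlet.ShouldProcess($path, 'Set UpdateStatus=7 and UpdateTime=CheckTime')) {
        Set-ItemProperty -Path $path -Name UpdateStatus -Value 7
        Set-ItemProperty -Path $path -Name UpdateTime   -Value $p.CheckTime
    }
}
```

Run Test-TmgDefinitionUpdateInfo first: a row whose UpdateTime parses under a candidate culture but not in the MMC culture points at the regional-settings fix, while StaleStatus True on the NIS row points at the registry fix. Export the key with reg export before running Repair-TmgNisUpdateStatus, and preview it with -WhatIf.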
This is certainly not a big problem, and it doesn't affect the functionality of the NIS & Malware mechanisms, but it's always nice to see a green "Up-to-date" status in our Update Center :-)
Hope you enjoyed it and found it useful!
Let's see you back with the next topic !!
Ciao,
Daniele Gaiulli – MS Support Engineer
Reviewer: Eric Detoc – Senior Escalation Engineer
Comments
Anonymous
September 08, 2012
blogs.mcafee.com/.../mcafee-a-leader-in-2012-gartner-magic-quadrant As per the latest Gartner report, MS NIS has a poor ranking. Is it possible for the NIS team to develop tools which can be used to convert Snort into the signature format which can be used by NIS?
Anonymous
October 16, 2012
LOL, this must be a joke I think... why hasn't this been fixed? It's an ugly, huge bug! But as Forefront has been officially abandoned a couple of days ago, we can put this on the list of never-fixed bugs of Microsoft.