Forefront Client Security: Description of Forefront Client Security definition updates
By TechSupport
SUPPORT PROBLEM: Description of Forefront Client Security definition updates
Applications Supported:
COPYRIGHT NOTICE: (c) 2007 Microsoft Corporation. All rights reserved.
SUPPORT SOLUTION:
Microsoft Forefront Client Security regularly downloads updates to the definition files that are used to identify viruses, to identify spyware, and to identify other potentially unwanted software. Forefront Client Security may also periodically download detection engine updates. Microsoft delivers these updates by using Microsoft Update and by using Windows Server Update Service. To manually download the updates, visit the following Microsoft Web site: Microsoft Malware Protection Center Portal (http://www.microsoft.com/security/portal).
Definition files
Forefront Client Security uses virus definition modules (VDMs) to store detection information about malicious software or about potentially unwanted software. A Client Security agent uses the following five files during its regular operation.
The MpAvBase.vdm file contains the antivirus base definition module. This file is usually updated only one time per month by Microsoft and contains the base virus information that is used to build the delta definitions.
The MpAvDlta.vdm file contains the antivirus delta definition module. This file is usually updated multiple times per day by Microsoft and contains all the changes that have occurred since the last antivirus base was created.
The MpAsBase.vdm file contains the antispyware base definition module. This file is usually updated only one time per month by Microsoft and contains the base spyware software information and other potentially unwanted software information that is used to build the delta definitions.
The MpAsDlta.vdm file contains the antispyware delta definition module. This file is usually updated multiple times per week by Microsoft and contains all the changes that have occurred since the last antispyware base was created.
The MpEngine.dll file contains the Microsoft malware protection engine. The .vdm files that were mentioned earlier are referenced by the malware protection engine that scans the system resources looking for malware. Some examples of the system resources are files, processes, and registry keys. This file is usually updated only one time per month.
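The update cadence of the five files gives a defender a simple staleness check for an agent's definitions. The following is an added example, not code from Microsoft or from the original article: the directory argument is hypothetical, the day limits are assumptions derived from the cadences above, and file modification time is used as a proxy for definition age.

```python
import time
from pathlib import Path

# Maximum tolerated age in days per file. The cadences come from the article
# (bases and engine about monthly, antivirus delta several times a day,
# antispyware delta several times a week); the numeric limits are assumptions.
MAX_AGE_DAYS = {
    "MpAvBase.vdm": 45,
    "MpAsBase.vdm": 45,
    "MpEngine.dll": 45,
    "MpAvDlta.vdm": 2,
    "MpAsDlta.vdm": 7,
}
BASE_AND_ENGINE = ("MpAvBase.vdm", "MpAsBase.vdm", "MpEngine.dll")


def audit_definitions(def_dir, now=None):
    """Return {file name: finding} for every file that is missing or stale."""
    now = time.time() if now is None else now
    # Windows file names are case-insensitive, so match on lower case.
    present = {p.name.lower(): p for p in Path(def_dir).iterdir() if p.is_file()}
    findings = {}
    for name, limit in MAX_AGE_DAYS.items():
        path = present.get(name.lower())
        if path is None:
            findings[name] = "missing"
            continue
        age_days = (now - path.stat().st_mtime) / 86400
        if age_days > limit:
            findings[name] = f"stale: {age_days:.0f} days old, limit {limit}"
    return findings


def needs_full_package(findings):
    """A missing or stale base or engine file is not repaired by a delta alone."""
    return any(name in findings for name in BASE_AND_ENGINE)


if __name__ == "__main__":
    import sys
    # Usage: python audit.py <definition directory>
    for name, finding in audit_definitions(sys.argv[1]).items():
        print(name, finding)
```

An agent for which `needs_full_package` returns true has probably missed at least one monthly rebase and is worth investigating before it is simply re-updated.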
Rebasing definitions
Microsoft currently rebases the Client Security definitions only one time per month. During the rebasing process, the delta definitions are combined with the previous base definition file to form a new base file. The rebasing process occurs on both the antivirus definition files and on the antispyware definition files.
Because of the rebasing process, the size of the new base files may increase from the previous month. The new base files contain the delta definitions from the previous month and contain all the changes from the new delta definitions. Immediately after the rebasing process, the sizes of the delta definition files reduce significantly. This behavior occurs because all the information that they previously contained is located in their respective base files. As new malware information is generated, it is added to the delta definition files causing the size of the files to grow until the next rebase. The size of the base definition files remains the same between rebases.
Microsoft currently releases updates to the Malware Protection Engine at the same time when Microsoft performs the rebase. This means that when the rebasing process occurs the Client Security agents receive a new version of all five files that were mentioned in the “Definition Contents” section.
Definition updates
There are four kinds of definition updates that the Client Security client can perform.
Full installation
Description: The full installation files contain the current engine, bases, and delta files. The full installation package is generally used for only new Client Security agents or for agents that have definitions that are not updated for more than a month.
Packages:
Mpam-fe.exe (32-bit operating systems)
Mpam-fe.exe (64-bit operating systems)
Contents:
MpAvbase.vdm
MpAvdlta.vdm
MpAsbase.vdm
MpAsdlta.vdm
Mpengine.dll
Size: Generally, the size is from 20-60 MB, depending on several factors. These factors include the duration since the last rebase and include the number of changes since the last rebase.
Delta installation
Description: The delta installation files contain only the current delta files. The delta installation package is for the clients that are using the current base files and that are using the current engine files but that have not recently updated their delta definitions. Therefore, these clients cannot use the differential delta definition updates.
Packages:
Mpam-fe.exe (32-bit operating systems)
Mpam-fe.exe (64-bit operating systems)
Contents:
MpAvdlta.vdm
MpAsdlta.vdm
Size: Generally, the size is from 1-8 MB, depending on several factors. These factors include the duration since the last rebase and include the number of changes since the last rebase.
Binary Delta of Engine (BDE)
Description: The binary delta updates of the engine installation package is for the clients that are using the base files and the engine files of the previous month. For more information about the Microsoft binary delta update technology that is used in this package, view the following TechNet article: Delta Compression Application Programming Interface (http://msdn.microsoft.com/en-us/library/ms811406.aspx)
The binary delta updates contain only the parts of the base files and of the engine files that have changed since the previous version. This binary delta update technology helps reduce the size of the update file. This behavior occurs because the update file does not redistribute the parts of the base definition and of the engine files that are currently used by the client.
Packages:
Mpam-fe.exe (32-bit operating systems)
Mpam-fe.exe (64-bit operating systems)
Contents:
MpAvbase.vdm_p
MpAvdlta.vdm
MpAsbase.vdm_p
MpAsdlta.vdm
Mpengine.dll_p
Size: Generally, the size is from 1-45 MB, depending on several factors. These factors include the duration since the last rebase and include the number of changes since the last rebase.
Differential Delta
Description: The binary delta of the delta installation package is for the clients that are using very recent versions of the Client Security definitions. The delta installation packages use the same binary delta update technology that is described earlier. This technology allows the package to contain only the parts of the delta files that have changed since the previous version. This binary delta update technology helps reduce the size of the update file. This behavior occurs because the update file does not redistribute the parts of the base definition and of the engine files that are currently used by the client.
Each update is created to change a specific version of a definition to a later version. For example, a BDD update updates the 1.71.438.0 version of the definition to the 1.71.438.5 version of the definition. In this example, the delta update would contain only the parts of the file that changed between the 1.71.438.0 version of the definition and the 1.71.438.5 version of the definition.
Microsoft may publish several versions of a BDD update package. These BDD update package versions contain different BDD updates. The goal of publishing multiple package versions is to make sure that client computers receive an optimized update for their current update level. For example, a client may have to move from the 1.71.438.0 version to the 1.71.438.8 version. In this example, a delta update may contain two delta updates. One of these delta updates contains only the parts of the file that changed between the 1.71.438.0 version and the 1.71.438.5 version. The other delta update contains the parts of the file that changed between the 1.71.438.5 version and the 1.71.438.8 version. When both of the delta updates are applied in sequence, the file is updated fully.
Package name:
Mpam-d_bd1.exe (32-bit operating systems)
Mpam-d_bd1.exe (64-bit operating systems)
Mpam-d_bd2.exe (32-bit operating systems)
Mpam-d_bd2.exe (64-bit operating systems)
…
Mpam-d_bdX.exe (32-bit operating systems)
Mpam-d_bdX.exe (64-bit operating systems)
Contents:
VersionX_to_VersionY_MpAvdlta.vdm._p
VersionX_to_VersionY_MpAsdlta.vdm._d
Size: Generally, the size is from 50-2048 KB, depending on several factors. These factors include the definition update that was last applied on the client and include the number of changes since that update.
A customer can download the Forefront Client Security definition updates by using any of the following three ways:
Microsoft Update
Windows Server Update Services
Manual Download
Microsoft Update
Microsoft publishes Client Security definition updates to Microsoft Update. The Client Security agents can download these updates directly from Microsoft by using any one of the following methods:
Control Panel item for Windows Update.
The Microsoft Update Web site.
Automatically by using the Client Security agent.
Automatically by using the Automatic Updates process. This is the default.
There is detection logic associated with each update. This detection logic allows Microsoft Update to determine the current definition updates that are applied to the client. Microsoft Update uses this information to provide only the definition update package that is most suitable for the client. For example, a client that has the up-to-date version of the previously published definition update downloads only the binary delta in the delta BDD package and does not download the full installation package.
New definition update packages are usually published to Microsoft Update three times per day.
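The choice among the four package kinds, including the chaining of differential deltas, can be pictured with a simplified model. This is an added example, not Microsoft's detection logic and not code from the original article: the `Catalog` fields, the integer rebase generation, and the `choose_update` function are hypothetical, and only the version numbers 1.71.438.0, 1.71.438.5 and 1.71.438.8 come from the text.

```python
from dataclasses import dataclass


def parse(version):
    """Turn '1.71.438.5' into (1, 71, 438, 5) so versions compare numerically."""
    return tuple(int(part) for part in version.split("."))


@dataclass
class Catalog:
    """What the update server currently publishes (constructed model)."""
    base_gen: int   # hypothetical counter of monthly rebases
    latest: str     # newest delta definition version
    bdd: dict       # differential deltas: from-version -> to-version


def choose_update(client_base_gen, client_delta, cat):
    """Return (package kind, ordered differential-delta steps) for one client."""
    if client_base_gen == cat.base_gen:
        if client_delta == cat.latest:
            return ("none", [])
        chain, cur = [], client_delta
        while cur in cat.bdd:
            nxt = cat.bdd[cur]
            if parse(nxt) <= parse(cur):  # refuse entries that do not advance
                break
            chain.append((cur, nxt))
            cur = nxt
        if cur == cat.latest:
            # Very recent client: apply the small deltas in sequence.
            return ("differential delta", chain)
        # Current base and engine, but no delta chain reaches the latest version.
        return ("delta", [])
    if client_base_gen == cat.base_gen - 1:
        # Base and engine of the previous month: patch them in place.
        return ("binary delta of engine", [])
    # New agent, or definitions not updated for more than a month.
    return ("full", [])


if __name__ == "__main__":
    catalog = Catalog(12, "1.71.438.8", {"1.71.438.0": "1.71.438.5",
                                         "1.71.438.5": "1.71.438.8"})
    print(choose_update(12, "1.71.438.0", catalog))
```

Clients that resolve to the full package are the ones that went longest without definitions, so their count is a useful coverage metric for an update server.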
Windows Server Update Services
Microsoft publishes the Client Security definition updates to Microsoft Update and makes them available to Windows Server Update Services. The Client Security customers who have implemented Windows Server Update Services can download these updates from Microsoft by synchronizing the Definition Update classification. Clients that report to that Windows Server Update Services server can download the definitions by using any one of the following methods:
Control Panel item for Windows Update.
Automatically by using the Client Security agent.
Automatically by using the Automatic Updates process. This is the default.
Similar to Microsoft Update, there is detection logic that is associated with each update. This detection logic allows Windows Server Update Services to provide only the definition update package that is most suitable for the client.
New definition update packages are usually published to Windows Server Update Services three times per day.
Manual Download
Some definition updates are currently available for a manual download from Microsoft at two locations.
The following knowledge base article describes how to manually download the released definitions. These definitions usually correspond to the versions available by using Microsoft Update and by using Windows Server Update Services. Be aware that currently only the full installation packages are available.
935934 (http://support.microsoft.com/kb/935934/) How to manually download the latest antimalware definition updates for Microsoft Forefront Client Security
The following knowledge base article describes how to manually download the beta definitions. These definitions are published more frequently and may not correspond to the versions published to Microsoft Update.
939757 (http://support.microsoft.com/kb/939757/) How to download the latest beta malicious software definition update for Forefront Client Security