Fix for Forefront Update Timeout Errors

Saturday, February 9, 2008

I use Microsoft Forefront Security for Exchange Server on my Exchange 2007 Edge server.

Recently I noticed the following error in the Application Event log:

Event Type: Error
Event Source: GetEngineFiles
Event Category: Engine Error
Event ID: 6014
Date: 2/9/2008
Time: 10:08:43 AM
User: N/A
Computer: GATEWAY
Microsoft Forefront Server Security encountered an error while performing a scan engine update.
Scan Engine: Kaspersky5
Update Path:
Proxy Settings: Disabled
Error Code: 0xC0001F58
Description: The operation timed out.
Followed immediately by:

Event Type: Information
Event Source: GetEngineFiles
Event Category: General
Event ID: 2017
Date: 2/9/2008
Time: 10:08:43 AM
User: N/A
Computer: GATEWAY
Forefront Server Security has rolled back a scan engine.
Scan Engine: Kaspersky5
This was happening every 5 minutes after Event ID 2034, which reports that Microsoft Forefront Server Security is attempting a scan engine update of the Kaspersky5 scan engine.

To solve this error make the following change to the registry on the server running Forefront:
  • Open Regedit

  • Navigate to the following key:
HKLM\SOFTWARE\Wow6432Node\Microsoft\Forefront Server Security\Exchange Server
  • Click New DWORD Value

  • Type EngineDownloadTimeout, and then press ENTER

  • Right-click the new value and select Modify

  • Select Decimal as the base, enter 600 in the Value data box, and then click OK. This setting causes the scan engine download process to time out after 600 seconds (10 minutes, instead of 5 minutes)

  • Exit Regedit

Note: You do not have to restart Forefront Server services or Exchange Server services after you change this registry entry.

Now perform a manual scanner update in Forefront:

  • Open Forefront Server Security Administrator

  • Click Scanner Updates under Settings

  • Select the appropriate scan engine that was previously timing out. In my case, Kaspersky Antivirus Technology

  • Click the Update Now button on the right side of the screen

Check the Application event log to ensure that the scan engine has updated properly (Event ID 2012).