On a single Windows 2008 R2 Forefront TMG 2010 server, I have been experiencing routine problems with malware definition updates failing. This happened for about 2 days a couple months ago but fixed itself. Now it is happening again, for about 3 days. Other TMG servers (all stand-alone and at different sites) in our organization receive updates OK. The updates should check/install every 4 hours, but failed at least a dozen times in a row. NIS updates download/install OK. I found warnings Event ID 62 in the Event Viewer Bits-Client operational log:
"The BITS job named "WU Client Download" belonging to user NT AUTHORITY\SYSTEM received inconsistent data while downloading. The URL was "http://download.windowsupdate.com/msdownload/update/software/defu/2012/03/mpam-fe_9c8ae6133e4c7b7cca85a35b6eba53c7a560968a.exe". The transfer will continue using a different server. If the problem occurs often, an administrator should scan the peer server for viruses or corruption in its hard drive.) "
In the WindowsUpdateClient - operational log I found errors Event ID 31:
"Windows Update failed to download an update."
There does not appear to be any hard drive issues on this server or infections.
I checked WindowsUpdate.log and here is the entry:
2012-03-23 09:02:01:806 6300 1ae8 Misc =========== Logging initialized (build: 7.3.7600.16385, tz: -0400) ===========
2012-03-23 09:02:01:806 6300 1ae8 Misc = Process: C:\Program Files\Microsoft Forefront Threat Management Gateway\UpdateAgent.exe
2012-03-23 09:02:01:806 6300 1ae8 Misc = Module: C:\Windows\system32\wuapi.dll
2012-03-23 09:02:01:805 6300 1ae8 COMAPI -------------
2012-03-23 09:02:01:806 6300 1ae8 COMAPI -- START -- COMAPI: Search [ClientId = Forefront TMG]
2012-03-23 09:02:01:806 6300 1ae8 COMAPI ---------
2012-03-23 09:02:01:810 6300 1ae8 COMAPI <<-- SUBMITTED -- COMAPI: Search [ClientId = Forefront TMG]
2012-03-23 09:02:01:810 912 1be4 Agent *************
2012-03-23 09:02:01:810 912 1be4 Agent ** START ** Agent: Finding updates [CallerId = Forefront TMG]
2012-03-23 09:02:01:811 912 1be4 Agent *********
2012-03-23 09:02:01:811 912 1be4 Agent * Online = Yes; Ignore download priority = No
2012-03-23 09:02:01:811 912 1be4 Agent * Criteria = "(IsInstalled = 0 and IsHidden = 0 and CategoryIDs contains '84a54ea9-e574-457a-a750-17164c1d1679' and CategoryIDs contains 'e0789628-ce08-4437-be74-2495b842f43b')"
2012-03-23 09:02:01:811 912 1be4 Agent * ServiceID = {00000000-0000-0000-0000-000000000000} Third party service
2012-03-23 09:02:01:811 912 1be4 Agent * Search Scope = {Machine}
2012-03-23 09:02:01:814 912 1be4 Misc Validating signature for C:\Windows\SoftwareDistribution\WuRedir\9482F4B4-E343-43B6-B170-9A65BC822C77\muv4wuredir.cab:
2012-03-23 09:02:01:818 912 1be4 Misc Microsoft signed: Yes
2012-03-23 09:02:02:912 912 1be4 Misc Validating signature for C:\Windows\SoftwareDistribution\WuRedir\9482F4B4-E343-43B6-B170-9A65BC822C77\muv4wuredir.cab:
2012-03-23 09:02:02:916 912 1be4 Misc Microsoft signed: Yes
2012-03-23 09:02:02:924 912 1be4 Agent Checking for updated auth cab for service 7971f918-a847-4430-9279-4a52d1efe18d at http://download.windowsupdate.com/v9...dir/muauth.cab
2012-03-23 09:02:02:924 912 1be4 Misc Validating signature for C:\Windows\SoftwareDistribution\AuthCabs\authcab.cab:
2012-03-23 09:02:02:928 912 1be4 Misc Microsoft signed: Yes
2012-03-23 09:02:02:964 912 1be4 Misc Validating signature for C:\Windows\SoftwareDistribution\AuthCabs\authcab.cab:
2012-03-23 09:02:02:968 912 1be4 Misc Microsoft signed: Yes
2012-03-23 09:02:03:065 912 1be4 Misc Validating signature for C:\Windows\SoftwareDistribution\WuRedir\7971F918-A847-4430-9279-4A52D1EFE18D\muv4muredir.cab:
2012-03-23 09:02:03:069 912 1be4 Misc Microsoft signed: Yes
2012-03-23 09:02:03:106 912 1be4 Misc Validating signature for C:\Windows\SoftwareDistribution\WuRedir\7971F918-A847-4430-9279-4A52D1EFE18D\muv4muredir.cab:
2012-03-23 09:02:03:110 912 1be4 Misc Microsoft signed: Yes
2012-03-23 09:02:03:114 912 1be4 PT WARNING: Cached cookie has expired or new PID is available
2012-03-23 09:02:04:412 912 1be4 PT +++++++++++ PT: Starting category scan +++++++++++
2012-03-23 09:02:04:413 912 1be4 PT + ServiceId = {7971F918-A847-4430-9279-4A52D1EFE18D}, Server URL = https://www.update.microsoft.com/v6/...ce/client.asmx
2012-03-23 09:02:04:512 912 1be4 Misc Validating signature for C:\Windows\SoftwareDistribution\WuRedir\7971F918-A847-4430-9279-4A52D1EFE18D\muv4muredir.cab:
2012-03-23 09:02:04:515 912 1be4 Misc Microsoft signed: Yes
2012-03-23 09:02:04:551 912 1be4 Misc Validating signature for C:\Windows\SoftwareDistribution\WuRedir\7971F918-A847-4430-9279-4A52D1EFE18D\muv4muredir.cab:
2012-03-23 09:02:04:555 912 1be4 Misc Microsoft signed: Yes
2012-03-23 09:02:04:558 912 1be4 PT +++++++++++ PT: Synchronizing server updates +++++++++++
2012-03-23 09:02:04:558 912 1be4 PT + ServiceId = {7971F918-A847-4430-9279-4A52D1EFE18D}, Server URL = https://www.update.microsoft.com/v6/...ce/client.asmx
2012-03-23 09:02:04:708 912 1be4 Agent Update {D9B0EA0D-FA6A-4408-B186-F88C601DD8CA}.100 is pruned out due to potential supersedence
2012-03-23 09:02:04:708 912 1be4 Agent Update {C084F4FB-9A72-43FB-9298-765CA7276390}.100 is pruned out due to potential supersedence
2012-03-23 09:02:04:708 912 1be4 Agent Update {6413E4AF-61A7-48E6-B72E-0C0DCD9FDA95}.100 is pruned out due to potential supersedence
2012-03-23 09:02:04:708 912 1be4 Agent * Added update {F9B987F2-AE1E-4905-B217-897E884E3038}.100 to search result
2012-03-23 09:02:04:708 912 1be4 Agent * Found 1 updates and 4 categories in search; evaluated appl. rules of 21 out of 25 deployed entities
2012-03-23 09:02:04:752 912 1be4 Agent *********
2012-03-23 09:02:04:752 912 1be4 Agent ** END ** Agent: Finding updates [CallerId = Forefront TMG]
2012-03-23 09:02:04:752 912 1be4 Agent *************
2012-03-23 09:02:04:753 6300 1b5c COMAPI >>-- RESUMED -- COMAPI: Search [ClientId = Forefront TMG]
2012-03-23 09:02:04:755 6300 1b5c COMAPI - Updates found = 1
2012-03-23 09:02:04:755 6300 1b5c COMAPI ---------
2012-03-23 09:02:04:755 6300 1b5c COMAPI -- END -- COMAPI: Search [ClientId = Forefront TMG]
2012-03-23 09:02:04:755 6300 1b5c COMAPI -------------
2012-03-23 09:02:09:751 912 1be4 Report REPORT EVENT: {E9AB83DD-94E9-409A-8AA7-62819E7D21B1} 2012-03-23 09:02:04:752-0400 1 147 101 {00000000-0000-0000-0000-000000000000} 0 0 Forefront TMG Success Software Synchronization Windows Update Client successfully detected 1 updates.
2012-03-23 09:02:09:751 912 1be4 Report CWERReporter finishing event handling. (00000000)
2012-03-23 09:02:38:384 6608 db8 Misc =========== Logging initialized (build: 7.3.7600.16385, tz: -0400) ===========
2012-03-23 09:02:38:384 6608 db8 Misc = Process: C:\Program Files\Microsoft Forefront Threat Management Gateway\UpdateAgent.exe
2012-03-23 09:02:38:384 6608 db8 Misc = Module: C:\Windows\system32\wuapi.dll
2012-03-23 09:02:38:384 6608 db8 COMAPI -------------
2012-03-23 09:02:38:384 6608 db8 COMAPI -- START -- COMAPI: Search [ClientId = Forefront TMG]
2012-03-23 09:02:38:384 6608 db8 COMAPI ---------
2012-03-23 09:02:38:388 912 1be4 Agent *************
2012-03-23 09:02:38:388 6608 db8 COMAPI <<-- SUBMITTED -- COMAPI: Search [ClientId = Forefront TMG]
2012-03-23 09:02:38:388 912 1be4 Agent ** START ** Agent: Finding updates [CallerId = Forefront TMG]
2012-03-23 09:02:38:388 912 1be4 Agent *********
2012-03-23 09:02:38:388 912 1be4 Agent * Online = Yes; Ignore download priority = No
2012-03-23 09:02:38:389 912 1be4 Agent * Criteria = "(IsInstalled = 0 and IsHidden = 0 and CategoryIDs contains '84a54ea9-e574-457a-a750-17164c1d1679' and CategoryIDs contains 'e0789628-ce08-4437-be74-2495b842f43b') or (IsInstalled = 0 and IsHidden = 0 and CategoryIDs contains 'ae4483f4-f3ce-4956-ae80-93c18d8886a6' and CategoryIDs contains 'e0789628-ce08-4437-be74-2495b842f43b')"
2012-03-23 09:02:38:389 912 1be4 Agent * ServiceID = {00000000-0000-0000-0000-000000000000} Third party service
2012-03-23 09:02:38:389 912 1be4 Agent * Search Scope = {Machine}
2012-03-23 09:02:38:391 912 1be4 Misc Validating signature for C:\Windows\SoftwareDistribution\WuRedir\9482F4B4-E343-43B6-B170-9A65BC822C77\muv4wuredir.cab:
2012-03-23 09:02:38:396 912 1be4 Misc Microsoft signed: Yes
2012-03-23 09:02:38:435 912 1be4 Misc Validating signature for C:\Windows\SoftwareDistribution\WuRedir\9482F4B4-E343-43B6-B170-9A65BC822C77\muv4wuredir.cab:
2012-03-23 09:02:38:439 912 1be4 Misc Microsoft signed: Yes
2012-03-23 09:02:38:449 912 1be4 Agent Checking for updated auth cab for service 7971f918-a847-4430-9279-4a52d1efe18d at http://download.windowsupdate.com/v9...dir/muauth.cab
2012-03-23 09:02:38:449 912 1be4 Misc Validating signature for C:\Windows\SoftwareDistribution\AuthCabs\authcab.cab:
2012-03-23 09:02:38:453 912 1be4 Misc Microsoft signed: Yes
2012-03-23 09:02:38:489 912 1be4 Misc Validating signature for C:\Windows\SoftwareDistribution\AuthCabs\authcab.cab:
2012-03-23 09:02:38:493 912 1be4 Misc Microsoft signed: Yes
2012-03-23 09:02:38:590 912 1be4 Misc Validating signature for C:\Windows\SoftwareDistribution\WuRedir\7971F918-A847-4430-9279-4A52D1EFE18D\muv4muredir.cab:
2012-03-23 09:02:38:594 912 1be4 Misc Microsoft signed: Yes
2012-03-23 09:02:38:630 912 1be4 Misc Validating signature for C:\Windows\SoftwareDistribution\WuRedir\7971F918-A847-4430-9279-4A52D1EFE18D\muv4muredir.cab:
2012-03-23 09:02:38:634 912 1be4 Misc Microsoft signed: Yes
2012-03-23 09:02:38:638 912 1be4 PT +++++++++++ PT: Starting category scan +++++++++++
2012-03-23 09:02:38:638 912 1be4 PT + ServiceId = {7971F918-A847-4430-9279-4A52D1EFE18D}, Server URL = https://www.update.microsoft.com/v6/...ce/client.asmx
2012-03-23 09:02:38:702 912 1be4 Misc Validating signature for C:\Windows\SoftwareDistribution\WuRedir\7971F918-A847-4430-9279-4A52D1EFE18D\muv4muredir.cab:
2012-03-23 09:02:38:706 912 1be4 Misc Microsoft signed: Yes
2012-03-23 09:02:38:742 912 1be4 Misc Validating signature for C:\Windows\SoftwareDistribution\WuRedir\7971F918-A847-4430-9279-4A52D1EFE18D\muv4muredir.cab:
2012-03-23 09:02:38:747 912 1be4 Misc Microsoft signed: Yes
2012-03-23 09:02:38:750 912 1be4 PT +++++++++++ PT: Synchronizing server updates +++++++++++
2012-03-23 09:02:38:750 912 1be4 PT + ServiceId = {7971F918-A847-4430-9279-4A52D1EFE18D}, Server URL = https://www.update.microsoft.com/v6/...ce/client.asmx
2012-03-23 09:02:38:888 912 1be4 Agent Update {D9B0EA0D-FA6A-4408-B186-F88C601DD8CA}.100 is pruned out due to potential supersedence
2012-03-23 09:02:38:888 912 1be4 Agent Update {C084F4FB-9A72-43FB-9298-765CA7276390}.100 is pruned out due to potential supersedence
2012-03-23 09:02:38:888 912 1be4 Agent Update {6413E4AF-61A7-48E6-B72E-0C0DCD9FDA95}.100 is pruned out due to potential supersedence
2012-03-23 09:02:38:888 912 1be4 Agent * Added update {F9B987F2-AE1E-4905-B217-897E884E3038}.100 to search result
2012-03-23 09:02:38:888 912 1be4 Agent * Found 1 updates and 5 categories in search; evaluated appl. rules of 26 out of 35 deployed entities
2012-03-23 09:02:38:890 912 1be4 Agent *********
2012-03-23 09:02:38:890 912 1be4 Agent ** END ** Agent: Finding updates [CallerId = Forefront TMG]
2012-03-23 09:02:38:890 912 1be4 Agent *************
2012-03-23 09:02:38:891 6608 18b0 COMAPI >>-- RESUMED -- COMAPI: Search [ClientId = Forefront TMG]
2012-03-23 09:02:38:893 6608 18b0 COMAPI - Updates found = 1
2012-03-23 09:02:38:893 6608 18b0 COMAPI ---------
2012-03-23 09:02:38:893 6608 18b0 COMAPI -- END -- COMAPI: Search [ClientId = Forefront TMG]
2012-03-23 09:02:38:893 6608 18b0 COMAPI -------------
2012-03-23 09:02:38:897 6608 db8 COMAPI -------------
2012-03-23 09:02:38:897 6608 db8 COMAPI -- START -- COMAPI: Download [ClientId = Forefront TMG]
2012-03-23 09:02:38:897 6608 db8 COMAPI ---------
2012-03-23 09:02:38:897 6608 db8 COMAPI - Forced: No; Download priority: 3
2012-03-23 09:02:38:897 6608 db8 COMAPI - Updates in request: 1
2012-03-23 09:02:38:897 6608 db8 COMAPI - ServiceID = {7971F918-A847-4430-9279-4A52D1EFE18D} Third party service
2012-03-23 09:02:38:899 6608 db8 COMAPI <<-- SUBMITTED -- COMAPI: Download [ClientId = Forefront TMG]
2012-03-23 09:02:38:901 912 1be4 DnldMgr *************
2012-03-23 09:02:38:901 912 1be4 DnldMgr ** START ** DnldMgr: Downloading updates [CallerId = Forefront TMG]
2012-03-23 09:02:38:901 912 1be4 DnldMgr *********
2012-03-23 09:02:38:901 912 1be4 DnldMgr * Call ID = {8BD558E1-6252-408C-9897-0D526C308469}
2012-03-23 09:02:38:901 912 1be4 DnldMgr * Priority = 3, Interactive = 1, Owner is system = 1, Explicit proxy = 1, Proxy session id = -1, ServiceId = {7971F918-A847-4430-9279-4A52D1EFE18D}
2012-03-23 09:02:38:901 912 1be4 DnldMgr * Updates to download = 1
2012-03-23 09:02:38:901 912 1be4 Agent * Title = HTTP Malware Definition Update for Microsoft Forefront Threat Management Gateway (Antimalware 1.123.212.0)
2012-03-23 09:02:38:901 912 1be4 Agent * UpdateId = {F9B987F2-AE1E-4905-B217-897E884E3038}.100
2012-03-23 09:02:38:901 912 1be4 Agent * Bundles 1 updates:
2012-03-23 09:02:38:901 912 1be4 Agent * {BC2AB1C3-D4F4-4449-976E-0935B97FBB44}.100
2012-03-23 09:02:38:901 912 1be4 DnldMgr *********** DnldMgr: New download job [UpdateId = {BC2AB1C3-D4F4-4449-976E-0935B97FBB44}.100] ***********
2012-03-23 09:02:38:904 912 1be4 DnldMgr * BITS job initialized, JobId = {8887BC28-04F1-46F1-8E14-C90B5B777C80}
2012-03-23 09:02:38:904 912 1be4 DnldMgr BITS job {8887BC28-04F1-46F1-8E14-C90B5B777C80} using proxy = localhost:8080, bypass = <local>
2012-03-23 09:02:38:907 912 1be4 DnldMgr * Downloading from http://download.windowsupdate.com/ms...c7a560968a.exe to C:\Windows\SoftwareDistribution\Download\414b2632d86103cfe5dffe71c7552af7\9c8ae6133e4c7b7cca85a35b6e ba53c7a560968a (full file).
2012-03-23 09:02:38:909 912 1be4 Agent *********
2012-03-23 09:02:38:909 912 1be4 Agent ** END ** Agent: Downloading updates [CallerId = Forefront TMG]
2012-03-23 09:02:38:910 912 1be4 Agent *************
2012-03-23 09:02:43:896 912 1be4 Report REPORT EVENT: {18FA734C-00FF-4BC4-BE1F-BC7B9475C15C} 2012-03-23 09:02:38:890-0400 1 147 101 {00000000-0000-0000-0000-000000000000} 0 0 Forefront TMG Success Software Synchronization Windows Update Client successfully detected 1 updates.
2012-03-23 09:02:43:896 912 1be4 Report CWERReporter finishing event handling. (00000000)
2012-03-23 09:07:40:460 912 f34 DnldMgr WARNING: BITS job {8887BC28-04F1-46F1-8E14-C90B5B777C80} failed, updateId = {BC2AB1C3-D4F4-4449-976E-0935B97FBB44}.100, hr = 0x80200053, BG_ERROR_CONTEXT = 4
2012-03-23 09:07:40:460 912 f34 DnldMgr Progress failure bytes total = 63753920, bytes transferred = 0
2012-03-23 09:07:40:460 912 f34 DnldMgr Failed job file: URL = http://download.windowsupdate.com/ms...c7a560968a.exe, local path = C:\Windows\SoftwareDistribution\Download\414b2632d86103cfe5dffe71c7552af7\9c8ae6133e4c7b7cca85a35b6e ba53c7a560968a
2012-03-23 09:07:40:482 912 f34 DnldMgr Error 0x80200053 occurred while downloading update; notifying dependent calls.
2012-03-23 09:07:40:490 6608 18b0 COMAPI >>-- RESUMED -- COMAPI: Download [ClientId = Forefront TMG]
2012-03-23 09:07:40:490 6608 18b0 COMAPI - Download call complete (succeeded = 0, succeeded with errors = 0, failed = 1, unaccounted = 0)
2012-03-23 09:07:40:491 6608 18b0 COMAPI - WARNING: Exit code = 0x00000000; Call error code = 0x80240022
2012-03-23 09:07:40:491 6608 18b0 COMAPI ---------
2012-03-23 09:07:40:491 6608 18b0 COMAPI -- END -- COMAPI: Download [ClientId = Forefront TMG]
2012-03-23 09:07:40:491 6608 18b0 COMAPI -------------
2012-03-23 09:07:45:490 912 1be4 Report REPORT EVENT: {D4126EAE-C710-4FAD-9501-EF105956BC79} 2012-03-23 09:07:40:490-0400 1 161 101 {F9B987F2-AE1E-4905-B217-897E884E3038} 100 80200053 Forefront TMG Failure Content Download Error: Download failed.
2012-03-23 09:07:45:509 912 1be4 Report CWERReporter::HandleEvents - WER report upload completed with status 0x8
2012-03-23 09:07:45:509 912 1be4 Report WER Report sent: 7.3.7600.16385 0x80200053 F9B987F2-AE1E-4905-B217-897E884E3038 Download 101 Unmanaged
2012-03-23 09:07:45:509 912 1be4 Report CWERReporter finishing event handling. (00000000)
Bookmarks