Overview
Corrupted definitions or a perimeter firewall can cause the Email Exploit Engine to fail to correctly initialize or successfully complete the automatic updates. This article describes how to determine if a manual update for the Email Exploit Engine is necessary and provides the procedure to manually update the module.
Diagnosis
Automatic updates for the Email Exploit Engine fail if the downloaded definitions are corrupted by a firewall or are not successfully applied to the engine. Improper exclusions for file-based backups and third-party antivirus scanners can also result in corrupt definitions and failed automatic updates.
The administrator can determine if a manual update is necessary by following these steps:
- Open the GFI MailEssentials Configuration
- Expand ‘EmailSecurity’ on the left pane
- Click on the 'Email Exploit Engine' node on the left pane.
- Note: The engine that failed to update is also indicated in the email notification sent to the Administrator email for all failed updates.
- The ‘Updates’ tab will have a ‘Last Update’ date that is not recent. In addition, the Update Status section will have a notification stating that the last update failed.
More details on the reasons for the failed update can be extracted from the debug logs. The debug log for the Email Exploit Engine is located at ...\GFI\MailEssentials\EmailSecurity\DebugLogs\EmailExploit.gfi_log.txt
Solution
Third-party antivirus or backup scanning of the GFI MailEssentials folders can result in corrupt definitions which in turn cause update failures. It is recommended that you configure anti-virus and backup exclusions before proceeding. This linked article on the Recommended Antivirus and Backup Exclusions provides details on which directories must be excluded for different installation environments.
Content-filtering hardware firewalls can also corrupt the MD5 checksum during the update process. Verify that the proper exclusions are in place in your hardware firewall for successful updates. GFI on-premise products connect to the following sites for definition updates. These update sites should be excluded in your firewall rules.
- gfi-downloader-137146314.us-east-1.elb.amazonaws.com
- update.gfi.com
- cdnupdate.gfi.com
The connection uses HTTP and HTTPS for required updates such as the definition files that provide the product with the latest technology or patch updates. If connections are restricted or filtered by your organization's firewall, it is possible that definition updates will fail. Make sure that traffic to the above addresses, on both HTTP and HTTPS, is allowed.
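The reachability check described above can be scripted from the MailEssentials server. This is an added example, not GFI's own tooling; it assumes a direct (non-proxied) connection and a Windows version that provides Resolve-DnsName and Test-NetConnection.

```powershell
# Added example: the hosts are the three update sites listed in this article.
$updateHosts = @(
    'gfi-downloader-137146314.us-east-1.elb.amazonaws.com',
    'update.gfi.com',
    'cdnupdate.gfi.com'
)
$ports = 80, 443   # HTTP and HTTPS; the article requires both

$results = foreach ($h in $updateHosts) {
    # Report a DNS failure separately from a blocked port.
    $resolved = [bool](Resolve-DnsName -Name $h -ErrorAction SilentlyContinue)
    foreach ($p in $ports) {
        $tcp = $false
        if ($resolved) {
            $tcp = (Test-NetConnection -ComputerName $h -Port $p `
                        -WarningAction SilentlyContinue).TcpTestSucceeded
        }
        [pscustomobject]@{
            Host         = $h
            Port         = $p
            DnsResolved  = $resolved
            TcpReachable = $tcp
        }
    }
}

$results | Format-Table -AutoSize

# List every host/port pair that still needs a firewall rule.
$blocked = @($results | Where-Object { -not $_.TcpReachable })
if ($blocked.Count -gt 0) {
    Write-Warning ("Blocked or unresolved: " +
        (($blocked | ForEach-Object { "$($_.Host):$($_.Port)" }) -join ', '))
}
```

A pass here only proves that the TCP connection opens. A content-filtering firewall that alters the downloaded files in transit will still pass this check, so the firewall exclusions must be confirmed separately.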
Once the above prerequisite verifications are done, there are two ways to initiate updates for the Email Exploit Engine:
Solution 1
You can attempt to manually initiate the automatic updates by following the steps below:
- Navigate to the following directory <GFI MailEssentials installation path>\GFI\MailEssentials\Updater\eed and delete the following files:
  - exploitdb_current_revision.txt
  - exploitdb_current_revision.txt.checked
  - exploitdb_current_revision.txt.tmp
- Open services.msc and restart the GFI MailEssentials AV Scan Engine and GFI MailEssentials Autoupdater services.
- Open MailEssentials Configuration and navigate to Email Security > Virus Scanning Engines > Email Exploit Engine > Updates.
- Click Download Updates and click Apply.
- Verify in the Update Status section that the definitions installed successfully.
Solution 2
If the above steps do not update the definitions, a manual update is required in order to clear the possible corrupt definitions from the MailEssentials directories. Follow the steps below in order to complete the manual update process:
- Open a browser and navigate to http://cdnupdate.gfi.com/
- Navigate to the following directory incav2 > exploitdb > c1 folder and click the exploitdb_current_version_c1.zip link to download the latest Email Exploit definitions.
- After the download has completed, launch services.msc and stop the SMTP or transport service (note that this will stop mail flow and queue the messages in Exchange until the service is restarted).
- In services.msc console locate and stop all GFI MailEssentials services
- Extract the downloaded zip from step 2 to the following location <GFI MailEssentials installation path>\GFI\MailEssentials\Updater\eed and overwrite when prompted by Windows
- Navigate to the directory where you just extracted the files in the previous step <GFI MailEssentials installation path>\GFI\MailEssentials\Updater\eed and locate the exploitdb.zip file.
- Extract the exploitdb.zip twice to the following locations <GFI MailEssentials installation path>\GFI\MailEssentials\EmailSecurity\Engines\eed and <GFI MailEssentials installation path>\GFI\MailEssentials\EmailSecurity\Engines\Backup\EED. Overwrite when prompted.
- Start all services stopped in steps 3 and 4.
- Open MailEssentials configuration and verify that the Email Exploit Engine has been updated successfully with the latest version.
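Steps 3 to 8 above can be run as one script so that mail flow is restored even if an extraction fails. This is an added example, not GFI's own code; the three parameters are assumptions: -InstallRoot stands for <GFI MailEssentials installation path>, -DefinitionsZip is the file downloaded in step 2, and -TransportService is the service name of your SMTP or transport service (for example SMTPSVC for IIS SMTP or MSExchangeTransport for Exchange).

```powershell
#Requires -RunAsAdministrator
param(
    [Parameter(Mandatory)] [string] $InstallRoot,      # <GFI MailEssentials installation path>
    [Parameter(Mandatory)] [string] $DefinitionsZip,   # downloaded exploitdb_current_version_c1.zip
    [Parameter(Mandatory)] [string] $TransportService  # assumption: SMTP/transport service name
)
$ErrorActionPreference = 'Stop'

$base    = Join-Path $InstallRoot 'GFI\MailEssentials'
$updater = Join-Path $base 'Updater\eed'
$targets = @(
    (Join-Path $base 'EmailSecurity\Engines\eed'),
    (Join-Path $base 'EmailSecurity\Engines\Backup\EED')
)

# Refuse to stop mail flow if any path is wrong.
foreach ($p in @($DefinitionsZip, $updater) + $targets) {
    if (-not (Test-Path -LiteralPath $p)) { throw "Missing path: $p" }
}

# Record what is running now so exactly those services are restarted.
$transport  = Get-Service -Name $TransportService
$dependents = @($transport.DependentServices | Where-Object Status -eq 'Running')
$gfi        = @(Get-Service -DisplayName 'GFI MailEssentials*' |
                Where-Object Status -eq 'Running')

try {
    Stop-Service -InputObject $transport -Force   # step 3: mail queues from here
    $gfi | Stop-Service -Force                    # step 4

    # Step 5: unpack the download into Updater\eed, overwriting.
    Expand-Archive -LiteralPath $DefinitionsZip -DestinationPath $updater -Force

    # Steps 6 and 7: unpack the inner exploitdb.zip into both engine folders.
    $inner = Join-Path $updater 'exploitdb.zip'
    if (-not (Test-Path -LiteralPath $inner)) { throw "exploitdb.zip not found in $updater" }
    foreach ($t in $targets) {
        Expand-Archive -LiteralPath $inner -DestinationPath $t -Force
    }
}
finally {
    # Step 8: restart everything that was running, even after a failure.
    Start-Service -InputObject $transport
    $dependents | Start-Service
    $gfi | Start-Service
}
```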
Confirmation
- Open the GFI MailEssentials > EmailSecurity
- Click on the 'Email Exploit Engine' node on the left pane.
- The ‘Updates’ tab should have a recent ‘Last Update’ date. In addition, the Update Status section will have a notification stating that the last update succeeded.
Note: The Email Exploit Engine definitions are not regularly updated.