KB Article #101852
Troubleshooting auto updates of Virus Pattern files
1. Make sure the EMF Download Service initialized correctly at system startup. Look in the EMF Event Log for event:
ID : 3005
Event Description : Download Service Initialization
Event Details : The EMF Download Service is running.
2. Is EMF configured to use an FTP proxy?
An FTP proxy is a proxy that supports native FTP proxying. Not all HTTP proxies do. If an FTP proxy is available, enter the correct credentials into the FTP proxy section on the MMS Webadmin Set Up > Virus page.
The user name should be in the form "domain/user".
If the browser on that machine is able to access the URL:
ftp://download.tumbleweed.com/antivirus/
ensure that the credentials entered into the FTP proxy section match exactly the credentials used to log into Windows. Make sure the domain/user entered in the FTP proxy section is "domain/user" and the correct password is entered.
3. Make sure the machine on which the Download Service is running has FTP access to the Internet. It needs this access to download the latest virus pattern DAT files. For EMF versions 5.6 and later, the virus updates are downloaded directly from Network Associates (NAI, Tumbleweed's antivirus vendor). For EMF versions earlier than 5.6, virus updates are downloaded from Tumbleweed, and ACTIVE FTP must be allowed by your firewall. EMF 5.6 and later can be configured to use PASSIVE FTP: from the EMF Webadmin, open Set Up > Configuration Editor, select table DownloadSvcConfigValues and Key Name Virus Pattern Use Passive FTP, and set the Integer Value to 1.
4. The MMSConfigData filegroup for the MMSMail database may be full or almost full. Please see related article Virus Pattern File Update Failed on the right.
5. Try a manual FTP download. Open a browser on the machine running the Download Service, ensure that the browser is not configured to use a proxy, and attempt to access the following location:
EMF 5.6 and later: ftp://ftp.nai.com/pub/datfiles/english/
EMF versions previous to 5.6: ftp://download.tumbleweed.com/antivirus/
Copy the file dat-dddd.zip, where dddd is the current DAT version. If this is successful, ensure that there is no proxy information entered for the FTP proxy section in EMF Webadmin Set Up > Anti-Virus and Anti-Spam.
If this is unsuccessful, try a command-line ftp download. Open a DOS window on the EMF Download Service box, and:
DOS> ftp download.tumbleweed.com
User: anonymous
Password: your-email-address
ftp> cd antivirus
ftp> dir
ftp> bin
ftp> get dat-dddd.zip
where dddd is the current DAT version.
6. Passive FTP may be required in your environment. If you are able to connect but you cannot see the directory listing, your firewall or proxy server may require Passive FTP. The command line ftp client included with Windows does not support Passive FTP correctly.
Try connecting using IE and browsing to ftp://ftp.nai.com and ftp://ftp.nai.com/pub/datfiles/english. Internet Explorer supports Passive FTP by default. It could be that your FTP proxy or firewall is requiring you to use Passive FTP (see below). If the FTP connection itself is failing, it may be a network or firewall issue, and needs to be further investigated on your side.
If you do find you can browse successfully using IE and you'd like to turn on Passive FTP for EMF, take the following steps:
- In Web Admin, go to Set Up > Configuration Editor
- Select the table DownloadSvcConfigValues, type in the key name "Virus Pattern Use Passive FTP", and click Find
- Change the Integer Value from 0 to 1 and click Update
- Try your Virus Pattern download again
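Because the Windows command-line ftp client cannot test Passive FTP, the following added example (not part of the original article or of EMF) uses Python's standard ftplib to try the same anonymous login and directory listing in both modes and report which step fails. It assumes Python is available on the Download Service host; the host and directory are the ones given above for EMF 5.6 and later.

```python
import ftplib

def probe_listing(host, directory, passive, port=21, timeout=15):
    """Anonymous login, cd, then list. Returns (stage, detail); stage is
    'ok' or the step that failed: 'connect', 'login', 'cwd' or 'list'."""
    stage = "connect"
    try:
        with ftplib.FTP() as ftp:
            ftp.connect(host, port, timeout=timeout)
            stage = "login"
            ftp.login()                      # anonymous, as in step 5
            stage = "cwd"
            ftp.cwd(directory)
            stage = "list"                   # first use of the data channel
            ftp.set_pasv(passive)            # True = PASV, False = PORT (active)
            lines = []
            ftp.retrlines("LIST", lines.append)
            return "ok", f"{len(lines)} entries listed"
    except ftplib.all_errors as exc:         # protocol, socket and EOF errors
        return stage, f"{type(exc).__name__}: {exc}"

def diagnose(passive, active):
    """Map the two (stage, detail) results onto the steps of this article."""
    p, a = passive[0], active[0]
    if p == "ok" and a == "ok":
        return "both modes work: check service account and event log (steps 7, 8)"
    if p == "ok":
        return "only passive works: set Virus Pattern Use Passive FTP to 1 (EMF 5.6 and later)"
    if a == "ok":
        return "only active works: leave Virus Pattern Use Passive FTP at 0"
    if p == a == "connect":
        return "control connection fails: network or firewall issue (step 9)"
    if p == a == "list":
        return "data channel blocked in both modes: firewall or proxy issue"
    return f"failed before listing (passive: {p}, active: {a})"

if __name__ == "__main__":
    host, directory = "ftp.nai.com", "/pub/datfiles/english"   # EMF 5.6 and later
    results = {m: probe_listing(host, directory, passive=(m == "passive"))
               for m in ("passive", "active")}
    for mode, (stage, detail) in results.items():
        print(f"{mode:8} {stage:8} {detail}")
    print(diagnose(results["passive"], results["active"]))
```

Run it on the machine where the Download Service is installed, since firewall rules usually differ per host.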
7. If manual updates work, but auto updates do not, check the Download Service account logon to see if it has proper permissions.
It requires domain user privileges - domain admin may not work in all cases. It also requires access to the Windows TEMP/TMP directory.
8. Check the EMF Event Log for errors. Filter the EMF event log on component "Virus Manager" (all Event Types and Error Levels), and then on component "Virus Pattern Update" (all Event Types and Error Levels), looking for error conditions in each case (e.g., event 3087 Virus pattern update failed).
The EMF event IDs logged on a successful pattern update are:
ID : 3013
Event Description : Virus Pattern File Update Succeeded
Event Details : The virus update thread has successfully contacted the virus pattern file server and downloaded a new pattern file [version:
ID : 3015
Event Description : Virus Pattern File Extra.dat Update Succeeded
Event Details : The virus update thread has successfully updated the extra.dat pattern file [version:
9. Your firewall may be blocking the connection.
In some high-security environments, the firewall does not allow FTP connections to the Internet as a general rule, but it can usually be configured to allow certain specific connections. If at all possible, configure your firewall to allow connections to the virus pattern server based on the host name (either ftp.nai.com or download.tumbleweed.com). If your firewall requires the IP address of the FTP server before connections will be allowed, you are at risk of unexpectedly losing your ability to get updates if the FTP server's IP address ever changes. If your virus pattern updates were working previously and you are suddenly unable to connect to the server, check whether the IP address you have allowed for the FTP server is still correct. You can check the IP address that EMF will be connecting to by using the following command on the host where the Download Service is installed:
nslookup ftp.nai.com
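To run that comparison routinely rather than after updates have already stopped, the following added example (not part of the original article or of EMF) resolves each pattern server name and reports any address that the firewall's IP-based rules do not cover. The rule set shown is constructed from documentation address ranges and must be replaced with your own.

```python
import ipaddress
import socket

def resolve_ipv4(host):
    """Current IPv4 addresses for host, as this machine's resolver sees them."""
    infos = socket.getaddrinfo(host, 21, family=socket.AF_INET,
                               type=socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})

def stale_rules(allowed, resolver=resolve_ipv4):
    """allowed maps hostname -> list of IPs or CIDR ranges the firewall permits.
    Returns {hostname: [resolved addresses not covered by any rule]}."""
    report = {}
    for host, rules in allowed.items():
        nets = [ipaddress.ip_network(rule, strict=False) for rule in rules]
        try:
            current = resolver(host)
        except OSError as exc:               # includes socket.gaierror
            report[host] = [f"resolution failed: {exc}"]
            continue
        missing = [ip for ip in current
                   if not any(ipaddress.ip_address(ip) in net for net in nets)]
        if missing:
            report[host] = missing
    return report

if __name__ == "__main__":
    # Constructed rule set using documentation addresses; replace with the
    # addresses your firewall actually permits.
    allowed = {"ftp.nai.com": ["192.0.2.10"],
               "download.tumbleweed.com": ["192.0.2.0/24"]}
    for host, problems in stale_rules(allowed).items():
        print(host, "->", ", ".join(problems))
```

An empty result means every currently resolved address is still covered by a rule.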
10. Run a DebugLogCapture trace on the Download Service. See related article Running a DebugLogCapture trace on the right.
Additional information:
See also related knowledgebase articles on the right.