Avast WEBforum
Business Products => Archive (Legacy) => Avast Business => Avast Server Protection => Topic started by: gadeem0517 on November 06, 2006, 09:23:22 PM
-
Issue with Avast/Exchange in which the solution was to uninstall Avast in order to get mail flowing.
Issue:
Mail was not being delivered in a timely fashion
"Message Pending Submission" queue was backing up on Exchange 2003 server
SMTP Service status was listed as "Starting"
The following event entries repeated over and over
Event Type: Information
Event Source: IISCTLS
Event Category: None
Event ID: 1
Date: 11/6/2006
Time: 1:26:54 PM
User: N/A
Computer: AMCMAIL
Description:
IIS start command received from user NT AUTHORITY\SYSTEM. The logged data is the status code.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 1d 04 07 80 ...€
Event Type: Warning
Event Source: W3SVC
Event Category: None
Event ID: 1069
Date: 11/6/2006
Time: 1:27:49 PM
User: N/A
Computer: AMCMAIL
Description:
The World Wide Web Publishing Service failed to record the proper state '2' and win32error '0' of application pool 'DefaultAppPool' in the metabase. To correct, start/stop the application pool or restart the World Wide Web Publishing Service. The data field contains the error number.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: ba 06 07 80 º..€
Event Type: Error
Event Source: W3SVC
Event Category: None
Event ID: 1063
Date: 11/6/2006
Time: 1:27:49 PM
User: N/A
Computer: AMCMAIL
Description:
The World Wide Web Publishing Service encountered a failure requesting metabase change notifications. The data field contains the error number.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: ba 06 07 80 º..€
Event Type: Error
Event Source: W3SVC
Event Category: None
Event ID: 1064
Date: 11/6/2006
Time: 1:27:49 PM
User: N/A
Computer: AMCMAIL
Description:
The World Wide Web Publishing Service encountered a failure requesting metabase change notifications during recovery from inetinfo terminating unexpectedly. While the World Wide Web Publishing Service will continue to run, it is highly probable that it is no longer using current metabase data. Please restart the World Wide Web Publishing Service to correct this condition. The data field contains the error number.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: ba 06 07 80 º..€
Event Type: Error
Event Source: Service Control Manager
Event Category: None
Event ID: 7031
Date: 11/6/2006
Time: 1:27:49 PM
User: N/A
Computer: AMCMAIL
Description:
The IIS Admin Service service terminated unexpectedly. It has done this 21 time(s). The following corrective action will be taken in 1 milliseconds: Run the configured recovery program.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Event Type: Error
Event Source: Service Control Manager
Event Category: None
Event ID: 7034
Date: 11/6/2006
Time: 1:27:49 PM
User: N/A
Computer: AMCMAIL
Description:
The Microsoft Exchange IMAP4 service terminated unexpectedly. It has done this 21 time(s).
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Event Type: Error
Event Source: Service Control Manager
Event Category: None
Event ID: 7034
Date: 11/6/2006
Time: 1:27:49 PM
User: N/A
Computer: AMCMAIL
Description:
The Microsoft Exchange Routing Engine service terminated unexpectedly. It has done this 21 time(s).
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Event Type: Error
Event Source: Service Control Manager
Event Category: None
Event ID: 7034
Date: 11/6/2006
Time: 1:27:49 PM
User: N/A
Computer: AMCMAIL
Description:
The Simple Mail Transfer Protocol (SMTP) service terminated unexpectedly. It has done this 21 time(s).
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Telephone call to Microsoft in which they had me uninstall Avast. Mail flowed after uninstall.
Thoughts?
Thanks in Advance
-
Hello? Anybody out there....
-
So, the IIS service (inetinfo.exe) is actually crashing??
To analyse the problem, it would be useful to install the following diagnostic utility from the Microsoft website:
http://www.microsoft.com/downloads/details.aspx?FamilyID=9bfa49bc-376b-4a54-95aa-73c9156706e7&DisplayLang=en
After installing the program, run it and verify that the page “Rules” shows only one entry - "Crash rule for all IIS related processes"; the "Userdump Count" column should show 0.
Next, simulate the problem. This should be intercepted by the tool and the "Userdump count" value should increase. This means that a dump file has been generated - and you can send it to me.
The dump file will be (by default) placed in the "C:\Program Files\IIS Resources\DebugDiag\Logs\Crash rule for all IIS related processes" folder, and usually has about 80MB in size (may be more or less). Please ZIP this file, and upload it to our ftp site ftp://ftp.avast.com/incoming (please note that you will only have WRITE access to the ftp site, not READ).
When you're done, please let me know and we will have the dump file analysed.
Thanks
Vlk
-
thanks,
I have uploaded the zip file
-
I am having the same sort of problems with my deployment.
I have a 2-node Active/Passive Cluster. The systems are setup the same, hardware and software, except that on server1 we uninstalled Avast completely. When server1 is active exchange runs great, no errors of any kind in the event logs. When we move the cluster to server2 (which has Avast 4.6 installed) we see these same errors in the event log and eventually exchange fails and moves back to server1. We had avast 4.7 installed on server 2, but things got much worse, we couldn't keep that server up for more that a few hours at a time. We rolled back to 4.6 and it will stay up for a day or so, then the cluster group will fail to server1.
Any ideas what is happening here?
Thanks
dan
-
>:( So I would like to know what's going on with this. I work with Dan (Scrimpyd) and the file that was requested was uploaded. I also see that there are other folks that are having the same problem and Gadeem has also uploaded the file on the 10th but nothing has been posted to say that you received any files and they are being analyzed or any sort of update. We need to get this rectified as quickly as possible. If you need more information let us know and at the least put a post up of the status. Thx Tony
-
I'm in contact with Gdeem who submitted the dump files as first. We are actively working on it. I can't tell you more at this moment, sorry (right now I'm in the MS campus in Redmond so I'm just "at the source" and able to consult e.g Exchange source code to debug this, if necessary).
Will get back to you as soon as I know more.
Thanks for your patience.
Vlk
-
Thanks for the quick response. We are only one state over (Idaho), you could take a trip over here and fix it ;D
-
:-\
Let us know if you need any other info.
-
Guys, I have a question. Is the problem easily reproducible on your machine(s)?
That is, if I send you a modified version of one of the avast DLLs (together with instructions on how to install it), do you know a way to verify that it fixes the problem?
Thanks
Vlk
-
We have this problem just from having Avast 4.6 installed. When we uninstall Avast the problem goes away, We install Avast 4.6 again and the problems come back.
Do you want me to install 4.6 or update to 4.7? We know the problem is not related to a cluster environment because our Front-End Exchange 2003 server, which had Avast 4.6 and 4.7 installed & is not a cluster member, would also 'crash' on a regular basis.
Send the files and instructions and we will give it a shot. If you need more contact info from me let me know.
-
OK, thanks a lot for your speedy reply.
Here are the steps:
1. install the latest version of avast Server Edition (build 4.7.676). Do NOT reboot when asked to do so.
2. Download http://public.avast.com/~vlk/avsmtp2k-patch-676.zip and extract its contents to the avast folder (overwriting existing AvSmtp2K.dll). The .dll.sum file will guarantee that the avast auto-updater will not replace the patched version by the official one (which it would normally do as soon as it would detect the change)
3. restart the server
4. use the Server Deployment Wizard (automatically started after log on) to add the SMTP provider to the on-access scanning task.
5. try to simulate the problem
Please let me know if you have any problems, or need further assistance. This is a very strange issue and I have to say that even consulting the Exchange source code didn't help much (it's not a very nice code indeed :))
Thanks
Vlk
-
Thanks Vlk.
I have installed and replaced the files. I moved my exchange cluster to server2 and now I need to wait and watch what happens.
I will post again when I have some news.
If you need anything else let me know.
Heres to hoping things go well for all of us.
:)
dan
-
OK, thanks a lot. BTW how long would it normally take for the problem to happen? Is there a big load on the server?
Thanks
Vlk
-
We would start to see errors in the event logs after a couple hours. The server is not too busy. We have about 640 mailboxes. The server processes about 400 msgs an hour.
One more note. We see this error only when we have Avast installed:
Event Type: Error
Event Source: DCOM
Event Category: None
Event ID: 10016
Date: 11/15/2006
Time: 11:24:13 AM
User: NT AUTHORITY\SYSTEM
Computer: SERVER2
Description:
The application-specific permission settings do not grant Local Launch permission for the COM Server application with CLSID
{9DA0E106-86CE-11D1-8699-00C04FB98036}
to the user NT AUTHORITY\SYSTEM SID (S-1-5-18). This security permission can be modified using the Component Services administrative tool.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
When we uninstall Avast this error goes away. We have been trying to figure this one out too.
Is this something you can help with also?
-
Sounds like related to this: http://support.microsoft.com/default.aspx?scid=kb;en-us;299046
Try putting the Exchange M: drive (it's M: on your server, too, right?) to the list of Standard Shield's scan exceptions.
I.e. add something like
M:\*
(double-click avast tray icon, select "Details >>", double-click Standard Shield, go to the "Advanced" page and add it to the list).
Cheers
Vlk
-
;D
Thanks.
I added that to the list. I will let you know what happens.
dan
-
OK, thanks.
BTW you (scrimpyd) and twilson are both with the same "company"? That is, you're both refering to the same servers? :)
Thanks
Vlk
-
Yes we are in the same company- The College of Southern Idaho.
We are even in the same office. :)
So far we don't see any errors in our event log on the server running Avast. We will keep an eye on it. The DCOM error I posted we only saw on boot up. When I get a chance I will reboot that server to see if that DCOM error goes away.
dan
-
OK, let's see how it evolves. The change that was made to the modified DLL is quite subtle but may actually be the culprit (let's hope so).
BTW how many messages has the service scanned so far?
-
So far its doing good.
In the last 3.5 hours the 'MS SMTP 200/2003 Provider' has processed 6231 emails.
The 'Exchange 2000/2003 Provider' has precessed 1021821 while it has been scanning the Exchange mail store.
No errors in the event log. We will let it run until something happens.
Everyone here is curious about what the change in the file is.
Thanks
dan
-
Glad to hear that... Fingers xed. :)
As about the change, actually, the modification consisted only in exactly 6 characters in the source code ;D But the strange thing is, a lot of MSDN samples actually use this code (the original version), so if this proves to be the culprit I guess MS will have to update quite a few of its pages...
Cheers
Vlk
-
Any news on the current status? ;)
-
Here are some new stats from our server:
In the last 23 hours the 'MS SMTP 200/2003 Provider' has processed 28500 emails.
The 'Exchange 2000/2003 Provider' has precessed 2872451 emails.
Through the night the server ran with out any problems. There are no errors in the event viewer. So far it seems to be working. - Knock on wood! ;D
We will wait until Monday before we put Avast back on our Front-end OWA Server and the other cluster node. We don't want any issues over the weekend.
dan
-
Great, thanks for that.
Let's wait till Monday. :)
-
Good news. Thanks Scrimpyd for testing
-
Just got back home from Redmond.
Any news on this issue (from Idaho)?
Thanks :)
Vlk
-
Vlk, hope you had a good trip.
Well so far the stats are:
In the last 3 days 11 hours the 'MS SMTP 200/2003 Provider' has processed 101419 emails.
The 'Exchange 2000/2003 Provider' has precessed 3009627 emails.
No errors in the event logs from exchange or the cluster services.
dan
-
Very good, thanks for keeping us updated.
Hopefully, it will work flawlessly on the cluster as well...
You said that before applying the patch, it usually crashed after a couple of hours, right?
Thanks
Vlk
-
Still everything OK? knock, knock...
:)
-
So far things are looking good.
In the last 4 days 20 hours the 'MS SMTP 200/2003 Provider' has processed 1386683 emails.
The 'Exchange 2000/2003 Provider' has precessed 3075252 emails.
I did move the Exchange Virtual Servers over to Server1 this morning so I could reboot Server2. Server2 still gives me a DCOM error in the event log when the server boots up. Not sure what is causing it yet. I moved the cluster back to Server2 and it is running again. I am not sure if I should be concerned about the DCOM error or not. I dont see that error on Server1, the only differences in the two is Server1 does not have Avast installed on it, Server2 does. Once Server2 is up everything works as I would expect. So I am still trying to figure out what is causing the error. I will keep looking. I have looked in the DCOM Config and I dont see any process with that ID to give it the permissions that might need.
If you are curious about the error, here are the details it gives:
----------------------------------------
Event Type: Error
Event Source: DCOM
Event Category: None
Event ID: 10016
Date: 11/20/2006
Time: 7:31:01 AM
User: NT AUTHORITY\SYSTEM
Computer: SERVER2
Description:
The application-specific permission settings do not grant Local Launch permission for the COM Server application with CLSID
{9DA0E106-86CE-11D1-8699-00C04FB98036}
to the user NT AUTHORITY\SYSTEM SID (S-1-5-18). This security permission can be modified using the Component Services administrative tool.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
----------------------------------------
-
Howdy All-
I solved the DCOM error. Not sure what changed but the CLSID 9DA0E106-86CE-11D1-8699-00C04FB98036 finally showed up in the DCOM config in the Component Services MMC. ??? I checked the Security tab and it was set to 'Customize' But when I clicked on the 'Edit' button there were no users or groups in the 'Launch Permissions' window. I added SYSTEM, INTERACTIVE and Administrators and gave them the correct rights to launch and activate. Rebooted the server and now NO DCOM error.
I just wish I knew what triggered that CLSID to show up in the DCOM config finally. ???
-
So far so good? ;)
-
Server2 ran great over the weekend. I am going to install 4.7 and the fixed dll file on our Exchange Front-End and OWA server, Server3 today. I will let you know how that goes.
dan
-
I thought I would post an update.
I have Avast 4.7 with the .dll file Vlk posted on two servers.
The product is working great. There are no errors in the event logs on either system.
What should I do about the AvSmtp2K.dll.sum file in the program directory?
Will the patched .dll be included in future versions of Avast?
Should I still be doing program updates along with the virus database updates?
Thanks Vlk for all the help.
:)
dan
-
Hey, thanks a lot for the update!
Yes, the fix will be included in the next program update (scheduled just before Xmas). You don't need to worry about anything -- the patched AvSmtp2K.dll file will get replaced by the official (fixed) version when you perform the update (so: yes, I'd recommend to install all program updates in any case as there will be some other fixes/enhancements as well).
Thanks
Vlk
-
Do I need to delete the AvSmtp2K.dll.sum file from the directory? I thought that you had said the this file would prevent the update from overwriting the AvSmtp2K.dll file in the programs directory.
Just want to be clear about this files purpose.
Thanks
dan
-
You don't need to delete it.
If you look inside the AvSmtp2K.dll.sum file, you'll notice the Build= line. That is, the .sum file (which tells the updater to ignore the patched version) is bound to a specific version of avast.
Once the version number increases, the .dll file will get replaced by the new, official version, and the .sum file will be deleted automatically (as it won't be needed anymore).
Hope this explains it. :)
Cheers
Vlk
-
Vlk,
We are also having positive results with the patch. Thanks for your quick response
-
Hi,
Where I can download this patch, I always have this trouble at the restart of my SBS. :(
Thank's in advance.
GG.
-
The latest version of avast! Server (and SBS) Edition has the problem fixed already. Please update to the latest version.
Thanks
Vlk