Avast WEBforum
Business Products => Archive (Legacy) => Avast Business => Avast Server Protection => Topic started by: kwg on December 05, 2008, 10:26:21 PM
-
Ever since installing the 4.8.1049 program update for Avast Server Edition this morning, Exchange Server 2003 has been shutting down on its own. Thereafter, the Avast Exchange 2000/2003 provider shows that it is "waiting for a subsystem to start."
Rebooting the server corrects the problem for a while, but Exchange Server eventually shuts down again, one or two hours after the reboot.
Before the 4.8.1049 program update this morning, I have never experienced a similar problem with Avast or Exchange Server.
-
Hmm. Do you have any dump files that we could use to look into the problem?
Thanks
Vlk
-
Specifically, the problem is with the Exchange Information Store service. The service does not actually stop, but restarting the service corrects the problem for a while.
While mail delivery is halted, an error similar to the following is recorded repeatedly in the Application log:
Event Type: Error
Event Source: MSExchangeTransport
Event Category: Exchange Store Driver
Event ID: 348
Date: 12/5/2008
Time: 1:30:51 PM
User: N/A
Computer: SBS2003
Description:
A message could not be virus scanned - this operation will be retried later. Internet Message ID <...> Error Code 0x0.
-
Can you please check the Antivirus category of the Windows Event Log as well? Does it contain any entries that may be related to this?
Thanks
Vlk
-
BTW couldn't this be related?
http://support.microsoft.com/kb/843545
Thanks
Vlk
-
There are no errors in the Antivirus log; only the usual 26923 warning events whenever a virus is detected.
However, just before the Exchange crash, this information event appears in the Application log, suggesting that Avast may now conflict with IMF:
Event Type: Information
Event Source: MSExchangeTransport
Event Category: SMTP Protocol
Event ID: 7513
Date: 12/5/2008
Time: 10:18:39 AM
User: N/A
Computer: SBS2003
Description:
Microsoft Exchange Intelligent Message Filter was refreshed. Microsoft Exchange Intelligent Message Filter is now enabled. A refresh occurs when the SMTP service is restarted or Microsoft Exchange Intelligent Message Filter is updated.
-
BTW couldn't this be related?
http://support.microsoft.com/kb/843545
I think this issue is unlikely to be related. To my knowledge, no one in this particular company would send a digitally signed message.
-
Can you please also check the file <avast>\data\log\selfdef.log? Does it exist? And if so, what does it contain (if it's non-empty)?
-
Contents of selfdef.log:
12/5/2008 7:42:02 AM Write access to file \Device\HarddiskVolume2\Program Files\Alwil Software\Avast4\DATA\PxyCache\index.dat denied. [C:\Program Files\Microsoft ISA Server\wspsrv.exe]
12/5/2008 8:11:09 AM Write access to file \Device\HarddiskVolume2\Program Files\Alwil Software\Avast4\DATA\PxyCache\index.dat denied. [C:\Program Files\Microsoft ISA Server\wspsrv.exe]
The time 7:42:02 AM corresponds to when the 4.8.1049 program update was installed.
The time 8:11:09 AM corresponds to when I rebooted the sever a second time after installation. The second reboot was necessary because the Exchange 2000/2003 provider was not active ("waiting for a subsystem to start") after the initial reboot requested by the program update.
-
Can you please try disabling avast self-defense and see if it makes any difference re Exchange stability?
avast settings -> Troubleshooting page.
Thanks
Vlk
-
Can you please try disabling avast self-defense and see if it makes any difference re Exchange stability?
avast settings -> Troubleshooting page.
Done!
I'll update this thread with a report about Exchange stability over the next few hours.
-
Hi kwg,
do you have any updates for us?
How's it going with the self-defense module disabled?
Thanks
Vlk
-
Unfortunately, the problem has recurred. Again, the problem seems to be associated with IMF.
Here's the first entry in the Application log:
Event Type: Information
Event Source: MSExchangeTransport
Event Category: SMTP Protocol
Event ID: 7513
Date: 12/5/2008
Time: 6:24:47 PM
User: N/A
Computer: SBS2003
Description:
Microsoft Exchange Intelligent Message Filter was refreshed. Microsoft Exchange Intelligent Message Filter is now enabled. A refresh occurs when the SMTP service is restarted or Microsoft Exchange Intelligent Message Filter is updated.
One minute later:
Event Type: Error
Event Source: MSExchangeTransport
Event Category: Exchange Store Driver
Event ID: 348
Date: 12/5/2008
Time: 6:25:44 PM
User: N/A
Computer: SBS2003
Description:
A message could not be virus scanned - this operation will be retried later. Internet Message ID <...>, Error Code 0x0.
Restarting the Microsoft Exchange Information Store service restores mail delivery and causes the Avast Exchange 2000/2003 provider to restart.
-
If you look e.g. in the Antivirus event log, and compare the timestamps, can't the problem be e.g. related to a positive detection?
Thanks
Vlk
-
It gets complicated here.
Ordinarily, Avast detects several viruses each minute. However, Avast seems to have stopped detection completely for 18 hours. Detection was restored only when I restarted the Microsoft Exchange Information Store service this morning.
Here is the last Antivirus log entry before detection stopped:
Event Type: Warning
Event Source: avast!
Event Category: (12)
Event ID: 26923
Date: 12/5/2008
Time: 2:02:56 PM
User: N/A
Computer: SBS2003
Description:
VSAPI: A virus was found in message body part Full_Details.htm. The message will be processed according to the user-defined rules.
Message info:
Server: SBS2003
Database: First Storage Group\Mailbox Store (SBS2003)
Mailbox: ...
Folder: /Junk E-mail
Message: /Junk E-mail/ Earn $250 per day just for clicking your mouse with ClickedCash.EML
From: ClickedCash <clickedcash2@gmail.com>
To: ...
CC: <>
Subject: Earn $250 per day just for clicking your mouse with ClickedCash
Here is the first Antivirus log entry after I restarted the Microsoft Exchange Information Store service today:
Event Type: Warning
Event Source: avast!
Event Category: (12)
Event ID: 26923
Date: 12/6/2008
Time: 10:37:29 AM
User: N/A
Computer: SBS2003
Description:
VSAPI: A virus was found in message body part Update-KB3125-x86.zip. The message will be processed according to the user-defined rules.
Message info:
Server: SBS2003
Database: First Storage Group\Mailbox Store (SBS2003)
Mailbox: ...
Folder: /Inbox
Message: /Inbox/Mail server report.-5.EML
From: serv@logoluso.com <serv@logoluso.com>
To: ...
CC: <>
Subject: Mail server report.
-
The problem continues, and the pattern is the same.
First a refresh of IMF:
Event Type: Information
Event Source: MSExchangeTransport
Event Category: SMTP Protocol
Event ID: 7513
Date: 12/6/2008
Time: 12:35:30 PM
User: N/A
Computer: SBS2003
Description:
Microsoft Exchange Intelligent Message Filter was refreshed. Microsoft Exchange Intelligent Message Filter is now enabled. A refresh occurs when the SMTP service is restarted or Microsoft Exchange Intelligent Message Filter is updated.
Then a failure of Avast;
Event Type: Error
Event Source: MSExchangeTransport
Event Category: Exchange Store Driver
Event ID: 348
Date: 12/6/2008
Time: 12:45:28 PM
User: N/A
Computer: SBS2003
Description:
A message could not be virus scanned - this operation will be retried later. Internet Message ID <...>, Error Code 0x0.
Restarting the Microsoft Exchange Information Store service corrects the problem temporarily.
-
Update: The problem continues exactly as described above.
-
In addition, I sometimes see these messages in the Application log soon before mail delivery stops and the Avast Exchange provider becomes disabled:
Event Type: Error
Event Source: Application Error
Event Category: (100)
Event ID: 1000
Date: 12/8/2008
Time: 9:14:21 AM
User: N/A
Computer: SBS2003
Description:
Faulting application store.exe, version 6.5.7653.38, faulting module AvExVxx2.dll, version 4.8.1296.0, fault address 0x00005b7e.
Event Type: Information
Event Source: Application Error
Event Category: (100)
Event ID: 1004
Date: 12/8/2008
Time: 12:18:26 PM
User: N/A
Computer: SBS2003
Description:
Reporting queued error: faulting application store.exe, version 6.5.7653.38, faulting module AvExVxx2.dll, version 4.8.1296.0, fault address 0x00005b7e.
-
Update: It is now Day 5 with this problem. Still no resolution.
-
Please check your email. Thanks.
-
I am having exactly the same problem. Does anyone have a fix ?
-
I am having exactly the same problem. Does anyone have a fix ?
Awil has written a fix, which I am currently testing for them. So far, so good.
-
David, are you also getting the "Microsoft Exchange Intelligent Message Filter was refreshed" message just before the problem starts taking place?
Thanks
Vlk
-
Vlk,
Here's a very interesting observation:
1. IMF updates are issued by Microsoft only two times per month.
2. Before the Avast 4.8.1049 upgrade, the ID 7513 events occurred only a few times each month.
3. After the Avast 4.8.1049 upgrade, the ID 7513 events are occurring every two hours almost exactly (plus or minus a few minutes each time).
I suspect, therefore, that Avast 4.8.1049 is somehow causing the ID 7513 events every two hours, perhaps by restarting the SMTP service. In other words, the ID 7513 events are a symptom of a problem in Avast which occurs every two hours, not the cause of the problem.
What does Avast do every two hours, plus or minus a few minutes? Does Avast attempt a VPS update? Is the SMTP service involved?
-
I'm experiencing the same problem. Running a SBS2003. Since the Avast update, Exchange hangs up with error code 348: "A message could not be virus scanned - this operation will be retried later. Internet Message ID <...>"
As kwg wrote, restarting the Exchange Information Store service helps for a while.
But here seems no correlation to event ID 7513. I have no 7513 entries in the logs. But ID 9661 which says "standard filtering level for unrequested commercial e-mail has been updated. The new value is 8." (sorry for translation, I have German language event logs ;))
Is there a fix available, yet?
-
I have the same problem after update from 4.7 to 4.8. Server 2003 with Exchange server 2003 SP2.
I've just deinstalled AVAST and now for 3 hours no problems, otherwise I had to restart Information Store and AVAST engine every 2 hours. I will reinstall when a fix is availlable.
-
Guys,
it would be helpful if you could create a dump of the store.exe process at the moment the problem is simulated.
To do this, please download http://public.avast.com/~vlk/userdump.exe
Once the problem is simulated, run
userdump store.exe c:\store.dmp
This will create a file store.dmp in C:\ (a memory dump of the Exchange IS process). Zip it and upload it to ftp://ftp.avast.com/incoming (please note that you won't have READ access to the ftp site, just WRITE).
Thanks
Vlk
-
I did send Vlk a dump created just 5 seconds after the event occurred. Since the dump is half a gigabyte in size, and the Avast "Incoming" directory is write-only, I don't know yet whether my upload was successful.
-
We are now also seeing this problem on 2 customers' servers. It's very bad. Has anyone tried turning off IMF to see if that helps?
Regards,
Edmund
-
Hello!
This one is a massive problem!!!!
I have got 12 (twelve!!!!) customers out there which cannot receive mails since the update - same error as mentioned above.
What i have already tried:
- restart services: no effect
- uninstall avast scanner & reboot: mails can be received again - but no virus scanning of course
- reinstall avast server edition (SBS & standard versions): works for about 3 hours - then same error again
- deactivated IMF & restarted services: works for 4-5 mails; then crashes again
So currently, only UNINSTALLING avast scanner brings back a functional solution -
we REALLY need a patch on this !!!!
-
I did send Vlk a dump created just 5 seconds after the event occurred. Since the dump is half a gigabyte in size, and the Avast "Incoming" directory is write-only, I don't know yet whether my upload was successful.
Hello,
I don't know if you've communicated with Vlk by e-mail, but the upload on the FTP is only 2 megabytes in size - i.e. it's not complete.
Could you possibly try to upload again? (or, if you have a webspace of your own, put it there for download, probably in a form of a password-protected archive?)
Thanks.
-
I don't know if you've communicated with Vlk by e-mail, but the upload on the FTP is only 2 megabytes in size - i.e. it's not complete. Could you possibly try to upload again? (or, if you have a webspace of your own, put it there for download, probably in a form of a password-protected archive?)
I am currently uploading the file to a different server. I will let Vlk know when the upload is complete and how to retrieve the file.
-
I am currently uploading the file to a different server. I will let Vlk know when the upload is complete and how to retrieve the file.
I have e-mailed Vlk with instructions for retrieving the file from my server.
-
We're experiencing the same, more details:
1) emails are being sent out just fine.
2) incoming emails are sitting on the pending queue and not being delivered to local mailboxes.
3) event log is showing IMF being restarted, which i suspect is due to a restart of the smtp service more than anything.
4) this has happened since avast auto-updated on the windows 2003 sbs on sunday. Monday morning, start of business, was a firefighting session of trying to get ever growing queues to deliver.
5) all this was solved by disabling the local exchange and smtp scanners in avast. queue sizes dropped to nothing almost straight away.
The current result is that we are getting email delivered locally, but not virus scanned however. I've not seen requirement to uninstall avast. Just disabling the exchange and smtp scanner seems to fix it (after the smtp service is restarted).
Note however, that on reboot of the server, avast will be restarted again and delivery will fail once more.
-
Same problem here...
SBS2003 UK SP2.
Quick solution when no mail is deliverd anymore.
disable avast
start=>run=>issreset
then restart the mailstore
then from the Exchange systemmanager go to => servers => {servername} => queues
Right klik Messages pending submission and choose freeze.. Then wait 5 seconds and then klik it again and choose force connection.
Now the messages will be deliverd again......
-
Quick solution when no mail is deliverd anymore.
I find that the following two-step procedure is sufficient to restore delivery:
1. Restart the Microsoft Exchange Information Store service.
2. Force a connection with the Pending queue.
The Avast Exchange provider restarts immediately on its own after Step 1.
-
Quick solution when no mail is deliverd anymore.
I find that the following two-step procedure is sufficient to restore delivery:
1. Restart the Microsoft Exchange Information Store service.
2. Force a connection with the Pending queue.
The Avast Exchange provider restarts immediately on its own after Step 1.
sometimes an ISSRESET is necessary ;)
-
Guys, just a small status update.
We're still investigating the issue. Hopefully, there will be a fix in the upcoming couple of days.
Thanks
Vlk
-
BTW one thing to try:
please go to avast settings, "Update (Basic)" page, click Details, and uncheck the "Enable" box in the "Push iAVS" section. Confirm with OK, and monitor if it makes any difference.
Thanks
Vlk
-
Try this
http://support.microsoft.com/kb/843545
and disable transport level in Avast task->Resident protection ->Exchange2000/2003 Scanning settings.
...maybe
-
BTW one thing to try:
please go to avast settings, "Update (Basic)" page, click Details, and uncheck the "Enable" box in the "Push iAVS" section. Confirm with OK, and monitor if it makes any difference.
Thanks
Vlk
I'm going to try it.. I will report the results in about 4 hours...
-
Okay. I've unchecked the iAVS box. We'll see if it works. If not I'll try the hotfix noted in the MS link above.
-
BTW one thing to try:
please go to avast settings, "Update (Basic)" page, click Details, and uncheck the "Enable" box in the "Push iAVS" section. Confirm with OK, and monitor if it makes any difference.
Thanks
Vlk
this trick didn't work..
-
OK, one more thing to try:
1. disable the MS SMTP 2000/2003 provider in avast ("Terminate" it); keep the Exchange 2000/2003 provider enabled
2. use iisreset to restart the inetinfo.exe process (which hosts the SMTP service).
Thanks
Vlk
-
OK, one more thing to try:
1. disable the MS SMTP 2000/2003 provider in avast ("Terminate" it); keep the Exchange 2000/2003 provider enabled
2. use iisreset to restart the inetinfo.exe process (which hosts the SMTP service).
Thanks
Vlk
I'm going to try it.. I will report the results in about 4 hours...
-
Dear pals,
Same happened over here. Tried the followings, without any positive result:
- checked Disable avast self defense module in troubleshooting
- checked skip checking of digital signature of infected files in troubleshooting
- unchecked enable push iAVS at update(basic)/details
Every time after I restarted the exchange store service, the errors came back within an hour.
At last I disabled transport level in exchange scanning settings. This seems to be working. The email flows by eighty minutes now.
Anyways who knows what exactly does the disable of the transport level scanning...
Since this is a really-really frustrating error (hey, guys at avast! this is really it!>:() now I'm thinking about moving back to a prev. avast version. A working one.
-
I've tried unchecking the box >> didn't work.
I've tried (about a week ago) terminating the smtp scan >> didn't work.
I'm going to apply the MS fix and see if that works and report back.
-
I'm having the exact same issue. It's been going on for about 5 days now. I receive the follow error over and over.
Event Type: Error
Event Source: MSExchangeTransport
Event Category: Exchange Store Driver
Event ID: 348
Date: 12/16/2008
Time: 2:13:49 AM
User: N/A
Computer: SRVSBS01
Description:
A message could not be virus scanned - this operation will be retried later. Internet Message ID <320804502.1085292.1229411625063.JavaMail.app@ech3-cdn09.prod>, Error Code 0x0.
Usually, it is also preceeded by:
Event Type: Information
Event Source: MSExchangeTransport
Event Category: SMTP Protocol
Event ID: 7513
Date: 12/14/2008
Time: 3:00:45 AM
User: N/A
Computer: SRVSBS01
Description:
Microsoft Exchange Intelligent Message Filter was refreshed. Microsoft Exchange Intelligent Message Filter is now enabled. A refresh occurs when the SMTP service is restarted or Microsoft Exchange Intelligent Message Filter is updated.
As someone else suggested earlier in the thread, I can temporarly resolve it by restarting the Exchange Information store. Then I have to force the connection on any messages pending submission.
I have a few hours to troubleshoot this right now, any ideas?
Edit: This is on a SBS 2003 SP2 server
-
ms patch didn't work. version of exchange is already above that of the patch. so...
-
Try this
http://support.microsoft.com/kb/843545
and disable transport level in Avast task->Resident protection ->Exchange2000/2003 Scanning settings.
...maybe
- checked Disable avast self defense module in troubleshooting
- checked enable push iAVS at update(basic)/details
- unchecked Scan at transport level (Exchange 2003 only)
- restart/reload all stuffs
Its working to me momently - no errors... i put one beer to early celebrate
(SBS 2003 SP2 + Postfix MailGateway)
-
OK, one more thing to try:
1. disable the MS SMTP 2000/2003 provider in avast ("Terminate" it); keep the Exchange 2000/2003 provider enabled
2. use iisreset to restart the inetinfo.exe process (which hosts the SMTP service).
Thanks
Vlk
This seems to work. :)
(SBS 2003 SP2 + GFI MailEssentials )
-
Only disabling transport level scanning is enough. It is working for me since 4pm yesterday.
Don't bother with disabling avast self defense module or disabling push iAVS at update(basic)/details. Only uncheck transport level checkbox in exchange scanning settings.
Anyway, who knows what this option exactly mean?
-
Anyway, who knows what this option exactly mean?
"New for Exchange 2003 is the ability to operate at the transport level - meaning that all items will be properly scanned even if deployed on a gateway/border server that just passes the mails through, without saving them to the information store."
By the way, i newer put out MS servers (like exchange) directly to the net, so i using mail gateway with spam and virus filtering. If you using exchange/IMF directly, turn off transport level is not too safe.
-
Hi all
i am having this same problem since the update was released.
i have tried the method stated below, but am still having the issue.
"Disable transport level in Avast task->Resident protection ->Exchange2000/2003 Scanning settings."
any news when this problem will be resolved?
Dale
-
Hello all,
unfortunately I have the same problem :'( :'( with several customers running exchange 2003, reading through the posts the only thing that would probably work is the previous version of avast but then you'll probably receive the " your product requires update" msg.
also with reference to an earlier post (if i've understood) its not really a good thing to stop scanning at transport level afterall you ideally want to stop the 'bad stuff' before it hits your database 'edb'. If you get a lot of mail this could probably cause performance and user related issues...Any thoughts?? any news on a fix??
-
Hmmz the problem is back again......
nothing changed here.. and sudden there was no incomming mail annymore... :(
-
I finally had to uninstall and go back to version 4.7. It works just fine. I have it set to only update the virus definitions. At this point there was not another solution. After two weeks of email issues this was the only viable alternative. I'll turn on the program update feature as soon as this is fixed.
-
ToddU, did you get my email (that I sent to you about 6 hours ago)?
Thanks
Vlk
-
Sorry no I hadn't checked email yet. I've responded to your email. I'll give it a shot.
-
Vlk,
Please check your e-mail. The solution you proposed is working very well indeed!
kwg
-
Any chance that I could get this solution as well.
I'm experiencing similar issues.
-
Hi, could you share the solution as I have a few SBS servers with the same issue and the Client is getting a little hacked off!!
Thanks
-
Dear All,
We have the same problem, please give us a solution.
We have to restart the services everytime about few hours, otherwise the mail is not deliverd!
Thank you.
Best regards,
Paul
-
Yes, if a solution has been found, please post it. We are still having the same issue daily.
-
Yes, if a solution has been found, please post it.
I imagine that Avast are putting the finishing touches on a new public release. Vlk had me test an unfinished build yesterday, and it does seem to have corrected the major problems.
In the meantime, you might try the following workaround:
1. Turn off Avast self-defense.
2. Disable auto-updates. Alternatively, set the auto-update interval to a much longer period than the default 120 minutes. For example, if you set the auto-update interval to 1440, an auto-update will take place once per day, and the Exchange crashes will occur at most once per day. In any case, you can still perform manual updates at any time without crashing Exchange.
3. Restart the avast! Antivirus service.
4. If Avast crashes while the service is being restarted (a problem corrected with the test build), restart the server.
5. Turn on Avast self-defense.
kwg
-
The new program update (solving the issue) will be released in approx. three hours.
Thanks for your patience,
Vlk
-
Vlk,
tried to use the update, unfortunately the first time i tried it wouldn't run, second attempt it hung on the finish window. when i checked the log it said that it changed nothing? so on that note i am unable to help!
I am also receiving reports from clients that they are also having connectivity problems with RDP,only resolve is to reboot or restart services and same as with exchange a few hours later kaputt! until I get to check the event viewer i don't know for sure if they are connected, thanks for your help,
I look forward to the update i cant tell you, them few hours can't tick by soon enough! :)
-
Avast Server Edition v4.8.1059 is now out, and it is supposed to solve the issue for good.
To install it, simply invoke the Program update feature from within the avast GUI.
Thanks
Vlk
-
Avast Server Edition v4.8.1059 is now out
Thanks Vlk... Seems you're working late tonight ;)
-
Thanks Vlk,
All things back to normal now including RDP conns so i guess they where connected! :) :) :)
-
Thanks Vlk,
All things back to normal now
Everything is back to normal here, too!
Avast deserve a lot of praise for their dedication to the diagnosis and eventual resolution of this problem. In particular, Vlk has been most professional as he worked with me by e-mail to test hypotheses and intermediate builds.
Thank you, Avast and Vlk!
kwg
-
kwg, the pleasure is all mine.
Maybe you didn't realize it, but your help was key in finding the cause of the problem and eventually creating a fix!
Thanks again,
Vlk
-
I'm working again. Thank you.