Avast WEBforum

Business Products => Archive (Legacy) => Avast Business => Avast Server Protection => Topic started by: Burl on July 13, 2004, 07:34:27 PM

Title: Application Event Log Error
Post by: Burl on July 13, 2004, 07:34:27 PM
Hello again,

I am seeing an Application Event Log error once every hour that appears to be associated with an Avast .dll file as follows:

Source: Microsoft ISA Server Control
Event ID: 14146
Description: ISA Server failed to load Web Filter DLL C:\Program Files\Microsoft ISA Server\avpxyftr.dll.

Please provide some guidance in the cause and resolution to eliminating this error.

Best regards,
Burl
Title: Re:Application Event Log Error
Post by: Vlk on July 13, 2004, 09:37:29 PM
So you have avast! for ISA installed? You've always had?

And does the file "C:\Program Files\Microsoft ISA Server\avpxyftr.dll" exist, then?

BTW what OS/ISA version are you using?

Thanx
Vlk
Title: Re:Application Event Log Error
Post by: Burl on July 14, 2004, 01:35:50 AM
Ah, the details.  I always seem to forget that you need to see them.

The server is running Microsoft Small Business Server 2003 Premium edition with ISA Server 2000 SP1.

ISA was installed at the very beginning.

The C:\Program Files\Microsoft ISA Server\avpxyftr.dll file does exist and is version 4.1.357.0 with a date of April 21, 2004.

Thanks,
Burl
Title: Re:Application Event Log Error
Post by: Vlk on July 14, 2004, 08:45:09 AM
So this started to happen just like that? With no obvious reason / update / config change etc.?

Also, do you have the program called Depends.exe? http://www.dependencywalker.com/
It would be useful to check if it is reporting any problems when run on the file "C:\Program Files\Microsoft ISA Server\avpxyftr.dll".

Also, the event log is otherwise clean?

Thanks
Vlk
Title: Re:Application Event Log Error
Post by: Burl on July 14, 2004, 04:54:21 PM
This started on the evening of July 7th and has been continuing once an hour ever since.

There are no other entries in any of the event logs on or about that time that would indicate a problem.

There were not any known configuration changes or updates done on the server at that time.

I ran the Dependency Walker against that DLL and found no errors.

Thanks,
Burl
Title: Re:Application Event Log Error
Post by: Vlk on July 15, 2004, 04:49:44 PM
Isn't there any additional binary info in the data field of the log entry?
Title: Re:Application Event Log Error
Post by: Burl on July 15, 2004, 05:04:02 PM
Yes, as follows:

0000: 5a 04 07 80
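
Added example, not part of the original posts: the four data bytes quoted above can be read as a little-endian 32-bit HRESULT, which is an assumption about how this event's data field is laid out. The function names and the short lookup table are illustrative; the error names and numbers are the standard ones from winerror.h.

```python
import re

# A few Win32 error codes that accompany DLL load failures (winerror.h values).
WIN32_ERRORS = {
    5: "ERROR_ACCESS_DENIED",
    126: "ERROR_MOD_NOT_FOUND",
    127: "ERROR_PROC_NOT_FOUND",
    193: "ERROR_BAD_EXE_FORMAT",
    1114: "ERROR_DLL_INIT_FAILED",
}
FACILITY_WIN32 = 7


def parse_event_data(dump: str) -> bytes:
    """Convert Event Viewer 'Bytes' lines such as '0000: 5a 04 07 80' to raw bytes."""
    out = bytearray()
    for line in dump.splitlines():
        if not line.strip():
            continue
        m = re.match(r"^\s*[0-9a-fA-F]{4}:\s*(.*)$", line)
        if not m:
            raise ValueError(f"unexpected line in dump: {line!r}")
        # At most 8 bytes per row; stop at the first token that is not a hex
        # byte, so a trailing ASCII column (if copied along) is ignored.
        for token in m.group(1).split()[:8]:
            if not re.fullmatch(r"[0-9a-fA-F]{2}", token):
                break
            out.append(int(token, 16))
    return bytes(out)


def decode_hresult(data: bytes) -> dict:
    """Split the first four bytes (little-endian) into HRESULT fields."""
    if len(data) < 4:
        raise ValueError("need at least 4 bytes for an HRESULT")
    value = int.from_bytes(data[:4], "little")
    facility = (value >> 16) & 0x7FF   # bits 16-26
    code = value & 0xFFFF              # bits 0-15
    name = WIN32_ERRORS.get(code, "not in table") if facility == FACILITY_WIN32 else None
    return {"hresult": f"0x{value:08X}", "failure": bool(value >> 31),
            "facility": facility, "code": code, "win32_name": name}


if __name__ == "__main__":
    # Data field exactly as quoted in the post above.
    print(decode_hresult(parse_event_data("0000: 5a 04 07 80")))
```
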
Title: Re:Application Event Log Error
Post by: Vlk on July 15, 2004, 05:36:15 PM
Hmm, thanks, that didn't help much.

BTW haven't you added the /3GB switch to boot.ini recently?

Thanks
Title: Re:Application Event Log Error
Post by: Burl on July 15, 2004, 06:16:23 PM
I have not added the 3GB switch setting.
Title: Re:Application Event Log Error
Post by: Vlk on July 15, 2004, 06:38:48 PM
Can you turn on verbose logging of the ISA plugin?

Double click avast tray icon -> double click MS/Proxy/ISA -> last tab -> Maximum logging.

Then see if it logs at least something, to the Antivirus category of the event log.

Thx.
Vlk
Title: Re:Application Event Log Error
Post by: Burl on July 15, 2004, 07:11:29 PM
I have elevated the logging to maximum.  I will monitor for the next few hours and send you feedback on the results.

Thanks
Title: Re:Application Event Log Error
Post by: Burl on July 15, 2004, 07:23:23 PM
I am already seeing multiple event log ID 26195 entries with a message of "Avast proxy filter: preprocessing request headers."
They are occurring in groups of three, with a frequency of four or five times a minute.
Title: Re:Application Event Log Error
Post by: Vlk on July 15, 2004, 07:24:29 PM
Well that would indicate that the filter is in fact loaded...!
What does the avast MS/Proxy provider say as status: "Active" or "Waiting for a subsystem to start"?

Title: Re:Application Event Log Error
Post by: Burl on July 15, 2004, 07:42:13 PM
The status says "The provider is currently running"
Title: Re:Application Event Log Error
Post by: Burl on July 16, 2004, 06:09:31 PM
Over the past several hours the Antivirus event log has been filling with Information type events with ID #'s of 26128, 26135, 26195, 26196, and 26197.  There have been no error messages and the Application event log is still showing the same ISA server error event about every hour.

I would like to reset the Avast! logging level for the Proxy Server back to a lower setting if that is OK with you.

Thanks,
Burl
Title: Re:Application Event Log Error
Post by: Vlk on July 16, 2004, 06:19:43 PM
That is perfectly OK, but is very misleading...
All this means that the filter is loaded (and probably functioning) and yet, ISA thinks something's wrong.

One more thing to try: check if there are not duplicate registrations for the filter. MS ISA console -> Web filters.

Thanks
Vlk
Title: Re:Application Event Log Error
Post by: Burl on July 17, 2004, 04:19:29 AM
There is only the one entry in the ISA server web filters.

Burl
Title: Re:Application Event Log Error
Post by: Burl on July 21, 2004, 05:50:35 AM
In the past few days nothing has changed.  I am still getting the ISA Server errors and monitoring of the AntiVirus event log shows no abnormal entries.

Burl
Title: Re:Application Event Log Error
Post by: Vlk on July 21, 2004, 12:13:55 PM
What you could try is to disable the filter for a while - and see if the messages quit being generated.

The most misleading thing is that the filter seems to be working so the error code 'Cannot load DLL' just doesn't make any sense.

I've tried searching the Internet for similar incidents but didn't find anything.. :-\
Title: Re:Application Event Log Error
Post by: Burl on July 21, 2004, 04:19:02 PM
What is the primary function of the filter and what risks will I be creating by disabling the filter?

Thanks,
Burl
Title: Re:Application Event Log Error
Post by: Vlk on July 21, 2004, 05:56:51 PM
Well it's the MS Proxy/ISA provider.
It filters HTTP/FTP stuff going through the ISA server.

Like this link (benign): http://www.eicar.org/download/eicar.com
(you shouldn't be able to access this location if the filter is active).

Thanks
Vlk