Exchange crashes after 4.8.1049 program update

[kwg]

Ever since installing the 4.8.1049 program update for Avast Server Edition this morning, Exchange Server 2003 has been shutting down on its own. Thereafter, the Avast Exchange 2000/2003 provider shows that it is "waiting for a subsystem to start."

Rebooting the server corrects the problem for a while, but Exchange Server eventually shuts down again, one or two hours after the reboot.

Before the 4.8.1049 program update this morning, I have never experienced a similar problem with Avast or Exchange Server.

[Vlk]

Hmm. Do you have any dump files that we could use to look into the problem?

Thanks
Vlk

[kwg]

Specifically, the problem is with the Exchange Information Store service. The service does not actually stop, but restarting the service corrects the problem for a while.

While mail delivery is halted, an error similar to the following is recorded repeatedly in the Application log:

Event Type:   Error
Event Source:   MSExchangeTransport
Event Category:   Exchange Store Driver
Event ID:      348
Date:      12/5/2008
Time:      1:30:51 PM
User:      N/A
Computer:   SBS2003
Description:
A message could not be virus scanned - this operation will be retried later. Internet Message ID  <...> Error Code 0x0.

[Vlk]

Can you please check the Antivirus category of the Windows Event Log as well? Does it contain any entries that may be related to this?

Thanks
Vlk

[Vlk]

BTW couldn't this be related?
http://support.microsoft.com/kb/843545

Thanks
Vlk

[kwg]

There are no errors in the Antivirus log; only the usual 26923 warning events whenever a virus is detected.

However, just before the Exchange crash, this information event appears in the Application log, suggesting that Avast may now conflict with IMF:

Event Type:   Information
Event Source:   MSExchangeTransport
Event Category:   SMTP Protocol
Event ID:   7513
Date:      12/5/2008
Time:      10:18:39 AM
User:      N/A
Computer:   SBS2003
Description:
Microsoft Exchange Intelligent Message Filter was refreshed. Microsoft Exchange Intelligent Message Filter is now enabled. A refresh occurs when the SMTP service is  restarted or Microsoft Exchange Intelligent Message Filter is updated.

[kwg]

BTW couldn't this be related?
http://support.microsoft.com/kb/843545

I think this issue is unlikely to be related. To my knowledge, no one in this particular company would send a digitally signed message.

[Vlk]

Can you please also check the file <avast>\data\log\selfdef.log? Does it exist? And if so, what does it contain (if it's non-empty)?

[kwg]

Contents of selfdef.log:

12/5/2008 7:42:02 AM   Write access to file \Device\HarddiskVolume2\Program Files\Alwil Software\Avast4\DATA\PxyCache\index.dat denied. [C:\Program Files\Microsoft ISA Server\wspsrv.exe]
12/5/2008 8:11:09 AM   Write access to file \Device\HarddiskVolume2\Program Files\Alwil Software\Avast4\DATA\PxyCache\index.dat denied. [C:\Program Files\Microsoft ISA Server\wspsrv.exe]

The time 7:42:02 AM corresponds to when the 4.8.1049 program update was installed.

The time 8:11:09 AM corresponds to when I rebooted the sever a second time after installation. The second reboot was necessary because the Exchange 2000/2003 provider was not active ("waiting for a subsystem to start") after the initial reboot requested by the program update.

[Vlk]

Can you please try disabling avast self-defense and see if it makes any difference re Exchange stability?

avast settings -> Troubleshooting page.

Thanks
Vlk

[kwg]

Can you please try disabling avast self-defense and see if it makes any difference re Exchange stability?

avast settings -> Troubleshooting page.

Done!

I'll update this thread with a report about Exchange stability over the next few hours.

[Vlk]

Hi kwg,

do you have any updates for us?
How's it going with the self-defense module disabled?

Thanks
Vlk

[kwg]

Unfortunately, the problem has recurred. Again, the problem seems to be associated with IMF.

Here's the first entry in the Application log:

Event Type:   Information
Event Source:   MSExchangeTransport
Event Category:   SMTP Protocol
Event ID:   7513
Date:      12/5/2008
Time:      6:24:47 PM
User:      N/A
Computer:   SBS2003
Description:
Microsoft Exchange Intelligent Message Filter was refreshed. Microsoft Exchange Intelligent Message Filter is now enabled. A refresh occurs when the SMTP service is  restarted or Microsoft Exchange Intelligent Message Filter is updated.

One minute later:

Event Type:   Error
Event Source:   MSExchangeTransport
Event Category:   Exchange Store Driver
Event ID:   348
Date:      12/5/2008
Time:      6:25:44 PM
User:      N/A
Computer:   SBS2003
Description:
A message could not be virus scanned - this operation will be retried later. Internet Message ID  <...>, Error Code 0x0.

Restarting the Microsoft Exchange Information Store service restores mail delivery and causes the Avast Exchange 2000/2003 provider to restart.

[Vlk]

If you look e.g. in the Antivirus event log, and compare the timestamps, can't the problem be e.g. related to a positive detection?

Thanks
Vlk

[kwg]

It gets complicated here.

Ordinarily, Avast detects several viruses each minute. However, Avast seems to have stopped detection completely for 18 hours. Detection was restored only when I restarted the Microsoft Exchange Information Store service this morning.

Here is the last Antivirus log entry before detection stopped:

Event Type:   Warning
Event Source:   avast!
Event Category:   (12)
Event ID:   26923
Date:      12/5/2008
Time:      2:02:56 PM
User:      N/A
Computer:   SBS2003
Description:
VSAPI: A virus was found in message body part Full_Details.htm. The message will be processed according to the user-defined rules.

Message info:
Server: SBS2003
Database: First Storage Group\Mailbox Store (SBS2003)
Mailbox: ...
Folder: /Junk E-mail
Message: /Junk E-mail/ Earn $250 per day just for clicking your mouse with ClickedCash.EML
From: ClickedCash <clickedcash2@gmail.com>
To: ...
CC:  <>
Subject:  Earn $250 per day just for clicking your mouse with ClickedCash

Here is the first Antivirus log entry after I restarted the Microsoft Exchange Information Store service today:

Event Type:   Warning
Event Source:   avast!
Event Category:   (12)
Event ID:   26923
Date:      12/6/2008
Time:      10:37:29 AM
User:      N/A
Computer:   SBS2003
Description:
VSAPI: A virus was found in message body part Update-KB3125-x86.zip. The message will be processed according to the user-defined rules.

Message info:
Server: SBS2003
Database: First Storage Group\Mailbox Store (SBS2003)
Mailbox: ...
Folder: /Inbox
Message: /Inbox/Mail server report.-5.EML
From: serv@logoluso.com <serv@logoluso.com>
To: ...
CC:  <>
Subject: Mail server report.