Today a few of my colleagues started to receive emails from the Exchange 2007 server as follows:

FILE QUARANTINED
The original contents of this file have been replaced with this message because of its characteristics.
File name: ‘Body of Message’
Virus name: ‘Exceeded Internet Timeout’

Since we have an Edge Transport Server that has Forefront Server Security installed, I tried to log in to the server to check the logs. The CPU is at its peak and the server is inaccessible. After a long wait, I finally managed to get in there, but I am still unable to open Services or Event Log. I checked the Hub Transport server and all the outbound emails are in the queue. The Edge Transport server is not processing inbound or outbound emails. I did a hard reset and still saw 100% CPU utilization.

When I managed to get the Services console open, I stopped the following services in this order:

• Microsoft Exchange Transport
• FSCController

Then the server started to behave normally. In the Application Event Log, the following entries appear:

• The execution time of agent ‘FSE Routing Agent’ exceeded 300000 (milliseconds) while handling event ‘OnSubmittedMessage’. This is an unusual amount of time for an agent to process a single event. However, Transport will continue processing this message.
• Transport scan exceeded the allowed scan time limit.
• At least one of the engines that is in use is slated to be discontinued. You need to take immediate action to prevent a reduction in malware/spam protection. Details can be found at:.

After a few minutes of searching on Bing, I found out that Microsoft is revising its engine mix on Dec. 1, 2009 for the Forefront and Antigen products. The AhnLab, CA and Sophos engines will be retired on Dec. As of this date, customers will not receive any updates for these retired engines. Any customers running the AhnLab, CA or Sophos engines must DISABLE these engines before Dec. 1, 2009 and select from the new set of five engines – Authentium, Kaspersky, Microsoft, Norman and VirusBuster.

So I had to disable the Forefront Security for Exchange Server.

From a command prompt, navigate to the Forefront Security for Exchange Server installation directory (C:\Program Files (x86)\Microsoft Forefront Security\Exchange Server).

Disable the Forefront Security dependencies by typing:

FSCUtility /disable

To confirm that the Forefront Security dependencies have been removed, type:

FSCUtility /status

Restart the Exchange services (Microsoft Exchange Transport). Now the emails should go through without being scanned.

Make the engine changes in the Forefront Administrator console. Make sure you do it for the Transport Scan Job as well as Default.

If you think that the scan engines are corrupted, you can delete the folders at "C:\Program Files (x86)\Microsoft Forefront Security\Exchange Server\Data\Engines\x86". The next time Forefront updates according to the schedule, it will get the latest engines and recreate the folders.

After you disable the retired engines in the console, you can enable Forefront for Exchange again:

FSCUtility /enable

Hopefully, the CPU utilization will be normal and the emails are checked for viruses.

This (confusing) message is Forefront's way of saying that the virus scans are timing out. Do you have high CPU or I/O utilization on this server that may be making it difficult for Forefront to scan the e-mails in the default timeout period?
In any case, you can increase the timeout for the Realtime and Transport scans by navigating to the following registry key:

HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Forefront Server Security\Exchange Server

You will need to create two DWORD value keys that specify the timeout, which by default is 300,000 milliseconds (5 minutes). Try a value of 600000 (10 minutes), and if you are still getting timeouts, try 900000 (15 minutes). The keys are:

• RealtimeTimeout
• TransportTimeout

I don't know off the top of my head the FSE service name that you'll need to bounce to load these registry settings once you add them, but a reboot will do the trick.

Two other thoughts.

1) In the FSE options, there is a Transport Scan Timeout Action option. If you set this setting to Skip, Forefront will try to scan the message, and if it times out, will skip the message and move on to the next one. If it times out again the next time it tries to scan the message, it will be delivered without being scanned.
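Creating the two timeout values described above, as an added PowerShell example that is not part of the original post. The function name `Set-FseScanTimeout` and its accepted range are assumptions of this example; the registry path and the two value names are the ones quoted in the text.

```powershell
# Added example: Set-FseScanTimeout is a hypothetical helper name.
function Set-FseScanTimeout {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Bounds are this example's choice: the default quoted in the text
        # (300000 ms) up to the largest value it suggests (900000 ms).
        [ValidateRange(300000, 900000)]
        [int]$Milliseconds = 600000
    )

    # Registry key and value names as given in the text above.
    $key   = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Forefront Server Security\Exchange Server'
    $names = 'RealtimeTimeout', 'TransportTimeout'

    # Do not create the key: if it is missing, Forefront is not installed
    # where this example expects it and writing values would have no effect.
    if (-not (Test-Path -Path $key)) {
        throw "Registry key not found: $key"
    }

    foreach ($name in $names) {
        # An absent value means the 300000 ms default is in effect.
        $current = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
        if ($null -eq $current) { $current = 'not set (default 300000)' }

        if ($PSCmdlet.ShouldProcess("$key\$name", "Set DWORD to $Milliseconds (was: $current)")) {
            New-ItemProperty -Path $key -Name $name -PropertyType DWord `
                -Value $Milliseconds -Force | Out-Null
        }

        # Read the value back so the change (or the -WhatIf no-op) is visible.
        $after = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
        New-Object PSObject -Property @{ Name = $name; Before = $current; After = $after }
    }
}

# Preview the change first; remove -WhatIf to apply it.
# Per the text, a reboot loads the new settings.
Set-FseScanTimeout -Milliseconds 600000 -WhatIf
```

Run it from an elevated prompt on the server that hosts Forefront; the returned objects give a before/after record of each value for the change log.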