Avast/Exchange/SMTP Issue

Issue with Avast/Exchange in which the solution was to uninstall Avast in order to get mail flowing.

Issue:
Mail was not being delivered in a timely fashion
“Message Pending Submission” queue was backing up on Exchange 2003 server
SMTP Service status was listed as “Starting”
The following event entries repeated over and over

Event Type: Information
Event Source: IISCTLS
Event Category: None
Event ID: 1
Date: 11/6/2006
Time: 1:26:54 PM
User: N/A
Computer: AMCMAIL
Description:
IIS start command received from user NT AUTHORITY\SYSTEM. The logged data is the status code.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 1d 04 07 80

Event Type: Warning
Event Source: W3SVC
Event Category: None
Event ID: 1069
Date: 11/6/2006
Time: 1:27:49 PM
User: N/A
Computer: AMCMAIL
Description:
The World Wide Web Publishing Service failed to record the proper state ‘2’ and win32error ‘0’ of application pool ‘DefaultAppPool’ in the metabase. To correct, start/stop the application pool or restart the World Wide Web Publishing Service. The data field contains the error number.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: ba 06 07 80

Event Type: Error
Event Source: W3SVC
Event Category: None
Event ID: 1063
Date: 11/6/2006
Time: 1:27:49 PM
User: N/A
Computer: AMCMAIL
Description:
The World Wide Web Publishing Service encountered a failure requesting metabase change notifications. The data field contains the error number.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: ba 06 07 80

Event Type: Error
Event Source: W3SVC
Event Category: None
Event ID: 1064
Date: 11/6/2006
Time: 1:27:49 PM
User: N/A
Computer: AMCMAIL
Description:
The World Wide Web Publishing Service encountered a failure requesting metabase change notifications during recovery from inetinfo terminating unexpectedly. While the World Wide Web Publishing Service will continue to run, it is highly probable that it is no longer using current metabase data. Please restart the World Wide Web Publishing Service to correct this condition. The data field contains the error number.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: ba 06 07 80

Event Type: Error
Event Source: Service Control Manager
Event Category: None
Event ID: 7031
Date: 11/6/2006
Time: 1:27:49 PM
User: N/A
Computer: AMCMAIL
Description:
The IIS Admin Service service terminated unexpectedly. It has done this 21 time(s). The following corrective action will be taken in 1 milliseconds: Run the configured recovery program.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Error
Event Source: Service Control Manager
Event Category: None
Event ID: 7034
Date: 11/6/2006
Time: 1:27:49 PM
User: N/A
Computer: AMCMAIL
Description:
The Microsoft Exchange IMAP4 service terminated unexpectedly. It has done this 21 time(s).

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Error
Event Source: Service Control Manager
Event Category: None
Event ID: 7034
Date: 11/6/2006
Time: 1:27:49 PM
User: N/A
Computer: AMCMAIL
Description:
The Microsoft Exchange Routing Engine service terminated unexpectedly. It has done this 21 time(s).

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Error
Event Source: Service Control Manager
Event Category: None
Event ID: 7034
Date: 11/6/2006
Time: 1:27:49 PM
User: N/A
Computer: AMCMAIL
Description:
The Simple Mail Transfer Protocol (SMTP) service terminated unexpectedly. It has done this 21 time(s).

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Telephone call to Microsoft in which they had me uninstall Avast. Mail flowed after uninstall.

Thoughts?

Thanks in Advance
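Added example (not part of the original post or of any Avast or Microsoft tooling): a small Python parser for Event Viewer text pasted in the layout above. It groups the Service Control Manager 7031/7034 terminations by timestamp, so a single crash that takes several services down in the same second stands out. The sample entries are constructed and abbreviated from the ones quoted in the post, and the `min_services` and `min_repeats` thresholds are hypothetical defaults.

```python
import re
from collections import defaultdict

# Constructed sample: three entries in the text layout quoted in the post (fields abbreviated).
SAMPLE = """\
Event Type: Error
Event Source: W3SVC
Event ID: 1063
Date: 11/6/2006
Time: 1:27:49 PM
Description:
The World Wide Web Publishing Service encountered a failure requesting metabase change notifications.

Event Type: Error
Event Source: Service Control Manager
Event ID: 7031
Date: 11/6/2006
Time: 1:27:49 PM
Description:
The IIS Admin Service service terminated unexpectedly. It has done this 21 time(s).

Event Type: Error
Event Source: Service Control Manager
Event ID: 7034
Date: 11/6/2006
Time: 1:27:49 PM
Description:
The Simple Mail Transfer Protocol (SMTP) service terminated unexpectedly. It has done this 21 time(s).
"""

TERMINATED = re.compile(r"The (.+?) service terminated unexpectedly\. It has done this (\d+) time")

def parse_events(text):
    """Split pasted Event Viewer text into dicts of header fields plus Description."""
    events = []
    for block in re.split(r"(?m)^(?=Event Type:)", text):
        if block.startswith("Event Type:"):
            head, _, desc = block.partition("Description:")
            ev = dict(re.findall(r"(?m)^([A-Za-z ]+): *(.*)$", head))
            ev["Description"] = desc.split("For more information")[0].strip()
            events.append(ev)
    return events

def crash_cascades(events):
    """Group SCM 7031/7034 terminations by timestamp as (service, crash count) pairs."""
    groups = defaultdict(list)
    for ev in events:
        m = TERMINATED.search(ev["Description"])
        if m and ev.get("Event Source") == "Service Control Manager" and ev.get("Event ID") in ("7031", "7034"):
            groups[(ev["Date"], ev["Time"])].append((m.group(1), int(m.group(2))))
    return dict(groups)

def crash_loops(groups, min_services=2, min_repeats=5):
    """Keep timestamps where several services died together and have done so repeatedly."""
    return {ts: s for ts, s in groups.items() if len(s) >= min_services and max(c for _, c in s) >= min_repeats}
```

Running `crash_loops(crash_cascades(parse_events(SAMPLE)))` on the sample returns one timestamp with both services and their crash counts.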

Hello? Anybody out there…

So, the IIS service (inetinfo.exe) is actually crashing??

To analyse the problem, it would be useful to install the following diagnostic utility from the Microsoft website:
http://www.microsoft.com/downloads/details.aspx?FamilyID=9bfa49bc-376b-4a54-95aa-73c9156706e7&DisplayLang=en

After installing the program, run it and verify that the page “Rules” shows only one entry - “Crash rule for all IIS related processes”; the “Userdump Count” column should show 0.

Next, simulate the problem. This should be intercepted by the tool and the “Userdump count” value should increase. This means that a dump file has been generated - and you can send it to me.

The dump file will be (by default) placed in the “C:\Program Files\IIS Resources\DebugDiag\Logs\Crash rule for all IIS related processes” folder, and usually has about 80MB in size (may be more or less). Please ZIP this file, and upload it to our ftp site ftp://ftp.avast.com/incoming (please note that you will only have WRITE access to the ftp site, not READ).

When you’re done, please let me know and we will have the dump file analysed.

Thanks
Vlk

thanks,
I have uploaded the zip file

I am having the same sort of problems with my deployment.
I have a 2-node Active/Passive Cluster. The systems are set up the same, hardware and software, except that on server1 we uninstalled Avast completely. When server1 is active, Exchange runs great, with no errors of any kind in the event logs. When we move the cluster to server2 (which has Avast 4.6 installed) we see these same errors in the event log, and eventually Exchange fails and moves back to server1. We had Avast 4.7 installed on server2, but things got much worse; we couldn’t keep that server up for more than a few hours at a time. We rolled back to 4.6 and it will stay up for a day or so, then the cluster group will fail to server1.
Any ideas what is happening here?

Thanks
dan

:frowning: So I would like to know what’s going on with this. I work with Dan (Scrimpyd) and the file that was requested was uploaded. I also see that there are other folks that are having the same problem and Gadeem has also uploaded the file on the 10th but nothing has been posted to say that you received any files and they are being analyzed or any sort of update. We need to get this rectified as quickly as possible. If you need more information let us know and at the least put a post up of the status. Thx Tony

I’m in contact with Gdeem, who was the first to submit the dump files. We are actively working on it. I can’t tell you more at this moment, sorry (right now I’m on the MS campus in Redmond, so I’m just “at the source” and able to consult e.g. the Exchange source code to debug this, if necessary).

Will get back to you as soon as I know more.

Thanks for your patience.
Vlk

Thanks for the quick response. We are only one state over (Idaho), you could take a trip over here and fix it ;D

Let us know if you need any other info.

Guys, I have a question. Is the problem easily reproducible on your machine(s)?

That is, if I send you a modified version of one of the avast DLLs (together with instructions on how to install it), do you know a way to verify that it fixes the problem?

Thanks
Vlk

We have this problem just from having Avast 4.6 installed. When we uninstall Avast the problem goes away. We install Avast 4.6 again and the problems come back.

Do you want me to install 4.6 or update to 4.7? We know the problem is not related to a cluster environment because our Front-End Exchange 2003 server, which had Avast 4.6 and 4.7 installed & is not a cluster member, would also ‘crash’ on a regular basis.

Send the files and instructions and we will give it a shot. If you need more contact info from me let me know.

OK, thanks a lot for your speedy reply.

Here are the steps:

  1. install the latest version of avast Server Edition (build 4.7.676). Do NOT reboot when asked to do so.

  2. Download http://public.avast.com/~vlk/avsmtp2k-patch-676.zip and extract its contents to the avast folder (overwriting the existing AvSmtp2K.dll). The .dll.sum file will guarantee that the avast auto-updater will not replace the patched version with the official one (which it would normally do as soon as it detected the change).

  3. restart the server

  4. use the Server Deployment Wizard (automatically started after log on) to add the SMTP provider to the on-access scanning task.

  5. try to simulate the problem

Please let me know if you have any problems, or need further assistance. This is a very strange issue and I have to say that even consulting the Exchange source code didn’t help much (it’s not very nice code indeed :))

Thanks
Vlk

Thanks Vlk.

I have installed and replaced the files. I moved my exchange cluster to server2 and now I need to wait and watch what happens.

I will post again when I have some news.
If you need anything else let me know.

Here’s to hoping things go well for all of us.
:slight_smile:
dan

OK, thanks a lot. BTW how long would it normally take for the problem to happen? Is there a big load on the server?

Thanks
Vlk

We would start to see errors in the event logs after a couple hours. The server is not too busy. We have about 640 mailboxes. The server processes about 400 msgs an hour.

One more note. We see this error only when we have Avast installed:

Event Type: Error
Event Source: DCOM
Event Category: None
Event ID: 10016
Date: 11/15/2006
Time: 11:24:13 AM
User: NT AUTHORITY\SYSTEM
Computer: SERVER2
Description:
The application-specific permission settings do not grant Local Launch permission for the COM Server application with CLSID
{9DA0E106-86CE-11D1-8699-00C04FB98036}
to the user NT AUTHORITY\SYSTEM SID (S-1-5-18). This security permission can be modified using the Component Services administrative tool.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

When we uninstall Avast this error goes away. We have been trying to figure this one out too.
Is this something you can help with also?

Sounds like it’s related to this: http://support.microsoft.com/default.aspx?scid=kb;en-us;299046

Try putting the Exchange M: drive (it’s M: on your server, too, right?) to the list of Standard Shield’s scan exceptions.

I.e. add something like

M:\*

(double-click avast tray icon, select “Details >>”, double-click Standard Shield, go to the “Advanced” page and add it to the list).

Cheers
Vlk

;D
Thanks.

I added that to the list. I will let you know what happens.

dan

OK, thanks.

BTW you (scrimpyd) and twilson are both with the same “company”? That is, you’re both referring to the same servers? :slight_smile:

Thanks
Vlk

Yes we are in the same company- The College of Southern Idaho.
We are even in the same office. :slight_smile:

So far we don’t see any errors in our event log on the server running Avast. We will keep an eye on it. The DCOM error I posted we only saw on boot up. When I get a chance I will reboot that server to see if that DCOM error goes away.

dan

OK, let’s see how it evolves. The change that was made to the modified DLL is quite subtle but may actually be the culprit (let’s hope so).

BTW how many messages has the service scanned so far?