Exchange crashes after 4.8.1049 program update

Ever since installing the 4.8.1049 program update for Avast Server Edition this morning, Exchange Server 2003 has been shutting down on its own. Thereafter, the Avast Exchange 2000/2003 provider shows that it is “waiting for a subsystem to start.”

Rebooting the server corrects the problem for a while, but Exchange Server eventually shuts down again, one or two hours after the reboot.

Before the 4.8.1049 program update this morning, I had never experienced a similar problem with Avast or Exchange Server.

Hmm. Do you have any dump files that we could use to look into the problem?

Thanks
Vlk

Specifically, the problem is with the Exchange Information Store service. The service does not actually stop, but restarting the service corrects the problem for a while.

While mail delivery is halted, an error similar to the following is recorded repeatedly in the Application log:

Event Type: Error
Event Source: MSExchangeTransport
Event Category: Exchange Store Driver
Event ID: 348
Date: 12/5/2008
Time: 1:30:51 PM
User: N/A
Computer: SBS2003
Description:
A message could not be virus scanned - this operation will be retried later. Internet Message ID <…> Error Code 0x0.

Can you please check the Antivirus category of the Windows Event Log as well? Does it contain any entries that may be related to this?

Thanks
Vlk

BTW couldn’t this be related?
http://support.microsoft.com/kb/843545

Thanks
Vlk

There are no errors in the Antivirus log; only the usual 26923 warning events whenever a virus is detected.

However, just before the Exchange crash, this information event appears in the Application log, suggesting that Avast may now conflict with IMF:

Event Type: Information
Event Source: MSExchangeTransport
Event Category: SMTP Protocol
Event ID: 7513
Date: 12/5/2008
Time: 10:18:39 AM
User: N/A
Computer: SBS2003
Description:
Microsoft Exchange Intelligent Message Filter was refreshed. Microsoft Exchange Intelligent Message Filter is now enabled. A refresh occurs when the SMTP service is restarted or Microsoft Exchange Intelligent Message Filter is updated.

I think this issue is unlikely to be related. To my knowledge, no one in this particular company would send a digitally signed message.

Can you please also check the file \data\log\selfdef.log? Does it exist? And if so, what does it contain (if it’s non-empty)?

Contents of selfdef.log:

12/5/2008 7:42:02 AM Write access to file \Device\HarddiskVolume2\Program Files\Alwil Software\Avast4\DATA\PxyCache\index.dat denied. [C:\Program Files\Microsoft ISA Server\wspsrv.exe]
12/5/2008 8:11:09 AM Write access to file \Device\HarddiskVolume2\Program Files\Alwil Software\Avast4\DATA\PxyCache\index.dat denied. [C:\Program Files\Microsoft ISA Server\wspsrv.exe]

The time 7:42:02 AM corresponds to when the 4.8.1049 program update was installed.

The time 8:11:09 AM corresponds to when I rebooted the server a second time after installation. The second reboot was necessary because the Exchange 2000/2003 provider was not active (“waiting for a subsystem to start”) after the initial reboot requested by the program update.

Can you please try disabling avast self-defense and see if it makes any difference re Exchange stability?

avast settings → Troubleshooting page.

Thanks
Vlk

Done!

I’ll update this thread with a report about Exchange stability over the next few hours.

Hi kwg,

do you have any updates for us?
How’s it going with the self-defense module disabled?

Thanks
Vlk

Unfortunately, the problem has recurred. Again, the problem seems to be associated with IMF.

Here’s the first entry in the Application log:

Event Type: Information
Event Source: MSExchangeTransport
Event Category: SMTP Protocol
Event ID: 7513
Date: 12/5/2008
Time: 6:24:47 PM
User: N/A
Computer: SBS2003
Description:
Microsoft Exchange Intelligent Message Filter was refreshed. Microsoft Exchange Intelligent Message Filter is now enabled. A refresh occurs when the SMTP service is restarted or Microsoft Exchange Intelligent Message Filter is updated.

One minute later:

Event Type: Error
Event Source: MSExchangeTransport
Event Category: Exchange Store Driver
Event ID: 348
Date: 12/5/2008
Time: 6:25:44 PM
User: N/A
Computer: SBS2003
Description:
A message could not be virus scanned - this operation will be retried later. Internet Message ID <...>, Error Code 0x0.

Restarting the Microsoft Exchange Information Store service restores mail delivery and causes the Avast Exchange 2000/2003 provider to restart.

If you look e.g. in the Antivirus event log, and compare the timestamps, can’t the problem be e.g. related to a positive detection?

Thanks
Vlk

It gets complicated here.

Ordinarily, Avast detects several viruses each minute. However, Avast seems to have stopped detection completely for 18 hours. Detection was restored only when I restarted the Microsoft Exchange Information Store service this morning.

Here is the last Antivirus log entry before detection stopped:

Event Type: Warning
Event Source: avast!
Event Category: (12)
Event ID: 26923
Date: 12/5/2008
Time: 2:02:56 PM
User: N/A
Computer: SBS2003
Description:
VSAPI: A virus was found in message body part Full_Details.htm. The message will be processed according to the user-defined rules.

Message info:
Server: SBS2003
Database: First Storage Group\Mailbox Store (SBS2003)
Mailbox: …
Folder: /Junk E-mail
Message: /Junk E-mail/ Earn $250 per day just for clicking your mouse with ClickedCash.EML
From: ClickedCash clickedcash2@gmail.com
To: …
CC: <>
Subject: Earn $250 per day just for clicking your mouse with ClickedCash

Here is the first Antivirus log entry after I restarted the Microsoft Exchange Information Store service today:

Event Type: Warning
Event Source: avast!
Event Category: (12)
Event ID: 26923
Date: 12/6/2008
Time: 10:37:29 AM
User: N/A
Computer: SBS2003
Description:
VSAPI: A virus was found in message body part Update-KB3125-x86.zip. The message will be processed according to the user-defined rules.

Message info:
Server: SBS2003
Database: First Storage Group\Mailbox Store (SBS2003)
Mailbox: …
Folder: /Inbox
Message: /Inbox/Mail server report.-5.EML
From: serv@logoluso.com serv@logoluso.com
To: …
CC: <>
Subject: Mail server report.

The problem continues, and the pattern is the same.

First a refresh of IMF:

Event Type: Information
Event Source: MSExchangeTransport
Event Category: SMTP Protocol
Event ID: 7513
Date: 12/6/2008
Time: 12:35:30 PM
User: N/A
Computer: SBS2003
Description:
Microsoft Exchange Intelligent Message Filter was refreshed. Microsoft Exchange Intelligent Message Filter is now enabled. A refresh occurs when the SMTP service is restarted or Microsoft Exchange Intelligent Message Filter is updated.

Then a failure of Avast:

Event Type: Error
Event Source: MSExchangeTransport
Event Category: Exchange Store Driver
Event ID: 348
Date: 12/6/2008
Time: 12:45:28 PM
User: N/A
Computer: SBS2003
Description:
A message could not be virus scanned - this operation will be retried later. Internet Message ID <...>, Error Code 0x0.

Restarting the Microsoft Exchange Information Store service corrects the problem temporarily.

Update: The problem continues exactly as described above.

In addition, I sometimes see these messages in the Application log soon before mail delivery stops and the Avast Exchange provider becomes disabled:

Event Type: Error
Event Source: Application Error
Event Category: (100)
Event ID: 1000
Date: 12/8/2008
Time: 9:14:21 AM
User: N/A
Computer: SBS2003
Description:
Faulting application store.exe, version 6.5.7653.38, faulting module AvExVxx2.dll, version 4.8.1296.0, fault address 0x00005b7e.

Event Type: Information
Event Source: Application Error
Event Category: (100)
Event ID: 1004
Date: 12/8/2008
Time: 12:18:26 PM
User: N/A
Computer: SBS2003
Description:
Reporting queued error: faulting application store.exe, version 6.5.7653.38, faulting module AvExVxx2.dll, version 4.8.1296.0, fault address 0x00005b7e.

Update: It is now Day 5 with this problem. Still no resolution.

Please check your email. Thanks.
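
The timestamp comparison done by hand in this thread can be scripted. The following is an added example, not part of the original posts or of any Avast or Microsoft tooling: it parses event entries in the flattened form pasted above, pairs each IMF refresh (7513) with a scan failure (348) that follows shortly after, and reports long silences in avast! detections (26923). The function names, the 15-minute window and the 1-hour gap threshold are assumptions chosen for illustration.

```python
import re
from datetime import datetime, timedelta

# Entries transcribed from the thread in its flattened form; descriptions trimmed.
SAMPLE = """\
Event Type: Information Event Source: MSExchangeTransport Event Category: SMTP Protocol Event ID: 7513 Date: 12/5/2008 Time: 10:18:39 AM User: N/A
Event Type: Error Event Source: MSExchangeTransport Event Category: Exchange Store Driver Event ID: 348 Date: 12/5/2008 Time: 1:30:51 PM User: N/A
Event Type: Warning Event Source: avast! Event Category: (12) Event ID: 26923 Date: 12/5/2008 Time: 2:02:56 PM User: N/A
Event Type: Information Event Source: MSExchangeTransport Event Category: SMTP Protocol Event ID: 7513 Date: 12/5/2008 Time: 6:24:47 PM User: N/A
Event Type: Error Event Source: MSExchangeTransport Event Category: Exchange Store Driver Event ID: 348 Date: 12/5/2008 Time: 6:25:44 PM User: N/A
Event Type: Warning Event Source: avast! Event Category: (12) Event ID: 26923 Date: 12/6/2008 Time: 10:37:29 AM User: N/A
Event Type: Information Event Source: MSExchangeTransport Event Category: SMTP Protocol Event ID: 7513 Date: 12/6/2008 Time: 12:35:30 PM User: N/A
Event Type: Error Event Source: MSExchangeTransport Event Category: Exchange Store Driver Event ID: 348 Date: 12/6/2008 Time: 12:45:28 PM User: N/A
"""

EVENT = re.compile(
    r"Event Source: (?P<src>.+?) Event Category: .*?Event ID: (?P<id>\d+) "
    r"Date: (?P<date>\S+) Time: (?P<time>\S+ [AP]M)")

def parse_events(text):
    """Return a time-sorted list of (timestamp, source, event_id) tuples."""
    events = []
    for line in text.splitlines():
        m = EVENT.search(line)
        if m:
            ts = datetime.strptime(f"{m['date']} {m['time']}", "%m/%d/%Y %I:%M:%S %p")
            events.append((ts, m["src"], int(m["id"])))
    return sorted(events)

def scan_failures_after_refresh(events, window=timedelta(minutes=15)):
    """Pair each 7513 (IMF refresh) with the first 348 (scan failure) inside window."""
    pairs, last_refresh = [], None
    for ts, src, eid in events:
        if src != "MSExchangeTransport":
            continue
        if eid == 7513:
            last_refresh = ts
        elif eid == 348 and last_refresh and ts - last_refresh <= window:
            pairs.append((last_refresh, ts))
            last_refresh = None  # count each refresh at most once
    return pairs

def detection_gaps(events, max_gap=timedelta(hours=1)):
    """Return (last_hit, next_hit) pairs where avast! 26923 events went silent."""
    hits = [ts for ts, src, eid in events if src == "avast!" and eid == 26923]
    return [(a, b) for a, b in zip(hits, hits[1:]) if b - a > max_gap]
```

On the sample, the 6:24:47 PM and 12:35:30 PM refreshes are each paired with a following scan failure, while the 1:30:51 PM failure is not paired because it falls outside the window after the 10:18:39 AM refresh.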