
Kaspersky Engine is not updating successfully on Forefront/Antigen installations on both Exchange and Sharepoint

  • Thursday, January 03, 2008 11:16 PM, Ryan McGrath - MSFT
     

     

    An issue was discovered that is prohibiting the Kaspersky scan engine from updating successfully on Forefront and Antigen installations on both Exchange and Sharepoint.

     

    We are aware of the issue and working diligently to deliver a timely solution to the field.

     

    At this time, we would recommend that you disable the auto updates for Kaspersky to suppress the errors that may begin to be generated on your server(s) (see below).

     

    Errors that may be displayed in program log.txt or App log:

     

    Wed Jan 02 03:51:59 2008 (10872-15488), "ERROR: (0x800706be) The remote procedure call failed.  Scan engine could not be updated.  An error occurred while disabling scan jobs. hr = 0x800706BE."
    Wed Jan 02 03:51:59 2008 (10872-15488), "INFORMATION: The Kaspersky5 scan engine has been rolled back."
    Wed Jan 02 03:51:59 2008 (10872-15488), "INFORMATION: Sending Signature Update Failed Alert"

    Event Type:     Error
    Event Source:   GetEngineFiles
    Event Category: Engine Error
    Event ID:       6012
    Date:           1/2/2008
    Time:           9:58:51 AM
    User:           N/A
    Computer:       %SERVERNAME%
    Description:
    Microsoft Forefront Server Security encountered an error while performing a scan engine update.
       Scan Engine: Kaspersky5
       Error Code: 0x80070102
       Description: Unable to acquire the scan engine update mutex within the designated timeout period.

     

    If, by chance, Kaspersky is the only scanning engine that you are utilizing, please select a different engine so you are assured of proper protection while we work on a solution for delivery.

     

    This thread will be updated ASAP with a status/solution.

     

    Thank you for your patience.

     

    Ryan McGrath
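
A way to spot this failure in the program log, as an added example (not Microsoft's code and not part of the original post): the PowerShell below parses the three log lines quoted above and reports one record per failed update attempt. The function name and output fields are assumptions; the meaning of the number pair in parentheses is not stated in the thread, so it is only used as a grouping key.

```powershell
# Added example: summarise failed engine updates from program log lines.
# The sample lines are the three quoted in the post above.
$sample = @'
Wed Jan 02 03:51:59 2008 (10872-15488), "ERROR: (0x800706be) The remote procedure call failed.  Scan engine could not be updated.  An error occurred while disabling scan jobs. hr = 0x800706BE."
Wed Jan 02 03:51:59 2008 (10872-15488), "INFORMATION: The Kaspersky5 scan engine has been rolled back."
Wed Jan 02 03:51:59 2008 (10872-15488), "INFORMATION: Sending Signature Update Failed Alert"
'@ -split "`r?`n"

function Get-EngineUpdateFailure {   # hypothetical helper name
    param([string[]]$Line)
    $pattern = '^(?<ts>\w{3} \w{3} \d{2} \d{2}:\d{2}:\d{2} \d{4}) \((?<ids>\d+-\d+)\), "(?<level>[A-Z]+): (?<msg>.*)"\s*$'
    $culture = [Globalization.CultureInfo]::InvariantCulture
    $events = foreach ($l in $Line) {
        if ($l -match $pattern) {
            [pscustomobject]@{
                Time    = [datetime]::ParseExact($Matches.ts, 'ddd MMM dd HH:mm:ss yyyy', $culture)
                Ids     = $Matches.ids      # number pair in parentheses, meaning not stated on the page
                Level   = $Matches.level
                Message = $Matches.msg
            }
        }
    }
    # Lines sharing a timestamp and id pair are treated as one update attempt.
    $events | Group-Object Time, Ids | ForEach-Object {
        $errors = @($_.Group | Where-Object Level -eq 'ERROR')
        if ($errors.Count -eq 0) { return }   # attempt logged no error: skip it
        $text = ($_.Group.Message -join ' ')
        [pscustomobject]@{
            Time       = $_.Group[0].Time
            Ids        = $_.Group[0].Ids
            HResult    = if ($text -match '0x[0-9A-Fa-f]{8}') { $Matches[0].ToLower() } else { $null }
            Engine     = if ($text -match 'The (\S+) scan engine has been rolled back') { $Matches[1] } else { $null }
            RolledBack = $text -match 'rolled back'
        }
    }
}

Get-EngineUpdateFailure -Line $sample | Format-List
```

A rolled-back engine keeps scanning with its previous signatures, so a record with `RolledBack = True` that repeats over several days is the condition worth alerting on.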

     

All Replies

  • Monday, January 07, 2008 10:16 AM, M. Bastian
     Proposed Answer

    Hello Ryan,

    After raising the engine update timeout from 10 mins to 20 mins ("EngineDownloadTimeout" under HKLM\SOFTWARE\Wow6432Node\Microsoft\Forefront Server Security\Exchange Server) the update works again. The new value is 4b0 (hex).

     

    Kind regards,

    Marc

     

  • Wednesday, January 09, 2008 8:23 AM, fussi
     
    Hello Marc,

    I got the same error on my system.

    I searched for the key in the registry, but I could not find the "EngineDownloadTimeout" key. Do I have to set the key manually, and which type should the key be?

    Kind Regards

    Thorsten
  • Wednesday, January 09, 2008 8:46 AM, M. Bastian
     Proposed Answer

    Hi Thorsten,

     

    It is of type REG_DWORD. There is also a KB article online: http://support.microsoft.com/kb/939411/en-us

    A value of 600 seconds solved the problem some weeks ago; yesterday I had to change it to 1200 seconds (4b0 hex).

     

    Kind regards,

    Marc

     

  • Wednesday, January 09, 2008 8:56 AM, fussi
     
    Hello Marc,

    Thank you for the fast and good answer!

    Kind Regards

    Thorsten
  • Thursday, January 10, 2008 2:03 PM, Ryan McGrath - MSFT
     

    As an update to this issue:

     

    It is not that the increased EngineDownloadTimeOut value resolved the issue.  The fact is that Kaspersky has changed an aspect of their updates within the past few days that was the root of the issue regarding both Forefront and Antigen installations.  This correction has allowed Kaspersky updates to complete successfully.

     

    During the window of time that the issue was occurring you may have accumulated some stale directories under the Kaspersky folder structure while the updates were failing.  These directories will be under the "Package" directory under "Engines" in the Forefront/Antigen program location.  These directories are named for the update version, ex: 08011000002.  You will want to delete all of these directories manually.  Once that is done you should be able to successfully update Kaspersky and subsequent updates should succeed as well.  If these directories are not manually deleted it is possible that the auto update may time out while attempting to delete the directories as part of the update process.

     

    We strongly recommend that you apply the fix that will be available for this type of issue should it occur again with Kaspersky or any of the other engine vendors.  These fixes will be made available very soon.

     

    Thank you,

     

    Ryan McGrath
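
The manual cleanup described in the post above, as an added example (not Microsoft's code and not part of the original post). The function name is hypothetical, the Package path must be supplied because the thread does not give the full path, and matching all-digit directory names is an assumption based on the example name 08011000002.

```powershell
# Added example: list, then optionally delete, version-named directories under a Package folder.
function Remove-StaleEnginePackage {   # hypothetical helper name
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param(
        # Full path of the engine's "Package" directory (site-specific; not given in the thread).
        [Parameter(Mandatory)][string]$PackagePath
    )
    $root = Get-Item -LiteralPath $PackagePath -ErrorAction Stop
    if (-not $root.PSIsContainer -or $root.Name -ne 'Package') {
        throw "Refusing to run: '$PackagePath' is not a directory named Package."
    }
    # Assumption: update-version directories have all-digit names, like 08011000002.
    $stale = Get-ChildItem -LiteralPath $root.FullName -Directory |
        Where-Object { $_.Name -match '^\d+$' }
    foreach ($dir in $stale) {
        # Do not recurse through junctions or symlinks that lead out of the Package tree.
        if ($dir.Attributes -band [IO.FileAttributes]::ReparsePoint) {
            Write-Warning "Skipping reparse point: $($dir.FullName)"
            continue
        }
        if ($PSCmdlet.ShouldProcess($dir.FullName, 'Remove stale update directory')) {
            Remove-Item -LiteralPath $dir.FullName -Recurse -Force
            [pscustomobject]@{ Removed = $dir.FullName; LastWrite = $dir.LastWriteTime }
        }
    }
}

# Dry run first: reports what would be removed and deletes nothing.
# The path below is a placeholder, not a real location.
# Remove-StaleEnginePackage -PackagePath '<program location>\Engines\<...>\Package' -WhatIf
```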

     

  • Friday, January 11, 2008 11:02 AM, M. Bastian
     

    Ryan,

    It is very dubious that, in my case, immediately after changing the value to 1200 seconds the update succeeded without any errors. Before that change the update failed for two weeks or more.

     

    Kind regards,

    Marc

  • Friday, January 11, 2008 1:51 PM, Ryan McGrath - MSFT
     

     

    Increasing the timeout value (by default 5 min or 300 sec) most likely gave the update process enough time to clean up any stale directories that were present.  The deletion of these directories is a function of the updating process.  There were a lot of timeouts at customer locations due to the presence of these stale directories that needed to be cleaned up and there is a time gap between each deletion.  I had over 200 stale directories under my Package folder at one point. 

     

    If you manually clean these directories up the default timeout value should prove to be sufficient for successful Kaspersky updates. 

     

    In addition, increasing the timeout value proved to assist in the successful update only after Kaspersky re-configured their updates so that the initial issue with our product(s) was not present any longer.  While that issue was present with their updates the increase in the timeout value proved to be irrelevant in all of our testing.

     

    Thanks,

     

    -Ryan

     

     

  • Wednesday, January 30, 2008 5:51 PM, ksnb
     
    We are still experiencing the problem. Do you have an ETA for the fix?

    It's been some time now.....

  • Wednesday, January 30, 2008 7:58 PM, Ryan McGrath - MSFT
     

    The KB for this issue and the hotfix have not been published publicly yet.  I will post them to this thread when they become available shortly.

     

    However, this issue can be corrected manually by deleting the stale directories as seen in posts above.  The hotfix will prevent the issue from ever reoccurring in the future.  That said, you should be able to update the Kaspersky engine to its current definition files by going through the manual steps (deleting all the stale directories under the package directory and attempting an update).

     

    In addition, the fix (different fixes for each different Forefront/Antigen product) can be obtained by contacting Microsoft CSS directly.

     

  • Monday, July 28, 2008 5:47 AM, Craig Humphrey
     
    Please note that I experienced this problem on a brand new MOSS VM with a brand new Forefront SP2 install.
    All other engines updated just fine, but Kaspersky kept failing until I increased the EngineDownloadTimeout reg key.

    So this is not entirely related to having lots of folders to clean up.

    Considering that it's now nearly seven months later, I'm surprised there hasn't been a patch, nor did Forefront SP2 fix this (which was released after this issue was raised (even SP1 was after!)).

    Oh well, all working fine now!  Just need to think how I'm going to implement this in production with a locked down DMZ.... fun!
  • Sunday, November 01, 2009 5:44 PM, Wizchip
     
    First off, I want to thank M. Bastian for giving us the solution to our issues and doing Microsoft's work for them.  And yes, it is sad that we had so many SPs out and this wasn't fixed.

    We use Server 2003 with Antigen and not only did this fix the Kaspersky update issue, but also the SPAMCURE update not completing.  It seems that there are so many files that need to be updated in the folders that the process times out before it gets a chance to complete the process.

    Note for people that have Server 2003 with Antigen for Exchange.

    FIX:  (EDIT REGISTRY KEY)

    HKEY_LOCAL_MACHINE\SOFTWARE\Sybari Software\Antigen for Exchange
    EngineDownloadTimeout = 4B0 (HEX)  or 1200 (BIN)

    The engine update (and server reboot) will stop all the emails from becoming STUCK in the QUEUE Exchange folder.  (Reboot server after Antigen engine updates)
    " C:\Program Files\Exchsrvr\Mailroot\vsi 1\Queue "

    We had to select EACH and every engine in the Antigen Administrator Console and update each engine one at a time.  For some reason, the SCHEDULED updates did not perform as intended.

    As of current post, we do not know if Antigen will auto update the engines after this fix.  We will continue to monitor the systems to see if the "Time Out" registry change will fix the update issues.  Also, please check your Queue folder to make sure you don't have any emails stuck as this will eventually stop your Exchange from processing new emails.  (Manual cleaning with multiple reboots and service STOPS will be required).

    Hope this helps future readers to resolve any issues with Antigen and Server 2003.

    Note:  We also have Forefront Client Security running with default settings.
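
The EngineDownloadTimeout value discussed in M. Bastian's and Wizchip's posts, as an added example (not Microsoft's or the posters' code): the PowerShell below reports the value under the two registry keys quoted in this thread and can write it as a REG_DWORD. The function names are hypothetical; which key exists depends on the installed product.

```powershell
# Added example: report and optionally set EngineDownloadTimeout (seconds, REG_DWORD).
# The two key paths are the ones quoted in this thread.
$keys = @(
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Forefront Server Security\Exchange Server',
    'HKLM:\SOFTWARE\Sybari Software\Antigen for Exchange'
)

function Get-EngineDownloadTimeout {   # hypothetical helper name
    param([string[]]$KeyPath)
    foreach ($key in $KeyPath) {
        $present = Test-Path -LiteralPath $key
        $value = $null
        if ($present) {
            # Returns nothing (so $value stays $null) when the value has never been created.
            $value = (Get-ItemProperty -LiteralPath $key -Name EngineDownloadTimeout `
                      -ErrorAction SilentlyContinue).EngineDownloadTimeout
        }
        [pscustomobject]@{
            Key        = $key
            KeyPresent = $present
            Seconds    = $value
            Hex        = if ($null -ne $value) { '0x{0:X}' -f $value } else { $null }
        }
    }
}

function Set-EngineDownloadTimeout {   # hypothetical helper name
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$KeyPath, [Parameter(Mandatory)][uint32]$Seconds)
    # Only touch a product key that already exists; never create the product key itself.
    if (-not (Test-Path -LiteralPath $KeyPath)) { throw "Product key not found: $KeyPath" }
    if ($PSCmdlet.ShouldProcess($KeyPath, "Set EngineDownloadTimeout = $Seconds")) {
        # -Force creates the value or overwrites an existing one; the type is always DWord.
        New-ItemProperty -LiteralPath $KeyPath -Name EngineDownloadTimeout `
            -PropertyType DWord -Value $Seconds -Force | Out-Null
    }
}

Get-EngineDownloadTimeout -KeyPath $keys | Format-Table -AutoSize
# Dry run of the change from the thread (1200 seconds = 0x4B0):
# Set-EngineDownloadTimeout -KeyPath $keys[0] -Seconds 1200 -WhatIf
```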