anti virus deleted log file

    Question

  • Like a big dummy I believed Symantec when it said it automatically put exclusions on servers where MS Exchange is installed. Well, it deleted two of my log files and one I was able to restore from the quarantine. What are my next steps now? Is there a tool or command to see what is missing? Thanks.

    Monday, February 20, 2012 2:32 PM

Answers

  • A call to MS set me straight. As long as I get a clean shutdown from eseutil /mh I can remove the log files and create a new folder for the database logs. Then remount the database and all is well.
    • Marked as answer by KirkSH Monday, February 20, 2012 11:42 PM
    Monday, February 20, 2012 11:42 PM

All replies

  • Exclude the log files, database and binary files.
    We had issues with Symantec with one client; it was causing failover to server and we had to uninstall the product.

    I would recommend keeping only EndPoint protection on the Mailbox server and removing Mail Security for Exchange. Install EndPoint and Mail Security on the HT/CAS server.

    I would say you call Symantec; they will help you configure their product. Personally I will never ever install Symantec on the server, ever.


    Gulab Prasad,
    MCITP: Exchange Server 2010 | MCITP: Exchange Server 2007
    MCITP: Lync Server 2010 | MCITP: Windows Server 2008

    Monday, February 20, 2012 2:44 PM
  • @ Gulab

    I would recommend Keep only EndPoint protection on Mailbox Server and Remove Mail Security for exchange.

    Wouldn't you want Mail Security on the MBX server so it can scan the database for viruses?

    Or... does the product scan email as it enters the system, i.e. at Send Connector or in Submission Queue -> HT role?

    Otherwise, if the OP has all roles on the same server, then he has little choice.

    It would be interesting to know which product (SAV/SEP or Mail Security) deleted the log files. It may have been SEP for all we know.

    But yes, OP should contact Symantec directly. It's their product and they should make it work/make it right.

    @KirkSH

    Are all Exchange roles on the same server?

    And what products do you have installed? SEP and Mail Security? What versions?

    I believe that since version 11 (10?) Symantec does claim that it makes automatic exclusions for Active Directory and Exchange files and folders.

    Monday, February 20, 2012 3:33 PM
  • @ Le Pivert
    Because for external emails, the application is installed on HT server and for internal emails I already have EndPoint protection running on the server.
    I have a client and we are running the same configuration and we don't have any issue (not yet) ;)

    Again...Yes, It's recommended to have the OS and Exchange aware AV on the server.


    Gulab Prasad,
    MCITP: Exchange Server 2010 | MCITP: Exchange Server 2007
    MCITP: Lync Server 2010 | MCITP: Windows Server 2008

    Monday, February 20, 2012 3:42 PM
  • OK, so I called Symantec and I was able to recover one of the log files since it was quarantined. I have recovered that one and tried an online backup using Symantec BE 2010. It tried to flush the logs but it didn't work. My Exchange server is up and running and I am fine for now. The real issue is the drive with the logs will fill up in the next few days. What are my options at this point? If I want to shut down and replay the log files back into the database, what will happen? Will it allow me to skip those two log files and then continue past, or have I lost all of my email from those log files on? Can I export the emails out of my DB and shut down and replay back? The worst part of this is that I was moving my mailboxes over to a new server and this happened right after they were all moved, before I could take a clean backup.
    Monday, February 20, 2012 10:09 PM
  • So how many logfiles did you lose altogether?

    3?

    1 was recovered?

    2 were not?

    If I want to shut down and replay the log files back into the database, what will happen? Will it allow me to skip those two log files and then continue past, or have I lost all of my email from those log files on?

    If you dismount the database there are a couple of eseutil commands you could run that might provide some information on the relationship between the database and associated log files (how many, which ones missing), and in a worst-case scenario there is a repair process that can be run - albeit with risk of data loss.

    Did you lose all the mail in those log files? Possibly.

    But I'm going to wait for someone with more experience with eseutil and corrupt or missing log files to comment on this.

    My concern is that if you dismount the database (to run the eseutil cmds), it might not want to (re)mount because of the missing logs and that would force you to perform the repair process.

    Repair process is often recommended only as a last resort and I'm not sure we are quite at that point yet.

    Tuesday, February 21, 2012 12:00 AM
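
The two checks this thread turns on, as an added example (not code from any poster, Microsoft or Symantec): listing gaps in the numbered transaction log sequence, and reading the `State:` line from `eseutil /mh` output before any log files are removed. The function names, the `E00` log prefix, the file names and the header text are assumptions constructed for illustration.

```powershell
function Get-MissingLogGeneration {
    param([string[]]$FileName, [string]$Prefix = 'E00')
    # Numbered ESE logs are <prefix><hex generation>.log; the active <prefix>.log has no number.
    $pattern = '^' + [regex]::Escape($Prefix) + '([0-9A-Fa-f]{5,8})\.log$'
    $width = 8
    $have = @{}
    foreach ($n in $FileName) {
        if ($n -match $pattern) {
            $width = $Matches[1].Length
            $have[[Convert]::ToInt64($Matches[1], 16)] = $true
        }
    }
    $gens = @($have.Keys | Sort-Object)
    if ($gens.Count -lt 2) { return }
    # Walk from the lowest to the highest generation present and emit every hole.
    for ($g = $gens[0]; $g -le $gens[-1]; $g++) {
        if (-not $have.ContainsKey($g)) { "{0}{1:X$width}.log" -f $Prefix, $g }
    }
}

function Test-CleanShutdown {
    param([string[]]$HeaderLine)   # lines of 'eseutil /mh <database>.edb' output
    foreach ($line in $HeaderLine) {
        if ($line -match '^\s*State:\s*(.+?)\s*$') {
            return ($Matches[1] -eq 'Clean Shutdown')
        }
    }
    return $false                  # no State line found: treat as not clean
}

# Constructed samples. On a real server, feed in (Get-ChildItem <log folder>).Name
# and the output of: eseutil /mh <path to database>.edb  (database dismounted).
$names  = 'E00.log', 'E0000000A1C.log', 'E0000000A1D.log', 'E0000000A20.log', 'E00.chk'
$header = '            State: Dirty Shutdown'

$missing = @(Get-MissingLogGeneration -FileName $names)
"Missing log files: $($missing -join ', ')"

if (Test-CleanShutdown -HeaderLine $header) {
    'Clean Shutdown: existing logs are not needed to mount the database.'
} else {
    'Not a clean shutdown: leave the log files in place.'
}
```

With the constructed input the gap report names the two generations between `A1D` and `A20`, and the header check refuses because the state is not `Clean Shutdown`.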