Antigen crashes and disables mailflow.

    Question

  • I am having a serious problem with Antigen 9 SP2. My server is Windows 2003 R2 SP2 running Exchange 2003 SP2 with Antigen 9 SP1. On a fairly frequent basis Antigen will error out on an internet scan and throw this event in the event viewer:

    EVENT LOG    Application
    EVENT TYPE    Error
    SOURCE    AntigenSmtpSink
    CATEGORY    Scan Error
    EVENT ID    5015
    COMPUTERNAME      EXCHANGE
    DATE / TIME      2/15/2012 8:06:50 AM
    MESSAGE    Internet scan exceeded the allotted scan time limit while processing message ( My password).

    This error is repeated over and over for each email message that Antigen attempts to process after this.

    All message scanning stops, but more alarmingly, all message flow stops as well. Messages pile up in the SMTP Categorizer queue. The only way to restore scanning and mail flow at this point is to reboot the server; restarting services or the Default SMTP server won't work. The most recent time this happened I had to completely uninstall Antigen to get mail flow working again.

    The only solution that I have been able to find for this after searching extensively online is to modify the internet scan timeout in the registry. I have mine set to 10 minutes and still have the same problem.

    Here are some other errors I have seen that are related to this:

    FILE QUARANTINED
    ----------------
    The original contents of this file have been replaced with this message because of its characteristics.
    File name: "Body of Message"
    Virus name: "Exceeded Internet Timeout"

    EVENT LOG    Application
    EVENT TYPE    Error
    SOURCE    AntigenSmtpSink
    CATEGORY    Server/IMC Error
    EVENT ID    4007
    COMPUTERNAME      EXCHANGE
    DATE / TIME      2/15/2012 9:58:32 AM
    MESSAGE    Internal error 3-6, method returned 0x800706ba.

    EVENT LOG    Application
    EVENT TYPE    Error
    SOURCE    AntigenInternet
    CATEGORY    Scan Error
    EVENT ID    5008
    COMPUTERNAME      EXCHANGE
    DATE / TIME      2/15/2012 9:56:28 AM
    MESSAGE    Unable to register internet scan.

    EVENT LOG    Application
    EVENT TYPE    Error
    SOURCE    AntigenInternet
    CATEGORY    Scan Error
    EVENT ID    5001
    COMPUTERNAME      HERMES
    DATE / TIME      2/15/2012 9:57:32 AM
    MESSAGE    Unable to create sybari service.

    I need help!
    15 February 2012 19:45

Answers

  • Hi,

    Thank you for the post.

    Please perform the following steps and see if it works:

    1. Uninstall Antigen completely from the server

    2. Manually delete the folder C:\Program Files\Microsoft Antigen for Exchange

    3. Restart the server

    4. Reinstall Antigen for Exchange 9.0 SP2

    5. Also install the latest Hotfix Rollup 4 update for Antigen

    Regards,


    Nick Gu - MSFT

    17 February 2012 3:35
    Moderator

All Replies

  • Hi,

    Check the programlog.txt inside the installation directory of Antigen. There should be some more interesting information in it regarding the crashes.

    Greetings

    Christian


    Christian Groebner MVP Forefront

    15 February 2012 21:28
  • I reinstalled Antigen and it promptly began causing the same problems.

    Here are some entries from my programlog.txt:

    Wed Feb 15 14:25:35 2012 ( 1384- 3388), "ERROR: Internet scan exceeded the allotted scan time limit while processing message (Tara Whitten ID (0285590))."
    Wed Feb 15 14:25:35 2012 ( 1384- 3388), "INFORMATION: ArchiveMailMsg called to archive C:\Program Files\Microsoft Antigen for Exchange\Archive\out\20120215142535001.eml"
    Wed Feb 15 14:25:40 2012 ( 5024- 5784), "INFORMATION: AntigenInternet is shutting down"
    Wed Feb 15 14:25:40 2012 ( 5024- 5784), "INFORMATION: Antigen SMTP scanning subsystem has been taken offline"
    Wed Feb 15 14:25:45 2012 ( 1384- 4220), "ERROR: Internet scan exceeded the allowed scan time limit"
    Wed Feb 15 14:25:46 2012 ( 5024- 5784), "INFORMATION: Antigen Monitor detected SMTPSVC started"
    Wed Feb 15 14:25:46 2012 ( 5024- 5784), "INFORMATION: Antigen SMTP scanning subsystem online"


    Wed Feb 15 14:30:42 2012 ( 1384- 1800), "ERROR: Internet scan exceeded the allotted scan time limit while processing message ( ES: AntigenSmtpSink:Scan Error:5015 by Warnings and Errors)."

    Wed Feb 15 14:30:42 2012 ( 1384- 1800), "INFORMATION: ArchiveMailMsg called to archive C:\Program Files\Microsoft Antigen for Exchange\Archive\in\20120215143042002.eml"

    Wed Feb 15 14:33:04 2012 ( 1912- 1304), "ERROR: Unable to register internet scan"

    Wed Feb 15 14:33:04 2012 ( 2000- 1584), "WARNING: The call to enable the scan engine returned the value: hr = 0x800706BE."


    Wed Feb 15 14:33:10 2012 ( 1384- 1804), "ERROR: Internet scan exceeded the allowed scan time limit"

    Wed Feb 15 14:33:10 2012 ( 1384-  360), "ERROR: Internet scan exceeded the allowed scan time limit"

    Wed Feb 15 14:33:10 2012 ( 5396- 4388), "GetAllExchVirtualServerNames: OpenCluster Failed."


    Wed Feb 15 14:33:37 2012 ( 1384- 3388), "ERROR: A scanning thread has been terminated and restarted."

    Wed Feb 15 14:33:37 2012 ( 1384- 3388), "ERROR: Antigen timed out while processing message (Tara Whitten ID (0285590)).  Antigen then attempted to treat this file according to the 'Internet Scan Timeout Action' setting, but Antigen timed out again.  Therefore, Antigen allowed this message to continue unscanned.  To prevent this problem, increase the 'InternetTimeout' registry key."


    Wed Feb 15 15:07:00 2012 ( 3364- 5404), "ERROR: Unable to create Sybari service. hr=80070422"
    15 February 2012 22:42
  • Hi,

    Do you have enough disk space on your server?

    The following line shows that the service crashes after archiving the email:

    Wed Feb 15 14:25:35 2012 ( 1384- 3388), "INFORMATION: ArchiveMailMsg called to archive C:\Program Files\Microsoft Antigen for Exchange\Archive\out\20120215142535001.eml"
    Wed Feb 15 14:25:40 2012 ( 5024- 5784), "INFORMATION: AntigenInternet is shutting down"
    Wed Feb 15 14:25:40 2012 ( 5024- 5784), "INFORMATION: Antigen SMTP scanning subsystem has been taken offline" 

    What happens if you temporarily disable archiving of the emails?

    Greetings

    Christian


    Christian Groebner MVP Forefront

    15 February 2012 22:51
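
An added example, not part of any post in this thread: a small Python parser for the programlog.txt line layout quoted above. It counts scan timeouts, flags messages that were delivered unscanned, decodes the HRESULT values, and lists what was logged in the 10 seconds before the SMTP scanning subsystem went offline. The sample lines are constructed from the thread's excerpts (message subject replaced); the function names and the 10-second window are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: programlog.txt lines from this thread, message subject replaced.
SAMPLE_LOG = r'''
Wed Feb 15 14:25:35 2012 ( 1384- 3388), "ERROR: Internet scan exceeded the allotted scan time limit while processing message (example subject)."
Wed Feb 15 14:25:35 2012 ( 1384- 3388), "INFORMATION: ArchiveMailMsg called to archive C:\Program Files\Microsoft Antigen for Exchange\Archive\out\20120215142535001.eml"
Wed Feb 15 14:25:40 2012 ( 5024- 5784), "INFORMATION: AntigenInternet is shutting down"
Wed Feb 15 14:25:40 2012 ( 5024- 5784), "INFORMATION: Antigen SMTP scanning subsystem has been taken offline"
Wed Feb 15 14:33:04 2012 ( 2000- 1584), "WARNING: The call to enable the scan engine returned the value: hr = 0x800706BE."
Wed Feb 15 14:33:10 2012 ( 5396- 4388), "GetAllExchVirtualServerNames: OpenCluster Failed."
Wed Feb 15 14:33:37 2012 ( 1384- 3388), "ERROR: Antigen timed out while processing message (example subject).  Therefore, Antigen allowed this message to continue unscanned."
Wed Feb 15 15:07:00 2012 ( 3364- 5404), "ERROR: Unable to create Sybari service. hr=80070422"
'''

LINE_RE = re.compile(r'^(?P<ts>\w{3} \w{3} +\d+ [\d:]{8} \d{4}) \(\s*(?P<pid>\d+)-\s*(?P<tid>\d+)\), '
                     r'"(?:(?P<sev>ERROR|WARNING|INFORMATION): )?(?P<msg>.*)"\s*$')
HRESULT_RE = re.compile(r'hr\s*=\s*(?:0x)?([0-9A-Fa-f]{8})')
WIN32_NAMES = {1058: "ERROR_SERVICE_DISABLED", 1722: "RPC_S_SERVER_UNAVAILABLE", 1726: "RPC_S_CALL_FAILED"}  # winerror.h

def parse(text):
    """Parse lines in the programlog.txt layout; the severity prefix is optional."""
    entries = [m.groupdict() for m in map(LINE_RE.match, map(str.strip, text.splitlines())) if m]
    for e in entries:
        e["ts"] = datetime.strptime(e["ts"], "%a %b %d %H:%M:%S %Y")
    return entries

def decode_hresult(hexstr):
    """Return (facility, code, name); facility 7 (FACILITY_WIN32) wraps a Win32 error."""
    hr = int(hexstr, 16)
    facility, code = (hr >> 16) & 0x1FFF, hr & 0xFFFF
    return facility, code, (WIN32_NAMES.get(code, "unknown") if facility == 7 else "non-Win32")

def triage(entries, window=timedelta(seconds=10)):
    """Count timeouts, flag fail-open deliveries, decode HRESULTs, show pre-offline context."""
    report = {"timeouts": 0, "unscanned": [], "hresults": [], "offline_context": []}
    for i, e in enumerate(entries):
        report["timeouts"] += "scan time limit" in e["msg"]
        if "continue unscanned" in e["msg"]:
            report["unscanned"].append(e["ts"])
        report["hresults"] += [decode_hresult(h) for h in HRESULT_RE.findall(e["msg"])]
        if "taken offline" in e["msg"]:
            report["offline_context"].append([p["msg"] for p in entries[:i] if e["ts"] - p["ts"] <= window])
    return report

if __name__ == "__main__":
    print(triage(parse(SAMPLE_LOG)))
```

On these lines it reports RPC_S_CALL_FAILED for 0x800706BE and ERROR_SERVICE_DISABLED for 80070422, and lists the 14:33:37 entry as a message that passed through without being scanned.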