locked
Forefront 5008 errors and scans RRS feed

  • Question

  • Hi guys

    I have a question about how the Forefront scan engine handles scans, after encountering a 5008 error and the service going offline.

    Basically what I'd like to know if possible is when Forefront encounters an error while scanning a file, generates a 5008 error about it and the service needs restarting, will the scan pick up where it left off or start all over again?

    I realise for instance a quick scan starting over wouldn't be a big deal but what about a full scan on a file server, where sometimes 100's of GB's of data are involved?

    We've started seeing quite a few 5008 errors in the last few weeks amongst a fair selection of our customers. The faulting file each time looks to be random in nature, with no exact pattern that I can see.

    TIA

    Dominic

    Thursday, October 16, 2014 3:43 PM

Answers

All replies

  • Hi,

    Is there a error code about this event? Could you please provide the message content?

    If you restart the service, does the client still fail in the same way?

    Please check the logs to see if there is any helpful information.

    http://technet.microsoft.com/en-us/library/bb418913.aspx

    Best Regards,

    Joyce


    We are trying to better understand customer views on social support experience, so your participation in this interview project would be greatly appreciated if you have time.
    Thanks for helping make community forums a great place.

    Friday, October 17, 2014 8:59 AM
  • Hi Joyce

    When this happens, it generates an event ID 5008 in the System log. An example of this is below:

    Log Name:      System
    Source:        FCSAM
    Date:          14/10/2014 20:44:37
    Event ID:      5008
    Task Category: None
    Level:         Error
    Keywords:      Classic
    User:          N/A
    Computer:      XXXXXXXXXXXX
    Description:
    Microsoft Forefront Client Security engine has been terminated due to an unexpected error.
      Failure Type: Crash
      Exception code: 0xc00000fd
      Resource: file:C:\rlink\Install_files\glassfish4win\DocStore_28.ear->lib/davisor-publishor.jar->com/davisor/publishor/aqq.class
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="FCSAM" />
        <EventID Qualifiers="0">5008</EventID>
        <Level>2</Level>
        <Task>0</Task>
        <Keywords>0x80000000000000</Keywords>
        <TimeCreated SystemTime="2014-10-14T19:44:37.000000000Z" />
        <EventRecordID>53292</EventRecordID>
        <Channel>System</Channel>
        <Computer>XXXXXXXXX</Computer>
        <Security />
      </System>
      <EventData>
        <Data>%%830</Data>
        <Data>1.5.1996.0</Data>
        <Data>file:C:\rlink\Install_files\glassfish4win\DocStore_28.ear-&gt;lib/davisor-publishor.jar-&gt;com/davisor/publishor/aqq.class</Data>
        <Data>2</Data>
        <Data>%%831</Data>
        <Data>0xc00000fd</Data>
        <Data>
        </Data>
        <Data>
        </Data>
      </EventData>
    </Event>

    Once the service has been restarted, it may be fine for days after. Also, it doesn't appear to crash on the exact same file each time either. In fact, it isn't even always the same file type each time. As I mentioned originally, we've only really seen this error pop up in the last 2 - 3 weeks for some reason.

    I've tried to look at the Forefront logs as per the article you link to but I don't seem to have access to the log files. This is the same on a few different customer servers that I've tried, with different administrative accounts.

    Regards,

    Dominic

    Friday, October 17, 2014 1:13 PM
  • Hi Joyce

    Do you have any other idea what may have caused this?

    I've noticed that we've had no further instances of this error, on any of the client servers that I'm aware of, to date. Looks like this was due to a bad update or something?

    Regards,

    Dominic

    • Proposed as answer by Joyce L Thursday, November 6, 2014 11:16 AM
    Monday, November 3, 2014 10:07 AM
  • Hi,

    I think the error might be due to a faulty signature.

    If you run into this error in the future, you need to open a case with Microsoft and send the Resource file in the log for analysis.

    C:\rlink\Install_files\glassfish4win\DocStore_28.ear->lib/davisor-publishor.jar->com/davisor/publishor/aqq.class

    Best Regards,

    Joyce


    We are trying to better understand customer views on social support experience, so your participation in this interview project would be greatly appreciated if you have time.
    Thanks for helping make community forums a great place.

    • Proposed as answer by Joyce L Thursday, November 6, 2014 11:16 AM
    • Marked as answer by Domsq Thursday, November 6, 2014 11:24 AM
    Tuesday, November 4, 2014 1:49 AM