Incidents Report Queue isn't purging

  • Question

  • Hi There,

    Using Antigen 9.2.1097 SP2 for SMTP server on Win2003 and although the "Purge after 91 days" check box for the Incidents report queue is enabled right now there are incidents going clear back to April 2014.

    The quarantine report queue is configured the same way yet it seems to be working with messages going back to only October 28, 2014.

    I have removed the purge check mark and clicked 'apply'  Then I re-enabled it and also changed the time to 101 days.  Then I waited overnight since I know the purge routine doesn't take effect right away.  In fact I waited multiple evenings with the same setting and no change.

    I have clicked the "Clear Log" button at the top right which I'm assuming should wipe out ALL the incidents and it gave feedback indicating it worked however I still have every single incident in the log.

    I'm only concerned with running out of disk space here.

    Any ideas or advice welcome!

    PS: As the Windows 2003 server is fully updated this issue has been surviving reboots as well since it had to be rebooted numerous times since October 28, anyway in order to apply security patches.

    Thanks!


    Sam

    Tuesday, January 27, 2015 4:23 PM

All replies

  • Hi,

    Please check the steps for clearing the incidents database in the article below.

    "To clear the Incidents database
    1. Click Clear Log on the Incidents work pane on the REPORT shuttle. This clears all the items from the Incidents work pane. You will be asked to confirm your decision.

    2. Select Run Job in the OPERATE shuttle. Select a scan job, and then click Clear Log. This clears the items from the job in the Incidents work pane. Once again, you will be asked to confirm your decision. You must individually clear all scan jobs to have all items flagged for deletion from the database.

    After you have cleared the entries in both places, they no longer appear in the Incidents work pane."

    https://technet.microsoft.com/en-us/library/bb914043.aspx

    Best Regards,

    Joyce


    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Wednesday, January 28, 2015 6:48 AM
    Moderator
  • Hi Joyce,

    Thanks for the reply and I thought you might be on to something there since I had not tried clearing the log in the scan job from the "Operate" shuttle before.

    However I did follow those instructions this time - both clearing the log from the Incidents shuttle as well as from the Operate shuttle.  I followed them twice in fact because the first time didn't clear the Incidents log.  Neither did the second attempt.  But I thought I'd wait until after the next time 2:00am was passed - the default compact database time - to see if there were any changes until writing back.

    Well it's 4.75 hours past that time now and we still have all the Incidents we had since April 8 and now of course including all the new ones since then up until now.

    I think there really is something stuck.  Do you have any other ideas for me?

    Thanks!


    Sam

    Thursday, January 29, 2015 11:48 AM
  • Hi,

    Have you resolved this issue? I consulted a more experienced person. He said that the fix for this at this moment will be to export any configuration settings for Antigen and uninstall\re-install.

    Best Regards,

    Joyce



    Thursday, February 12, 2015 1:41 AM
    Moderator
  • Hi Joyce,

    Unfortunately no the issue isn't resolved as I'm looking at the incidents queue it still has records from April 8, 2014 and onward even though the "Purge" box is checked with "101" days as the purge parameter.

    Since we'll need to stop using Antigen before support stops on December 31 coupled with the fact that it is otherwise working perfectly well I'm almost wondering if I can get away with just leaving things as is until then.  The only concern of course is that I thought I read somewhere there is a 2GB limitation on the logs....  If you could help me find out these two things I think I'd have everything I need:

    1) How can I monitor the database size in order that I might be able to decide if and when to uninstall / reinstall Antigen?  Where is this incidents database and can you confirm that it's true there's a 2GB limit oh and what will happen, exactly, when that's reached?  Will the computer catch on fire, do you suppose?  I sure hope it won't break in half to reveal all the smoke and mirrors inside of it, anyway! ;)

    2) Can you point me to best practice method for that export and uninstall / reinstall you suggested so that I might have it handy in the event I determine, using your answers to point 1), that I'll need to buy myself a bit more time before we replace Antigen with another system?  (probably in August when things are a bit quieter in the office).

    Thanks!


    Sam

    Thursday, February 12, 2015 3:16 AM
  • Hi Sam,

    1) How can I monitor the database size in order that I might be able to decide if and when to uninstall / reinstall Antigen?  Where is this incidents database and can you confirm that it's true there's a 2GB limit oh and what will happen, exactly, when that's reached?  Will the computer catch on fire, do you suppose?  I sure hope it won't break in half to reveal all the smoke and mirrors inside of it, anyway! ;)

    Answer: You can monitor the size of your Incidents Database by looking at the size of the incident.mdb file located in your Antigen directory. There is a 2 GB limit for this file, once this limit is hit the file is corrupted and can no longer be purged by the Antigen option to 'purge after.' Can you verify the size of this file now? It is possible it is past the 2GB limit already and this is why your incidents are not purging.

    2) Can you point me to best practice method for that export and uninstall / reinstall you suggested so that I might have it handy in the event I determine, using your answers to point 1), that I'll need to buy myself a bit more time before we replace Antigen with another system?  (probably in August when things are a bit quieter in the office).

    Answer: You can export your incident list by choosing Export in Report -> Incidents --> Export. This will export your incidents to a .txt file to a location of your choice.

    Antigen stores program settings as well as scanning activity information, including the Quarantine Area, on the file system. If you want, you can relocate these files at any time after installation.

    To relocate data files:

    1. Stop all Exchange services and any Antigen services that might still be running after Exchange is stopped.

    2. Create a folder in the location where you want to move the files.

    3. Move all the data files (files with the .adb extension) and the Quarantine and Engines folders.

    4. Change the following registry key to reflect the new location: HKEY_LOCAL_MACHINE\SOFTWARE\Sybari Software\Antigen for Exchange\DatabasePath.

    5. Set the security for the new location. Right-click the folder of the new location, and then select Properties. On the Security tab, add a user called “Network Service” with Full Control privileges. This is necessary so that logging is performed for the SMTP Scan Job.

    6. Restart the Exchange services.

    If you have any questions you can reference the link below

    https://technet.microsoft.com/en-us/library/bb914021.aspx

    Best Regards,

    Joyce



    • Marked as answer by HN_Support Wednesday, February 25, 2015 2:49 AM
    Wednesday, February 25, 2015 1:56 AM
    Moderator
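
Added example, not part of the original thread or of Microsoft's documentation: a PowerShell 2.0 check of the two things the answer above asks an administrator to look at, the size of the Incidents database against the 2 GB limit and the state of the data folder after the relocation steps. It assumes DatabasePath is a registry value under the key the answer names and that the database file sits in that folder; the -DbDir, -DbName and -WarnAt parameters are hypothetical names introduced here.

```powershell
# Added example, PowerShell 2.0 compatible. Run on the Antigen server as an administrator.
param(
    [string]$RegKey = 'HKLM:\SOFTWARE\Sybari Software\Antigen for Exchange',  # key named in the answer
    [string]$DbDir  = '',              # assumption: defaults to the DatabasePath folder
    [string]$DbName = 'incident.mdb',  # the thread also spells it incidents.mdb
    [double]$WarnAt = 0.75             # constructed threshold: warn at 75% of the limit
)
$limit = 2GB

# Relocation step 4: the registry must point at a folder that exists.
$dataDir = (Get-ItemProperty -Path $RegKey -Name DatabasePath -ErrorAction Stop).DatabasePath
if (-not (Test-Path -LiteralPath $dataDir -PathType Container)) {
    throw "DatabasePath points at a missing folder: $dataDir"
}
if (-not $DbDir) { $DbDir = $dataDir }

# Size of the Incidents database against the 2 GB limit.
$db    = Get-Item -LiteralPath (Join-Path $DbDir $DbName) -ErrorAction Stop
$used  = $db.Length / $limit
$state = 'OK'
if ($used -ge $WarnAt)     { $state = 'WARN' }
if ($db.Length -ge $limit) { $state = 'AT OR PAST LIMIT' }
'{0}: {1:N0} KB, {2:P1} of 2 GB [{3}]' -f $db.FullName, ($db.Length / 1KB), $used, $state

# Relocation step 3: the .adb data files and both folders should be in the new location.
$adbCount = @(Get-ChildItem -LiteralPath $dataDir -Filter *.adb).Count
'Data files (*.adb) in {0}: {1}' -f $dataDir, $adbCount
foreach ($sub in 'Quarantine', 'Engines') {
    $present = Test-Path -LiteralPath (Join-Path $dataDir $sub) -PathType Container
    'Folder {0} present: {1}' -f $sub, $present
}

# Relocation step 5: Network Service (well-known SID S-1-5-20) needs an Allow
# rule granting Full Control. Matching on the SID avoids localized account names.
$sidType = [System.Security.Principal.SecurityIdentifier]
$full    = [int][System.Security.AccessControl.FileSystemRights]::FullControl
$rules   = (Get-Acl -Path $dataDir).GetAccessRules($true, $true, $sidType)
$hasFull = @($rules | Where-Object {
    $_.IdentityReference.Value -eq 'S-1-5-20' -and
    $_.AccessControlType -eq 'Allow' -and
    ([int]$_.FileSystemRights -band $full) -eq $full
}).Count -gt 0
'Network Service has Full Control on {0}: {1}' -f $dataDir, $hasFull
```

Run from a scheduled task, the first output line gives a size history for the database, so growth toward the limit is visible before purging stops working.
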
  • Ok Joyce I checked the incidents.mdb and as of right now it's 389,412KB or about 380MB.

    Given that covers almost 11 months of 'incidents' data and there is only - at this point - about 10 months left before we have no choice but to migrate to a new anti-spam solution it seems to me that at this rate there won't be enough time for the file to even get to the 2GB limit.

    Since there's plenty of space left on the drive I think I'm just going to leave everything else as is and instead focus on getting the antigen replacement in place.

    Thanks.

    Sam

    Wednesday, February 25, 2015 2:49 AM