Memory leak on Kaspersky Security for Exchange 2003

Maybe you can tweak some settings in the Kaspersky software for MS Exchange Server 2003.
Put it on Standard Anti-virus Protection. If you're in doubt click the button for "Restore the default settings" to make sure you have the default settings.

Attachment Scan :
You can exclude some attachements scanning and exclude zipped attachements with a higher level as 32.

Exclude files defined by mask :
*.txt, *.tx? . *.txx  
test . all files with test in it's file name

Stop scan if it takes longer than 180 seconds

Actions :
Protected and damaged objects :
Additional setings :
Number of scanning threads? Put them on three.
Number of copies of the antivirus kernel 3 bij default (Process OutProcAdapter.exe)

Max. size of objects to scan in memory 1024 KB by default.
"Enable background scan"
You can also choose to let the software stop scanning in X hours.

All above was translated from a French website. I hope this will give you some ideas how to tweak Kaspersky software. Sorry for my worse French. Have a look:
http://kb.kaspersky.fr/index.php?article=946

Further more I found a critical update wich states it will remove a memory leak. Have you tried this?
http://www.kaspersky.com/support/exchange/security5.5/common?qid=208279815

This is all for now. I'm not an expert on Kaspersky but only try to help.

Hope this will help you in any way.

Kind regards,

Richard.

Thanks Richard, I need all the help I can get with this problem.

I tried those link already and workout the suggested upgrade from them and now I'm on build 5.5.1388.0 but the problem persist.

I will try your suggestion on default settings and update you with the outcome.

Thanks,

Richard,

I have tried default settings but no luck still.  I heard that I should have a Kaspersky AV 6.0 installed together with my current Exchange 5.5.  I only have Kaspersky Security for Exchange 2003 v 5.5 on my system now.  Would it be the reason I'm having this trouble now?  The manual does not mention about having 6.0 together with my exchange 5.5 as a requirement.

Any thought about this?
Thanks....

I did some research at one of the few sites we have with Kaspersky and they said the same thing about V6.0. It seems that V6.0 has new capabilities that will forget your problems. You can surely try.

I have to mention though that my colleagues warned me about your DNS. You DNS/WINS should be working perfectly. If your DNS isn't correctly configured, you can have performance issues.

Can you also make sure your DNS is working correctly? If you do nslookup on your pc's? can you post the outcome?

Thanks.

 

Thanks Richard.  I am talking about 2 versions of Kaspersky one is Kaspersky Security 5.5 for Exchange Server 2003 which we have currently installed in our Email Server machine and the other is Kaspersky Anti-Virus 6.0 for Windows Servers which we don't have on our Email Server.  But what they are saying is that I must have both versions running on my Email Server.  I am quite confused which setup is right as I can't find anything in this connection on the documentation of Kaspersky Security 5.5 for Exchange Server 2003.  How about on your system do you have them both installed and running on one Email Server Machine?

Here is the output of nslookup;

C:\>nslookup
*** Can't find server name for address x.x.x.1: Non-existent domain
DNS request timed out.
    timeout was 2 seconds.
*** Can't find server name for address x.x.x.2: Timed out
*** Default servers are not available
Default Server:  UnKnown
Address:  x.x.x.1

Hi,

make sure you have your Reverse DNS setup on your server. See:
http://www.experts-exchange.com/Networking/Microsoft_Network/Q_21673026.html

The system I'm looking at, strangely enough, didn't install V5.5. for protection against virusses on their mailboxes but they do have V6.0 installed. I'm still waiting for a reply about the complete functionality on Version 6 if it will also protect their emailboxes.

Let's try to repair your DNS first. This isn't good :-(

Richard.

Thanks Richard.  I will digest the info that I found from the link you provided and try to setup reverse DNS then let you know the outcome.

The IT company that setup our Servers talk about setting up a Reverse lookup from our ISP before.  We had a problem with AOL that time where in our emails are being rejected by AOL.  Do that differ with the DNS which is in our network which handles the computer name in our network?

"Do that differ with the DNS which is in our network which handles the computer name in our network?"
That's correct. Your internal DNS is a seperate issue from the matter with AOL.

The setup of the reverse DNS is pretty simple. If I can help you with it, just let me know :-)

Richard.

Another thing you can try is to exclude the Exchange directories wich holds the .edb - files. This could also be causing all your problems. See links:

Exchange 2007: http://technet.microsoft.com/en-us/library/bb332342(EXCHG.80).aspx
Exchange 2003: http://support.microsoft.com/kb/823166/
Exchange 2000: http://support.microsoft.com/kb/328841/

A general link:
http://support.microsoft.com/kb/822158/en-us

Do not worry about the exclusion of the .edb files or folders cause the realtime scanner is still there :-)

Hope this will help you.

Richard.

Hi Richard,

I am to make the reverse DNS now, but there is something I want do make sure it's clear to me, do I need to make a reverse DNS of each of my subnets?  We have a lot of remote sites, with there own subnet, which are connected and authenticated here in our main office via VPN.  So, do I need to create a reverse DNS for each of them?

No, just create a B-class subnet like: 192.168.x.x. DNS will automatically make new folders with underlying subnets. If all is good there should be no more errors in your eventlogs about this missing piece in DNS ;-)

Richard.

So I need to create 2? 1 for my 10.0.0.X and my remote sites which use 192.168.X.X?

Another thing I've noticed is that not all remote client machine appeares when I browse the network from here, the Head Office.  Is it also in connection with DNS problem?

I had setup the reverse lookup for 10.0.0.x but when I try nslookup again the same message appear.  is there anything I need to do first?

"So I need to create 2? 1 for my 10.0.0.X and my remote sites which use 192.168.X.X?"
Yes.

Another thing I've noticed is that not all remote client machine appeares when I browse the network from here, the Head Office.  Is it also in connection with DNS problem?
Could be. Not entirely sure but can also have something to do with your firewall, master browser service or DNS.

After you added your reverse lookup in your DNS, restart your DNS services on your server. What do you get when you type in "nslookup" on your server?

Richard.

I have restarted my DNS services, DNS Server and DNS client, and done nslookup on the server but it still said "can't find server name", "none existant domain" and "default server: unknown"

Make sure you filled in your own DNS ipaddress in the NIC properties of your network card. Can you do an IP-config /all on your server and post the outcome?

Richard.

Anything that I might be missing?  

I will add the reverse DNS for the 192.168.X.X now.

Yes it got its own adress as DNS. Here it is

Windows IP Configuration

   Host Name . . . . . . . . . . . . : alabsalsvr01
   Primary Dns Suffix  . . . . . . . : alabare.local
   Node Type . . . . . . . . . . . . : Unknown
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : alabare.local

Ethernet adapter Local Area Connection 2:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : HP NC373i Multifunction Gigabit Server
apter
   Physical Address. . . . . . . . . :
   DHCP Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : 10.0.0.1
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 10.0.0.254
   DNS Servers . . . . . . . . . . . : 10.0.0.1
                                       10.0.0.2

C:\Documents and Settings\Administrator>nslookup
*** Can't find server name for address 10.0.0.1: Non-existent domain
Default Server:  UnKnown
Address:  10.0.0.1

What's installed on 10.0.0.2? Also DNS?

Can you post ipconfig /all from the workstations from the 10.0.0.x subnet?

Richard.

PS: What a bout the directory exclusions? Did you try in Kaspersky?

10.0.0.2 is also a DC and DNS.

Here is the result.  I have changed some of the info.

Windows IP Configuration

        Host Name . . . . . . . . . . . . : HQ-IN-DESKTOP01
        Primary Dns Suffix  . . . . . . . : alabare.local
        Node Type . . . . . . . . . . . . : Unknown
        IP Routing Enabled. . . . . . . . : No
        WINS Proxy Enabled. . . . . . . . : No
        DNS Suffix Search List. . . . . . : alabare.local
                                            alabare.local

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . : alabare.local
        Description . . . . . . . . . . . : Realtek RTL8139/810x Family Fast E
ernet NIC
        Physical Address. . . . . . . . . :
        Dhcp Enabled. . . . . . . . . . . : Yes
        Autoconfiguration Enabled . . . . : Yes
        IP Address. . . . . . . . . . . . : 10.0.0.36
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : x.x.x.x
        DHCP Server . . . . . . . . . . . : 10.0.0.1
        DNS Servers . . . . . . . . . . . : 10.0.0.1
                                            10.0.0.2
        Lease Obtained. . . . . . . . . . : 11 September 2008 11:43:32
        Lease Expires . . . . . . . . . . : 19 September 2008 11:43:32

I haven't installed kaspersky 6.0 I have it scheduled tomorrow.  I will also uninstall and reinstall kaspersky 5.5 for exchange and see if that will make a diff.

what do you think about the ipconfig output?

DC should always have a static ipaddress.
A DC should never have a DHCP address!!!!
This is far away from standards.

Why was there chosen for a domaincontroller on DHCP? Was there a special reason to it?
Why do you have two DNS servers on your local LAN? One should be enough. Any special reason for that?

Before reinstalling the products. Did you try to exclude the folders? Kill the processes and restarted the server?

Richard.

We have two DC here and both have static IP.  The physical servers both have DC and DNS Server running in them.

I think you miss took the last data I sent.  The last one is from a client PC that is why the DHCP is enabled.

I don't know about the 2 DNS the IT company set it up for us.  I don't know about special reason also in this regards.  I was just thinking that it could be for fault tolerance, would it?

Thanks alot Richard for your effort

I will install kaspersky anti-virus 6.0 tomorrow.  That is schedule I got from the management since the email will be affected they agreed for it on friday.

In Kaspersky Security 5.5 for Exchange I could not find a way to exclude a folder.  It doesn't seem to have that functionality

Hi Richard,

I tried nslookup again this morning and it did find the DNS server.  Probably it has not finished processing the settings yesterday when I've done the command.  Here is the output now;

C:\>nslookup
Default Server:  alabsalsvr01.alabare.local
Address:  10.0.0.1

Ahhh GREAT. This is the way it should be :-)

Did you try this from your server? This output should also be seen on your workstation. Can you try?

Richard.

yap.... I did tried it from both and the same output.  

do I need to do anything else using nslookup to verify that it is working alright?

Great!

"do I need to do anything else using nslookup to verify that it is working alright?"
Nope, should be fine like this.

Good luck on your install with Kaspersky.

Thanks Richard
I will post the result on monday... . .

thanks

Hi Richard,

I have already installed KAV 6.0 and have excluded the files you recommended.  I have checkout the processes and OutProcAdapters are still there with same memory usage.

Will turning off the anti-virus of Kaspersky for Exchange be ok in my case and let KAV6.0 take care of anti-virusing.  Disabling Kaspersky for Exchange anti-virus gets rid of the outprocadapter processes.  Any thoughts?

I was off sick yesterday and going home now I will post when I come back.

Thanks Richard

Hi Richard,

I was support to post yesterday but its been a busy day.

I uninstalled the K Security and re installed it last Friday I thought it was already OK because all OutProcAdapter are just around 26MB each but I said I'll leave it for the weekend.  When I came yesterday they were back to 70+MB :-(. .. . .

Luckily they seem to have stabilized in size... .. .

Thanks alot for your help .. ..   I'll be awarding you the points. .. .

See you around.. .. . .