  • Status: Solved

Groupshield stuck in loop?

I seem to be having a problem with my Exchange 2000 server. It is running at 100% CPU pretty much constantly, caused by a combination of Avexch32.exe, DAO_log.exe and log_qtine.exe. On inspecting the Groupshield Event Log, it seems it is finding about 100 viruses per second(!). The logfile is getting huge (100s of Mbs). It claims that they are being quarantined, but there is no sign of them in the quarantine.

I suspect that it is the same few viruses that it is constantly re-detecting, but unable to clean/remove. The quarantine seems to be working for viruses in normal incoming mail.

I have tried restarting the Groupshield service. Is there some way of finding out where all these detections are coming from and fixing the problem?

A fast response would be appreciated, as this is causing the server to run very slow :@

Andy
Asked by: Cpt_Andy

Yan_west Commented:
What version of GroupShield do you have? I would log on to the McAfee website to see if there are any available patches.. if you have 2 antivirus on 1 machine, this problem could happen.. I would try to disable the second one..

This could also be caused by your backup software.... In any case, updating the groupshield application would probably solve your problem..

Sembee Commented:
Which version of Groupshield is it?
Anything in the queues?
If so, I would stop all Exchange services (which will take Groupshield down with it) then flush out the queues. You can then start Exchange and Groupshield once more.

It might also be scan engine version. Is it the latest? (4320)

Simon.

Cpt_Andy (Author) Commented:
Thanks for the quick responses.

First off I should have said that I have recently taken over running the server and do not have much (any) previous experience with Exchange, so step-by-step instructions would be really useful :)

Avexch32.exe has version 5.20.664.0 - is this what you want?

I have tried to install the latest SuperDat, but it says the latest version is already installed.

VirusScan Enterprise 7 is also installed on the server, but disabling this seems not to have an effect.

How do I check the queues?

Andy

Yan_west Commented:
1st, you have to exclude from VirusScan:

1- All the exchsvr folder
2- All the groupshield folder

2nd, go on the McAfee website and download the latest patch for GroupShield.. the SP1..

Yan_west Commented:
To download the most recent update, go to:
https://secure.nai.com/us/forms/downloads/upgrades/login.asp

and enter your grant number.. this number should be on your licensing certificate for groupshield. This will bring you to your product download page..

Sembee Commented:
With regards to updating group shield, get the latest service pack for version 5.2 - don't go to 6.0 - it is problematic.

The latest version is 5.2.723. Check in Group Shield manager (Group Shield Exchange, Org Name, Server Name, right click on Config - on the version tab). GS Engine seems to be running a little behind the main VS at 4.2.60

Queues is ESM. Admin Groups, <your admin group>, servers etc

Simon.

Yan_west Commented:
btw Sembee, since the most recent service pack came out with GroupShield 6, I have had no problem at all running it....

Cpt_Andy (Author) Commented:
OK, I have Groupshield version 5.20.689 and engine 4.3.20. I'll see if I can dig out the licence certificate and get it updated <picks up shovel>.

Thanks again for the replies.

Andy

Sembee Commented:
Yan_West - NAI told me the same thing... I am not yet convinced so I have kept my clients on 5.2. It works and has kept the nasties out (along with good attachment blocking).

Cpt_Andy - when you get in to NAI, pick up VirusScan 8.0 which was released Wednesday. I have it on a test machine and it looks very interesting.

Simon.

Yan_west Commented:
Yeah, it works as well as the old version, but it handles the scanning of Zip files a lot better than the older version, it even removes the content of a zipped file if it is not appropriate.. if I remember well, the old version did not do that.. not sure :)

Yan_west Commented:
btw, McAfee and Microsoft do not recommend running a file AV and a Gateway AV on the same machine.. this is a known cause of many problems.. if you want to make it work, you have to exclude a lot of things from the file AV software..

I run both anyways :)

Cpt_Andy (Author) Commented:
Do you know if installing the update will require restarting the exchange server?

Yan_west Commented:
It did not for me, but it did stop the Exchange / SMTP services..

I would wait personally, it's really fast anyway, so do it on non-production hours..

Microtech Commented:
I know where this issue lies. If you go to the program file of GroupShield and then go to the qtinewrk folder, delete all out of here and hey presto, the problem is gone.

Yan_west Commented:
that's the quarantine folder...  the issue is not really solved if you do that..

Yan_west Commented:
part of the quarantine folder I mean, but you do have to exclude it from the other AV scanning path.

Microtech Commented:
It is the working quarantine folder.

The issue is that your virus scan (on the same machine) is scanning the queue of the Exchange server... and causing it to try to clean the virus which is being cleaned already in the GroupShield... so it loops. Must exclude all Exchange folders and the M drive.

The reason it is causing such a process hog is it is logging these again and again... I have had the same prob here on 8 servers!!!!

Yan_west Commented:
Yeah, I had the same problem.. that is why excluding it is the good solution...

Microtech Commented:
but to get rid of the loop and process hog delete all in the qtinewrk folder

Microtech Commented:
The reason we had such a prob was due to E-policy orchestrator changing the exclude settings all the time!!!, then we realised there was a "server" option...

Cpt_Andy (Author) Commented:
Thanks Microtech that fixed it :D

Andy
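
Added example, not part of the original thread: a check that the file-level scanner's exclusion list still covers the Exchange folders, the GroupShield folder with its qtinewrk working quarantine, and the M: drive, which is the fix the thread settles on and the setting a management policy kept overwriting. The folder paths and both exclusion lists are constructed for illustration; how the list is read from the scanner is left out.

```python
from pathlib import PureWindowsPath

# Folders the file-level scanner must leave alone. The concrete paths are
# constructed for this example; substitute the server's real locations.
REQUIRED = [
    r"C:\Program Files\Exchsrvr",              # Exchange folders
    r"C:\Program Files\GroupShield",           # GroupShield folder
    r"C:\Program Files\GroupShield\qtinewrk",  # working quarantine folder
    "M:\\",                                    # the M: drive
]

def is_covered(path, exclusions):
    """True if path equals, or lies beneath, an excluded folder."""
    target = PureWindowsPath(path)
    for entry in exclusions:
        excluded = PureWindowsPath(entry)
        # PureWindowsPath compares case-insensitively and ignores a trailing
        # backslash; matching whole components keeps "GroupShield" from
        # covering a sibling such as "GroupShieldOld".
        if target == excluded or excluded in target.parents:
            return True
    return False

def missing_exclusions(required, exclusions):
    """Required folders that the exclusion list does not cover."""
    return [p for p in required if not is_covered(p, exclusions)]

# Constructed exclusion lists: one set by hand on the server, and one left
# behind after a management policy overwrote it.
SET_BY_HAND = ["c:\\program files\\exchsrvr\\", r"C:\Program Files\GroupShield", "M:\\"]
AFTER_POLICY_PUSH = [r"C:\Program Files\Exchsrvr"]

if __name__ == "__main__":
    for name, excl in (("set by hand", SET_BY_HAND),
                       ("after policy push", AFTER_POLICY_PUSH)):
        gaps = missing_exclusions(REQUIRED, excl)
        print(f"{name}: {'OK' if not gaps else 'NOT EXCLUDED: ' + ', '.join(gaps)}")
```

Run on a schedule against the scanner's current exclusion list, a non-empty result flags the drift before the two scanners start fighting over the same files again.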