Solved

Groupshield stuck in loop?

Posted on 2004-08-27
Last Modified: 2008-03-04
I seem to be having a problem with my Exchange 2000 server. It is running at 100% CPU pretty much constantly, caused by a combination of Avexch32.exe, DAO_log.exe and log_qtine.exe. On inspecting the Groupshield Event Log, it seems it is finding about 100 viruses per second(!). The logfile is getting huge (100s of Mbs). It claims that they are being quarantined, but there is no sign of them in the quarantine.

I suspect that it is the same few viruses that it is constantly re-detecting, but unable to clean/remove. The quarantine seems to be working for viruses in normal incoming mail.

I have tried restarting the Groupshield service. Is there some way of finding out where all these detections are coming from and fixing the problem?

A fast response would be appreciated, as this is causing the server to run very slow :@

Andy
0
Question by:Cpt_Andy
22 Comments
 
LVL 15

Expert Comment

by:Yan_west
ID: 11912685
What version of Groupshield do you have? I would log on to the McAfee website to see if there are any available patches. If you have 2 antivirus on 1 machine, this problem could happen. I would try to disable the second one.

This could also be caused by your backup software. In any case, updating the Groupshield application would probably solve your problem.
0
 
LVL 104

Expert Comment

by:Sembee
ID: 11912701
Which version of Groupshield is it?
Anything in the queues?
If so, I would stop all Exchange services (which will take Groupshield down with it) then flush out the queues. You can then start Exchange and Groupshield once more.

It might also be scan engine version. Is it the latest? (4320)

Simon.
0
 

Author Comment

by:Cpt_Andy
ID: 11912871
Thanks for the quick responses.

First off I should have said that I have recently taken over running the server and do not have much (any) previous experience with Exchange, so step-by-step instructions would be really useful :)

Avexch32.exe has version 5.20.664.0 - is this what you want?

I have tried to install the latest SuperDat, but it says the latest version is already installed.

VirusScan Enterprise 7 is also installed on the server, but disabling this seems not to have an effect.

How do I check the queues?

Andy
0

 
LVL 15

Expert Comment

by:Yan_west
ID: 11912902
1st, you have to exclude from VirusScan:

1- All the exchsvr folder
2- All the groupshield folder

2nd, go to the McAfee website and download the latest patch for Groupshield.. the SP1..
0
 
LVL 15

Expert Comment

by:Yan_west
ID: 11912928
To download the most recent update, go to:
https://secure.nai.com/us/forms/downloads/upgrades/login.asp

and enter your grant number.. this number should be on your licensing certificate for groupshield. This will bring you to your product download page..
0
 
LVL 104

Expert Comment

by:Sembee
ID: 11912993
With regards to updating group shield, get the latest service pack for version 5.2 - don't go to 6.0 - it is problematic.

The latest version is 5.2.723. Check in Group Shield manager (Group Shield Exchange, Org Name, Server Name, right click on Config - on the version tab). GS Engine seems to be running a little behind the main VS at 4.2.60

Queues are in ESM. Admin Groups, <your admin group>, servers etc

Simon.
0
 
LVL 15

Expert Comment

by:Yan_west
ID: 11913011
btw Sembee, since the most recent service pack came out with Groupshield 6, I have had no problem at all running it.
0
 

Author Comment

by:Cpt_Andy
ID: 11913201
OK, I have Groupshield version 5.20.689 and engine 4.3.20. I'll see if I can dig out the licence certificate and get it updated <picks up shovel>.

Thanks again for the replies.

Andy
0
 
LVL 104

Expert Comment

by:Sembee
ID: 11913268
Yan_West - NAI told me the same thing... I am not yet convinced so I have kept my clients on 5.2. It works and has kept the nasties out (along with good attachment blocking).

Cpt_Andy - when you get in to NAI, pick up VirusScan 8.0 which was released Wednesday. I have it on a test machine and it looks very interesting.

Simon.
0
 
LVL 15

Expert Comment

by:Yan_west
ID: 11913330
Yeah, it works as well as the old version, but it handles the scanning of Zip files a lot better than the older version. It even removes the content of a zipped file if it is not appropriate.. if I remember well, the old version did not do that.. not sure :)
0
 
LVL 15

Expert Comment

by:Yan_west
ID: 11913376
btw, McAfee and Microsoft do not recommend running a file AV and a Gateway AV on the same machine.. this is a known cause of many problems.. if you want to make it work, you have to exclude a lot of things from the file AV software..

I run both anyways :)
0
 

Author Comment

by:Cpt_Andy
ID: 11913418
Do you know if installing the update will require restarting the exchange server?
0
 
LVL 15

Expert Comment

by:Yan_west
ID: 11913428
It did not for me, but it did stop the Exchange / SMTP services..

I would wait personally. It's really fast anyway, so do it in non-production hours..
0
 
LVL 17

Accepted Solution

by:Microtech
Microtech earned 500 total points
ID: 11913710
I know where this issue lies. If you go to the program file of Groupshield and then go to the qtinewrk folder, delete all out of here and hey presto, the problem is gone.
0
 
LVL 15

Expert Comment

by:Yan_west
ID: 11913732
that's the quarantine folder...  the issue is not really solved if you do that..
0
 
LVL 15

Expert Comment

by:Yan_west
ID: 11913739
part of the quarantine folder I mean, but you do have to exclude it from the other AV scanning path.
0
 
LVL 15

Expert Comment

by:Yan_west
ID: 11913748
0
 
LVL 17

Expert Comment

by:Microtech
ID: 11913756
It is the working quarantine folder.

The issue is that your virus scan (on the same machine) is scanning the queue of the Exchange server... and causing it to try to clean the virus which is being cleaned already in the Groupshield... so it loops. Must exclude all Exchange folders and the M drive.

The reason it is causing such a process hog is it is logging these again and again... I have had the same prob here on 8 servers!!!!
0
 
LVL 15

Expert Comment

by:Yan_west
ID: 11913767
Yeah, I had the same problem.. that is why excluding it is the good solution...
0
 
LVL 17

Expert Comment

by:Microtech
ID: 11913787
But to get rid of the loop and process hog, delete all in the qtinewrk folder.
0
 
LVL 17

Expert Comment

by:Microtech
ID: 11913813
The reason we had such a prob was due to E-policy Orchestrator changing the exclude settings all the time!!!, then we realised there was a "server" option...
0
 

Author Comment

by:Cpt_Andy
ID: 11913925
Thanks Microtech that fixed it :D

Andy
0
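
An added example, not part of the original thread: a check that the file-level scanner's exclusion list still covers the folders the answers say must be excluded, so that a central policy push that rewrites the list (the drift Microtech describes) is noticed before the scan loop returns. The full paths, the `(path, include_subfolders)` exclusion model and the sample lists are assumptions; the thread names the folders but not their locations.

```python
from pathlib import PureWindowsPath

# Assumed install locations (placeholders, adjust to the server being checked).
REQUIRED = [
    r"C:\Program Files\Exchsrvr",              # "all the exchsvr folder"
    r"C:\Program Files\GroupShield",           # "all the groupshield folder"
    r"C:\Program Files\GroupShield\qtinewrk",  # working quarantine folder
    "M:\\",                                    # "the m drive"
]

def _norm(path):
    """Parse a Windows path; comparisons are case- and separator-insensitive."""
    p = PureWindowsPath(path.strip().strip('"'))
    if p.drive and not p.root:                 # bare "m:" means the drive root
        p = PureWindowsPath(p.drive + "\\", *p.parts[1:])
    return p

def covers(exclusion, include_subfolders, target):
    """True if one exclusion entry protects the target folder."""
    ex, tg = _norm(exclusion), _norm(target)
    if ex == tg:
        return True
    return include_subfolders and ex in tg.parents

def missing_exclusions(configured, required=REQUIRED):
    """configured: list of (path, include_subfolders) read from the file AV."""
    return [r for r in required
            if not any(covers(p, sub, r) for p, sub in configured)]

# Constructed sample: exclusions before and after a policy push.
BEFORE = [
    (r"c:\program files\exchsrvr", True),
    ("C:/Program Files/GroupShield/", True),
    ("m:", True),
]
AFTER = [
    (r"C:\Program Files\Exchsrvr\Mdbdata", True),  # child only, parent exposed
    (r"C:\Program Files\GroupShield", False),      # subfolders no longer excluded
]

if __name__ == "__main__":
    for label, cfg in (("before", BEFORE), ("after", AFTER)):
        print(label, "missing:", missing_exclusions(cfg))
```

Feed it the exclusion list exported from the file-level scanner on each server and alert on any non-empty result.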
