Solved

Groupshield stuck in loop?

Posted on 2004-08-27
Last Modified: 2008-03-04
I seem to be having a problem with my Exchange 2000 server. It is running at 100% CPU pretty much constantly, caused by a combination of Avexch32.exe, DAO_log.exe and log_qtine.exe. On inspecting the Groupshield Event Log, it seems it is finding about 100 viruses per second(!). The logfile is getting huge (100s of Mbs). It claims that they are being quarantined, but there is no sign of them in the quarantine.

I suspect that it is the same few viruses that it is constantly re-detecting, but unable to clean/remove. The quarantine seems to be working for viruses in normal incoming mail.

I have tried restarting the Groupshield service. Is there some way of finding out where all these detections are coming from and fixing the problem?

A fast response would be appreciated, as this is causing the server to run very slowly :@

Andy
0
Question by:Cpt_Andy
22 Comments
 
LVL 15

Expert Comment

by:Yan_west
ID: 11912685
What version of GroupShield do you have? I would log on to the McAfee website to see if there are any available patches.. If you have 2 antivirus on 1 machine, this problem could happen.. I would try to disable the second one..

This could also be caused by your backup software.... In any case, updating the groupshield application would probably solve your problem..
0
 
LVL 104

Expert Comment

by:Sembee
ID: 11912701
Which version of Groupshield is it?
Anything in the queues?
If so, I would stop all Exchange services (which will take Groupshield down with it) then flush out the queues. You can then start Exchange and Groupshield once more.

It might also be scan engine version. Is it the latest? (4320)

Simon.
0
 

Author Comment

by:Cpt_Andy
ID: 11912871
Thanks for the quick responses.

First off I should have said that I have recently taken over running the server and do not have much (any) previous experience with Exchange, so step-by-step instructions would be really useful :)

Avexch32.exe has version 5.20.664.0 - is this what you want?

I have tried to install the latest SuperDat, but it says the latest version is already installed.

VirusScan Enterprise 7 is also installed on the server, but disabling this seems not to have an effect.

How do I check the queues?

Andy
0
 
LVL 15

Expert Comment

by:Yan_west
ID: 11912902
1st, you have to exclude from VirusScan:

1- All the exchsvr folder
2- All the groupshield folder

2nd, go on the McAfee website and download the latest patch for GroupShield.. the SP1..
0
 
LVL 15

Expert Comment

by:Yan_west
ID: 11912928
To download the most recent update, go to:
https://secure.nai.com/us/forms/downloads/upgrades/login.asp

and enter your grant number.. this number should be on your licensing certificate for groupshield. This will bring you to your product download page..
0
 
LVL 104

Expert Comment

by:Sembee
ID: 11912993
With regards to updating group shield, get the latest service pack for version 5.2 - don't go to 6.0 - it is problematic.

The latest version is 5.2.723. Check in Group Shield manager (Group Shield Exchange, Org Name, Server Name, right click on Config - on the version tab). GS Engine seems to be running a little behind the main VS at 4.2.60

Queues is in ESM: Admin Groups, <your admin group>, Servers etc.

Simon.
0
 
LVL 15

Expert Comment

by:Yan_west
ID: 11913011
btw Sembee, since the most recent service pack came out with GroupShield 6, I had no problem at all running it....
0
 

Author Comment

by:Cpt_Andy
ID: 11913201
OK, I have Groupshield version 5.20.689 and engine 4.3.20. I'll see if I can dig out the licence certificate and get it updated <picks up shovel>.

Thanks again for the replies.

Andy
0
 
LVL 104

Expert Comment

by:Sembee
ID: 11913268
Yan_West - NAI told me the same thing... I am not yet convinced so I have kept my clients on 5.2. It works and has kept the nasties out (along with good attachment blocking).

Cpt_Andy - when you get in to NAI, pick up VirusScan 8.0 which was released Wednesday. I have it on a test machine and it looks very interesting.

Simon.
0
 
LVL 15

Expert Comment

by:Yan_west
ID: 11913330
Yeah, it works as well as the old version, but it handles the scanning of Zip files a lot better than the older version; it even removes the content of a zipped file if it is not appropriate.. If I remember well, the old version did not do that.. not sure :)
0
 
LVL 15

Expert Comment

by:Yan_west
ID: 11913376
btw, McAfee and Microsoft do not recommend running a file AV and a Gateway AV on the same machine.. this is a known cause of many problems.. If you want to make it work, you have to exclude a lot of things from the file AV software..

I run both anyways :)
0
 

Author Comment

by:Cpt_Andy
ID: 11913418
Do you know if installing the update will require restarting the exchange server?
0
 
LVL 15

Expert Comment

by:Yan_west
ID: 11913428
It did not for me, but it did stop the Exchange / SMTP services..

I would wait personally; it's really fast anyway, so do it in non-production hours..
0
 
LVL 17

Accepted Solution

by:Microtech (earned 500 total points)
ID: 11913710
I know where this issue lies. If you go to the program file of GroupShield and then go to the qtinewrk folder, delete all out of here and hey presto, the problem is gone.
0
 
LVL 15

Expert Comment

by:Yan_west
ID: 11913732
that's the quarantine folder...  the issue is not really solved if you do that..
0
 
LVL 15

Expert Comment

by:Yan_west
ID: 11913739
part of the quarantine folder I mean, but you do have to exclude it from the other AV scanning path.
0
 
LVL 15

Expert Comment

by:Yan_west
ID: 11913748
0
 
LVL 17

Expert Comment

by:Microtech
ID: 11913756
It is the working quarantine folder.

The issue is that your virus scan (on the same machine) is scanning the queue of the Exchange server... and causing it to try to clean the virus which is being cleaned already in GroupShield... so it loops. Must exclude all Exchange folders and the M drive.

The reason it is causing such a process hog is it is logging these again and again... I have had the same prob here on 8 servers!!!!
0
 
LVL 15

Expert Comment

by:Yan_west
ID: 11913767
Yeah, I had the same problem.. that is why excluding it is the good solution...
0
 
LVL 17

Expert Comment

by:Microtech
ID: 11913787
but to get rid of the loop and process hog delete all in the qtinewrk folder
0
 
LVL 17

Expert Comment

by:Microtech
ID: 11913813
The reason we had such a prob was due to ePolicy Orchestrator changing the exclude settings all the time!!! Then we realised there was a "server" option...
0
 

Author Comment

by:Cpt_Andy
ID: 11913925
Thanks Microtech that fixed it :D

Andy
0
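
As an added example (not part of the thread and not McAfee's tooling): a Python check that the file-level scanner's exclusion list still covers the Exchange folder, the GroupShield folder and the M: drive named in the comments above, which matters when a central policy keeps rewriting the exclusions. The folder paths, the `(path, include_subfolders)` list format and the sample data are assumptions; the real list has to be copied from the scanner's configuration.

```python
from pathlib import PureWindowsPath

# Folder trees the thread says the file-level scanner must skip.
# The concrete paths are assumed placeholders; use the real install locations.
REQUIRED = [
    r"C:\Program Files\Exchsrvr",
    r"C:\Program Files\GroupShield",
    "M:\\",
]

def norm(path):
    """Windows path as lower-cased parts, so case and slash style do not matter."""
    p = PureWindowsPath(path)
    if p.drive and not p.root:            # "M:" alone is treated as the drive root
        p = PureWindowsPath(p.drive + "\\", *p.parts[1:])
    return tuple(part.lower() for part in p.parts)

def audit(required, exclusions):
    """Map each required path to 'covered', 'partial' or 'missing'.

    exclusions: (path, include_subfolders) pairs copied from the scanner settings.
    """
    report = {}
    for req in required:
        r = norm(req)
        status = "missing"
        for path, subfolders in exclusions:
            e = norm(path)
            if r[:len(e)] != e:           # whole components, not string prefixes
                continue
            if subfolders:
                status = "covered"
                break
            if e == r:
                status = "partial"        # folder listed, subfolders still scanned
        report[req] = status
    return report

# Constructed sample: an exclusion list after a policy push changed it.
SAMPLE = [
    ("c:/program files/exchsrvr/", True),   # same folder, different case and slashes
    (r"C:\Program Files\Group", True),      # string prefix only, not a parent folder
    ("M:", False),                          # drive listed without subfolders
]

if __name__ == "__main__":
    for path, status in audit(REQUIRED, SAMPLE).items():
        print(f"{status:8} {path}")
```

Any path reported as `partial` or `missing` is one the file-level scanner can still reach, which is the condition the thread identifies as the cause of the re-detection loop.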
