Exchange 2007 Store.exe crashes with Event IDs 4999, 1000 and 7031

Exchange 2007 SP3 is installed on Windows 2008-R2.
Last week, after TrendMicro AV update, we have started seeing these Errors:

Source:        MSExchange Common
Event ID:      4999
Description: Watson report about to be sent to dw20.exe for process id: 5100, with parameters: E12N, c-

Source:        Application Error
Event ID:      1000
Description: Faulting application name: store.exe, version: 8.3.330.0, time stamp: 0x5208b2fb. Faulting module name: MSVCR80.dll, version: 8.0.50727.6229, time stamp: 0x4ec3407e

Log Name:      System
Source:        Service Control Manager
Event ID:      7031
Description: The Microsoft Exchange Information Store service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 120000 milliseconds: Restart the service.

We suspected that TrendMicro must have done something and found that Exclusions were gone in OfficeScan client configuration. We have restored all of them, have rebooted the server, but the problem remains.

There is a small possibility that a few mailboxes may have been migrated in around that time. Windows updates also were installed last week.

Thanks for any insight you can provide.
LVL 3
AkulshAsked:
Who is Participating?
 
Arjun VyavahareConnect With a Mentor Technical ConsultantCommented:
Hi,

If event id: 7031 is getting occurred continuously then i would recommend you to please uninstall Trend Micro antivirus and use Microsoft Security Essential Antivirus for next 2 working days and monitor exchange event logs, and if non of these events are getting generated then suggest you to open case with Trend Micro support case on this issue.

Regards,
Arjun
0
 
Gareth GudgerConnect With a Mentor Commented:
I would blame Trend on this one. Have you recreated exceptions for your Database paths, Log paths and all your Transport Queues? I usually do the whole Exchange Installation path as well.
0
 
NetoMeter ScreencastsCommented:
Instead of guessing, you can just disable temporary the TrendMicro Transport Agents.

Use get-transportagent to list the installed agents and then disable-agent <agentname> to disable the TrendMicro agents.
0
Improved Protection from Phishing Attacks

WatchGuard DNSWatch reduces malware infections by detecting and blocking malicious DNS requests, improving your ability to protect employees from phishing attacks. Learn more about our newest service included in Total Security Suite today!

 
AkulshAuthor Commented:
Diggisaur and Arjun,

Thank you both for responding. As I mentioned in the original post, I have specified Exclusions in OfficeScan. They are per documentation of Microsoft and TrendMicro. Here is the final Exlusion list (server has Client Access, Hub Transport and Mailbox roles; databases on E: and logs on F:)

C:\inetpub\logs
C:\Windows\System32\Inetsrv
C:\Windows\TEMP

C:\Exchange Server\ClientAccess
C:\Exchange Server\TransportRoles\Logs
C:\Exchange Server\TransportRoles\Pickup
C:\Exchange Server\TransportRoles\Replay
C:\Exchange Server\TransportRoles\Data
C:\Exchange Server\Working

C:\Exchange Server\Logging
C:\Exchange Server\Mailbox
E:\Exchange Server\Mailbox
F:\Exchange Server\Mailbox

C:\Program Files\Trend Micro\Smex

1. Should not these paths be enough?
2. I was thinking of stopping all OfficeScan services for a day. It should not be too risky, right?
3. On installing Microsoft Security Essential Antivirus, do we have to setup Exclusions or is it smart enough to not go where it is not supposed to?
4. How about using this MSE AV, instead of OfficeScan, on this server for good?

Thanks again.

Jay
0
 
Arjun VyavahareTechnical ConsultantCommented:
If you install Microsoft Security Essential, then you don't need to set any exclusions which you have specified.

I know that removing antivirus is risky, thatswhy recommending to install Security Essential for 2 days, if it works properly then proceed to open case with Trend Micro support.

Regards,
Arjun
0
 
Simon Butler (Sembee)Connect With a Mentor ConsultantCommented:
Last time I checked, the free Microsoft Security Essential Antivirus wouldn't install on servers.

Disabling AV products on an Exchange server doesn't always provide the right results because the links in to the product are still there. Removing the product and rebooting is required.

You may find that removing the product, rebooting then installing the latest build from Trend resolves the issue, as the update may well have simply damaged the original installation.

Simon.
0
 
AkulshAuthor Commented:
Sembee,

I also used to think that MSE AV is for workstations only. However, this MSDN link specifically says: Download Microsoft Security Essentials For Windows Server 2008 R2.

I did ask in my previous post if such MSE can be used as permanent replacement on servers for AV softwares like OfficeScan BUT no one has responded.

About your second statement -- links are there and server needs to be rebooted -- we had similar experience only today when the person in-charge just uninstalled the AV and problem continued. But then I stopped and disabled both OfficeScan services and this did the trick. We will reboot in off-hours.

Finally, about your last suggestion, I had already done this -- including pre and post reboots -- before starting this thread. It did not help one bit. The latest build of TrendMciro's OfficeScan (10.6 SP3) is the problem on this Exch 2007 server, even though this build is not all that new.

Ajay K
0
 
AkulshAuthor Commented:
Looks like no one wants to say that MSE can be used as a permanent AV solution, since its use on servers is not official.

In any case, we still have Store.exe termination instances after removing OfficeScan, though much fewer. Now I have added Exclusions of folders in MSE  -- was told that it is not necessary -- and hopefully things will improve further.

A question: I don't see any service related to MSE. Where is it? Any other way to restart this program? Thanks.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.