On 2022/1/1, the following post was published on the MS Exchange Team Blog.

Email Stuck in Transport Queues - Microsoft Tech Community

 

We are aware of and working on an issue causing messages to be stuck in transport queues on Exchange Server 2016 and Exchange Server 2019. The problem relates to a date check failure with the change of the new year and it is not a failure of the AV engine itself. This is not an issue with malware scanning or the malware engine, and it is not a security-related issue. The version checking performed against the signature file is causing the malware engine to crash, resulting in messages being stuck in transport queues.
We are actively working on resolving this issue and expect to release details on how to resolve this issue later today. In the meantime, if your organization performs malware scanning of messages outside of your on-premises Exchange servers (for example, by routing mail through Exchange Online, or by using a third-party message hygiene solution), you can bypass or disable malware scanning on your Exchange servers and clear your transport queues. You should use one of these workarounds only if you have an existing malware scanner for email other than the engine in Exchange Server. See the following articles for details on how to disable or bypass malware scanning:
Our engineers were working around the clock on a fix that would eliminate the need for customer action, but we determined that any change that did not involve customer action would require several days to develop and deploy. We are working on another update which is in final test validation. The update requires customer action, but it will provide the quickest time to resolution.
We expect to have this update to you shortly along with the actions required by you. We are sorry for any inconvenience that this issue has caused.

In summary, the Malware Agent in Exchange Server 2016/2019 has a problem recognizing 2022 dates, so messages may fail to be sent. Because producing a hotfix may take time, the current guidance is to disable the Malware Agent.

 

In an Exchange Server 2019 test environment, mail sent after January 1, 2022 was confirmed to keep accumulating in the Submission queue.

The following errors also appear repeatedly in the event log.

Event ID 5300 FIPFS
The FIP-FS "Microsoft" Scan Engine failed to load. PID: 14524, Error Code: 0x80004005. Error Description: Can't convert "2201010009" to long.

 

Event ID 1106 FIPFS
The FIP-FS Scan Process failed initialization. Error: 0x80004005. Error Details: Unspecified error

 

Event ID 5800 MSExchange Antimalware
The anti-malware agent could not submit a message to the hygiene management service. MessageId: <45d738f5-8b83-475c-a91f-6b9a27c5dc90@EX19MBX2.contoso.kr> Message sent: 1/1/2022 8:13:33 PM From: <> Size: 41272 Bytes Error: Microsoft.Filtering.ServiceUnavailableException: The connection to the filtering service has been broken ---> System.Runtime.InteropServices.COMException: The RPC server is unavailable. (Exception from HRESULT: 0x800706BA)
   at Microsoft.Filtering.Interop.WorkSubmissionManagerClass.Scan(WSM_Request& request)
   at Microsoft.Filtering.SafeWorkSubmissionManager.Scan(WSM_Request request)
   at Microsoft.Filtering.FilteringService.SafeWorkSubmissionManagerExceptionProxy.Scan(WSM_Request request)
   --- End of inner exception stack trace ---
   at Microsoft.Filtering.InteropUtils.ThrowComExceptionAsFilteringException(COMException ce)
   at Microsoft.Filtering.FilteringService.SafeWorkSubmissionManagerExceptionProxy.Scan(WSM_Request request)
   at Microsoft.Filtering.FilteringService.BeginScan(FilteringRequest request, FilteringAsyncResult far)
   at Microsoft.Filtering.FilteringService.BeginScan(FilteringRequest request, AsyncCallback callback, Object state)
   at Microsoft.Exchange.Transport.Agent.Malware.MalwareAgent.OnSubmittedMessageHandler(SubmittedMessageEventSource source, QueuedMessageEventArgs args)

 

Event ID 5801 MSExchange Antimalware
The anti-malware agent encountered an error while scanning. MessageId: <e849ba1c2eed4edbb3cdf356c678f8ff@contoso.kr> Message sent: 1/2/2022 12:45:03 AM From: onprem-1@contoso.kr Size: 7630 Bytes Error: Microsoft.Filtering.ScanAbortedException: Exception of type 'Microsoft.Filtering.ScanAbortedException' was thrown.
   at Microsoft.Filtering.InteropUtils.ThrowPostScanErrorAsFilteringException(WSM_ReturnCode code, String message)
   at Microsoft.Filtering.FilteringService.EndScan(IAsyncResult ar)
   at Microsoft.Exchange.Transport.Agent.Malware.MalwareAgent.OnScanCompleted(IAsyncResult ar)

 

Event ID 3813 MSExchange Antimalware
An anti-malware scan did not complete within the timeout threshold. MessageId: <a42583a9-0caa-4898-ba65-0d4dcc4dc8c7@EX19MBX2.contoso.kr> Message sent: 1/1/2022 11:21:10 PM From: <> Size: 28906 Times deferred 0

 

Resolution

On the evening of January 2, Microsoft provided an official script file; use it to update the Malware Agent.

# Allow script execution
Set-ExecutionPolicy -ExecutionPolicy RemoteSigned
# Change to the Exchange scripts directory
cd "C:\Program Files\Microsoft\Exchange Server\V15\Scripts"
# Add the snap-in used to check the engine update
Add-PSSnapin Microsoft.Forefront.Filtering.Management.Powershell
# Check the update information
Get-EngineUpdateInformation
# Reset the scan engine
.\Reset-ScanEngineVersion.ps1
# Check the update information again
Get-EngineUpdateInformation

Verify that UpdateVersion is 211233000X (as of January 2).

The messages are confirmed to have been cleared from the queue.
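Why the engine rejects "2201010009" while a 211233000X version loads again, as an added PowerShell example (not part of the original post or Microsoft's script). It assumes the "long" named in the Event ID 5300 text is a signed 32-bit integer; the function names are hypothetical, and the sample messages are the FIPFS event texts quoted above.

```powershell
# Added example, not from the original post or Microsoft's script.
# Assumption: the "long" named in Event ID 5300 is a signed 32-bit integer.

function Test-FipFsVersionFits {
    # True when a numeric version string fits in a signed 32-bit integer.
    param([Parameter(Mandatory)][string]$Version)
    [long]$value = 0   # parse as 64-bit so the range check cannot overflow
    if (-not [long]::TryParse($Version, [ref]$value)) {
        throw "Not a numeric version string: $Version"
    }
    return ($value -ge [int]::MinValue -and $value -le [int]::MaxValue)
}

function Get-FipFsConversionFailure {
    # Pull the rejected version out of FIPFS 5300 message text.
    param([Parameter(Mandatory)][string[]]$Message)
    foreach ($m in $Message) {
        if ($m -match 'Can''t convert "(?<ver>\d+)" to long') {
            $ver = $Matches['ver']
            [pscustomobject]@{
                Version     = $ver
                FitsInInt32 = Test-FipFsVersionFits -Version $ver
                Int32Max    = [int]::MaxValue
            }
        }
    }
}

# Sample input: the 5300 and 1106 message texts quoted on this page.
$sample = @(
    'The FIP-FS "Microsoft" Scan Engine failed to load. PID: 14524, Error Code: 0x80004005. Error Description: Can''t convert "2201010009" to long.',
    'The FIP-FS Scan Process failed initialization. Error: 0x80004005. Error Details: Unspecified error'
)
Get-FipFsConversionFailure -Message $sample | Format-List

# Every value of the form 211233000X (X = 0..9) stays inside the 32-bit
# range, which is why the reset version can be loaded by the engine.
$allFit = -not ((0..9 | ForEach-Object {
    Test-FipFsVersionFits -Version "211233000$_"
}) -contains $false)
"All 211233000X values fit in Int32: $allFit"
```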

 

 

The content below is a workaround written before the official Microsoft script was provided.

If the update takes too long, apply the commands below first (Malware Agent bypass setting).

 

After running the commands below, restart the Microsoft Exchange Transport service on the server.

# Set the Malware Agent to bypass filtering
Get-MalwareFilteringServer | Set-MalwareFilteringServer -BypassFiltering $true
# Verify the setting
Get-MalwareFilteringServer

 
