Kaseya Community

AVG enabling MSExchangeIS Virus scanner?

This question is answered

We have been noticing that when our servers reboot for maintenance we will get an alert that the MS Exchange Information Store is not starting.  When we look into it further we notice these event logs:

Event Type: Error
Event Source: MSExchangeIS
Event Category: Virus Scanning
Event ID: 9565
Date:  10/4/2010
Time:  3:57:22 AM
User:  N/A
Computer: EXCHANGE
Description:
Invalid virus scanner configuration. Unable to start virus scanner.
Check the following parameter: Library.

We do not want to use this component.  We will follow the steps to disable the registry value for the virus scanner and we will then be able to start the IS.  We do not have the email scanner or exchange server components installed on these servers.  However if the server reboots again the issue will come back.  Is there something in KES I am missing here? 

All Replies
  • I've found that installing KES in its current form on any exchange server will install VSAPI information store virus scanning hooks...even if you specify to not install any server components...this will cause the problem you are describing...and it will also break most other Exchange AV/Spam software.

    our solution is to never install KES on an exchange server as most of our exchange servers use Forefront Security for exchange....and we have had serious exchange service and forefront service stability issues on every server that has Forefront and KES installed.

    it's not much of a solution...but that's all we have been able to come up with thus far.

    hope this helps

  • This is something that has happened before (you can find information on the old Boards http://forum.kaseya.com/showthread.php?t=12070 & http://forum.kaseya.com/showthread.php?t=11881 ). I made a monitor set that looks for Event ID 9565, Immediately runs a script to set the Exchange AV Registry Key back to 0, and sends an email for people to investigate...

    As for what PDSConsulting said, I'm starting to agree as we spent the time to remove AVG from all Exchange servers along w/ manually removing the Exchange Options... and reinstalling with NO exchange Option... only to see this popping up again.

  • We had the same issue and after weeks with Kaseya and AVG support never got a good answer besides 'that shouldn't be happening'. We also have a script that checks against the registry key that is changed and if need be changes it back so that the IS can start. A real annoyance definitely and not a fix but we're not comfortable not having antivirus on our exchange servers since most of our clients only have 1 server and it is thus their file/print as well.

  • Thanks for all of the advice everyone.  We went ahead and created a monitor to look for the Application Event ID 8565 and a script to change the registry value and start MSExchangeIS.  So far it is working perfectly.  I wonder if the new KES (Kaspersky) will resolve this?



    [edited by: qjimenez at 7:15 AM (GMT -7) on 10-7-2010] sp
  • Do you mind sharing that monitor and script?  We got 3 servers I have to manually reboot and watch for that registry key on Sunday mornings after patch reboot.

  • Script Name: Fix KES MSExchangeIS AV Issues

    Script Description:

    IF Service is Running
      Parameter 1 : MSExchangeIS
    THEN
    ELSE
      Set Registry Value
        Parameter 1 : HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchangeIS\VirusScan\Enabled
        Parameter 2 : 0
        Parameter 3 : REG_DWORD
            OS Type : 0
      Execute Shell Command - (Continue on Fail)
        Parameter 1 : reg add "HKLM\SYSTEM\CurrentControlSet\Services\MSExchangeIS\VirusScan" /v Enabled /t REG_DWORD /d 0 /f
        Parameter 2 : 1
            OS Type : 0
      Execute Shell Command
        Parameter 1 : reg add "HKLM\SYSTEM\CurrentControlSet\Services\MSExchangeIS\VirusScan" /v Enabled /t REG_DWORD /d 0 /f
        Parameter 2 : 0
            OS Type : 0
      Execute Shell Command
        Parameter 1 : net start "MSExchangeIS" /Y
        Parameter 2 : 0
            OS Type : 0
      Execute Shell Command
        Parameter 1 : net start "MSExchangeIS" /Y
        Parameter 2 : 1
            OS Type : 0
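
The same remediation as a guarded PowerShell check, added here as an example and not taken from the thread or from Kaseya/AVG. It only sets Enabled to 0 when the scanner library named in the Event ID 9565 text is not usable, so a server with a working Exchange scanner is left alone. The function names are hypothetical, and the meaning of the `Library` value is an assumption based on the event text.

```powershell
# Added example, not from the thread. Function names are hypothetical. Needs PowerShell 3.0+.
$VsKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\MSExchangeIS\VirusScan'

function Get-VsapiState {
    # Report the VirusScan settings relevant to Event ID 9565.
    if (-not (Test-Path -Path $VsKey)) {
        return [pscustomobject]@{ KeyPresent = $false; Enabled = $null; Library = ''; LibraryOnDisk = $false }
    }
    $p = Get-ItemProperty -Path $VsKey
    # Assumption: the 'Library' value named in the event text holds the scanner DLL path.
    $lib = [Environment]::ExpandEnvironmentVariables([string]$p.Library).Trim('"')
    [pscustomobject]@{
        KeyPresent    = $true
        Enabled       = $p.Enabled
        Library       = $lib
        LibraryOnDisk = [bool]($lib -and (Test-Path -LiteralPath $lib -PathType Leaf))
    }
}

function Repair-VsapiState {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    $before = Get-VsapiState
    $svc    = Get-Service -Name MSExchangeIS
    $acted  = $false
    # Act only on the state described in the thread: scanning enabled, no usable
    # scanner library, Information Store not running.
    $broken = $before.KeyPresent -and $before.Enabled -eq 1 -and
              -not $before.LibraryOnDisk -and $svc.Status -ne 'Running'
    if ($broken -and $PSCmdlet.ShouldProcess($VsKey, 'Set Enabled=0, start MSExchangeIS')) {
        # Keep a copy of the key so the change can be reverted.
        $backup = Join-Path $env:TEMP ('VirusScan-{0:yyyyMMddHHmmss}.reg' -f (Get-Date))
        & reg.exe export ($VsKey -replace '^HKLM:', 'HKLM') $backup | Out-Null
        # The key is only changed, never deleted.
        Set-ItemProperty -Path $VsKey -Name Enabled -Value 0 -Type DWord
        Start-Service -Name MSExchangeIS
        $acted = $true
    }
    [pscustomobject]@{ Before = $before; After = Get-VsapiState; Acted = $acted }
}

Repair-VsapiState -WhatIf   # dry run; drop -WhatIf to apply
```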

  • Here's the fun part, for us: I have pretty much that script already, but... the VirusScan registry setting keeps getting reset to '1'. We've run the script over and over and OVER again. Sigh...

  • I'm really sorry to everyone that this has happened.  AVG have told me this will be fixed in v10

    Currently it can be fixed by deleting (manually or with a custom agent proc) this registry key - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchangeIS\VirusScan

  • Thanks Jeff for the fix and being open about the issue.

    Will upload the monitoring set and Remediation script to the Knowledge exchange as soon as Brendan lets me know how I can upload the files.

  • community.kaseya.com/.../3146.aspx

  • Hi Guys;

    Bad news, deleting the key is a VERY VERY BAD idea. Deleting the key went fine until the server was rebooted, and then the Information Store would not mount. You either have to re-add the key to fix it or uninstall/reinstall AVG. I noticed one download before I removed the above posted Scripted fix and will look into a fix this week if I can.

    Jeff would appreciate if you could Kick the guy from AVG and if they can come up with a better solution that actually works that would be great.

  • @HardKnow, did you have the Exchange module enabled in your original AVG install when you deleted the key?



    [edited by: skaufmann at 9:40 AM (GMT -8) on 12-9-2010] clarified question
  • BUMP

    Was hoping to see if anyone else has experienced issues with deleting this key? Searching the net it seems deleting the key is the proper solution for failed installs of an AV program when VS API is enabled from the previous AV install.

    It's clear that AV apps that enable VS API, when uninstalled, don't disable/remove the key. Setting the key value to 0 is just temporary until next reboot as previous posts note. It would make sense that deleting the key would fix the problem as the key shouldn't exist if there isn't a VS API support AV app installed.

  • I did, but I'm getting the same event log error over and over and over and over.

    So I guess this Registry key gets created regardless of whether you use the KES Exchange Module or not.

  • Hi All,

    AVG for Microsoft Exchange must register itself with the Microsoft Exchange Information Store by creating the following registry key and it will automatically enable particular time intervals.

    You can fix this issue two ways: increase the OpenRetryDelay value or disable AVG on the Exchange server.

     To increase the OpenRetryDelay value:

    1. Start Registry Editor (Regedt32.exe).

    2. Locate the OpenRetryDelay value under the following key in the registry:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchangeIS\VirusScan

    3. On the Edit menu, click DWORD, type 5000, and then click OK (This is a decimal entry).

    4. Quit Registry Editor.

    *5000 =5GB

    If the OpenRetryDelay value does not exist, create it:

    1. Start Registry Editor (Regedt32.exe).

    2. Locate the following key in the registry:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchangeIS\VirusScan

    3. On the Edit menu, click Add Value, and then add the following registry value:

    Value Name: OpenRetryDelay

    Data Type: REG_DWORD

    Radix: Decimal

    Value: 5000

    4. Quit Registry Editor.

    Thanks