We have been noticing that when our servers reboot for maintenance we will get an alert that the MS Exchange Information Store is not starting. When we look into it further we notice these event logs:
Event Type: Error
Event Source: MSExchangeIS
Event Category: Virus Scanning
Event ID: 9565
Date: 10/4/2010
Time: 3:57:22 AM
User: N/A
Computer: EXCHANGE
Description:
Invalid virus scanner configuration. Unable to start virus scanner. Check the following parameter: Library.
We do not want to use this component. We will follow the steps to disable the registry value for the virus scanner and we will then be able to start the IS. We do not have the email scanner or exchange server components installed on these servers. However if the server reboots again the issue will come back. Is there something in KES I am missing here?
We had the same issue and after weeks with Kaseya and AVG support never got a good answer besides 'that shouldn't be happening'. We also have a script that checks against the registry key that is changed and if need be changes it back so that the IS can start. A real annoyance definitely and not a fix but we're not comfortable not having antivirus on our Exchange servers since most of our clients only have 1 server and is thus their file/print as well.
I did, but I'm getting the same event log error over and over and over and over.
So I guess this registry key gets created regardless of whether you use the KES Exchange Module or not.
I've found that installing KES in its current form on any Exchange server will install VSAPI information store virus scanning hooks...even if you specify to not install any server components...this will cause the problem you are describing...and it will also break most other Exchange AV/Spam software.
our solution is to never install KES on an exchange server as most of our exchange servers use Forefront Security for exchange....and we have had serious exchange service and forefront service stability issues on every server that has Forefront and KES installed.
it's not much of a solution...but that's all we have been able to come up with thus far.
hope this helps
This is something that has happened before (you can find information on the old Boards http://forum.kaseya.com/showthread.php?t=12070 & http://forum.kaseya.com/showthread.php?t=11881 ). I made a monitor set that looks for Event ID 9565, Immediately runs a script to set the Exchange AV Registry Key back to 0, and sends an email for people to investigate...
As for what PDSConsulting said, I'm starting to agree as we spent the time to remove AVG from all Exchange servers along w/ manually removing the Exchange Options... and reinstalling with NO exchange Option... only to see this popping up again.
Thanks for all of the advice everyone. We went ahead and created a monitor to look for the Application Event ID 8565 and a script to change the registry value and start MSExchangeIS. So far it is working perfectly. I wonder if the new KES (Kaspersky) will resolve this?
Do you mind sharing that monitor and script? We got 3 servers I have to manually reboot and watch for that registry key on Sunday mornings after patch reboot.
Script Name: Fix KES MSExchangeIS AV Issues
IF Service is Running
Parameter 1 : MSExchangeIS
Set Registry Value
Parameter 1 : HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchangeIS\VirusScan\Enabled
Parameter 2 : 0
Parameter 3 : REG_DWORD
OS Type : 0
Execute Shell Command - (Continue on Fail)
Parameter 1 : reg add "HKLM\SYSTEM\CurrentControlSet\Services\MSExchangeIS\VirusScan" /v Enabled /t REG_DWORD /d 0 /f
Parameter 2 : 1
Execute Shell Command
Parameter 1 : net start "MSExchangeIS" /Y
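A read-only check of the state this thread is arguing about, added here as an example and not part of any poster's script: it reports whether the VirusScan key exists, what Enabled is set to, whether the scanner library it points at is on disk, and how often event 9565 fired in the last week. It assumes elevated Windows PowerShell on the Exchange server and that the value named in the event text ("Library") sits directly under the VirusScan key; the function name is hypothetical.

```powershell
# Added example: report only, changes nothing on the server.
$VsapiKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\MSExchangeIS\VirusScan'

function Get-VsapiState {
    param([string]$Path = $VsapiKey)

    $state = New-Object PSObject -Property @{
        KeyPresent    = (Test-Path -Path $Path)
        Enabled       = $null
        Library       = $null
        LibraryExists = $false
        Recent9565    = 0
    }

    if ($state.KeyPresent) {
        $props = Get-ItemProperty -Path $Path
        $state.Enabled = $props.Enabled
        # Assumption: "Library" is the value the event description refers to.
        $state.Library = $props.Library
        if ($state.Library) {
            $state.LibraryExists = Test-Path -Path $state.Library -PathType Leaf
        }
    }

    # Count event 9565 from the MSExchangeIS source over the last 7 days.
    $events = Get-EventLog -LogName Application -Source 'MSExchangeIS*' `
                  -After (Get-Date).AddDays(-7) -ErrorAction SilentlyContinue |
              Where-Object { $_.EventID -eq 9565 }
    $state.Recent9565 = @($events).Count

    return $state
}

$s = Get-VsapiState
$s | Format-List KeyPresent, Enabled, Library, LibraryExists, Recent9565

# The combination behind the event quoted at the top of the thread:
# scanning enabled, but no usable scanner library registered.
if ($s.KeyPresent -and $s.Enabled -eq 1 -and -not $s.LibraryExists) {
    Write-Warning 'VirusScan is enabled but its Library is missing or unset.'
}
```

Running it before and after a reboot shows whether Enabled is being flipped back to 1, which is the behaviour the later posts describe.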
Here's the fun part, for us: I have pretty much that script already, but... the VirusScan registry setting keeps getting reset to '1'. We've run the script over and over and OVER again. Sigh...
I'm really sorry to everyone that this has happened. AVG have told me this will be fixed in v10
Currently it can be fixed by deleting (manually or with a custom agent proc) this registry key - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchangeIS\VirusScan
Thanks Jeff for the fix and being open about the issue.
Will upload the monitoring set and Remediation script to the Knowledge exchange as soon as Brendan lets me know how I can upload the files.
Bad news, deleting the key is a VERY VERY BAD idea, deleting the key went fine until the server was rebooted and then the Information Store would not mount. You either have to re-add the key to fix it or uninstall/reinstall AVG. I have noticed one download before I have removed the above posted Scripted fix and will look into a fix this week if I can.
Jeff would appreciate if you could Kick the guy from AVG and if they can come up with a better solution that actually works that would be great.
@HardKnow, did you have the Exchange module enabled in your original AVG install when you deleted the key?
Was hoping to see if anyone else has experienced issues with deleting this key? Searching the net it seems deleting the key is the proper solution for failed installs of an AV program when VS API is enabled from the previous AV install.
It's clear that AV apps that enable VS API, when uninstalled, don't disable/remove the key. Setting the key value to 0 is just temporary until next reboot as previous posts note. It would make sense that deleting the key would fix the problem as the key shouldn't exist if there isn't a VS API support AV app installed.
AVG for Microsoft Exchange must register itself with the Microsoft Exchange Information Store by creating the following registry key and it will automatically enable particular time intervals.
You can fix this issue two ways: increase the OpenRetryDelay value or disable AVG on the Exchange server.
To increase the OpenRetryDelay value:
1. Start Registry Editor (Regedt32.exe).
2. Locate the OpenRetryDelay value under the following key in the registry:
3. On the Edit menu, click DWORD, type 5000, and then click OK (This is a decimal entry).
4. Quit Registry Editor.
If the OpenRetryDelay value does not exist, create it:
2. Locate the following key in the registry:
3. On the Edit menu, click Add Value, and then add the following registry value:
Value Name: OpenRetryDelay
Data Type: REG_DWORD