Forefront High CPU utilization or Quarantines with Virus name: ‘Exceeded Internet Timeout’

Today few of my colleagues started to receive emails from Exchange 2007 Server as follows:

FILE QUARANTINED

The original contents of this file have been replaced with this message because of its characteristics.
File name: ‘Body of Message’

Virus name: ‘Exceeded Internet Timeout’

Since we have an Edge Transport Server that has forefront server security installed, I tried to login to the server to check the logs. The CPU is at its peak and the server is inaccessible. After a long wait, I finally managed to get in there, but I am still unable to open Services or Event Log.

I checked the Hub Transport server and all the outbound emails are in the queue. The Edge Transport server is not processing inbound or outbound emails. I did a hard reset and still 100% CPU utilization.

When I managed to get the Services console open, I stopped the following services in this order.

  1. Microsoft Exchange Transport
  2. FSCController

Then the server started to behave normally. On the Application Event Log, the following entries appear.

  • The execution time of agent ‘FSE Routing Agent’ exceeded 300000 (milliseconds) while handling event ‘OnSubmittedMessage’. This is an unusual amount of time for an agent to process a single event. However, Transport will continue processing this message.
  • Transport scan exceeded the allowed scan time limit.
  • At least one of the engines that is in use is slated to be discontinued. You need to take immediate action to prevent a reduction in malware/spam protection. Details can be found at: http://go.microsoft.com/fwlink/?LinkId=165685.

After a few minutes of search on Bing (http://technet.microsoft.com/en-us/forefront/serversecurity/dd940095.aspx), I found out that Microsoft is revising its engine mix on Dec. 1, 2009 for the Forefront and Antigen products.

The AhnLab, CA and Sophos engines will be retired on Dec. 1, 2009.  As of this date, customers will not receive any updates for these retired engines. Any customers running the AhnLab, CA or Sophos engines must DISABLE these engines before Dec. 1, 2009 and select from the new set of five engines – Authentium, Kaspersky, Microsoft, Norman and VirusBuster.

So I had to disable the Forefront Security for Exchange Server.

From a command prompt, navigate to the Forefront Security for Exchange Server installation directory (C:\Program Files (x86)\Microsoft Forefront Security\Exchange Server). Disable Forefront Security dependencies by typing:

FSCUtility /disable

To confirm that the Forefront Security dependencies have been removed, type:

FSCUtility /status

Restart the Exchange services (Microsoft Exchange Transport). Now the emails should go without being scanned.

Do the changes to the engines in Forefront Administrator console. Make sure you do it to the Transport Scan Job as well as Default.

If you think that the scan engines are corrupted, you can delete the folders at “C:\Program Files (x86)\Microsoft Forefront Security\Exchange Server\Data\Engines\x86″ So the next time the Forefront updates according to the schedule, it will get the latest engine and recreate the folders.

After you disable the retired engines in the console, you can enable the Forefront for exchange again.

FSCUtility /enable

Hopefully, the CPU utilization will be normal and the emails are checked for viruses.

Advertisements

4 thoughts on “Forefront High CPU utilization or Quarantines with Virus name: ‘Exceeded Internet Timeout’

  1. Pingback: Virus Support

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s