Microsoft released an emergency fix for a year-2022 bug that disrupted email delivery on on-premises Microsoft Exchange servers.

When the year 2022 came and the clock struck midnight, Exchange administrators around the world found that their servers were no longer delivering emails. Upon investigation, they found that emails were stuck in the queue and the Windows event log showed one of the following errors.

Log Name: Application
Source: FIPFS
Logged: 1/1/2022 1:03:42 AM
Event ID: 5300
Level: Error
Computer: server1.contoso.com
Description: The FIP-FS "Microsoft" Scan Engine failed to load. PID: 23092, Error Code: 0x80004005. Error Description: Can't convert "2201010001" to long.

Log Name: Application
Source: FIPFS
Logged: 1/1/2022 11:47:16 AM
Event ID: 1106
Level: Error
Computer: server1.contoso.com
Description: The FIP-FS Scan Process failed initialization. Error: 0x80004005. Error Details: Unspecified error.

These errors are caused by Microsoft Exchange checking the version of the FIP-FS antivirus scan engine and trying to store the date in a signed int32 variable.

However, a signed int32 variable can only store a maximum value of 2,147,483,647, which is less than the new date value 2,201,010,001 for January 1, 2022 at midnight.

Therefore, when Microsoft Exchange tries to check the AV scan engine version, the conversion fails and the malware engine crashes.

“The version check carried out against the signature file causes the malware engine to crash, which means that messages get stuck in transport queues,” explains Microsoft in a blog post.

Microsoft publishes a temporary fix

Microsoft has released a temporary fix that requires customer action while they are working on an update that will fix the problem automatically.

This fix comes in the form of a PowerShell script called ‘Reset-ScanEngineVersion.ps1’. When executed, the script will stop the Microsoft Filtering Management and Microsoft Exchange Transport services, delete older AV engine files, download the new AV engine, and restart the services.

To use the automated script to apply the fix, do the following on each on-premises Microsoft Exchange server in your organization:

  1. Download the Reset-ScanEngineVersion.ps1 script from https://aka.ms/ResetScanEngineVersion.
  2. Open an elevated Exchange Management Shell.
  3. Change the execution policy for PowerShell scripts by running Set-ExecutionPolicy -ExecutionPolicy RemoteSigned.
  4. Run the script.
  5. If you previously disabled the scan engine, enable it again using the Enable-AntimalwareScanning.ps1 script.

Microsoft warns that this process can take some time, depending on the size of the company.

Microsoft has also provided steps administrators can use to manually update the scan engine.

After running the script, Microsoft says that email delivery will start again, but it may take some time depending on the amount of emails that have gotten stuck in the queue.

Microsoft also states that the new AV scan engine will have the version number 2112330001, which points to a date that does not exist, and that administrators shouldn’t be concerned about this.

“The newly updated scan engine is fully supported by Microsoft. Although we have long-term work on this sequence, the version of the scan engine has not been rolled back, but moved to this new sequence,” said Microsoft.

“The scan engine continues to receive updates in this new order.”
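
The failed conversion described above, and the reason the replacement version number 2112330001 still loads, can be reproduced with a range-checked parse. This is an added example, not Microsoft's code; the function names are hypothetical and the two version strings are the ones quoted in this article.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical helper (not Exchange code): parse a YYMMDDNNNN version
 * string into a signed 32-bit integer. Returns 0 on success, -1 if the
 * text is not a clean decimal number or does not fit in int32. */
int parse_version_i32(const char *s, int32_t *out)
{
    char *end;
    errno = 0;
    long long v = strtoll(s, &end, 10);
    if (errno != 0 || end == s || *end != '\0')
        return -1;                  /* empty, trailing junk, or overflow */
    if (v < INT32_MIN || v > INT32_MAX)
        return -1;                  /* above 2147483647: the 2022 failure */
    *out = (int32_t)v;
    return 0;
}

/* The same parse with a 64-bit target: any 10-digit version fits. */
int parse_version_i64(const char *s, int64_t *out)
{
    char *end;
    errno = 0;
    long long v = strtoll(s, &end, 10);
    if (errno != 0 || end == s || *end != '\0')
        return -1;
    *out = (int64_t)v;
    return 0;
}

int main(void)
{
    /* Version strings quoted in the article: the one from the event log
     * and the one used by the replacement scan engine. */
    const char *versions[] = { "2201010001", "2112330001" };
    for (size_t i = 0; i < 2; i++) {
        int32_t v32;
        int64_t v64;
        int r32 = parse_version_i32(versions[i], &v32);
        int r64 = parse_version_i64(versions[i], &v64);
        printf("%s: int32 %s, int64 %s\n", versions[i],
               r32 == 0 ? "ok" : "FAILS", r64 == 0 ? "ok" : "FAILS");
    }
    return 0;
}
```

The 211233 prefix keeps the value below 2,147,483,647, so it loads in a 32-bit field while still sorting above every version issued in 2021.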
