Emails crashing virus engines [message #148397]
Tue, 07 July 2020 11:54
opcodekerio
Messages: 15 Registered: February 2020
Hi
I have two customers where normal incoming mails are crashing the virus engines.
Build is: 21.6 20200204
Patches 1-4 are installed
It seems that this happens more often with this sender (about 1-2 times a month).
Most of the time the e-mails can be delivered after being processed again.
The not correctly processed e-mails come from a relatively large mail hoster, so we exclude an error on the sender side.
The EML files are readable without problems in Outlook.
Now comes the bang: somehow the emails from these senders manage to crash the GFI scan engine.
Does anybody have the same problem?
br, opcodekerio
Re: Emails crashing virus engines [message #148412 is a reply to message #148398]
Fri, 10 July 2020 08:58
opcodekerio
Messages: 15 Registered: February 2020
Hi Ian,
unbelievable, here are the two server configurations.
Server 1
What is the OS? 2008R2 server
Is MailEssentials installed in SMTP or Exchange mode? SMTP
What AVs are enabled/licensed? all
What error do you see in the eventlog?
The emails end up in the Quarantine as failed to process? failed
Are desktop AVs excluded from scanning GFI folders? No other AV installed
Server 2
OS: Win SBS 2011 Std., i.e. Win 2008 R2
Mode: Exchange
GFI AV: Licensed: Avira, BitDefender, Kaspersky, Cyren, Sophos. Enabled: Avira and BitDefender
Error log: As in the previous e-mail, no others relating to GFI
E-mails end up under FailedMails in the GFI directory
Re: Emails crashing virus engines [message #148413 is a reply to message #148398]
Fri, 10 July 2020 09:06
opcodekerio
Messages: 15 Registered: February 2020
And some information about the mails:
Name der fehlerhaften Anwendung: GFIScanM.exe, Version: 21.6.11004.18, Zeitstempel: 0x5e391946
Name des fehlerhaften Moduls: unknown, Version: 0.0.0.0, Zeitstempel: 0x00000000
Ausnahmecode: 0xc0000005
Fehleroffset: 0x2474c73b
ID des fehlerhaften Prozesses: 0x1ad4
Startzeit der fehlerhaften Anwendung: 0x01d653fa109b7070
Pfad der fehlerhaften Anwendung: C:\Program Files (x86)\GFI\MailEssentials\EmailSecurity\GFIScanM.exe
Pfad des fehlerhaften Moduls: unknown
Berichtskennung: 8a8ad5c6-c044-11ea-960d-000c2932c7bf
And
Name der fehlerhaften Anwendung: GFIScanM.exe, Version: 21.6.11004.18, Zeitstempel: 0x5e391946
Name des fehlerhaften Moduls: unknown, Version: 0.0.0.0, Zeitstempel: 0x00000000
Ausnahmecode: 0xc0000005
Fehleroffset: 0xe874b701
ID des fehlerhaften Prozesses: 0x14f4
Startzeit der fehlerhaften Anwendung: 0x01d654516a002a41
Pfad der fehlerhaften Anwendung: C:\Program Files (x86)\GFI\MailEssentials\EmailSecurity\GFIScanM.exe
Pfad des fehlerhaften Moduls: unknown
Berichtskennung: baaa2246-c044-11ea-960d-000c2932c7bf
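
Added example, not part of the posts in this thread: a small Python triage helper that parses the German "Application Error" text quoted above, names the exception code, and decodes the start-time field as a Windows FILETIME. The sample is a trimmed copy of the two records posted above; the function and key names are chosen for this example.

```python
from datetime import datetime, timedelta, timezone

# German labels of the Windows "Application Error" event text quoted in the thread.
FIELDS = {
    "Name der fehlerhaften Anwendung": "application",
    "Name des fehlerhaften Moduls": "module",
    "Ausnahmecode": "exception_code",
    "Fehleroffset": "fault_offset",
    "Startzeit der fehlerhaften Anwendung": "start_time",
}
NTSTATUS = {0xC0000005: "STATUS_ACCESS_VIOLATION"}  # documented NTSTATUS value

# Trimmed copies of the two records posted above (path and report ID omitted).
SAMPLE = """\
Name der fehlerhaften Anwendung: GFIScanM.exe, Version: 21.6.11004.18, Zeitstempel: 0x5e391946
Name des fehlerhaften Moduls: unknown, Version: 0.0.0.0, Zeitstempel: 0x00000000
Ausnahmecode: 0xc0000005
Fehleroffset: 0x2474c73b
Startzeit der fehlerhaften Anwendung: 0x01d653fa109b7070

Name der fehlerhaften Anwendung: GFIScanM.exe, Version: 21.6.11004.18, Zeitstempel: 0x5e391946
Name des fehlerhaften Moduls: unknown, Version: 0.0.0.0, Zeitstempel: 0x00000000
Ausnahmecode: 0xc0000005
Fehleroffset: 0xe874b701
Startzeit der fehlerhaften Anwendung: 0x01d654516a002a41
"""

def filetime_to_utc(ticks):
    """FILETIME counts 100 ns ticks since 1601-01-01 00:00 UTC."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ticks // 10)

def parse_crash(block):
    rec = {}
    for line in block.splitlines():
        label, _, rest = line.partition(":")
        key = FIELDS.get(label.strip())
        if key:
            rec[key] = rest.split(",")[0].strip()  # drop ", Version: ..." tail
    missing = set(FIELDS.values()) - rec.keys()
    if missing:
        raise ValueError(f"incomplete crash record, missing {sorted(missing)}")
    rec["exception_name"] = NTSTATUS.get(int(rec["exception_code"], 16), "unmapped")
    rec["started_utc"] = filetime_to_utc(int(rec["start_time"], 16))
    # "unknown" means Windows did not attribute the faulting address to a loaded module.
    rec["module_resolved"] = rec["module"].lower() != "unknown"
    return rec

def parse_all(text):
    return [parse_crash(b) for b in text.strip().split("\n\n")]
```

Comparing the decoded start time with the event's own timestamp shows how long the scan process ran before each crash.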
Re: Emails crashing virus engines [message #148477 is a reply to message #148415]
Fri, 24 July 2020 12:47
Paul Brause
Messages: 13 Registered: April 2019 Location: Germany
Hello opcodekerio,
I had this issue 6 months ago; a lot of mails were failing, and while processing them the ScanEngine service was stopped too.
I raised a ticket at that time but the issue could not be found.
This issue seems to be fixed with an update of the Avira scan engine: https://forums.gfi.com/index.php?t=msg&th=38252&start=0&
Currently I still encounter failed mails nearly every day.
As a workaround I rename failed incoming mails to .eml and put them in the Pickup folder of the Exchange server.
For outgoing mails I have this error mostly when people answer failed mails I have delivered to them by the workaround.
Then it helps to remove the "unscannable" content (most times the signature of the sender).
The other outgoing failed mails have failed due to a certain attachment, but this is not very often.
Just now I have checked my event viewer and found a lot of errors of the crashing "gfiscans.exe".
I'm using a 2008R2 in SMTP mode too.
German UI, Avira and BitDefender enabled only.
Very similar to your setup.
Currently I set up a new Windows 2012R2 server in order to move the GFI ME installation.
I don't know how long it will take, but I will let you know about the result.
Kind regards
Paul Brause
Re: Emails crashing virus engines [message #148484 is a reply to message #148478]
Mon, 27 July 2020 07:54
Paul Brause
Messages: 13 Registered: April 2019 Location: Germany
No, retries fail too.
I use GFI ME as perimeter SMTP-Server.
I put the incoming failed mails which are not SPAM from the DMZ ..\EmailSecurity\FailedMails into the folder ..\TransportRoles\Pickup of our internal Exchange server.
Re: Emails crashing virus engines [message #148493 is a reply to message #148484]
Tue, 28 July 2020 12:42
Paul Brause
Messages: 13 Registered: April 2019 Location: Germany
I've just checked it again:
The "AV Scan Engine" fails when reprocessing one of the failed mails.
Same error message as opcodekerio:
Name der fehlerhaften Anwendung: GFIScanM.exe, Version: 21.6.11004.18, Zeitstempel: 0x5e391946
Name des fehlerhaften Moduls: unknown, Version: 0.0.0.0, Zeitstempel: 0x00000000
Ausnahmecode: 0xc0000005
Fehleroffset: 0x830000e7
ID des fehlerhaften Prozesses: 0xd94
Startzeit der fehlerhaften Anwendung: 0x01d663ece217e2fa
Pfad der fehlerhaften Anwendung: C:\Program Files (x86)\GFI\MailEssentials\EmailSecurity\GFIScanM.exe
Pfad des fehlerhaften Moduls: unknown
Berichtskennung: 1e834a42-d097-11ea-acf4-00155d63f802
Re: Emails crashing virus engines [message #148550 is a reply to message #148503]
Tue, 11 August 2020 11:55
Paul Brause
Messages: 13 Registered: April 2019 Location: Germany
After I created a ticket that provided a sample file and support could not recreate the problem, I moved GFI ME to a 2012R2 server.
The sample file as well as other previously failed mails could be processed without any errors.
While some of these mails have not been quarantined, the others were filtered by the email-exploit-engine (Malformed File Extension (High alert)).
My recommendation to opcodekerio is: upgrade the OS of your customers' servers.
I've exported the GFI ME settings with meconfigmgr.exe from the old server and imported them on the new server after a fresh install of GFI ME 21.6 Build 20200204.
The new server was preinstalled with 2012R2, latest patches installed, and IIS with SMTP.
I used the same IP and computer name as the old server and set up the SMTP server to the same settings (a bit tricky).
I had to make an entry into the hosts file in order to select the correct IP address in the SMTP server.
Afterwards I just swapped the network connection from the old to the new server.
Most of the ME settings have been taken over except for:
* the logging (Protokollierungsoptionen) for every filter was not enabled anymore
* SPAM tag settings were different (I don't use it anyway)
* unfortunately all search folders were not present anymore!
Besides these issues, I have to admit that the move went without any major complications.