
[–]runningntwrkgeek 243 points244 points  (6 children)

Thanks /r/sysadmin! Because of this, I checked my onprem 2019 and discovered we are impacted by this.

I'm now working on it before I get phone calls.

[–]EPHEBOX 121 points122 points  (5 children)

Once you've finished testing go ahead and send an "outage update" email to everyone. Potentially nobody noticed but it's free PR for the IT department.

[–]runningntwrkgeek 68 points69 points  (3 children)

I sent one out at 12:30 am to the entire company. Started with a request that coworkers be extra cautious due to one layer of security being disabled, followed with a tldr, then a more detailed explanation.

Sometimes it's nice to let management know that just because things are working, it doesn't mean I'm not doing anything

[–]brianmarcotte 141 points142 points 322 (14 children)

Here’s what I did:

Check queues

Get-Queue  

Set filter to bypass

Get-ExchangeServer | % {Set-MalwareFilteringServer -BypassFiltering $true -Identity $_.Name}  

Restart Transport service

$ExchangeServers = Get-ExchangeServer | Select -ExpandProperty Name

$ExchangeServers | % {Get-Service -ComputerName $_ -ServiceName MSExchangeTransport | Restart-Service -Force}  

If ForEach takes too long, then just manually restart the service in services.msc

Check queues

Get-Queue  

Queues should start to process messages

I'll check the malware filter upon my return to see if MS has addressed the issue with an update

Get-ExchangeServer | Get-Queue

To check queues on all transport servers.

Just quick and dirty, but does the job for an urgent issue on New Year’s Eve. Our servers are still behind a third-party mail filter, so I’m ok leaving this MS filter off until they get their shit together.

[–]killerpm/dev/null - No Escape 17 points18 points  (1 child)

Thanks! This saved me on a hungover new years day. Sigh.. haha

[–]DeptOfOne 6 points7 points  (0 children)

Thank you my friend. I have been working on this for the past 3 hours. Did I mention I'm on Vacation and got called in for this? I owe you a drink my friend.

[–]guynamedjosh92 6 points7 points  (4 children)

Thank you! We tried this, but for some reason we have over 216k messages stuck in the queues of our 6 servers in the "Ready" status... Waiting on a Microsoft engineer to get on the phone with us to see why our queues aren't clearing fast enough (if it weren't for us receiving emails slowly, we'd say it's not fixed at all).

[–]tourneytalk24 9 points10 points  (3 children)

See if you have any mail flow rules that check attachments. If you do, disable them and see if that clears it.

[–]guynamedjosh92 4 points5 points  (2 children)

Yup, that's exactly what it was. We had zip files still being looked at. Once we disabled that and restarted the services, our servers cleared the queues within a minute. Where were you around noon? Haha. Hope you had a great new year (besides this mess) lol.

[–]pauljdavis 2 points3 points  (0 children)

Great notes. That's an awesome comment - thanks for helping the community that way! Happy New Year!

[–]ceno666 63 points64 points  (17 children)

Just got the same problem here, are we sure it is a bad update or do we have a Year2k22 Bug situation?

The FIP-FS "Microsoft" Scan Engine failed to load. PID: 7948, Error Code: 0x80004005. Error Description: Can't convert "2201010002" to long.

[–]ceno666 32 points33 points  (9 children)

[–]FST-LANEJack of All Trades[S] 81 points82 points  (8 children)

TL;DR: “a signed long is not big enough for a 6-digit date + 4-digit time or serial number”.

So for those of us who are too young to remember the Y2K scare, welcome to “Y2K22”!

The “long” data type allows for values up to 2,147,483,647. It appears that Microsoft uses the first two numbers of the update version to denote the year of the update. So when the year was 2021, the first two numbers were “21”, and everything was fine. Now that it’s 2022 (GMT), the update version, converted to a “long”, would be 2,201,010,001, which is above the maximum value of the “long” data type. @Microsoft: If you change it to an ‘unsigned long’, then the max value is 4,294,967,295 and we’ll be able to sleep easy until the year 2043!
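As an added illustration (not code from the thread), the following PowerShell reproduces the arithmetic behind the failure: on Windows a native C/C++ `long` is a signed 32-bit integer, the same range as .NET `[int32]`, so `TryParse` rejects exactly the values the FIP-FS event reports. The function names and the two 4x-prefixed sample versions are mine; 2201010001 and 2112330001 are the values discussed in this thread.

```powershell
# Added example: version strings use the yymmddnnnn layout the comment above describes.
# [int32] max is 2,147,483,647; [uint32] max is 4,294,967,295 (the change suggested above).

function Test-FitsSignedLong {
    # $true if the string parses as a 32-bit signed value; TryParse returns $false on overflow
    # instead of throwing, so no exception handling is needed.
    param([Parameter(Mandatory)][string]$UpdateVersion)
    $parsed = 0
    return [int32]::TryParse($UpdateVersion, [ref]$parsed)
}

function Test-FitsUnsignedLong {
    # Same check against the unsigned 32-bit range.
    param([Parameter(Mandatory)][string]$UpdateVersion)
    $parsed = [uint32]0
    return [uint32]::TryParse($UpdateVersion, [ref]$parsed)
}

function Split-UpdateVersion {
    # Breaks a yymmddnnnn string into its fields the way a string-based parser would,
    # so no arithmetic is ever done on the whole 10-digit value.
    param([Parameter(Mandatory)][ValidatePattern('^\d{10}$')][string]$UpdateVersion)
    [pscustomobject]@{
        UpdateVersion = $UpdateVersion
        Year          = [int]('20' + $UpdateVersion.Substring(0, 2))
        Month         = [int]$UpdateVersion.Substring(2, 2)
        Day           = [int]$UpdateVersion.Substring(4, 2)
        Serial        = [int]$UpdateVersion.Substring(6, 4)
        FitsInt32     = Test-FitsSignedLong $UpdateVersion
        FitsUInt32    = Test-FitsUnsignedLong $UpdateVersion
    }
}

# Constructed sample versions.
@(
    '2112310001',  # last signature of 2021: fits a signed 32-bit value
    '2201010001',  # first signature of 2022: exceeds 2,147,483,647 (the Y2K22 failure)
    '2112330001',  # the "December 33, 2021" workaround version discussed in this thread
    '4212310001',  # largest year prefix an unsigned 32-bit value could still hold
    '4301010001'   # overflows even an unsigned 32-bit value
) | ForEach-Object { Split-UpdateVersion $_ } | Format-Table -AutoSize
```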

[–]ceno666 18 points19 points  (0 children)

lol yeah i can remember, seems like it took 22 more years to get me called out of sleep for this shit

[–]iamsplendid 32 points33 points  (1 child)

to detonate the year of the update

The typo is so accurate for this 🤣

[–]FST-LANEJack of All Trades[S] 11 points12 points  (0 children)

Lmfao. Fixed. I think it was all those fireworks my neighbors were setting off!

[–]disclosure5 15 points16 points  (0 children)

!remindme 21 years

[–]AgentSmith27IT Manager 3 points4 points  (2 children)

All they would have to do is treat it as a string, break it apart and cast each of the parts as an integer. It's crazy they were using long ints to begin with.

[–]FST-LANEJack of All Trades[S] 13 points14 points  (0 children)

Well, you just confirmed that the newer 220202002 update is also broken. Maybe you’re right; it’s a Y2k22 bug.

[–]JustSayTomato 13 points14 points  (5 children)

This is one of the first things I noticed when I started combing through Event Viewer. How in the hell did this ever get released? Especially on New Years Eve!?

[–]FST-LANEJack of All Trades[S] 8 points9 points  (3 children)

Probably automated. The version is based on the date in GMT.

[–]JustSayTomato 2 points3 points  (2 children)

Right, but don’t these patches get any sort of internal testing before they’re released to the masses? It’s bad enough we’ve got Windows Updates that fuck up everything. Those at least require user intervention or a GPO before they install. This is code that updates and installs automatically.

[–]FST-LANEJack of All Trades[S] 6 points7 points  (1 child)

Probably not, since they’re just “signature” updates and not software updates; probably based on an automated “A.I.” that is constantly tweaking the signatures based on malware it sees in the wild. And it’s not even anything within the payload of the update that’s problematic in this case; it’s simply the version number on the update. Lol.

[–]jrdiver 7 points8 points  (0 children)

It probably worked fine when tested before midnight

[–]brokenvcenter 268 points269 points  (61 children)

Hello friend. Same thing. Set-MalwareFilteringServer -BypassFiltering $True -identity <server name>

Queues starting clearing.

[–]FST-LANEJack of All Trades[S] 84 points85 points  (27 children)

Thanks. Glad I’m not the only one.

I did something similar to restore mail flow for now by running the Disable-AntiMalwareScanning.ps1 script from the Scripts folder in the Exchange install directory and restarting the transport service.

[–]brokenvcenter 26 points27 points  (10 children)

Can confirm Disable-AntimalwareScanning.ps1 -forcerestart does the trick. 2013 seems to be unaffected.

[–]TraditionalWealth293 7 points8 points  (0 children)

Can confirm this worked on Exchange 2016 CU22. Had to run it on all DAG members, FYI.

[–]FST-LANEJack of All Trades[S] 42 points43 points  (1 child)

“Security by Antiquity” 😉

[–]brokenvcenter 22 points23 points  (0 children)

Availability by Antiquity!

[–]tranceandsoul 3 points4 points  (4 children)

Thanks!!! What are the risks of having this disabled?

[–]the_bushman924 2 points3 points  (0 children)

https://docs.microsoft.com/en-us/exchange/disable-or-bypass-anti-malware-scanning-exchange-2013-help

The question we all want to know! I haven't disabled anything until this can be answered. Thankfully, I have understandable clients.

[–]Snowman25_ 2 points3 points  (2 children)

Isn't the name pretty self-explanatory?

[–]UDP161 69 points70 points  (6 children)

THANK YOU. What in the absolute hell Microsoft!? On New Years Eve!? First place I check is Reddit and you guys save my life before we even get an engineer on the phone. Thank god for that premium support…

[–]sykophreak 19 points20 points  (2 children)

I wish I’d checked Reddit first. I spent a good hour troubleshooting it and figured out the fix before checking here.

[–]BrFrancis 11 points12 points  (1 child)

In other news, FireEye ETP and EX don't do this... Nor does.. -check list- any other email anti-malware vendor...

So... Happy new years

[–]patrynmaster 14 points15 points  (0 children)

THANK YOU. What in the absolute hell Microsoft!? On New Years Eve!? First place I check is Reddit and

& $env:ExchangeInstallPath\Scripts\Disable-Antimalwarescanning.ps1

[–]fluxboxuk 2 points3 points  (0 children)

Confirmed as working on Exchange 2016... MS Premier Support have confirmed it's a known issue, but no known fix as yet!

[–]pssssn 32 points33 points  (1 child)

Anyone coming across this, restart the Microsoft Exchange Transport service after setting this value.

[–]Intros9Jack of All Trades 4 points5 points  (0 children)

Yep, this and the above command got us working again.

Merry New Year!

[–]dickielaw88 15 points16 points  (3 children)

I did this command, but my queue seems to be stuck. Any ideas how to get it moving again? Edit: After a restart the queue cleared.

[–]its_the_revolutionIT Manager 13 points14 points  (1 child)

It takes up to 10 min to process

https://docs.microsoft.com/en-us/exchange/disable-or-bypass-anti-malware-scanning-exchange-2013-help

"Bypassing or restoring malware filtering doesn't require you to restart any services. However, changes to the setting may take up to 10 minutes to take effect."

[–]ComGuards 8 points9 points  (0 children)

But then running the script results in the following output (At least on 2016):

WARNING: The following service restart is required for the change(s) to take effect : MSExchangeTransport

Anti-malware scanning is successfully disabled. Please restart MSExchangeTransport for the changes to take effect.

Classic Microsoft =P.

[–]torbar203whatever 5 points6 points  (0 children)

https://www.reddit.com/r/sysadmin/comments/rt91z6/exchange_2019_antimalware_bad_update/hqtt5ib/

I found a transport rule was keeping things stuck in the submission queue

[–]Remarkable_Point_179 4 points5 points  (1 child)

Seems to apply to all versions of Exchange, any CU; we have the latest patched, same issue. Does look like a Y22 issue: disabling malware clears the queue and mail flows after a transport restart. I am now working through all the Exchange servers we support, which is a lot.

[–]hack819 29 points30 points  (1 child)

I should have checked here before spending the last hour screwing with exchange. Thanks for the heads up.

[–]JeepMunkee 74 points75 points  (3 children)

Yep. All email stopped processing on my on-prem 2016 at 6:45 pm. I spent like 40 mins rebooting and stressing out. Thanks for your post! FML. lol

[–]FST-LANEJack of All Trades[S] 49 points50 points  (1 child)

Leave it to big corporations like Microsoft to screw us at the most inconvenient time! Happy New Year! 🥳 🙄

[–]JeepMunkee 5 points6 points  (0 children)

Happy Fucking New Year! 😁

[–]FrankyHugo 20 points21 points  (1 child)

Thanks MS for the Y2K22 bug, great job, sleep is so overrated. Thanks guys for giving a solution for the problem.

[–]bugalouInfrastructure Architect 17 points18 points  (7 children)

This crap just brought down all of our alerting in the middle of new years eve. I am in the hospitality/entertainment industry so pretty much the worse time ever.

[–]FST-LANEJack of All Trades[S] 20 points21 points  (4 children)

I was also a bit confused that my monitoring system was calling my phone when I hadn’t seen any email alerts (it escalates to phone call if I don’t acknowledge the alerts that comes through via email). But that’s the downside of email alerts; if ANYTHING that the mail server relies on goes down, it takes email alerts down with it.

My monitoring system calls a simple PowerShell script that I wrote which interacts with the Twilio API to call my cell phone and do some text-to-speech with the alert. On my cell phone, I set that contact to bypass “do not disturb” mode and a custom alarm ringtone, so even when I’m hibernating, it will wake me / give me a heart attack.

[–]anonymous_commentor 4 points5 points  (2 children)

Check out Mailive. External, you set up a forwarding rule and it watches round trip times. Completely external.

[–]FST-LANEJack of All Trades[S] 2 points3 points  (1 child)

MailflowMonitoring.com and Tools.HornetSecurity.com look promising too; and they’re free.

[–]Bleakbrux 2 points3 points  (0 children)

Yeah my alerting too. We are office365 Exchange online apart from on premises alerts.

I didn't notice until like 4pm that there had been zero alerts from anything.

Only noticed as Veeam backup notifications didn't hit the mailbox and Firewall port scan Alerts were non existent which never happens.

Thought it was just blissfully quiet. Turns out there was a Microsoft-induced shit storm going down. Should have known better.

Thank god for exchange online and mimecast. It's nice to know these days that an exchange VM going pop only really affects IT.

I didn't get the alert to say the alerting had gone down, clearly.

[–]T101M850Director of Technical Services 16 points17 points  (0 children)

Popped some champagne and migrated from the desk to the couch to watch Miley and Pete with the wife...Cue slack exploding my phone with 800 messages.

Finservice company, so year end is kind of a big deal.

[–]dickielaw88 48 points49 points  (0 children)

Our 2016 server is affected also. Damn Microsoft. Having this happen on new years eve? First Betty White, and now this. Hoping for a better 2022!

[–]pingsandchickenwingsSysadmin 15 points16 points  (0 children)

Amazing you saved my new years, friend. My appreciation.

[–]SithLordDooku 15 points16 points  (3 children)

Update: My submission queue didn't clear because I had a transport rule that was still using the Filtering services. This is after I bypassed filtering and disabled it. I needed to disable the transport rule in order to get the email flowing. The event ID you are looking for is 4010.

Transport engine failed to evaluate condition due to Filtering Service error. The rule is configured to ignore errors. Details: 'Organization: '' Message ID '<20220101132702.87329ce2ee2dc006@mail.com>' Rule ID 'cd3d85a6-0c77-4d49-988b-88928b8a73aa' Predicate '' Action ''. FilteringServiceFailureException Error: Microsoft.Exchange.MessagingPolicies.Rules.FilteringServiceFailureException: FIPS text extraction failed with error: 'Exception of type 'Microsoft.Filtering.ScanAbortedException' was thrown.'. See inner exception for details ---> Microsoft.Filtering.ScanAbortedException: Exception of type 'Microsoft.Filtering.ScanAbortedException' was thrown.

Get-TransportRule -Identity <Rule ID>

disable the transport rule.
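One way to automate the lookup described in this comment, as an added example that is not from the thread: pull the rule GUIDs out of recent event ID 4010 messages and list the matching transport rules before deciding which to disable. Assumes an Exchange Management Shell on a transport server; the function names are mine and the sample message is constructed from the event quoted above.

```powershell
# Added example: locate transport rules that event 4010 reports as failing on the Filtering Service.

function Get-RuleIdsFromEvent4010 {
    # Extracts every GUID that follows "Rule ID" in one or more 4010 event messages.
    param([Parameter(Mandatory, ValueFromPipeline)][string]$Message)
    process {
        foreach ($m in [regex]::Matches($Message, "Rule ID '([0-9a-fA-F-]{36})'")) {
            $m.Groups[1].Value
        }
    }
}

function Get-FailingTransportRuleIds {
    # Reads recent 4010 events from the Application log and returns the distinct rule GUIDs
    # that hit a Filtering Service error. Silently returns nothing when no events match.
    param([int]$MaxEvents = 500)
    Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Id = 4010 } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -like '*Filtering Service error*' } |
        ForEach-Object { $_.Message } |
        Get-RuleIdsFromEvent4010 |
        Sort-Object -Unique
}

# Constructed sample message, modelled on the 4010 event quoted in this thread; the parser alone
# can be checked offline with it.
$sample = "Transport engine failed to evaluate condition due to Filtering Service error. " +
          "Details: 'Organization: '' Message ID '<constructed@example.invalid>' " +
          "Rule ID 'cd3d85a6-0c77-4d49-988b-88928b8a73aa' Predicate '' Action ''."
$sample | Get-RuleIdsFromEvent4010

# On a live server: review name, state and priority of each affected rule first (GUID is a
# valid -Identity value), then disable only the ones that inspect attachments.
Get-FailingTransportRuleIds | ForEach-Object {
    Get-TransportRule -Identity $_ | Select-Object Name, State, Priority
}
# Get-FailingTransportRuleIds | ForEach-Object { Disable-TransportRule -Identity $_ -WhatIf }
```

Drop `-WhatIf` on the last line once the list looks right; the transport service still needs a restart afterwards, as the comments above note.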

[–]KingDoggles 2 points3 points  (0 children)

Thanks for this. This was necessary in our environment as well.

I ended up disabling all of the rules for now (mostly audit stuff that is on by default).

[–]HJForsythe 46 points47 points  (9 children)

It's good that they just raised licensing pricing 10% again. Maybe they can hire some people that aren't fucking idiots with the extra money. I don't see a single mention of this anywhere official on Microsoft's end. Did they seriously push out this update and then leave for the weekend? What is happening at that company? I can't really put into words how hopeless it feels to be someone responsible for running this stuff.

[–]disclosure5 17 points18 points  (4 children)

I don't see a single mention of this anywhere official on Microsoft's end.

I definitely remember these sorts of things when people tell me they want to use products like this so they can get stellar MS support. I can near guarantee that if I logged a paid support case this morning they would have emailed and asked for logs and then been weeks away from responding again.

[–]xirsteon 20 points21 points  (1 child)

Kindly do the needful, run the Healthchecker.ps1 script, send us the report and REVERT back.

[–]bill-m 5 points6 points  (0 children)

This comment needs a trigger warning. Bad flashback.

[–]172pilotsteve 9 points10 points  (1 child)

We have premier support and opened a SEV-A at about 04:00 GMT.. They did confirm that it was a systemic problem. We were able to figure out the workaround on our own, but after 2 hours they did provide the same recommendation. I still have the ticket open with them but haven't received another update from them.. I'm expecting a call in the next hour if they follow through with what they told me.

[–]SheeEttinSysadmin 7 points8 points  (0 children)

They did confirm that it was a systemic problem.

What is, their product quality issues?

[–]TumsFestivalEveryDay 3 points4 points  (0 children)

Especially considering there's been some really unacceptable EXOL downtime lately and they never determined any root cause other than their "we dunno, we're examining our useless telemetry to make sure this doesn't happen again" hand-wave.

[–]the_bushman924 10 points11 points  (9 children)

Serious question though. Why are you guys feeling so comfortable with disabling your anti-malware software? I'm going through the same thing and thankfully getting by with, "Waiting on an official fix from Microsoft". Not sure how long this will last without hearing from them, but some random articles suggest a cyber attack and others like this thread suggest bad updates. I see everyone bypassing anti-malware and I'm still hesitant to even give that a whirl in an abundance of caution. Anyone else in the same boat who can counter with a more concrete response besides what OP is saying? I do believe it's on the right track, but why is disabling the anti-malware the first thing that comes to mind as a good workaround? Thanks!

[–]FST-LANEJack of All Trades[S] 17 points18 points  (1 child)

Turns out it’s not actually a bad update. It’s a bug related to the maximum value of a signed integer. I explained all that in the original post near the bottom.

Personally, I am not concerned with turning off the built-in anti malware component, because we have a third-party filtering solution in front of exchange which catches anything bad.

[–]the_bushman924 5 points6 points  (0 children)

Thanks for creating this post! You've saved a lot of New Year hangover headaches! Agreed on the third party filtering that I have as a first layer of filtering defense. I feel more comfortable knowing this.

[–]elint 10 points11 points  (3 children)

Why are you guys feeling so comfortable with disabling your anti-malware software.

Because it's supplemental and hardly necessary. I've got a spam filter sitting in front of my Exchange server, filtering all inbound/outbound mail. Honestly, it catches most malware before it ever gets to Exchange. Occasionally, when something slips through, more often than not it also slips through Exchange's malware scanner, and fortunately, my user training has been sufficient to keep users from clicking sketchy things. I'd be a lot more afraid of disabling it if it was my only protection, but then you've likely got other problems.

[–]the_bushman924 1 point2 points  (1 child)

Thanks! Same here and good to know! It is more comforting that many of the replies are saying this.

[–]nobody554Sr. Sysadmin 4 points5 points  (1 child)

In our case, we have other solutions in place that help scan for malware and such (external spam/malware filter). Microsoft's scanner would ideally never even see any bad mail because our first line of defense caught it all.

That said, if you want mail to flow before Microsoft fixes their blunder, this is where you outweigh the risks of disabling one control vs keeping any other controls you have in place to protect your environment.

[–]the_bushman924 1 point2 points  (0 children)

Thanks! Good to know. We do have external spam filtering as well. I will take that into consideration.

[–]its_the_revolutionIT Manager 2 points3 points  (0 children)

We use other products from third party vendors like FireEye that focus on sanitizing mail before it arrives to Exchange. I’m confident this filter wouldn’t find much of anything after it goes through those appliances we use.

[–]MarkDePalma 10 points11 points  (8 children)

Got an email flow alert, spent 5 min looking into it and saw the same. Disabling the engine like the others stated (either option) works.

[–]pssssn 4 points5 points  (6 children)

What are you using for this btw? I have a solution, but they don't have the option to repeat alerts, which is annoying.

[–]MarkDePalma 7 points8 points  (4 children)

MX Toolbox integrates into our primary monitoring solution (LogicMonitor). We do external round trip time testing there and then have additional monitors on the transport queues and other things.

[–]ADSWNJ 8 points9 points  (2 children)

Latest rumor I heard (just as a customer)...

  1. "Y2K22" bug confirmed, as discussed in this thread.
  2. Hotfix to be released asap to strip out the offending 2022-serial number sig files.
  3. Temp workaround is to add a 13th month to 2021 for the signatures - i.e. the next sig after 211231nnnn will be 211301nnnn.

So welcome to the 13th month of 2021!

Edit:
Looks like they preferred to go with the 33rd day of December - i.e. 2112330001. Interesting ... only 2 months to fix it if you do this, i.e. before 211299nnnn. Unless they choose to iterate the nnnn in a different manner.

[–]Forgotmyaccount1979 7 points8 points  (0 children)

Oh man, I thought I was going crazy there for a minute.

So glad I popped onto Reddit.

[–]ARDiver86 9 points10 points  (1 child)

Does this affect O365 or just conveniently on-prem instances?

[–]FST-LANEJack of All Trades[S] 11 points12 points  (0 children)

So far, O365 seems to be fine for my tenants.

But perhaps O365 has a delayed update mechanism or something. I wouldn’t put it past Microsoft to push updates to on-prem Exchange first before they push the same updates to the O365 infrastructure.

[–]CompetitionOk1582 7 points8 points  (5 children)

Why didn’t this affect all on premise customers?

[–]jmch783 6 points7 points  (3 children)

I think the malware filter server update URLs are different for each part of the world. So those exchange servers “ahead” of time were impacted first and then once aware of the issue, MSFT took down the update URLs for those regions that hadn’t been updated yet? That appears to have happened to my environment - servers in EU impacted but US based servers not impacted (yet anyway).

[–]JeepMunkee 3 points4 points  (0 children)

My 2016 server in Colorado stopped processing at 5:45 pm MST

[–]172pilotsteve 1 point2 points  (1 child)

I suspect 3rd party malware agents disable the Microsoft ones. A friend supports a large installation that uses Mcafee and it was unaffected.

[–]WaitHonest4926 8 points9 points  (21 children)

A couple of minutes ago Microsoft released Engine 1.1.1880.4 and Sig. 1.355.1224.0, which is working like a charm.

MS Filtering Engine Update process has successfully committed and handed off updates for Microsoft
Last Checked: 2022-01-01T08:30:23Z
Last Updated: 2022-01-01T08:30:39Z
Engine Version: 1.1.18800.4
Signature Version: "1.355.1224.0"
Update Version: 2201010004
Last Definition Update: 2022-01-01T01:03:32.000Z
Update Path: http://amupdatedl.microsoft.com/server/amupdate

Cheers and happy new year

Chris

[–]xrtnn 2 points3 points  (1 child)

MS Filtering Engine

update isn't resolving for me

still getting

The FIP-FS "Microsoft" Scan Engine failed to load. PID: 15996, Error Code: 0x80004005. Error Description: Can't convert "2201010003" to long.

[–]JudeCPer 1 point2 points  (7 children)

Updated with that signature, still fails. Error Description: Can't convert "2201010004" to long

[–]DogResponsible8491 1 point2 points  (3 children)

process has successfully committed

I'm still getting the FIPFS error after this update.

The FIP-FS "Microsoft" Scan Engine failed to load. PID: 17860, Error Code: 0x80004005. Error Description: Can't convert "2201010005" to long.

[–]reddi-tom 23 points24 points  (2 children)

After troubleshooting over 1.5 hours, opened Reddit and of course you guys have a workaround. Gotta love Reddit r/sysadmin 🥰

GMT+1 BTW, mailflow stopped around 2AM

[–]hakan_loob44I do computery type stuff 2 points3 points  (0 children)

6am here. Noticed that I didn't have any email from onprem since last night. Figured that wasn't right. Spent 20min poking around then I figured that this had to be something MS fucked up and didn't post yet. That's when I came right to r/sysadmin. Reddit saves the day again.

[–]absoludicrous 7 points8 points  (0 children)

I saw the entries in Event Viewer and figured this couldn’t have affected only us. Disabling the filter helped get mail flowing again. Thank you all for this thread.

Anyone have any links from Microsoft? Maybe next year?

[–]briskik 7 points8 points  (1 child)

You guys are the best. Still took me 2 hours worth of troubleshooting to realize to come here

[–]ThreshOP 3 points4 points  (0 children)

Yep, same here. Thought for sure it was something dumb in my environment, Google wasn't showing any results yet, sysadmin saves once again.

[–]appar1tions 5 points6 points  (6 children)

I'm getting:

C:\Program Files\Microsoft\Exchange Server\V15\Scripts\Update-MalwareFilteringServer.ps1 : Error starting the anti-malware engine update.

Anyone else having this issue?

Edit: I get this using the script AND the manual method.

[–]OrangeFluffyBunny 3 points4 points  (2 children)

Try manually with Start-EngineUpdate -UpdatePath https://forefrontdl.microsoft.com/server/scanengineupdate/

And a lot of patience as many are probably downloading it. It went from UpdateStatus UpdateInProgress to UpdateAttemptNoUpdate and now has UpdateVersion as 2112330001 instead of 2201010009

[–]appar1tions 2 points3 points  (0 children)

Edit: Thanks for this! I'd give you gold if I could.

For everyone else running into the same issue:

  1. Run Exchange Management Shell as administrator
  2. Run Add-PSSnapin Microsoft.Forefront.Filtering.Management.Powershell
  3. Run Start-EngineUpdate -Verbose
  4. Run Get-EngineUpdateInformation

[–]OrangeFluffyBunny 2 points3 points  (1 child)

Yes, same here. I’m still looking for the cause but I can’t find any. I’m looking at Exchange Management Shell now, maybe it’s not invoking Exchange commands properly.

[–]Impossible_Rush_2722 6 points7 points  (0 children)

Dude, love you right now. Though I called my sysadmin to help us do this for a few servers, woke him up, he might hate you…. But I love you!

[–]172pilotsteve 5 points6 points  (3 children)

FYI - Somewhere in these comments was someone having problems with mail delays even after disabling the malware filter as everyone is doing. I was having the same problem, with mail delays up to 45 minutes with thousands of messages in queue even while they were [slowly] flowing.

I can report that after disabling (unchecking) my transport rules under the mail flow tab, my mail is flowing fast again. Hopefully this will help someone else who may also have transport rules.

[–]innovationcynic 6 points7 points  (2 children)

I wonder if someone could calculate the total cost in terms of hours spent across all companies and the cost per hour of that labor for fixing this.

Not that Microsoft would ever pay it, of course, but this would be interesting to know.

[–]FST-LANEJack of All Trades[S] 2 points3 points  (0 children)

With the sheer amount of activity this post on Reddit received, it’s just a drop in the ocean as to how many system administrators were actually inconvenienced by this. In my circles alone, I’m hearing from folks who are asking me if I heard about this; and when I asked if they saw the post in r/sysadmin they said they weren’t aware of that subreddit (or some said they didn’t even know what Reddit was, lol).

[–]happiAdmin 4 points5 points  (0 children)

Thanks guys, the command and Transport service restart worked for me as well. Sigh.

[–]Justicefruitpies 4 points5 points  (0 children)

I love you all! Seriously, whoever jumped on this saved a day with my family.

[–]freemantech757 4 points5 points  (0 children)

Really saved myself and my team a huge headache. Many thanks for bringing this light and to the entire reddit community for coming together to work through it when many of us have yet to hear a word from Microsoft.

If I could give all the awards I would!

[–]B5565 5 points6 points  (0 children)

I was able to get my team on this and mail flow back up before midnight. Overall, we got it going before anyone actually noticed.

Thanks r/Sysadmin !

[–]marek1712Netadmin 3 points4 points  (0 children)

the version number now starts with “21” again, to stay within the limits of the ‘long’ data type, for example: “2112330001”. So, Happy December 33, 2021! 😉

This is so dumb my head hurts ;) But I guess they didn't want to make drastic changes during the weekend. Just checked my buddy's Exchange. Thankfully not affected since he uses 3rd party antimalware.

[–]arjen4life 5 points6 points  (0 children)

Fuck you, Microsoft.

Sorry. Just had to vent.

[–]Prancer_TruckstickSysadmin 9 points10 points  (4 children)

Jesus Christ, losing my mind around 9 PM trying to figure out why our queues weren't clearing... Disabling malware filtering did the trick for now.

[–]MarkDePalma 7 points8 points  (3 children)

The real answer is to rollback to the previous engine version and disable updates. That is what I am looking into. Transport rules can still be affected by this issue depending on if the rules need to invoke FIPS.

[–]Prancer_TruckstickSysadmin 4 points5 points  (2 children)

That's a good point, keep oneself protected somewhat until a correctly formed definition becomes available. If you do find a way to roll back the definitions and disable updates, let me know, I'd appreciate it.

[–]MarkDePalma 8 points9 points  (0 children)

As soon as I figure out a way I'll post a little write-up.

[–]PublicEntertainer 10 points11 points  (0 children)

u/FST-LANE Thank you so much for posting this. You saved me from working most of the night!!

[–]justingscu 2 points3 points  (0 children)

Yep, just ruined my night almost :) I had to bypass the malware engine, stop its service and restart the transport service to get email to flow (all 3 servers had the same error!!)

[–]maxnor1 4 points5 points  (0 children)

Thank you for sharing this! I'm glad it happened on the 31st, so my hope isn't destroyed that in 2022 all will be better.

[–]Hasslemoffz 3 points4 points  (0 children)

As usual, when Microsoft fucks us up, the community steps in.
Thanks for the thread guys, saved me a nasty few hours debugging this morning.

[–]MusicWallaby 2 points3 points  (4 children)

How can it be nearly 12 hours later and nothing at all anywhere from Microsoft?

[–]praetorfenixSysadmin 4 points5 points  (1 child)

How else they gonna up those O365 numbers?

[–]rottenrealm 2 points3 points  (0 children)

kinda "let those onprem freaks cry for a while"

[–]techblackops 4 points5 points  (9 children)

Disabling antimalware solved the mailflow issue for me, but I've got a separate (appears related) issue with the exchange admin center login. I get the error below. Certs are good and our main cert was just renewed about a month ago.

HMACProvider.GetCertificates:protectionCertificates.Length<1

Any ideas?

[–]mypuppysunny 3 points4 points  (0 children)

Thank you for everyone that posted on here and the post author. If it weren't for this community I would feel pretty alone and screwed sometimes.

[–]vikinickDevOps 2 points3 points  (0 children)

Why is it storing a version number as a LONG AND NOT A STRING? It makes sense if it was doing like an increment count 1, 2, 3 but anything more complicated than that just toss it in a goddamn string.

I'm actually rationally mad at the engineering choices made by the developers.

[–]rswwalker 4 points5 points  (2 children)

That’s just fabulously bad programming using a signed variable to store unsigned data. Did they have interns writing code for Exchange server?

[–]elint 2 points3 points  (1 child)

That’s just fabulously bad programming using a signed variable to store unsigned data.

Personally, I don't think a version string like this should be stored as a signed/unsigned variable at all. It's a concatenation of several numbers and doesn't really require any sort of math. Store it as a string.
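To make the size argument in the two comments above concrete, here is an added example (not code from the thread or from Microsoft). It takes the engine update number quoted later in this thread, 2201010002, plus a constructed 2021-dated value, 2112312359, and shows which integer widths can hold them; the year-prefixed layout (two-digit year first) is what the "Y2K22" remarks in the thread refer to. If the "long" in the error message is the 32-bit Windows C/C++ long, its ceiling is 2,147,483,647, which every 2022-dated number exceeds. The last part shows the dotted signature version 1.355.1234.0 mentioned further down compared as [System.Version] versus as a plain string, which is the safe way to keep a multi-part version "as a string" and still order it.

```powershell
# Added example, not code from the thread: why a year-prefixed update number
# such as 2201010002 cannot live in a signed 32-bit integer, and what does work.
function Test-VersionStorage {
    param([Parameter(Mandatory)][string]$VersionText)

    $i32 = 0; $i64 = 0
    [pscustomobject]@{
        Input     = $VersionText
        Int32Max  = [int32]::MaxValue                              # 2147483647
        FitsInt32 = [int32]::TryParse($VersionText, [ref]$i32)     # $false for any 22yymmdd-style value
        FitsInt64 = [int64]::TryParse($VersionText, [ref]$i64)     # $true, plenty of headroom
        Int64     = $i64
    }
}

# 2112312359 is a constructed "last update of 2021" value; 2201010002 is from the thread.
'2112312359', '2201010002' | ForEach-Object { Test-VersionStorage $_ } | Format-Table -AutoSize

# A dotted version such as the 1.355.1234.0 signature mentioned later in the
# thread should be compared as [System.Version], not as an integer or a raw string.
function Compare-VersionText {
    param([string]$Newer = '1.355.1234.0', [string]$Older = '1.355.999.0')
    [pscustomobject]@{
        VersionCompare = ([version]$Newer -gt [version]$Older)   # True: 1234 > 999
        StringCompare  = ($Newer -gt $Older)                      # False: "1" sorts before "9"
    }
}

Compare-VersionText | Format-Table -AutoSize
```

Run it in any PowerShell; nothing here touches Exchange. The point of the second function is that a string representation only works if the comparison is component-aware, which is exactly what [System.Version] provides.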

[–]Sad-Butterscotch5919 3 points4 points  (2 children)

If disabling malware transport agent does not fix it for you, look for 4010 events. Copy the transport rule ID and run a get-transportrule -identity <ruleID>. Disable that transport rule that is shown. (Seems to happen with any rule that scans attachments.) Restart transport service on all servers.

[–]tourneytalk24 2 points3 points  (0 children)

I am not sure if it has been posted but if you have any mail flow rules that check attachments, you will want to disable those as well. The rules checking for attachments seem to use a common mechanism. We initially disabled the anti-malware scanning but still had backed up queues until finally discovering the rule was also an issue.

Happy New Year!
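The two comments above say that mail flow stayed blocked until transport rules that inspect attachments were disabled too. The following is an added example (not code from the thread or from Microsoft) that lists the enabled transport rules whose predicates hand message content to the FIP-FS filtering service, so they can be reviewed, and optionally disabled, together with the malware agent. The predicate names are Get-TransportRule output properties; the attachment ones are the "rules that scan attachments" mentioned above, and MessageContainsDataClassifications corresponds to the containsDataClassification predicate that appears in a stack trace further down this thread. The -Disable switch and the function name are this script's own. Run it from the Exchange Management Shell.

```powershell
# Added example, not code from the thread: find enabled transport rules that
# depend on the FIP-FS content scanner (attachment inspection, data classification).
function Test-PredicateSet {
    # A predicate counts as configured when it is $true (switch-style predicates)
    # or a non-empty value or collection (word lists, patterns, size thresholds).
    param($Value)
    if ($null -eq $Value) { return $false }
    if ($Value -is [bool]) { return $Value }
    return (@($Value).Count -gt 0) -and ("$Value".Trim() -ne '')
}

function Get-ScannerDependentTransportRule {
    param([switch]$Disable)

    $scanPredicates = @(
        'AttachmentContainsWords', 'AttachmentMatchesPatterns',
        'AttachmentExtensionMatchesWords', 'AttachmentPropertyContainsWords',
        'AttachmentHasExecutableContent', 'AttachmentIsUnsupported',
        'AttachmentSizeOver', 'MessageContainsDataClassifications'
    )

    foreach ($rule in (Get-TransportRule | Where-Object { $_.State -eq 'Enabled' })) {
        $hits = foreach ($p in $scanPredicates) {
            if (Test-PredicateSet $rule.$p) { $p }
        }
        if ($hits) {
            if ($Disable) { Disable-TransportRule -Identity $rule.Guid -Confirm:$false }
            [pscustomobject]@{
                Name       = $rule.Name
                Guid       = $rule.Guid
                Predicates = ($hits -join ', ')
                Action     = $(if ($Disable) { 'Disabled' } else { 'Enabled (review)' })
            }
        }
    }
}

# First pass: report only. Second pass, if mail is still stuck: -Disable.
Get-ScannerDependentTransportRule | Format-Table -AutoSize
```

Keep the output: the Guid column is what you need for Enable-TransportRule -Identity once the engine update is installed, and it matches the rule ID that the 4010 events mentioned above carry, which Get-TransportRule -Identity <ruleID> also resolves.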

[–]SaunteringOctopus 2 points3 points  (0 children)

I just got a call an hour ago saying email wasn't working and started tearing my hair our to figure out why. Luckily I happened to stumble into this post. Thank you so much.

[–]_LB 2 points3 points  (0 children)

These are the days that I am so happy to be a subscriber of this subreddit. Thanks for all the info, you have saved my day and a lot of troubles tomorrow.

Happy Y2K22 everybody, stay safe and healthy!

[–]sedition666 3 points4 points  (0 children)

I was lucky and walked into this when it already had fixes up. Still lost 7.5 hours of my weekend to this clusterfuck. Cheers Microsoft.

[–]chillyhellion 9 points10 points  (1 child)

Microsoft and broken updates. Name a more iconic duo.

[–]Wasteway 7 points8 points  (0 children)

What a freaking joke. Come on MSFT, what in the actual hell. Much thanks to all of those who found this first and posted on how to fix it. You saved the rest of us tons of time!

[–]Young-G0ku 2 points3 points  (1 child)

Wish I found this before spending an hour scratching my head, thanks Microsoft haha.

[–]praetorfenixSysadmin 1 point2 points  (0 children)

Did same thing. Came to Reddit to see if I was nuts.

[–]Steven20221978 2 points3 points  (0 children)

Great work. Happened just as we were making global firewall changes, so lots of finger pointing. This saved me.

[–]RiceeeChrispiesJack of All Trades 2 points3 points  (3 children)

Updated filtering engine signature to 1.355.1234.0 (released this morning) but email stops flowing when re-enabling Antimalware scanning and restarting transport service - still with the same error.

Anyone experiencing this? UK based.

Edit: Reading into it, guess we’ve got to wait from the boffins at MS. Sounds like just a signature update won’t fix..

[–]disclosure5 6 points7 points  (2 children)

I sure hope that "fix" doesn't look like a three hour Cumulative Update.

[–]RiceeeChrispiesJack of All Trades 4 points5 points  (1 child)

Oh, it’s Microsoft Exchange - you can almost guarantee it will be. Because every important security update requires you to basically reinstall Exchange, ‘tis the only way.

Boy, I really hope somebody got fired for that blunder.

[–]SevereMiel 2 points3 points  (0 children)

We are still on Exchange 2013 and had the same problem a week ago when I patched the server ... disabled the antimalware filter and the problem was solved.

[–]dribar 2 points3 points  (0 children)

Fixed my 2019 environment. Much appreciated.

Any news from MS about a patch?

[–]Mister_Big_Stuff 2 points3 points  (0 children)

Thanks for posting about this. Saved my morning by giving me the solution for a crazy issue that would have taken me a long time to figure out myself.

[–]handlebartender 2 points3 points  (1 child)

I've got nothing of value to add here. Just amazed.

Random: although this is shite for users, I imagine there might be a few people over at MS who went from "enjoying the New Year" to "all hands on deck".

[–]FST-LANEJack of All Trades[S] 3 points4 points  (0 children)

...or at least we hope! Lol

[–]boardhoarder 2 points3 points  (0 children)

Thank you to everyone for keeping me sane here!

[–]Theoneandonlyzeke 2 points3 points  (0 children)

Affects 2013 also, as it happened to two of our servers already.

[–]rob-entre 2 points3 points  (3 children)

The article states that 2013 is affected, but the three clients I have with Exchange 2013 were not affected. They could process mail normally.

For what it’s worth, I don’t think the malware filter has done much of anything on my Exchange deployments, as a standard practice is to put a good filter in front of Exchange. While nice to have the additional scanners on Exchange, you should never depend on them alone.

[–]Tom_Neverwinter 2 points3 points  (0 children)

I was literally 10 minutes from leaving when this hit. FML

[–]pascalbraxalt.binaries 2 points3 points  (0 children)

Work called me on the first day of the year because all mail stopped. Thank you Reddit for figuring out why.

[–]TDSheridan05Windows Admin 2 points3 points  (0 children)

Thank you for finding this. I checked my environment and had almost 20k messages stacked up.

[–]No-Werewolf2037 2 points3 points  (0 children)

You guys just saved me a TON of trouble.. thank you so much.

[–]ThomasTrain87 2 points3 points  (0 children)

Thanks guys - you just saved me a lot of headaches. I knew it was too quiet.

[–]jrazta 2 points3 points  (0 children)

FYI, I attempted the bypass and my queues did not start delivering until I did the disable antimalware script.

4 x Exchange 2016 servers on-prem.

[–]DogResponsible8491 2 points3 points  (2 children)

Anyone getting an error after the update from Microshaft?

A FIP-FS Scan process returned error 0x84004003 PID: 19372 Msg: Scanning Process caught exception:

Stream ID: ac004ea7-28e9-4e36-a3ff-30d0cdd3b86c@atl1s07mta1813.xt.local

ScanID: {B9372861-D1FD-47CC-9946-D2AFBC1C9BAA}

(0x84004003) Unknown error 2214608899. Failed to meet engine bias criteria (Available) for filter type (Malware):

Selected engine(s): Microsoft

Available engine(s):

Offline engine(s): ID: {b9372861-d1fd-47cc-9946-d2afbc1c9baa}

[–]RiceeeChrispiesJack of All Trades 4 points5 points  (1 child)

Same error, not working after update. That’s annoying.

Edit: Rebooting server fixed this.

[–]Max171121 2 points3 points  (0 children)

Thanks sysadmin!

The solution (manual) worked for me: https://techcommunity.microsoft.com/t5/exchange-team-blog/email-stuck-in-transport-queues/ba-p/3049447

Takes 30 minutes! There is no progress bar or anything; I checked the progress and version with Get-EngineUpdateInformation.

Good luck.
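Since the update gives no progress indication, an added example (not code from the thread or from Microsoft) that polls every transport server for the engine state with the same cmdlet named above. It assumes PowerShell Remoting to the Exchange servers, that it runs from the Exchange Management Shell (for Get-ExchangeServer), and that the Microsoft.Forefront.Filtering.Management.PowerShell snap-in, which ships with Exchange, is what exposes Get-EngineUpdateInformation. The "bad update" test is derived from the 2201010002 value quoted in this thread: any update number that starts with a 2022 year prefix, i.e. 2200000000 or higher, is one the engine cannot load.

```powershell
# Added example, not code from the thread: per-server FIP-FS engine state.
function Get-FipFsEngineState {
    param([string[]]$Server = (Get-ExchangeServer | Select-Object -ExpandProperty Name))

    Invoke-Command -ComputerName $Server -ScriptBlock {
        # The filtering snap-in is installed with Exchange on each server.
        Add-PSSnapin Microsoft.Forefront.Filtering.Management.PowerShell -ErrorAction Stop
        Get-EngineUpdateInformation
    } | ForEach-Object {
        $ver = 0
        $null = [int64]::TryParse([string]$_.UpdateVersion, [ref]$ver)
        [pscustomobject]@{
            Server           = $_.PSComputerName
            Engine           = $_.Engine
            UpdateVersion    = $_.UpdateVersion
            SignatureVersion = $_.SignatureVersion
            LastUpdated      = $_.LastUpdated
            UpdateStatus     = $_.UpdateStatus
            # 22yymmdd-prefixed numbers (>= 2200000000) are the ones that fail to load.
            StillOnBadUpdate = ($ver -ge 2200000000)
        }
    }
}

# Re-run this until StillOnBadUpdate is $false everywhere before re-enabling the malware agent.
Get-FipFsEngineState | Format-Table -AutoSize
```

The UpdateVersion is parsed with TryParse rather than cast, so a server that has never completed an update (empty UpdateVersion) reports $false instead of throwing and dropping out of the table.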

[–]ecar13 5 points6 points  (0 children)

Whoever the fuck predicted Y2K was off by 22 years.

[–]PublicEntertainer 4 points5 points  (0 children)

Thanks so much for sharing this. Microsoft killed my New Year's Eve!

[–]DogResponsible8491 3 points4 points  (0 children)

Yes, currently been up half the night trying to find info on this issue.

'The FIP-FS "Microsoft" Scan Engine failed to load. PID: 12128, Error Code: 0x80004005. Error Description: Can't convert "2201010002" to long.'

Got to love Microshaft.

[–]diezeldeez_ 2 points3 points  (0 children)

Because of this post we did not wake up to a barrage of calls and an email shit storm. Thank you very much for posting this.

Edit: people will downvote anything, I was just saying thank you.

[–]pssssn 1 point2 points  (0 children)

Also encountering this, thank you for the post.

[–]itguy3001 1 point2 points  (0 children)

Saved my ass. Thanks!

[–]NeverEv3rGiveUpWindows Admin 1 point2 points  (0 children)

Happy new year! Same thing here guys! We have more than 150 of our customers affected.

[–]togenshiJack of All Trades 1 point2 points  (0 children)

Yep affected as well, bypass malware filter until further notice.

[–]BuschLightDrinkn 1 point2 points  (0 children)

Wow. Thank you so much for posting this!! Confirmed PS script worked for us. Great job finding this.

[–]DogResponsible8491 1 point2 points  (0 children)

I've disabled FIPFS, restarted the transport service, bypassed filtering and *still* getting the errors showing and email not being sent.

Transport engine failed to evaluate condition due to Filtering Service error. The rule is configured to ignore errors. Details: 'Organization: '' Message ID 'KTKATYL4PFU4.39SHENK9W21W3@BY1PEPF00001B88' Rule ID '845cc901-be66-401c-9e22-deb0ab244ec1' Predicate 'containsDataClassification' Action ''. FilteringServiceFailureException Error: Microsoft.Exchange.MessagingPolicies.Rules.FilteringServiceFailureException: FIPS data classification failed with error: 'Scan request timed out on the queue:'. See inner exception for details ---> Microsoft.Filtering.ScanQueueTimeoutException: Scan request timed out on the queue:
at Microsoft.Filtering.InteropUtils.ThrowPostScanErrorAsFilteringException(WSM_ReturnCode code, String message)
at Microsoft.Filtering.FilteringService.EndScan(IAsyncResult ar)
at Microsoft.Filtering.FipsDataStreamFilteringService.EndScan(IAsyncResult ar)
at Microsoft.Exchange.MessagingPolicies.Rules.FipsFilteringServiceInvoker.ScanComplete(IFipsDataStreamFilteringService filteringService, ScanCompleteCallback scanCompleteCallback, IAsyncResult asyncResult, ITracer tracer)
--- End of inner exception stack trace ---
at Microsoft.Exchange.MessagingPolicies.Rules.FipsFilteringServiceInvoker.GetDataClassifications(Dictionary`2 classificationsToLookFor, FilteringServiceInvokerRequest filteringServiceInvokerRequest, ITracer tracer, FilteringResults& textExtractionResults)
at Microsoft.Exchange.MessagingPolicies.Rules.BaseTransportRulesEvaluationContext.get_DataClassifications()
at Microsoft.Exchange.MessagingPolicies.Rules.TransportRulesEvaluationContext.get_DataClassifications()
at Microsoft.Exchange.MessagingPolicies.Rules.MessageProperty.OnGetValue(RulesEvaluationContext baseContext)
at Microsoft.Exchange.MessagingPolicies.Rules.Property.GetValue(RulesEvaluationContext context)
at Microsoft.Exchange.MessagingPolicies.Rules.ContainsDataClassificationPredicate.OnEvaluate(RulesEvaluationContext baseContext)
at Microsoft.Exchange.MessagingPolicies.Rules.PredicateCondition.Evaluate(RulesEvaluationContext context)
at Microsoft.Exchange.MessagingPolicies.Rules.AndCondition.Evaluate(RulesEvaluationContext context)
at Microsoft.Exchange.MessagingPolicies.Rules.RulesEvaluator.EvaluateCondition(Condition condition, RulesEvaluationContext evaluationContext)
at Microsoft.Exchange.MessagingPolicies.Rules.TransportRulesEvaluator.EvaluateCondition(Condition condition, RulesEvaluationContext evaluationContext). Message-Id:KTKATYL4PFU4.39SHENK9W21W3@BY1PEPF00001B88'

[–]SuitAdministrative96 1 point2 points  (0 children)

Our Exchange 2016 was affected. Thanks for this! PS script worked like a charm. Hope MS fixes this soon.

[–]insufficient_fundsWindows Admin 1 point2 points  (0 children)

Thank you jesus! I spent from 11:30-12:30 looking into reports of mail not going out; fortunately for my org, we're entirely on o365, but just have internal servers to act as mail relay for stuff generated by on-prem systems... but still - on just one of our 10ish exchange boxes, I saw 400+ mails queued by 1a. I haven't personally dealt with Exchange issues in literally years... once every 10 weeks on-call, and we almost never get exchange related issues.. geez

[–]jmch783 1 point2 points  (0 children)

Does anyone know if Microsoft has already pulled this update from the URL listed in the primaryupdatepath? For example, our EU based nodes were impacted but US-East nodes appear to be unaffected (as of now). The EU based primaryupdatepath URL is different from the US-East URL.

[–]wirtnix_wolf 1 point2 points  (0 children)

Hi, that post saved my day! Thank you folks! Is there information about when MS will send correct updates again so the malware filter can be activated again?

[–]l337scum 1 point2 points  (0 children)

Disabling Antimalware scanning in the transport agent is the only way to get past this right now. Been following it here: https://twitter.com/JRoosen/status/1477120097747677184

[–]praetorfenixSysadmin 1 point2 points  (0 children)

Holy crap you saved my still half drunk bacon!

[–]carfo 1 point2 points  (0 children)

Fuck, I learned my lesson. Tried to troubleshoot this for hours this morning and of course it's fucking MS. Kept asking myself: what changed? Sigh. Well, thanks Reddit.

[–]PizzaCatLover 1 point2 points  (0 children)

Thanks for the post. We're unaffected because we're on 365, but we have clients who are impacted. Good to know what's going on. Y2K came 22 years late!

[–]bsitko 1 point2 points  (0 children)

Another Microsoft fail in a year full of them. I can confirm the bug on my onprem 2016. I can also confirm that this workaround works.

[–]Swampycore 1 point2 points  (0 children)

Thanks for the info! Restored mail flow before anyone even noticed.

[–]ShakesTech 1 point2 points  (0 children)

Thanks so much, disabling worked for me.

[–]The_Great_88 1 point2 points  (0 children)

Thank OP!

Our 9 on-prem 2016 CU22 all required this to get mail flowing.

<Gibbs style head slap to MS>

[–]carp3tguySysadmin 1 point2 points  (0 children)

Went and checked my Exchange queue after seeing this post and sure enough I’m affected, thanks for posting buddy

[–]DdraigJack of All Trades 1 point2 points  (0 children)

Should have checked this 14 hours ago :D

[–]carpetflyer 1 point2 points  (0 children)

Thank you! You saved me. I thought we hit back pressure and I was increasing disk space of the root drive. Still wasn't working.

[–]Al3nMicL 1 point2 points  (0 children)

I guess being a sys-admin really is a 24/7, 365 day kind of job. Lol

[–]rs-sysa077 1 point2 points  (0 children)

Thanks, nice way to wake up this morning. Appreciate your post. We have mail flowing again and await Microsoft's fix. Good grief.