I've been diagnosing for the past day or so some issues with an Exchange 2019 server related to Antimalware filtering/scanning. This was disabled on our server, I enabled it, and restarted the transport service per the Microsoft docs:
- https://docs.microsoft.com/en-us/exchange/antispam-and-antimalware/antimalware-protection/antimalware-procedures?view=exchserver-2019#use-the-exchange-management-shell-to-enable-or-disable-malware-filtering-on-mailbox-servers
- https://docs.microsoft.com/en-us/exchange/antispam-and-antimalware/antimalware-protection/download-antimalware-updates?view=exchserver-2019
In Event Viewer, however, we're getting some logs that indicate this isn't working:
Event 6031, FIPFS: MS Filtering Engine Update process has successfully downloaded updates for Microsoft.
Event 6034, FIPFS: MS Filtering Engine Update process is testing the Microsoft scan engine update
Event 6035, FIPFS: MS Filtering Engine Update process was unsuccessful in testing an engine update.
Engine: Microsoft
It looks like it fails for some reason and logs "MS Filtering Engine Update process was unsuccessful in testing an engine update."
Then the process repeats and we can see it trying again:
Event 7003, FIPFS: MS Filtering Engine Update process has successfully scheduled all update jobs.
Event 6024, FIPFS: MS Filtering Engine Update process is checking for new engine updates.
Scan Engine: Microsoft
Update Path: http://amupdatedl.microsoft.com/server/amupdate
Event 6030, FIPFS: MS Filtering Engine Update process is attempting to download a scan engine update.
Scan Engine: Microsoft
Update Path: http://amupdatedl.microsoft.com/server/amupdate.
Event 6031, FIPFS: MS Filtering Engine Update process has successfully downloaded updates for Microsoft.
Event 6034, FIPFS: MS Filtering Engine Update process is testing the Microsoft scan engine update
Event 6035, FIPFS: MS Filtering Engine Update process was unsuccessful in testing an engine update.
Engine: Microsoft
The configuration settings look fine and we've allowed both amupdatedl.microsoft.com and forefrontdl.microsoft.com through the firewall. (It appears that's working because it says downloaded successfully in the Event Viewer logs.)
Any ideas / help would be much appreciated! Thank you!
Edit: One other note, it does seem to be trying to download and use some of the scan engine updates as evidenced by this staging folder here with recent timestamps.
I also found some other resources that suggested a permissions issue, but I checked and Network Service has full permissions to E:\Program Files\Microsoft\Exchange Server\V15\FIP-FS\Data
Things I've looked at:
- https://social.technet.microsoft.com/Forums/en-US/832e155e-054a-4e1c-8ce0-41a778abe8ff/exchange-2016-cu11-antimalware-automatic-update-fails?forum=Exch2016MFSM
- http://www.networksteve.com/exchange/topic.php/Error_of_Get-EngineUpdateInformation_in_Exchange_2013/?TopicId=56872&Posts=3
- https://martijnwestera.blogspot.com/2015/08/exchange-2013-built-in-anti-malware-ms.html
- https://www.reddit.com/r/exchangeserver/comments/2kvxj5/updating_antimalware_engine_in_ex2013cu6/
- https://docs.microsoft.com/en-us/archive/blogs/ehlro/exchange-2013-malware-engine-updates-troubleshooting
- https://social.technet.microsoft.com/Forums/lync/en-US/09b9b26e-5898-42de-958d-ab967398bab8/error-id-6027-ms-filtering-engine-update-process-was-unsuccessful-in-contacting-the-primary-update?forum=exchangesvrgeneral
- https://docs.microsoft.com/en-us/exchange/download-engine-and-definition-updates-exchange-2013-help?redirectedfrom=MSDN
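Added example (not part of the original post or of any reply in this thread): a PowerShell function that groups the FIPFS events quoted in the question into update cycles and reports the stage each cycle reached, which separates the "downloaded, then failed the engine test" pattern shown above from a download or firewall failure. The function name, the sample timestamps and the use of FIPFS as the event provider name are assumptions; the event IDs and their meanings are the ones quoted in the post.

```powershell
# Added example, not from the thread. Event IDs and meanings are those quoted in the post.
$Stage = @{ 6024 = 'Check'; 6030 = 'DownloadStart'; 6031 = 'Downloaded'; 6034 = 'Testing'; 6035 = 'TestFailed' }

function Get-FipfsUpdateCycle {
    # Hypothetical helper. $Events must be in chronological order, each with .Id and .TimeCreated.
    param([Parameter(Mandatory)] [object[]] $Events)

    $cycle = $null
    foreach ($e in $Events) {
        $id = [int]$e.Id
        if (-not $Stage.ContainsKey($id)) { continue }   # e.g. 7003 (scheduling) is skipped
        # 6024 opens a new cycle; so does the first tracked event when the log starts mid-cycle.
        if ($id -eq 6024 -or $null -eq $cycle) {
            if ($null -ne $cycle) { $cycle }             # emit the finished cycle
            $cycle = [pscustomobject]@{
                Started = $e.TimeCreated; LastStage = $null
                Downloaded = $false; TestFailed = $false; Verdict = $null
            }
        }
        $cycle.LastStage = $Stage[$id]
        if ($id -eq 6031) { $cycle.Downloaded = $true }
        if ($id -eq 6035) { $cycle.TestFailed = $true }
        $cycle.Verdict = if ($cycle.Downloaded -and $cycle.TestFailed) {
            'Download OK, failed at engine test stage'
        } elseif ($cycle.TestFailed) {
            'Engine test failed'
        } else {
            'No failure event among the tracked IDs'
        }
    }
    if ($null -ne $cycle) { $cycle }                     # emit the last cycle
}

# Constructed sample mirroring the event order in the post (timestamps are made up).
$t0  = [datetime]'2021-12-10T11:00:00'
$ids = 6031, 6034, 6035, 7003, 6024, 6030, 6031, 6034, 6035
$sample = for ($i = 0; $i -lt $ids.Count; $i++) {
    [pscustomobject]@{ Id = $ids[$i]; TimeCreated = $t0.AddSeconds(10 * $i) }
}
Get-FipfsUpdateCycle -Events $sample | Format-Table Started, LastStage, Verdict -AutoSize

# On the server itself (assumption: the provider name matches the 'FIPFS' source shown in the post):
# Get-FipfsUpdateCycle -Events (Get-WinEvent -Oldest -FilterHashtable @{ LogName = 'Application'; ProviderName = 'FIPFS' })
```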
Got this event since the 8th of December on 2 Exchange 2016 and 2 Exchange 2019 Servers. Looks like a common problem with both download paths. No Updates since then.
Engine : Microsoft
LastChecked : 12.10.2021 11:42:51 +01:00
LastUpdated : 12.08.2021 01:13:24 +01:00
EngineVersion : 1.1.18700.4
SignatureVersion : 1.353.2243.0
SignatureDateTime : 12.07.2021 06:41:19 +01:00
UpdateVersion : 2112070009
UpdateStatus : UpdateAttemptFailed
14th of December: I opened an MS ticket. Let's see...
I have done some research; there are many things that can cause this issue. You could use FPSDiag.exe (E:\Exchange Server\FIP-FS\bin) to generate a log to analyse this error.
In addition, I have found a similar thread with some discussion of this issue for your reference, and I hope it is helpful to you.
Related blog: Problem z aktualizacją Antimalware w Exchange 2013
Good news: since this morning the updates are working again. Maybe because of my post on the Exchange team blog or because of my MS ticket. Look for yourself. Everything's fine :)
Had this issue (FIPS-FS Scan Process Failed errors (0x80010105) and Application Error on scanningprocess.exe (0xc0000005)) and in addition to running the https://aka.ms/ResetScanEngineVersion script provided by Microsoft I also ran the official HealthChecker script at https://microsoft.github.io/CSS-Exchange/Diagnostics/HealthChecker/
This revealed that the Visual C++ 2013 Redistributable package had been removed from the server, an Exchange prerequisite - once reinstalled, the malware scanner component worked properly again :)
https://docs.microsoft.com/en-us/exchange/exchange-2013-prerequisites-exchange-2013-help