As we roll into the new year, many new vulnerabilities are being uncovered, exposing organizations’ critical digital assets to various cyber risks. It seems Microsoft welcomed the year 2022 with a security issue that prevents its Exchange servers from sending and receiving emails. The technology giant recently released a patch to address a security vulnerability that causes email messages to get stuck in the transport queues of on-premises Exchange Server 2016 and Exchange Server 2019. Microsoft stated that the issue is related to a date check failure with the change of the year and is not an issue with malware scanning, the malware engine, or a security-related problem. Microsoft clarified that Edge Transport servers are unaffected by this vulnerability.
“The version checking performed against the signature file is causing the malware engine to crash, resulting in messages being stuck in transport queues. We have now created a solution to address the problem of messages stuck in transport queues on Exchange Server 2016 and Exchange Server 2019 because of a latent date issue in a signature file used by the malware scanning engine within Exchange Server,” Microsoft stated.
Affected servers log the following error when the issue occurs:
- Log Name: Application
- Logged: 1/1/2022 1:03:42 AM
- Event ID: 5300
- Description: The FIP-FS “Microsoft” Scan Engine failed to load. PID: 23092,
- Error Code: 0x80004005
- Error Description: Can’t convert “2201010001” to long
To fix the issue, Microsoft urged users to download a PowerShell-based scan engine reset script and run it on each Exchange mailbox server that downloads antimalware updates.
Fixing the Issue Automatically
- Download the script here: https://aka.ms/ResetScanEngineVersion
- Before running the script, change the execution policy for PowerShell scripts by running Set-ExecutionPolicy -ExecutionPolicy RemoteSigned.
- Run the script on each Exchange mailbox server that downloads antimalware updates in your organization (use elevated Exchange Management Shell).
Fixing the Issue Manually
- Remove the existing engine and metadata: stop the Microsoft Filtering Management service.
- Use Task Manager to ensure that updateservice.exe is not running.
- Delete the folder: %ProgramFiles%\Microsoft\Exchange Server\V15\FIP-FS\Data\Engines\amd64\Microsoft.
- Remove all files from the folder %ProgramFiles%\Microsoft\Exchange Server\V15\FIP-FS\Data\Engines\metadata.
- Update to the latest engine: start the Microsoft Filtering Management service and the Microsoft Exchange Transport service.
- Open the Exchange Management Shell, navigate to the Scripts folder (%ProgramFiles%\Microsoft\Exchange Server\V15\Scripts), and run Update-MalwareFilteringServer.ps1 <server FQDN>
- Verify engine update info: in the Exchange Management Shell, run Add-PSSnapin Microsoft.Forefront.Filtering.Management.Powershell.
- Run Get-EngineUpdateInformation and verify the UpdateVersion information is 2112330001.
Microsoft stated the script (patch) might take some time to run, based on the size of the organization and the number of messages queued up.
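The "Can't convert "2201010001" to long" error quoted above is an integer range failure, which the following added PowerShell example illustrates; it is not Microsoft's reset script or code from the article. It assumes "long" means a 32-bit signed integer; the helper names Test-FitsInt32 and Get-ScanEngineLoadFailure are hypothetical, and the sample event text is constructed from the message quoted above.

```powershell
# Added example: why event 5300 reports "Can't convert ... to long".
# Assumption: "long" here is a 32-bit signed integer (maximum 2147483647).

function Test-FitsInt32 {
    # Returns $true when the version string parses as a 32-bit signed integer.
    param([Parameter(Mandatory)][string]$Version)
    $parsed = 0
    # TryParse returns $false on overflow instead of throwing.
    return [int]::TryParse($Version, [ref]$parsed)
}

function Get-ScanEngineLoadFailure {
    # Hypothetical helper: extracts the rejected signature version from
    # event 5300 description text and reports whether it fits in Int32.
    param([Parameter(Mandatory)][string[]]$Message)
    foreach ($m in $Message) {
        if ($m -match 'Scan Engine failed to load' -and
            $m -match 'convert\s+\W?(?<ver>\d{10})\W?\s+to long') {
            [pscustomobject]@{
                Version   = $Matches['ver']
                FitsInt32 = Test-FitsInt32 $Matches['ver']
                Int32Max  = [int]::MaxValue
            }
        }
    }
}

# Constructed sample, assembled from the event description quoted in the article.
$sample = @(
    'The FIP-FS "Microsoft" Scan Engine failed to load. PID: 23092, ' +
    'Error Code: 0x80004005. Error Description: Can''t convert "2201010001" to long.'
)

Get-ScanEngineLoadFailure -Message $sample | Format-List

# Compare the rejected version with the one the manual fix verifies.
'2201010001', '2112330001' | ForEach-Object {
    '{0} fits in Int32: {1}' -f $_, (Test-FitsInt32 $_)
}
```

On a mailbox server, the same helper can be fed real events with Get-WinEvent -FilterHashtable @{LogName='Application'; Id=5300} | ForEach-Object Message.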