Forum Discussion
Exchange Server Mail Stuck on Queue due to Microsoft Bug 01/01/2022
SABBIRRUBAYAT - just a note that it's not a cyber attack, it's an int32 conversion issue with the date code of the 2022 signatures that Microsoft still hasn't fixed.
I had also originally disabled malware scanning using the disable scripts last night to get things working, but the problem with this is that the malware definitions/engines are never updated for the FIP-FS service when you do that...it's better to set all your servers to bypass scanning instead. I had tried this last night before the internet blew up (this is for 2013 but same thing for 2016/2019 - https://docs.microsoft.com/en-us/exchange/disable-or-bypass-anti-malware-scanning-exchange-2013-help). The problem with that article is it doesn't say to restart the transport service after running the bypass command - but you have to do that for it to take effect.
If you do it this way, mailflow will work and your definitions will continue to be updated so that hopefully when Microsoft fixes this your servers will be updated so that when you remove the bypass things continue to work (rather than re-enabling scanning, then waiting for the engines to update which takes a long time/breaks your mail flow again).
I only ran the two steps below, and the email started to flow after.
1. Disable-Antimalwarescanning.ps1
2. restart the transport service
I did not run Set-MalwareFilteringServer <ServerIdentity> -BypassFiltering $true instead of the above two.
Will the next Exchange patch release installation revert the antimalware agent back "on," as on the default installation, and again we have to disable the agent?
- SABBIRRUBAYAT, Jan 03, 2022, Brass Contributor
Hopefully yes
- stopnik, Jan 01, 2022, Copper Contributor
It’s one or the other, not both - I personally recommend bypassing instead of full disable so you’re still receiving updates. Your malware scanning will stay on bypass for each Exchange server until you set it back to disabled and restart the transport services again. But it’s entirely up to you on what you do…
I can’t believe Microsoft support hasn’t released anything official about this at this point.
- Corbett_Enders, Jan 02, 2022, Copper Contributor
How funny that IF this was a cyber attack (which it is not) that your recommendation is to bypass/disable filtering.
If it was a cyberattack, I think you’d want to leave filtering enabled even if it meant no mail flowing for a while…
- SABBIRRUBAYAT, Jan 03, 2022, Brass Contributor
Apologize for my mistake identifying as cyber attack. Actually the behavior pattern was like that. Anyway, lucky it was a bug not an attack.