Forum Discussion

SABBIRRUBAYAT's avatar
SABBIRRUBAYAT
Brass Contributor
Jan 01, 2022
Solved

Exchange Server Mail Stuck on Queue due to Microsoft Bug 01/01/2022

There is a live Bug going on in On premise Exchange. To resolve the issue Please Disable your Antimalware filter just for now so you can start your communication again. Please note that this is not f...
  • LeeMEI's avatar
    LeeMEI
    Jan 01, 2022

    amaltsev Are you sure this is a cyberattack and not a bug?  According to most reports I've read, this is due to a failure converting to a new date and occurred at midnight UTC.

stopnik's avatar
stopnik
Copper Contributor
Jan 01, 2022

SABBIRRUBAYAT - just a note that it's not a cyber attack, it's an int32 conversion issue with the date code of the 2022 signatures that Microsoft still hasn't fixed.

 

I had also originally disabled malware scanning using the disable scripts last night to get things working, but the problem with this is that the malware definitions/engines are never updated for the FIP-FS service when you do that...it's better to set all your servers to bypass scanning instead.  I had tried this last night before the internet blew up (this is for 2013 but same thing for 2016/2019 - https://docs.microsoft.com/en-us/exchange/disable-or-bypass-anti-malware-scanning-exchange-2013-help).  The problem with that article is it doesn't say to restart the transport service after running the bypass command - but you have to do that for it to take effect. 

 

If you do it this way, mailflow will work and your definitions will continue to be updated so that hopefully when Microsoft fixes this your servers will be updated so that when you remove the bypass things continue to work (rather than re-enabling scanning, then waiting for the engines to update which takes a long time/breaks your mail flow again).

azuser's avatar
azuser
Copper Contributor
Jan 01, 2022

I only ran the two steps below, and the email started to flow after.
1. Disable-Antimalwarescanning.ps1
2. restart the transport service
I did not run Set-MalwareFilteringServer <ServerIdentity> - BypassFiltering $true instead of the above two.

Will the next Exchange patch release installation re·vert
the antimalware agent back "on," as on the default installation, and again we have to disable the agent?

  • SABBIRRUBAYAT's avatar
    SABBIRRUBAYAT
    Brass Contributor
    Jan 03, 2022
    Hopefully yes
  • stopnik's avatar
    stopnik
    Copper Contributor
    Jan 01, 2022
    It’s one or the other, not both - I personally recommend bypassing instead of full disable so you’re still receiving updates. Your malware scanning will stay on bypass for each exchange server until you set it back to disabled and restart the transport services again. But it’s entirely up to you on what you do…

    I can’t believe Microsoft support hasn’t released anything official about this at this point.
    • Corbett_Enders's avatar
      Corbett_Enders
      Copper Contributor
      Jan 02, 2022
      How funny that IF this was a cyber attack (which it is not) that your recommendation is to bypass/disable filtering.

      If it was a cyberattack, I think you’d want to leave filtering enabled even if it meant no mail flowing for a while…
      • SABBIRRUBAYAT's avatar
        SABBIRRUBAYAT
        Brass Contributor
        Jan 03, 2022
        Apologize for my mistake identifying as cyber attack . Actually the behavior pattern was like that . anyway lucky it was a bog not an attack

Resources