Microsoft has issued an emergency fix for a flaw that has been preventing email delivery on on-premises Microsoft Exchange servers since the start of 2022.
Exchange administrators throughout the world realized that their servers were no longer transmitting email as the year 2022 rolled in and the clock struck midnight. After further investigation, they discovered that mail was becoming stuck in the queue, with one of the following errors appearing in the Windows event log.
Log Name: Application
Source: FIPFS
Logged: 1/1/2022 1:03:42 AM
Event ID: 5300
Level: Error
Computer: server1.contoso.com
Description: The FIP-FS "Microsoft" Scan Engine failed to load. PID: 23092, Error Code: 0x80004005. Error Description: Can't convert "2201010001" to long.

Log Name: Application
Source: FIPFS
Logged: 1/1/2022 11:47:16 AM
Event ID: 1106
Level: Error
Computer: server1.contoso.com
Description: The FIP-FS Scan Process failed initialization. Error: 0x80004005. Error Details: Unspecified error.
These errors occur because Microsoft Exchange tries to store the version value in a signed int32 variable when validating the version of the FIP-FS antivirus scanning engine.
This variable, however, can only hold a maximum value of 2,147,483,647, which is less than the new date value of 2,201,010,001 for midnight on January 1st, 2022.
As a result, when Microsoft Exchange tries to validate the AV scanning version, the conversion fails and the malware engine crashes.
In a blog post, Microsoft said that “the version validation done against the signature file is causing the malware engine to malfunction, resulting in messages being stuck in transport queues.”
Microsoft provided temporary fix
While it works on an update that will fix the problem automatically, Microsoft has provided a temporary workaround that requires client action.
‘Reset-ScanEngineVersion.ps1’ is a PowerShell script that fixes the problem. When the script is run, it will stop the Microsoft Filtering Management and Microsoft Exchange Transport services, delete the old antivirus engine files, download the new antivirus engine, and restart the services.
To apply the fix with the automated script, follow these steps on each on-premises Microsoft Exchange server in your organization:
- Download the Reset-ScanEngineVersion.ps1 script from https://aka.ms/ResetScanEngineVersion.ps1.
- Open an elevated Exchange Management Shell.
- Change the execution policy for PowerShell scripts by running Set-ExecutionPolicy -ExecutionPolicy RemoteSigned.
- Execute the script.
- If you previously disabled the scanning engine, use the Enable-AntimalwareScanning.ps1 script to re-enable it.
Microsoft warns that this process may take some time, depending on the organization’s size.
Microsoft has also provided steps that admins can use to update the scanning engine manually.
Microsoft claims that email will begin to deliver again after running the script, but it may take some time depending on the amount of email that was stuck in the queue.
Microsoft further clarifies that the new antivirus scanning engine will have version number 2112330001, which refers to a date that does not exist, and that administrators should not be concerned by this.
“Microsoft fully supports the newly upgraded scanning engine. The scanning engine version was not rolled back; rather, it was rolled forward into this new sequence, as we need to work on this sequence in the long run,” Microsoft explained.
“In this new sequence, the scanning engine will continue to receive updates.”
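The int32 failure described earlier and the reason the rolled-forward version 2112330001 still loads can be reproduced with a range-checked parser. This is an added example, not Microsoft's or Exchange's code; the function names are hypothetical and the YYMMDDnnnn layout of the version string is an assumption based on the values quoted in the article.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Parse a decimal version string into a signed 32-bit integer (hypothetical helper).
 * Returns 0 on success, -1 if not a plain number, -2 if it does not fit in int32. */
int parse_version_int32(const char *text, int32_t *out)
{
    char *end = NULL;
    errno = 0;
    long long v = strtoll(text, &end, 10);
    if (end == text || *end != '\0')
        return -1;
    if (errno == ERANGE || v > INT32_MAX || v < INT32_MIN)
        return -2;
    *out = (int32_t)v;
    return 0;
}

/* What an unchecked narrowing cast would store instead: the low 32 bits
 * (implementation-defined in C; two's-complement wrap on common compilers). */
int32_t wrapped_int32(const char *text)
{
    return (int32_t)(uint32_t)strtoull(text, NULL, 10);
}

/* Largest YYMMDD prefix that fits before four sequence digits (assumed layout). */
int32_t max_date_prefix(void)
{
    return INT32_MAX / 10000;
}

int main(void)
{
    /* First two values are from the article; the third is constructed. */
    const char *samples[] = { "2201010001", "2112330001", "2112310001" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int32_t v = 0;
        int rc = parse_version_int32(samples[i], &v);
        if (rc == 0)
            printf("%s fits in int32: %d\n", samples[i], (int)v);
        else
            printf("%s rejected (rc=%d), a blind cast would give %d\n",
                   samples[i], rc, (int)wrapped_int32(samples[i]));
    }
    printf("largest usable YYMMDD prefix: %d\n", (int)max_date_prefix());
    return 0;
}
```

Under the assumed layout, the largest prefix that fits is 214748, so every value starting with year 22 or later overflows, while 2112330001 stays inside the 21 prefix by using a day number past the end of December.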
Updated on 1/32/22 to update the maximum value of the int32 variable.