Problems with GroupShield 6.0 on Exchange 2000 Clustered 2

Status
Not open for further replies.
Mar 10, 2004
We are currently experiencing issues on our Exchange cluster after upgrading from GroupShield 5.2 to 6.0. After 10 days of GS 6.0 being in production, the Exchange servers have essentially hung and forced us to do a manual failover 7 times now.

The servers are still 100% up, the services are all hot, and all looks well, but clients cannot connect to the Exchange servers and/or get very long delays (upwards of 5 minutes) before Exchange will respond, only to hang again.

Initially, we were seeing very high CPU utilization via the RPCService that relies on GS (50-75%), however, not even that is a constant anymore (sometimes it's as low as 10% during these 'outages')

We were originally able to blame the outages on excessive number of viruses coming through the system recently, but we can't use that as a crutch anymore :)

We're working with NAI to help get some solutions (i.e. secret hotfixes) but at this stage I'm ready to yank out 6.0 and put 5.2 back on since I know it's stable. 6.0 is a good product, but I don't know if it's ready for primetime or not.

Has anyone else experienced this or would like to share other GS 6.0 woes in their production environment? For frame of reference we're running on Dell PowerEdge servers (6650s) in an Active/Passive configuration. The server also has 7.1 enterprise and ePO agent version 3.1.1.184.

Thank you very much!

-blissfulnoise
 
Hi.

I've also upgraded my GS from 5.2 to 6.0 and I've experienced a lot of strange problems, e.g. 100% CPU, GS frontend with JRE problems, etc.

In my case I've uninstalled all AV products (VS 7.10, ePO agent and GShield). Then I've cleaned Network Associates registry entries from HKLM.

After that I've made a GroupShield clean install, I've installed VS 7.10 (with NAI and Microsoft recommended exclusions) and everything went fine.

 
What are the registry keys to clean?

I have been having no luck w/ 6.0 and I'm going back to 5.2
 
Hi there,

We're experiencing the exact same issues - are you aware of any patches or fixes yet?

This is causing us serious problems, so any advice would be appreciated.

Thanks,
Adrian.

a.wheway@leeds.ac.uk
 
Just for a follow up we have received virtually 0 support from NAI on this.

We are now actually running on ScanMail from Trend Micro on our primary exchange server. I don't like the interface as much as GS but it's not bringing down the server which is a very good thing.

We still have GS 6.0 running on our Exchange Messaging server (it also is a public folder replication spot) and it's doing the same thing that our cluster did. So apparently this isn't exclusive to clustering solutions.

If anyone can get a straight answer out of NAI regarding the fact that their product does not apparently work in a large number of distributions (check their own forums too) please post here. Otherwise I'd recommend settling on 5.2 for the time being for everyone who's thinking of upgrading or giving another vendor a call... one that is a bit more active in supporting their products.

Going and hacking their products off of the server manually is not a solution I want from a provider like NAI. If I've gotta go and clean slate my exchange server, it's sure not going to be to put the same product that caused the original heartache back on.
 
Another follow-up, I agree with the assessment that the 6.0 is not ready for primetime, I am going back to the 5.2 as well at this stage. The functionality is just not there in 6.0. I feel that the 5.2 had better real features that 6.0 does not have. Sure 6.0 has some nice bells and whistles, but I am not trying to go there when it comes to a virus outbreak.

For those of you not using ePolicy Orchestrator by McAfee - I highly recommend it. It has saved us once or twice.

We seem to have a consensus here, any people out there all for the 6.0?

q
 
I recently had plans on going to Groupshield 6.0 but got talked out of it because of feedback from these forums and with Network Associates Tech Support even admitting there are problems with 6.0 but can be fixed with a hotfix. I called NAI Tech Support to ask them the best method to uninstall Groupshield 5.2, could I do it with just Add/Remove programs? Or do I have to do a manual uninstall from Registry (I'll get to my point in a minute). During this conversation he tried to talk me into going to 6.0 (after I told him I was going with a Sophos product) and his response was, "You should go to 6.0 but there are some problems that can be fixed with a hotfix". Did not have a warm feeling about this product. My whole idea is I need the virus product not to forward warnings to the Recipient that Groupshield has found a virus but has replaced it with its own attachment. Apparently Groupshield 6.0 does this but from the sound of this forum all of you are having nightmares. Thankfully I did not have to deal with this. Now back to my point. The Tech Support told me I could simply use the Add/Remove programs to remove 5.2. Taking their advice, they were wrong. I had to painfully remove a bunch of registry entries which can be scary. I have had lots of Tech Support calls with these people and they always seem to give you the wrong info and steer you in the wrong direction. I would recommend Sophos. Good product and excellent Tech Support.

For reference, to cleanly uninstall Groupshield 5.2 and Groupshield 6.0 from registry.

(Groupshield 5.2)

(Groupshield 6.0)
 
Where is the informational link for the hotfix? What does it resolve?

Thanks
 
RESOLVED ISSUES

1. RPCSERV.EXE exception at address 67202B19 when running
an On Demand scan of Public folders with Outbreak
Manager enabled. High CPU usage may also occur.

2. RPCSERV.EXE exception at addresses 780c258c and
05675618 caused by Notification messages.

3. This Patch resolves 2 possible issues where RPCSERV.EXE
generated a fatal exception error at address 6410401F
or 64104219. If Network Associates Error Reporting was
enabled, a crash report would also be produced.

4. This Patch resolves an issue where an email address
of the format firstname.lastname@emailaddress.domain
was not recognized as a valid address.

5. This Patch resolves an issue where removing names
from one Policy Group would cause items from another
Policy Group to be removed.

6. Under heavy load conditions a Microsoft Exchange
server with McAfee GroupShield v6.0 installed may
become unresponsive to client requests. This
typically manifests itself as clients dropping
connections, unable to connect or showing messages
at the client similar to "Unable to contact
<servername>, the server has become unresponsive".
Upon viewing the process information via task
manager from the server, RPCServ.exe is consuming
50-100% utilization.

7. This Patch resolves an issue where RPCSERV.EXE
generated a fatal exception error at address 77f486f9
caused by Spam notification. If Network Associates
Error Reporting was enabled, a crash report would
also be produced.

8. This Patch resolves an issue where the Spam score
was not added to the header. If the email that was
sent had a score that was less than the threshold,
the header info was applied.

9. The action "Replace the item with an alert message",
when applied on a zip file containing banned file(s),
previously replaced the banned file(s) with an alert
html file(s) having the name equal to the original
file name. This Patch now uniformly names the alert
files within a zip as "WARNING.HTM". If there are a
number of files replaced in the .ZIP, the file
WARNING.HTM will be prefixed with a number.

10. This Patch resolves an issue where system emails may
cause the scanner to hang when Policies that were
based on Active Directory policies were being used.

11. This Patch resolves an issue where the server became
locked and users were unable to contact Exchange.
 
We have been having the same problem for nearly a month now. We got the Patch1 from NAI and applied it to our Exchange cluster. But the problem still exists. Called up NAI support and they acknowledged the Patch1 does not resolve the problem 100%, and many customers have reported problems even after Patch1. The solution given by NAI: roll back to GS 5.2. That's what we did on Friday, Exchange has been a baby since then. CPU never hit more than 8 - 9% on an average. Bye Bye GS 6.0
 
Unbelievable feedback. I don't believe Network Associates has not corrected the problem by this point. I liked GSE5.2 but you cannot prevent the warning messages from going to the end user. We ended up going to a Sophos Mail Monitor product instead.
 
Just to add to our NAI laments - we installed VirusScan 7.1 on an Exchange server running Groupshield 5.2. The install of VS 7.1 hosed the Groupshield alert manager (at a minimum). The uninstall of Groupshield fails to automate and it appears a manual uninstall is the only solution. Help (we are now about 5-6 days into this) is not fast or forthcoming from NAI. We are pushing for an NAI engineered solution, short of a complete rebuild, as we have other servers in this upgrade path. I might add, we were especially careful this time because a previous install in the NetShield-VirusScan/Groupshield environment had similar bad results.
A direct question pre-install to NAI techs on this project was a big "no problem". SURE!

 
In VirusScan7.1 did you exclude your Exchange Server directories? And did you exclude the M:/ drive? Also some other drives you would need to exclude. I know when I had VirusScan Enterprise with Groupshield 5.2 I did not have any problems.
 
We also are having problems with Groupshield 6.0 with all the publicly available hot fixes installed. If I try to use VSAPI as my scanning method, then the infected message is sent to the end user with the warning.htm following behind as the next message in the queue. When I change to Transport Scanning, then the infected message is replaced with the alert. Also, if I create an on-demand scan to run once it will start. If I create an on-demand scan to run daily, it will run once, and the next day it will fail within 15 seconds of launch. I spent over two hours on the phone with NAI, eventually they ran their diagnostics program, zipped up a bunch of stuff and I have not heard from them since. Our contract is up in August. What have you heard about CA's products?
 
God bless you all for finding a solution to the RPCServ.exe gobbling up CPU time and making it searchable by Google.
 