skip to Main Content

Exchange mail flow breaks (Disable AntiMalwareScanning)

Mail flow seems not to be working and the mail queue is getting bigger. If you see these issues, disable AntiMalWareScanning for now on the on-premises Exchange Servers and restart the Microsoft Exchange Server Transport Service.

Update: Microsoft releases a patch. See the part Solution to Exchange mail flow breaks.

Introduction

The mail flow is not working and you can check the error in Event Viewer.

Error
The FIP-FS “Microsoft” Scan Engine failed to load. PID: 9244, Error Code: 0x80004005. Error Description: Can’t convert “2201010005” to long.

Exchange mail flow breaks Event 5300 FIPFS

Get mail queue

Run Exchange Management Shell as administrator and check the queue.

[PS] C:\>Get-ExchangeServer | Get-Queue

MICROSOFT RELEASED A PATCH FOR THE EMAIL STUCK IN TRANSPORT QUEUE. SKIP TO THE SOLUTION DOWN BELOW!!

Fix for Exchange mail flow breaks

There are two ways to fix the Exchange mail flow:

  1. Disable anti malware scanning (1a+2a)
  2. Bypass anti malware filtering (2a+2b)

Both methods will work. Choose one of these options and follow the steps below.

1a. Disable AntiMalWareScanning

In Exchange Management Shell, run the command to disable AntiMalware Scanning on the Exchange Server on-premises.

Note: This command can take a minute or more. Leave it running till it’s successfully run.

[PS] C:\>& $env:ExchangeInstallPath\Scripts\Disable-AntimalwareScanning.ps1

WARNING: The following service restart is required for the change(s) to take effect : MSExchangeTransport
Anti-malware scanning is successfully disabled. Please restart MSExchangeTransport for the changes to take effect.

Note: To re-enable malware filtering, use Enable-Antimalwarescanning.ps1 instead of Disable-Antimalwarescanning.ps1.

You can find the script Disable-AntiMalWareScanning.ps1 in File Explorer.

Exchange mail flow breaks Disable-AntiMalwareScanning

1b. Bypass anti malware filtering

In Exchange Management Shell, run the command to bypass anti malware filtering on the Exchange Servers on-premises.

[PS] C:\>Get-ExchangeServer | % {Set-MalwareFilteringServer -BypassFiltering $true -Identity $_.Name}

2a. Verify AntiMalwareScanning is disabled

To verify that malware filtering is disabled, run the Get-TransportAgent cmdlet and confirm that it returns a value of False.

[PS] C:\>Get-ExchangeServer | % {Get-TransportAgent "Malware Agent"}

Identity       Enabled  Priority
--------       -------  --------
Malware Agent  False    5

2b. Verify bypass filtering is disabled

To verify that malware bypass filtering is disabled, run the Get-MalwareFilteringServer cmdlet and confirm that it returns a value of True.

[PS] C:\>Get-ExchangeServer | % {Get-MalwareFilteringServer}

Name      ForceRescan BypassFiltering DeferWaitTime DeferAttempts UpdateFrequency PrimaryUpdatePath
----      ----------- --------------- ------------- ------------- --------------- -----------------
EX01-2019 False       True            5             3             30              http://amupdatedl.microsoft.com/server/amupdate

3. Restart Exchange Server Transport Service

Restart the Microsoft Exchange Server Transport service.

[PS] C:\>Restart-Service MSExchangeTransport

Restart the Microsoft Exchange Server Transport service on all Exchange Servers.

[PS] C:\>Get-ExchangeServer | % {Get-Service -ServiceName MSExchangeTransport | Restart-Service -Force}

Read more: Restart Exchange Server services through PowerShell »

The queue will start to process the mail.

Solution to Exchange mail flow breaks

Microsoft did release a patch and you can run that in your environment.

Implementation of the solution requires customer actions. These actions can be automated with the scan engine reset script from https://aka.ms/ResetScanEngineVersion or they can be performed manually.

Important: Whether you perform the steps automatically or manually, they must be performed on every Exchange 2016 and Exchange 2019 server in your organization.

If you use the automated script, you can run it on multiple servers in parallel. We recommend starting with the servers in your environment that have the largest queues. You can use Get-Queue to view queue size and determine which queues are the largest.

Note: If you previously disabled or bypassed antimalware scanning as a mitigation for this issue, we recommend that you re-enable it after performing the steps below.

1a. Automated Solution

Download the ResetScanEngineVersion.ps1 PowerShell script and place it on the Exchange Server C:\scripts folder. If you don’t have a scripts folder, create one.

  1. Run Exchange Management Shell as administrator
  2. Run Set-ExecutionPolicy -ExecutionPolicy RemoteSigned
  3. Change the path to the scripts folder
  4. Run the script .\ResetScanEngineVersion.ps1

Important: Run the .\ResetScanEngineVersion.ps1 PowerShell script on each Exchange Server.

Run the script on each Exchange server in your organization. You can run this script on multiple servers in parallel. After the script has completed, you will see the following output:

[PS] C:\>Set-ExecutionPolicy -ExecutionPolicy RemoteSigned
[PS] C:\>cd C:\scripts
[PS] C:\scripts>.\Reset-ScanEngineVersion.ps1
EX01-2019 Stopping services...
EX01-2019 Removing Microsoft engine folder...
EX01-2019 Emptying metadata folder...
EX01-2019 Starting services...
WARNING: Waiting for service 'Microsoft Filtering Management Service (FMS)' to start...
WARNING: Waiting for service 'Microsoft Filtering Management Service (FMS)' to start...
WARNING: Waiting for service 'Microsoft Filtering Management Service (FMS)' to start...
WARNING: Waiting for service 'Microsoft Exchange Transport (MSExchangeTransport)' to start...
EX01-2019 Starting engine update...
Running as EXOIP\administrator.
--------
Connecting to EX01-2019.exoip.local.
Dispatched remote command. Start-EngineUpdate -UpdatePath http://amupdatedl.microsoft.com/server/amupdate
--------

Note: Do you get the error “Cannot stop process” in relation to the updateservice.exe located in the FIP-FS? Ensure that the account you sign in to the Exchange Server has Debug programs user rights under the Local Group Policy. Otherwise, the process will not terminate, and the script fails to run.

1b. Manual Solution

You can can also manually perform steps to resolve the issue and restore service. To manually resolve this issue, you must perform the following steps on each Exchange server in your organization:

Remove existing engine and metadata

  1. Stop the Microsoft Filtering Management service. When prompted to also stop the Microsoft Exchange Transport service, click Yes.
  2. Use Task Manager to ensure that updateservice.exe is not running.
  3. Delete the following folder: %ProgramFiles%\Microsoft\Exchange Server\V15\FIP-FS\Data\Engines\amd64\Microsoft.
  4. Remove all files from the following folder: %ProgramFiles%\Microsoft\Exchange Server\V15\FIP-FS\Data\Engines\metadata.

Update to latest engine

  1. Start the Microsoft Filtering Management service and the Microsoft Exchange Transport service.
  2. Open the Exchange Management Shell.
  3. Navigate to the Scripts folder (%ProgramFiles%\Microsoft\Exchange Server\V15\Scripts).
  4. Run .\Update-MalwareFilteringServer.ps1 <server FQDN>
[PS] C:\>cd "$env:ProgramFiles\Microsoft\Exchange Server\V15\Scripts"
[PS] C:\Program Files\Microsoft\Exchange Server\V15\Scripts>.\Update-MalwareFilteringServer.ps1 EX01-2019

Running as EXOIP\administrator.
--------
Connecting to EX01-2019.
Dispatched remote command. Start-EngineUpdate -UpdatePath http://amupdatedl.microsoft.com/server/amupdate
--------

2. Verify engine update info

  1. Start Exchange Management Shell.
  2. Run Add-PSSnapin Microsoft.Forefront.Filtering.Management.Powershell.
  3. Run Get-EngineUpdateInformation and verify the UpdateVersion information is 2112330001 or higher.

Note: Run the Get-EngineUpdateInformation cmdlet and verify the UpdateVersion information is 2112330001 or higher.

[PS] C:\>Add-PSSnapin Microsoft.Forefront.Filtering.Management.Powershell

[PS] C:\>Get-EngineUpdateInformation


Engine            : Microsoft
LastChecked       : 01/02/2022 08:22:33 AM +01:00
LastUpdated       : 01/02/2022 08:22:41 AM +01:00
EngineVersion     : 1.1.18800.4
SignatureVersion  : 1.355.1227.0
SignatureDateTime : 01/01/2022 12:29:06 PM +01:00
UpdateVersion     : 2112330001
UpdateStatus      : UpdateAttemptSuccessful

Filter the Application log on the Event sources: FIPFS.

3. Re-enable anti malware scanning

If you did apply the fix before that Microsoft published a solution, enable anti malware scanning. If you did not apply any fix and you immediately applied the solution, you don’t have to re-enable anti malware scanning because it’s enabled by default.

Did you disable anti malware scanning? Run the command below and restart the Microsoft Exchange Transport Service.

[PS] C:\>& $env:ExchangeInstallPath\Scripts\Enable-AntimalwareScanning.ps1

Anti-malware engines are updating. This may take a few minutes.
Checking for engines updated after 12/26/2021 8:31:11 AM.
Updating Microsoft. Last updated : 1/2/2022 8:22:41 AM
WARNING: The following service restart is required for the change(s) to take effect : MSExchangeTransport
Anti-malware scanning is successfully enabled. Please restart MSExchangeTransport for the changes to take effect.

Did you bypass anti malware scanning? Run the command below and restart the Microsoft Exchange Transport Service.

[PS] C:\>Get-ExchangeServer | % {Set-MalwareFilteringServer -BypassFiltering $false -Identity $_.Name}

4. Verify mail flow and FIPFS error events not present

After updating the engine, we also recommend that you verify that mail flow is working and that FIPFS error events are not present in the Application event log.

Exchange mail flow breaks Event 6036 FIPFS

Test and verify that mail flow works:

Important: Do you see FIPFS errors in the event log and the email are still stuck in the queue/mail flow is not working after running the ResetScanEngineVersion.ps1 PowerShell script? RESTART THE EXCHANGE SERVER.

Latest updates

Update: Microsoft pushed an agent update, but it’s not yet working. So keep anti-malware scanning disabled.

Update1: Updated screenshot with how to check the event viewer for the issue.

Update2: Downloaded the latest MS Filtering Engine Update: Update Version:2201010006, it’s still not working.

MS Filtering Engine Update process has successfully committed and handed off updates for Microsoft
Last Checked:2022-01-01T12:05:10Z
Last Updated:2022-01-01T12:05:18Z
Engine Version:1.1.18800.4
Signature Version:”1.355.1234.0″
Update Version:2201010006
Last Definition Update:‎2022‎-‎01‎-‎01T05:20:29.000Z
Update Path:http://amupdatedl.microsoft.com/server/amupdate

Update3: Added both the options on how to disable anti malware scanning or bypass anti malware filtering.

Update4: MS Filtering Engine update will not fix this issue. You don’t have to check for engine updates. Implement this fix and wait for a proper fix release by Microsoft.

Update5: Microsoft Product Manager sent me a message, and they are working on a fix. The fix will be released with how-to instructions. Stay tuned.

Update6: You can wait for the Microsoft patch if you have enough disk space and don’t mind that Exchange Server will deliver the messages later. If not, apply the fix and patch later when Microsoft releases.

Update7: Microsoft Exchange Server expiration message is by default 48 hours (2 days). If a message remains in the queue for longer than this period of time, the message is returned to the sender as a permanent failure.

You can change that value between 1-90 days. The problem is that the longer days you set, the more messages will stay, the larger the mail queue will become. It means you have to keep adding more disk space.

I recommend running the above fix. But, if you do not want to disable the anti malware scanning, it’s better to expand the message expiration timeout in the Transport Server. Just to be safe.

In the below example, it’s 2 days.

[PS] C:\>Get-TransportServer | select Name,MessageExpirationTimeout

Name      MessageExpirationTimeout
----      ------------------------
EX01-2019 2.00:00:00

Change it to 4 days (or another value).

[PS] C:\>Set-TransportServer -Identity EX01-2019 -MessageExpirationTimeout 4.00:00:00

Update8: Microsoft patch is OUT! Run the automated or manual solution. I recommend the automated solution first.

Update9: If you applied the fix before the solution, don’t forget to re-enable antimalware scanning and restart the Microsoft Exchange Transport Service.

Update10: Updated screenshot with how to check the event viewer after applying the solution.

Update11: The mail.que database got larger in size, and it will not shrink automatically. This happened because the Exchange Server kept the mail in the queue, and the messages didn’t get released before the fix/solution. It can take a lot of space, and I recommend making it smaller by removing the mail.que database. After that, Exchange Server will automatically create a new mail.que database.

Read more: Mail.que file large in size Exchange Server »

Update12: If you didn’t have enough disk space on the OS drive or ran out of disk space because of the mail.que database was filling up, it’s now an excellent time to move the mail.que database to another drive. This way, the OS drive will stay active and not give you performance issues.

Read more: Move mail queue to another location in Exchange Server »

Update13: Added articles to test mail flow internal/inbound/outbound.

Update14: Some admins mention that an Exchange Server reboot is required after applying the Solution. After that, the mail queue gets empty/mail flow starts working.

Update15: Running the Update-MalwareFilteringServer.ps1 cmdlet shows: Error starting the anti-malware engine update. To fix this error, run the below steps:

  1. Run Exchange Management Shell as administrator
  2. Run Add-PSSnapin Microsoft.Forefront.Filtering.Management.Powershell
  3. Run Start-EngineUpdate
  4. Run Get-EngineUpdateInformation

Update 16: Only Exchange Server 2016 and Exchange Server 2019 are affected. The Exchange Edge Transport server is not affected by this Microsoft Exchange Y2K22 bug.

Update 17: UpdateVersion is now on 2112330003. Added to the article that it needs to show UpdateVersion 2112330001 or higher.

Update 18: Some admins mention that Exchange Server 2013 is also affected and some say it’s not. This is not true and the mail transport will work. But, you have to run the same script automatically or manually.

If your Exchange 2013 server took the antimalware update and it is now on version starting with “22…” you should use the automated or manual steps in this blog post to get your server on an engine version “21…” to continue getting the antimalware updates. Without taking action your server will not get any future antimalware updates.

Update19: Added to run Set-ExecutionPolicy -ExecutionPolicy RemoteSigned in Exchange Management Shell before running the script.

Update20: The definition download takes 30-45 minutes (maybe slower depending on Internet speed), so allow for some time.

Update21: Added solution to updateservice.exe access denied error when running the script.

Subscribe to the newsletter and stay up to date with the latest IT tips and tricks.

Did this article help you? Share this article with your network and help them too.

ALI TAJRAN

ALI TAJRAN

ALI TAJRAN is a passionate IT Architect, IT Consultant, and Microsoft Certified Trainer. He started Information Technology at a very young age, and his goal is to teach and inspire others. Read more »

This Post Has 141 Comments

  1. Hi Ali, I have never seen such a great website. It’s maintained and easy to follow. You always help me and other colleagues out. Please do never stop otherwise we will really lose the best. Much thanks!!

  2. I tried to run the script to “ResetScanEngineVersion.ps1” and the process updateservice.exe did not stop, I tried to stop this process and receive “Access Denied”.

    What I need to do to sto this process and update the Scan Engine?

  3. We found your article yesterday and it fixed our 2016 Hybrid Exchange Server within minutes.
    Thank you Ali!
    Matt

  4. Thanks ALI!! My 2019 server had this issue right away and couldn’t get what was going on until I found your article. Thanks for the Great Article. I manage several exchange servers, so thank you.

  5. When a message in the Submission queue reach MessageExpirationTimeout, is this logged somewhere?
    I would very much like to find out what messages were lost.

  6. Thanks for this post, i will follow, i have a client with DAG, for now the oficcial script FIX not work for us, only disabling the Antimalware services is fixing the issue.

    Thanks Ali

  7. Exchange Sever 2016 CU22,

    Just update to 2112330013, but still have Event ID: 1106,
    Done with 1a, 1b, and reboot, hmmmm same , Stuck emails,

    any idea?
    ———————————————–
    Engine : Microsoft
    LastChecked : 01/04/2022 04:17:26 PM +08:00
    LastUpdated : 01/04/2022 04:10:30 PM +08:00
    EngineVersion : 1.1.18800.4
    SignatureVersion : 1.355.1377.0
    SignatureDateTime : 01/04/2022 05:36:20 AM +08:00
    UpdateVersion : 2112330013
    UpdateStatus : UpdateAttemptNoUpdate
    ——————————
    Log Name: Application
    Source: Microsoft-Filtering-FIPFS
    Date: 1/4/2022 5:58:35 PM
    Event ID: 1106
    Task Category: None
    Level: Error
    Keywords:
    User: SYSTEM
    Computer: XXX
    Description:
    The FIP-FS Scan Process failed initialization. Error: 0x80004005. Error Details: Unspecified error
    Event Xml:

    1106
    0
    2
    0
    0
    0x8000000000000000

    32922329

    Application
    XXX

    0x80004005
    Unspecified error

  8. Dear Ali,

    I had this issue in my Exchange, so I bypassed the filtering. Now, I want to apply the fix released my Microsoft and enable the filtering again but the problem is I do not have an internet connection on my server to download the latest antimalware engine update. what should be done in this case ?

  9. Exchange 2013 did not break the mailflow, but antimalware updates are not coming through anymore. In our case 2201010009 was the last one.

    The automatic or manual solution has to be applied to 2013 Exchange servers as well if they installed the 220101* engine update, otherwise the 2013 server will not get new antimalwareupdates.

  10. This procedure also works for Exchange 2016. Note: I received FIPFS errors until the update status changed to completed.

  11. hi, I am getting this error both manually running or automatic solution
    D:\exchangeserver\scripts\Update-MalwareFilteringServer.ps1: An error occurred when starting the anti-malware engine update.
    Location Line: 1 Character: 1
    + .\Update-MalwareFilteringServer.ps1 ex02.domain.com
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo: NotSpecified: (:) [Write-Error], WriteErrorException
    + FullyQualifiedErrorId: Microsoft.PowerShell.Commands.WriteErrorException,Update-MalwareFilteringServer.ps1

    anyone can help please. Thanks

  12. Thanks for your post about this mail flow. It helped us in an efficient way.
    By the way, many thanks to your tweet which was my first read about this problem,
    So, Thanks !
    Happy New Year and keep safe.

    Ber

  13. Hello,

    I ran the script. The engines are successfully updated. But when enable the AntimalwareScanning, the FIPFS error, appear again.

    A FIP-FS Scan process returned error 0x84004003 PID: 19816 Msg: Scanning Process caught exception:
    Stream ID:
    ScanID: {FA185D1D-7B0E-483C-8F23-CBF4FC81F2A7}
    (0x84004003) Unknown error 2214608899. Failed to meet engine bias criteria (Available) for filter type (Malware):
    Selected engine(s): Microsoft
    Available engine(s):
    Offline engine(s): ID: {fa185d1d-7b0e-483c-8f23-cbf4fc81f2a7}

    1. After rebooting the server, tried to enable AntimalwareScanning again and the error is not appear.
      So, it’s look like, sometimes, just restarting the service is not enough.

      1. Same for me, after running the MS fix and re-enabling the Antimalware Scanner, the submission queue started to grow again. Rebooting the server resolved this second issue: Unknown error 2214608899. Failed to meet engine bias criteria (Available) for filter type (Malware)

  14. I have tried the Script for Update and disabled Malware and enabled Bypass Filtering. But my Mails stay in outgoing connector. What should i do? Incoming Mails are working.

  15. Hi,

    I tried with the fix from MS, but don’t work. Need to ByPass… The update -> Failed.
    Maybe MS servers are down…
    after 4 reboot from Exchange server still not work.
    Tried manually too -> no way
    Will wait until MS release a KB or SU for Echange…

  16. I have done as mentioned in your article but when i am not able to update the engine. I tired manually updating but that also does not work. how to fix this ?
    Engine : Microsoft
    LastChecked : 01-03-2022 12:18:40 PM +03:00
    LastUpdated : 05-22-2020 03:42:35 PM +03:00
    EngineVersion : 1.1.17000.7
    SignatureVersion : 1.315.1197.0
    SignatureDateTime : 05-22-2020 10:21:15 AM +03:00
    UpdateVersion : 2005220003
    UpdateStatus : UpdateAttemptFailed

    1. Same here buddy,

      Tried the script (automatic) also manual. I do also get the UpdateAttemptFailed.
      Exchange 2016

    2. It worked now.

      I did the following:

      1.Stop de Microsoft Filtering Management Service
      2.Stop de Microsoft Exchange Transport Service
      3.Stop de Background Intelligent Transfer Service
      4.Execute the Fix script.
      5.The version did not update to 2112330001 zoals beschreven it still said 2112330003

      But no more UpdateAttemptFailed anymore.

    3. It looks like you were never getting the updates to begin with.
      LastUpdated : 05-22-2020 03:42:35 PM +03:00
      The version of the engine is very old as well
      2005220003

      I am guessing your servers cannot access the internet or the update site. If you are not seeing the queuing messages you are probably ok.

  17. Thank your for your detailed blog. It worked like a charm on 2016 and 2019 exchange servers. As always: be patient with your exchange servers, download takes a little time. And don’t forget to activate your transport rules after this, if you had some for attachments.

  18. Many thanks after applying this patch issue resolved all mails in queue got cleared instantly make sure to reboot and apply on all exchange nodes.

  19. i have exchange 2013 cu23 in a DAG setup and i have this exact problem. So i think 2013 could be affected by this too

  20. Mail didn’t work and there was panic. The first thing I did was to visit your website alitajran.com because I knew that you will have the answer.

    Everything works fine and mail flows. Microsoft should kiss you because you help so many!!

    Thanks and happy new year!

  21. Ali, Thanks for your post.
    1. Run Enable-AntimalwareScanning.ps1 PowerShell script
    2. Verify that antimalware scanning is enabled
    3. Reboot the Exchange Server (Important)
    4. Check mail queue messages
    5. Test mail flow
    That worked for me.
    Step 3 was very very important.

  22. Had a great break and didn’t look at any emails … When I did noticed no emails since 31st .. Checked other customers – same result
    Found your blog post Ali !
    What a result .. mine and customers servers back up and running delivering and sending email.
    Thanks MS for screwing up mine and many other’s breaks !!

  23. After updating to version 2112330001, it still didn’t work even after a reboot. However, this morning after updating to version 2112330002 and REBOOTING, we’re all back to normal.

    Thanks for this post.

  24. Hi,
    I trying to use the automatic script but I have problem with download scan engines :/ Goes to max 84932811 / 179030563 and stuck 🙁 anyone has the same to?

      1. I know that it takes some time, but it definitely stucking in diffrent moments of downloading. Sometimes 100mb sometimes 800mb but never end download of full 179030563 :/

  25. Important caveat: if you enable .\Enable-AntimalwareScanning.ps1 before running the update scripts like I did – then you may find that the queues don’t empty even though you will appear to be updated, you have to run it again so you get the following line” updating Microsoft” then restart the transport service – only then did the queue empty on a few of my servers – hope that helps someone

    [PS] E:\Program Files\Microsoft\Exchange Server\V15\Scripts>.\Enable-AntimalwareScanning.ps1
    Anti-malware engines are updating. This may take a few minutes.
    Checking for engines updated after 2021-12-26 4:33:14 PM.
    Updating Microsoft. Last updated : 2022-01-02 4:19:13 PM <<< here
    WARNING: The following service restart is required for the change(s) to take effect : MSExchangeTransport

  26. Thanks Ali,
    I had to reboot exchange 2016 to get mail flowing. Now I get the following error running Get-EngineUpdateInformation The term ‘Get-EngineUpdateInformation’ is not recognized as the name of a cmdlet”.
    Any Ideas? It worked after running script, re-enabling antimalware by script, then command stopped working after reboot.

    1. I already have added this in the article:

      1. Run Exchange Management Shell as administrator
      2. Run the command: Add-PSSnapin Microsoft.Forefront.Filtering.Management.Powershell
      3. Run the command: Get-EngineUpdateInformation

      You get this message because you didn’t add the PSSnapin, which is required to run the Get-EngineUpdateInformation cmdlet. The script did add that, and that’s why it worked for you after running the script.

      1. Genius, that worked perfectly.

        My other issue since the fix is an eventlog error #74: Process w3wp.exe Connection leak detected for key xyz.local/../../xyzadmin in Microsoft.Exchange.Configuration.Authorization.WSManBudgetManager class. Leaked Value 1. Do you think this has anything to do with the Microsoft script?

        Thanks

        1. Hi Ali,
          I just closed Exchange Management shell and reopened as Administrator and had to add the snapin again to run Get-EngineUpdateInformation. I Suspect the same happened after I rebooted.

  27. Whew! I arrived at your site after searching for this issue online and found you explanations concise and clear and the fixes were well laid out and accurate. You saved the day for me! I will be following this site for updates. Happy New Year!

  28. Hey Ali, thanks for the info. It´s happening right now in a customer with 2016 but this 2016 was only introduced for the future use of an Hybrid Configuration. They have 2010. One question, I think the antimalware engine was enabled by error when we setup the server so we don´t need it. If I understand correctly, if we just disable the Antimalware Engine, will be fine? Or even with that we need to apply the patch? Thanks!

  29. Fixed by running these command in this order (without need to restart the server)
    1. .\Reset-ScanEngineVersion.ps1
    2. & $env:ExchangeInstallPath\Scripts\Enable-AntimalwareScanning.ps1
    3. Stop-Service MSExchangeTransport
    4. Restart-Service FMS
    5. Start-Service MSExchangeTransport

  30. Thanks guys, have any of you noticed that the emails stop coming in and you have to restart the transport service again?

  31. I’m glad our Exchange Servers 2013 were not affected but I would like to find informations about WHY
    I saw that Microsoft “switched off” the PrimaryUpdatePath around 2022-01-01 17:30 UTC at
    http://forefrontdl.microsoft.com/server/scanengineupdate

    my Servers made the Update before BUT no Mails stuck
    as you can see update version is one starting with 22
    luckily no errors but I have the feeling I should do something to prevent future problems

    [PS] C:\Windows\system32>Get-EngineUpdateInformation

    Engine : Microsoft
    LastChecked : 01.02.2022 09:13:25 +01:00
    LastUpdated : 01.01.2022 06:11:25 +01:00
    EngineVersion : 1.1.18800.4
    SignatureVersion : 1.355.1247.0
    SignatureDateTime : 01.01.2022 12:29:06 +01:00
    UpdateVersion : 2201010009
    UpdateStatus : UpdateAttemptFailed

    1. @GreySlater,
      I am also exactly on the same situation. We have Exchange 2013 on DAG setup and transport looped to third-party email filtering appliance. But still the BypassFiltering is Disabled and AntiMalwareScanning is Enabled. Our mail flow is not affected but the EngineUpdateInformaiton is exacely the same as yours.

      I am not sure I should do anyting at this moment. Did you take any further action, and if so what is the status?

      Thanks!

  32. I disabled the scan with Disable-Antimalwarescanning.ps1 yesterday as workaround, then the mailflow restored.
    After applying the Reset-ScanEngineVersion.ps1 script the update version is 2112330001 which is correct as mentioned in the post.
    When i re-enable malware scan using $env:ExchangeInstallPath\Scripts\Enable-Antimalwarescanning.ps1 and restarting transport with Restart-Service MSExchangeTransport, new mail are stuck again.
    Anyone else experienced this already? I tested on 2 different environments with the same result.

    Event viewer shows event 2203 FIPFS:
    A FIP-FS Scan process returned error 0x84004003 PID: 5480 Msg: Scanning Process caught exception:
    Stream ID:
    ScanID: {D6758B2F-F79A-400D-B5D7-3CD7065C1735}
    (0x84004003) Unknown error 2214608899. Failed to meet engine bias criteria (Available) for filter type (Malware):
    Selected engine(s): Microsoft
    Available engine(s):
    Offline engine(s): ID: {d6758b2f-f79a-400d-b5d7-3cd7065c1735}

    1. 1. Run Enable-AntimalwareScanning.ps1 PowerShell script
      2. Verify that antimalware scanning is enabled
      3. Reboot the Exchange Server (Important)
      4. Check mail queue messages
      5. Test mail flow

      Let us know if that worked.

        1. Just noticed the IMPORTANT reboot.

          After reboot email is flowing both directions with antimalware enabled.

          Many thanks!

          Jason

        1. Thanks Vincent

          I can confirm this – restarting just the ‘Microsoft Filtering Management Service’ is enough

          Chris

    2. Hey Mike,

      Make sure you reboot the server once antimalware has been enabled and the transport service has been restarted.

      Cheers!
      Jason

    3. You should finally restart your Exchange Servers. Without restarting server, my Exchange Server was stuck without mail flow. Many thanks to Ali.

  33. EXCHANGE 2019 15.02.0986.005 – Followed each step;

    1.) Disabled antimalware
    2.) Restarted Transport
    3.) Confirmed antimalware state was False
    4.) Email is now sending and receiving properly
    5.) Ran rest antimalware script (Took 10 Minutes on a Gigabit connection to download) finished successfully.
    6.) Verified version is 2112330001
    7.) Changed timeout from 2 days to 4 days
    8.) Enabled antimalware
    9.) Restarted Transport
    10.) Sent test email message.
    11.) Message stuck in queue
    12.) Disabled antimalware
    13.) Restarted Transport
    14.) Email test immediately was relapsed from queue and deliver successfully and reply was received.

    Summary: Stopping the antimalware solves the send and receive issue. Despite updating the scan engine the problem still exists when antimale is enabled. Will wait for a stable fix before I re-enable antimalware. Fortunately we have a frontend advanced threat protection in place.

    Thank you for all the info on this great start to 2022!

    Jason Z

    1. Same here after update:
      Enable-malware script run
      Set-MalwareFilteringServer -BypassFiltering $false

      Mail stuck again in queue and event (each time message comes in queue):
      A FIP-FS Scan process returned error 0x84004003 PID: 22260 Msg: Scanning Process caught exception:
      Stream ID:
      ScanID: {ADA3CC38-9DFF-41E2-8033-71E4016F6CDB}
      (0x84004003) Unknown error 2214608899. Failed to meet engine bias criteria (Available) for filter type (Malware):
      Selected engine(s): Microsoft
      Available engine(s):
      Offline engine(s): ID: {ada3cc38-9dff-41e2-8033-71e4016f6cdb}

      Run script to disable malware scanning, and there is mailflow again (but with Set-MalwareFilteringServer -BypassFiltering $false)

      1. I can confirm as mentioned, that reboot of server is solving all issues after applying the update update script. Run the enable malware script, reboot the server, and all working fine now.

        Thx for your updates on this website, will bookmark it for future!

  34. I’m getting:

    E:\Program Files\Microsoft\Exchange Server\V15\Scripts\Update-MalwareFilteringServer.ps1 : Error starting the anti-malware engine update.

    Anyone else having this issue?

        1. Can you try these steps:

          1. Run Exchange Management Shell as administrator
          2. Run Add-PSSnapin Microsoft.Forefront.Filtering.Management.Powershell
          3. Run Start-EngineUpdate
          4. Run Get-EngineUpdateInformation

    1. I’m getting the same error. All paths appear to be correct when called directly.

      Anyone able to get past this?

      1. It seems the command work remotely when calling Update-MalwareFilteringServer.ps1. Run the command from another server and put in your remote destination server.

        Alternatively run it manually

        Add-PSSnapin microsoft.forefront.filtering.management.powershell
        Get-EngineUpdateInformation
        Start-EngineUpdate
        Get-EngineUpdateInformation

  35. Wow! I came upon this post of yours after I exhausted several hours and decided to actually disable the Antimalware scanning.
    Then I saw this. Just wow that you captured it Ali. Thanks!

    1. Microsoft patch is out. Apply the automatic solution or manual solution as mentioned in the article. Don’t forget to re-enable anti-malware scanning.

    1. Microsoft patch is out. Apply the automatic solution or manual solution as mentioned in the article. Don’t forget to re-enable anti-malware scanning.

  36. It worked like a champ for me. Mail flow is working now. Since malware scanning is disabled, what are the risk involved ?

  37. …yes, thank you for the information and the dedication to your craft. I’m sure many people have arrived at your site, as well as others, when researching this issue and breathed a sigh of relief. Relief at having a solution to make things work, but also being able to say, “Hey! It wasn’t me. Microsoft really messed up on this one.”

  38. Dear Ali,
    This is a life savior article. Thanks a lot.
    I ended up disabling the Antimalware agent and email flow working.
    Thanks a lot, but after disabling malware agent, server will in risk? Any advice please

  39. Ali bey merhaba,
    Aşağıda ki gibi bir uyarı alıyoruz, sebebi nedir?
    [PS] C:\Windows\system32>Set-MalwareFilteringServer excserver -BypassFiltering $true
    WARNING: The command completed successfully but no settings of ‘EXCSERVER’ have been modified.

  40. Thanks, I was going crazy trying to figure out why mail was not flowing. Really appreciate your posting. Happy new year!

  41. Thank you. We had the same issue today and I came across this article that provided the fix! We bypassed ours for now to get smtp working again. Figures MS would release something with a bug. Please keep us posted on an update to fix it and how. Thanks again!

  42. We also ran into the same issue and thank you for this article. Our SMTP stopped working and by bypassing it, fixed the issue for now till MS fixes their bug.

  43. You’re a life saver.
    Watching my queues empty now.
    Great blog.
    Now maybe I can enjoy the rest of my holiday!
    WTF Microsoft??

  44. Does anyone know if setting the BypassFiltering flag to true will also disable 3rd party malware scanners (e.g. ESET Mail Security) running on the transport server?

  45. I only needed to disable any Transport rules that may check mails for Credit card numbers, attachments as they use the same engine, disable these and mail will work… did not have to disable malware scanning completely.

  46. Thanks brother. I was like WTF this morning.

    Your solution was linked on another forum and I appreciate it.

    I used “Disable anti malware scanning (1a+2a)”

  47. Thanks so much for this– it probably saved me some time and some hair that I can’t afford to lose at my age.

  48. Is anyone else seeing messages piled up in their Poison queue from this? I was able to resubmit a bunch of them, but there are quite a few still stuck in there that I can’t get to resubmit (all were received after 1/1/2022 00:00:00).

  49. Is there an official Microsoft page that we can use to track this issue and share it with leadership.

    Thank you for keeping us updated.

    1. No, there is no official Microsoft channel yet. However, I have already sent messages to some of the Exchange product leaders that work for Microsoft Exchange Server.

  50. Hello. Thanks for the article. However, this hasn’t resolved out issue. Any other updates please?

  51. Thanks for the blog post, but I don’t think step 2a is correct. E.g. if you have 10 servers then it will just repeat the same command 10 times rather than doing 10 different commands; it’s not using the output from Get-ExchangeServer as an implicit parameter. Putting that another way, I can’t see a way to run Get-TransportAgent for a specific server. I think that you need to run the command once on each server, i.e. log into each server in turn and run the command locally.

  52. You rock Ali! I was troubleshooting this last night until about 4AM with no luck, this article was a huge help! Thanks for all of your Exchange blog posts!

  53. We ran into this on our tenant about 7pm cst last night and had to figure it out from the logs. After looking at the log files it appeared FIP-FS Scan engine was failing to load because it couldn’t convert the “2201010002” as it considered it to long. Thanks 2022. This caused the it to fail the scan and since transport service is dependent on the antimalware scan it would just give up. Disabling the anti-malware service allowed the transport service to bypass it (after restarting the service) and gives us a temporary fix. Our ticket with Microsoft sat for hours without a response so yeah doesn’t look like they are helping any time soon. Guess we will see what they say on Monday when they actually answer.

  54. Ali – always appreciate all your posts.

    Does this need to be run for EXO services also?> We have a DAG and Hybrid setup with few mailboxes online. I still see the queues pending on hybrid server, other DAG nodes are cleared now

    but I do too many policies on EXO to disable and not sure which one is the breaking flow

    1. You should also run this on the Exchange Hybrid (on-premises server). After that, run the command to verify that anti-malware is disabled/bypassed successfully. Finally, restart the Microsoft Exchange Transport Service on all the Exchange Servers.

  55. Thanks for the post, awesome. One question tho: what‘s the difference between 1a and 1b? I have Transport Rules which do not work anymore after disabling antimalwarescanning described in 1a. I have not tested 1b yet.

  56. Just another ‘thank you’ Ali, as this impacted me and your post was very timely and helpful. Much appreciated!

  57. This is a life savior article. Thanks a lot.
    I ended up disabling the Antimalware agent, I believe Microsoft is still sleeping and didn’t think we’ll make it through to 2022.

    Now we have to wait for them to wake up and maybe release a patch to resolve this urgently as think is somehow putting our servers at risk whether we disable or bypass the MalwareFiltering.

  58. antispam engine below does not work either
    Engine Version:1.1.18800.4
    Signature Version: 1.355.1247.0

  59. Manual updates of the Antimalware is run with following command line. May require EMS in administrator. $env:ExchangeInstallPath\Scripts\Update-MalwareFilteringServer.ps1 -Identity

    Update Details in Event Viewer in Application under ID 6033

  60. The updates probably won’t work until they either change the date format, or they reprogram it to not use the integer type that it currently uses.

  61. I resolved this problem another way ….
    Set-MalwareFilteringServer EXserver -BypassFiltering $true
    and then restart transport service

    get-MalwareFilteringServer EXserver
    Name ForceRescan BypassFiltering DeferWaitTime DeferAttempts UpdateFrequency PrimaryUpdatePath
    —- ———– ————— ————- ————- ————— —————–
    EXserver False True 5 3 30 http://amupdatedl.microsoft.com/server/amupdate

  62. Microsoft is sleeping. That’s why we have your blog. The commands worked perfect and mail queue is empty.

Leave a Reply

Your email address will not be published. Required fields are marked *