SBS 2003 problems

After running an SBS 2003 (SP1) server for the last 2 years without any problems I recently installed Nod32 2.7 and after approx 4 hours the server crashed.

On investgation I found that the file monitor AMON was causing the problem.

Approx 2 hours after enabling AMON I get the following errors:-

DHCP - cant move log file from dhcp because its in use by another process.(not exact message)
Lots of DHCP Jet database errors in system log

Exchange - an attempt to open file mdb for read/write access failed because its in use by another process.(not exact message)

one of the system attendants tasks is blocked

Licenesing SBCore - licence store for the client access licenses is not valid.

DNS-The DNS server timed out attemting an active directory operation.

The server becomes almost unusable until I disable AMON - everthing returns back to normal and system attendant reports "one of the system attendants task has recovered after a long delay."

I have excluded exchange from being scanned and also dhcp folder but it makes no difference.

The server is a standard install with No additional or bespoke software running.
Previously it was running Symantec Corp which uninstalled without any problems.

Any suggestions welcome.

 

Fisrt, I'll say that we use NOD32 2.7 on our SBS2003 server, and we have installed it on loads of clients' servers, with nary a problem. There are some things to check:

1. (Won't apply to you at this time) Do NOT install NOD32 v3 on an SBS. It just isn't suitable right now, for lots of reasons. Let's hope Eset sort out the major issues soon.

2. While NOD32 v2.7 should auto-disable it's IMON module on an SBS, make sure it has done. Disable it manually if not. You can - and should - install NOD32 for Exchange (that's the XMON module) on your SBS.

3. Make sure your Symantec s/w has been properly and fully uninstalled. I wouldn't be surprised if this is the cause of your problems, but that said I have replaced Symantec's offerings with NOD32 on a number of servers, again without problem.

4. There are in fact a large number of exclusions that should be configured for any anti-virus, not just for NOD32. Try working through all of the following to see if that helps...

* Exchange*
Exchange Server Database = C:\Program Files\Exchsrvr\Mdbdata (check location)
Exchange MTA files = C:\Program Files\Exchsrvr\Mtadata
Exchange Message tracking log files = C:\Program Files\Exchsrvr\server_name.log
Exchange SMTP Mailroot = C:\Program Files\Exchsrvr\Mailroot
Exchange working files = C:\Program Files\Exchsrvr\Mdbdata
C:\Program Files\Exchsrvr\Conndata
Site Replication Service (not normally used in SBS but should be excluded anyway) =
C:\Program Files\Exchsrvr\srsdata

*IIS related Exclusions*
IIS System Files = C:\WINDOWS\system32\inetsrv
IIS Compression Folder = C:\WINDOWS\IIS Temporary Compressed Files

*Domain Controller related exclusions*
Active Directory database files = C:\WINDOWS\NTDS
SYSVOL C:\WINDOWS\SYSVOL
NTFRS Database Files = C:\WINDOWS\ntfrs

*Windows SharePoint Services*
Temporary SharePoint space = C:\windows\temp\Frontpagetempdir

*Service Related Data Bases*
DHCP Database Store = C:\WINDOWS\system32\dhcp
WINS Database Store = C:\WINDOWS\system32\wins
X:\Program Files\Microsoft SQL Server\MSSQL$SBSMONITORING\Data
X:\Program Files\Microsoft SQL Server\MSSQL$SHAREPOINT\Data
X:\Program Files\Microsoft SQL Server\MSSQL\Data

*Additional Exclusions*
Removable Storage Database (used by SBS Backup) = C:\Windows\System32\ntmsdata
SBS POP3 connector Failed Mail = C:\Program Files\Microsoft Windows Small Business Server\Networking\POP3\Failed Mail
SBS POP3 connector Incoming Mail = C:\Program Files\Microsoft Windows Small Business Server\Networking\POP3\Incoming Mail
Windows Update Store = C:\WINDOWS\SoftwareDistribution\DataStore
X:\urlcache
X:\pagefile.sys

*AV Progam Exclusions*
x:\Folder where AV puts quarrentined files
X:\<AV application folder>

*Desktop Folder Exclusions*
These folders need to be excluded in the desktops and notebooks clients.
Windows Update Store = C:\WINDOWS\SoftwareDistribution\DataStore

*SBS Licensing Exclusions*
File - %windir%\system32\licstr.cpa
Folder - %windir%\windows\system32\lls
NOTE: Run the License Wiz and backup the licenses to a secure folder.

*Terminal Services Licensing Exclusions*
C:\WINDOWS\System32\LServer
(folder should contain the following TS related stuff):
edb.log
edb.chk
res1.log
res2.log
TLSLic.edb
temp.edb

*Also, Refer to the MS KB Articles*
815623
822158
245822
284947

*Per 822158*
The Windows Update or Automatic Update database file
%windir%\SoftwareDistribution\Datastore\datastore.edb

The transaction log files. These files are located in the following folder
%windir%\SoftwareDistribution\Datastore\Logs\edb*.log
Note The wildcard character indicates that there may be several files.
. Res1.log
. Res2.log
. Edb.chk
. Tmp.edb

*Per 815623*
In summary, the targeted and excluded list of folders for a SYSVOL tree that is placed in its default location would look similar to the following:
1. Exclude: %systemroot%\sysvol
2. Scan: %systemroot%\sysvol\domain
3. Exclude: %systemroot%\sysvol\domain\DO_NOT_REMOVE_NtFrs_PreInstall_Directory
4. Scan: %systemroot%\sysvol\domain\Policies
5. Scan: %systemroot%\sysvol\domain\Scripts
6. Exclude: %systemroot%\sysvol\staging
7. Exclude: %systemroot%\sysvol\staging areas
8. Exclude: %systemroot%\sysvol\sysvol

If any one of these folder or files have been moved or placed in a different location, scan or exclude the equivalent element.

DFS
The same resources that are excluded for a SYSVOL replica set must also be excluded when FRS is used to replicate shares that are mapped to the DFS root and link targets on Windows 2000 or Windows Server 2003-based member computers or domain controllers.

 

spm,

Thanks for that comprehensive list! It reminds me of the list I used years ago for Symantec AV setup. I have a dream that one day, AV vendors will write some kind of configurable exclusion wizard into their server programs....

In the meantime, I cut and pasted your list, and with some editing was able to build a text file that I imported into the configuration editor of ESET Business Version version 3.0 (which I installed under SBS 2003 before I saw your advice not to). To its credit, 3.0 has been running without exclusions on my SBS for two days and not causing any problems. (DHCP here is handled by a router.)

Then, because the configuration editor isn't creating the XML quite right for pushing the exclusion lists, I opened the XML file in an XML editor and replaced 27 occurrences of

<NODE NAME="Exclusion" DELETE="0">

with

<NODE NAME="Exclusion" TYPE="SUBNODE" DELETE="0">

After that change, I was able to push the XML config file onto my SBS server.

Notes on the list:

- I couldn't find a Frontpagetempdir on my system.
- I couldn't find a urlcache on my system.
- I decided not to exclude ESET from itself.
- I couldn't find a LServer folder on my system (Terminal Services licensing).
- The exclusions under 822158 and 815623 should already be covered by folder exclusions listed earlier.
- My drive letters and Windows folder differ in some cases.
- I added two drives that are used to store disk-based backups.
- ESET apparently requires "\*.*" to indicate a folder exclusion.

With those considerations, I came up with this list:

D:\Mail Server\Exchsrvr\MDBDATA\*.*
C:\Program Files\Exchsrvr\Mtadata\*.*
C:\Program Files\Exchsrvr\MCB03.log\*.*
C:\Program Files\Exchsrvr\Mailroot\*.*
C:\Program Files\Exchsrvr\Mdbdata\*.*
C:\Program Files\Exchsrvr\Conndata\*.*
C:\Program Files\Exchsrvr\srsdata\*.*
C:\WINNT\system32\inetsrv\*.*
C:\WINNT\IIS Temporary Compressed Files\*.*
C:\WINNT\NTDS\*.*
C:\WINNT\sysvol\*.*
C:\WINNT\ntfrs\*.*
C:\WINNT\system32\dhcp\*.*
C:\WINNT\system32\wins\*.*
C:\Program Files\Microsoft SQL Server\MSSQL$BKUPEXEC\Data\*.*
C:\Program Files\Microsoft SQL Server\MSSQL$SBSMONITORING\Data\*.*
C:\Program Files\Microsoft SQL Server\MSSQL$SHAREPOINT\Data\*.*
F:\MSSQL2000\MSSQL\Data\*.*
C:\WINNT\System32\ntmsdata\*.*
C:\Program Files\Microsoft Windows Small Business Server\Networking\POP3\Failed Mail\*.*
C:\Program Files\Microsoft Windows Small Business Server\Networking\POP3\Incoming Mail\*.*
C:\WINNT\SoftwareDistribution\DataStore\*.*
C:\pagefile.sys
C:\WINNT\system32\licstr.cpa
C:\WINNT\windows\system32\lls\*.*
G:\*.*
H:\*.*

Finally, I created the following exclusions for workstations. The first two lines are intended to exclude MSDE and SQL Server Express files anywhere on the drive:

C:\*.mdf
C:\*.ldf
C:\WINDOWS\SoftwareDistribution\DataStore\*.*

Mark

 

Hi Mark,

I'm glad you seem to have sorted your problem now. Re your workstation exclusions...

I'd also advise you exclude "C:\Program Files\Microsoft Windows Small Business Server\Clients\SBSClientApps.log" (or, indeed, the whole of the Clients folder), since the log file is read/written to frequently during logon, and can grow quite large. On a couple of workstations here that run EAV 3.0, allowing EAV to scan that file added 5 - 7 minutes to the logon sequence! It's not quite so severe a problem with NOD32 2.7.

 

Hi spm,

Although I hadn't experienced any problems yet, I knew I needed to get these exclusions done to avoid problems going forward.

Thanks for that tip re. the SBSClientApps.log file. Since replacing Trend 3.5 with NOD32 3.0, my logins seem noticeably faster. If this makes them even faster, so much the better.

I hope you don't mind that I blogged my modified version of your list.

Thanks again,

Mark

 

After reading your posts, i'm convinced that the exclusions, or lack of, are what caused my issue (thanks for the link Mark). I cross referenced your lists with the logs from my crash, and they matched up pretty well.

I thought I'd mention that there was one other file that NOD32 had problems with that isn't in your list:
C:\Program Files\Update Services\LogFiles\SoftwareDistribution.log

I'm probably just going to exclude "C:\Program Files\Update Services\LogFiles\*.*"

 

Just an update for anyone who might come here looking for solutions.

I blew 7 hours experimenting with NOD32 last Saturday.

The exclusion list that was posted stopped the crashing. It didn't stop the massive slow down of the server.

After watching a few system monitors, the problem was the file C:\Program Files\Microsoft Windows Small Business Server\Support\ConfigurationHelper_Policy.log. This is a large (222mb) text file that was getting scanned by NOD32 about once every thirty seconds, causing system utilization to shoot up to 100% for about 20 seconds, bringing the system to an almost complete halt. Excluding the entire directory brought system performance back to what you would expect it to be.

 

Oops, that should be C:\WINNT\system32\lls\*.*

 

Kurto,

Thanks for the hard work. Interesting, I don't have that file on my SBS2003 machine. However, since I was getting errors on some files even after excluding them, and for genearal performance reasons, I've disabled NOD32's option to scan all extensions, so .log files should no longer be scanner. Here's a related blog entry:

http://blogs.mcbsys.com/mark/post/Comparing-NOD32-Version-27-to-Version-30.aspx

Currently I'm trying to figure out why the server will no longer let me connect using Remote Desktop (RDP). What system monitors were you using to track down your issues? AMON is only telling me that it is scanning ati2drad.dll (a display driver); its scanned file count doesn't seem to increase even when I open other programs on the server.

Mark

 

I've got the folder and file exclusions added, but for some reason, when I open AMON, it's constantly scanning NOD*.tmp files. What is the correct syntax for excluding an extention? Neither *.tmp nor .tmp seem to have any effect on my server. I'm running 2.7 on an SBS 2003 Server.

Thanks!

 

Go to AMON setup -> Detection page -> Extensions. There, select "Scan all files" and add the excluded extensions using the Add button. You should probably add each of the following:

EDB
EML
TMP

 

Another approach is to go to AMON, click on Setup, go to the Detections tab, click on the Extensions button, and UNcheck "Scan all files". A long list of extensions that WILL be scanned should appear. Make sure that .TMP is not in the list.

If you want to exclude some extensions from your scheduled scans ("NOD32"), you have to do a similar step when you set up the scan.

Mark

 

Thanks, I'll do that. So is the Exclusions tab only useful for excluding whole folders?

 

In 2.7, you can set it to exclude a file. I think wildcards are allowed. But when you set it to exclude a file, the option to exclude subfolders is grayed out; in other words, it will only exclude the file in one folder.