NOD32 Caused Server Crash

Discussion in 'NOD32 version 2 Forum' started by kurto, Mar 4, 2008.

Thread Status:
Not open for further replies.
  1. kurto

    kurto Registered Member

    Joined:
    Mar 4, 2008
    Posts:
    4
    Hi. I apologize in advance for the length and if this isn't the right place to post this.

    I'm currently doing a 30 day eval for the Enterprise version for my company. It hasn't been going well. My first instinct is to say forget it and try something else, but the sorry state of the AV industry and the rave reviews of NOD32 are making me tough it out. Since this is apparently the only reliable, online avenue for support, here it goes.

    The latest issue is that I finally got NOD32 on a server yesterday and immediately noticed what I can only call stuttering. The server load hasn't really increased, RAM is good, the server just stops responding for about a second, and then it comes back for about 10, and then just stops for a second again.

    The worst thing was last night. Apparently (near as I can tell) NOD32 and Windows Backup (SBS2003) aren't really compatible. The end result was a horribly crashed server. I tried to remote in from off site and couldn't get in. When I got onsite, the server was running very slowly. Yet again, RAM was fine, CPU wasn't pegged, it was just running very slowly. On top of that, all major system services were crashed: IIS, sysmon, terminal services, ticket granting, etc. In other words it was just a very slow, useless shell.

    Checked the event viewer and again, it all started when the backup started. Below are the unique entries I could pull out of the event viewer, many of them were repeated many, many times.

    Is this just a matter of adding exclusions for the named files? I'm very hesitant to try this again. Oh, and there were no "custom" settings. Everything was left in its initial install configuration.

    Event Viewer:

    The Windows Server Update Services Server experienced an error while attempting to write to the log file.

    7096.329

    System.IO.IOException: The process cannot access the file "C:\Program Files\Update Services\LogFiles\SoftwareDistribution.log" because it is being used by another process.

    at System.IO.__Error.WinIOError(Int32 errorCode, String str)

    at System.IO.FileStream..ctor(String path, FileMode mode, FileAccess access, FileShare share, Int32 bufferSize, Boolean useAsync, String msgPath, Boolean bFromProxy)

    at System.IO.FileStream..ctor(String path, FileMode mode, FileAccess access, FileShare share)

    at Microsoft.UpdateServices.Internal.TraceLogger.OpenFile()

    at Microsoft.UpdateServices.Internal.TraceLogger.WriteLine(String message)

    -----------

    One of the System Attendant's task is blocked.

    Function: COffLineABScanTask::Work

    ----------

    wuaueng.dll (864) SUS20ClientDataStore: An attempt to delete the file "C:\WINDOWS\SoftwareDistribution\DataStore\Logs\tmp.edb" failed with system error 32 (0x00000020): "The process cannot access the file because it is being used by another process. ". The delete file operation will fail with error -1032 (0xfffffbf8).

    --------

    Process STORE.EXE (PID=3432). All the DS Servers in domain are not responding.

    --------

    LDAP Bind was unsuccessful on directory ahem.local for distinguished name ''. Directory returned error:[0x34] Unavailable.

    -------

    Process MAD.EXE (PID=2948). All Domain Controller Servers in use are not responding:

    ahem.local

    ------

    LDAP Bind was unsuccessful on directory ahem.local for distinguished name ''. Directory returned error:[0x51] Server Down.

    -------

    The Win32 API call 'DsGetDCNameW' returned error code [0x862] The specified component could not be found in the configuration information. The service could not be initialized. Make sure that the operating system was installed properly.

    -------

    Process MAD.EXE (PID=2948). All Global Catalog Servers in use are not responding:

    ahem.local

    -----

    Microsoft Exchange System Attendant failed to read the membership of group 'cn=Exchange Domain Servers,cn=Users,dc=ahem,dc=local'. Error code '8007203a'.

    Please check whether the local computer is a member of the group. If it is not, stop all the Microsoft Exchange services, add the local computer into the group manually and restart all the services.

    -----

    The DSRestore Filter failed to connect to local SAM server. Error returned is <id:997>.

    ----

    tcpsvcs (3112) An attempt to move the file "C:\WINDOWS\System32\dhcp\j50.log" to "C:\WINDOWS\System32\dhcp\j50052AC.log" failed with system error 32 (0x00000020): "The process cannot access the file because it is being used by another process. ". The move file operation will fail with error -1032 (0xfffffbf8).

    -----

    tcpsvcs (3112) Unable to create a new logfile because the database cannot write to the log drive. The drive may be read-only, out of disk space, misconfigured, or corrupted. Error -1032.

    -----

    tcpsvcs (3112) The logfile sequence in "C:\WINDOWS\System32\dhcp\" has been halted due to a fatal error. No further updates are possible for the databases that use this logfile sequence. Please correct the problem and restart or restore from backup.

    -----

    tcpsvcs (3112) The backup has been stopped because it was halted by the client or the connection with the client failed.

    -----

    tcpsvcs (3112) An attempt to delete the file "C:\WINDOWS\System32\dhcp\backup\temp\dhcp.mdb" failed with system error 32 (0x00000020): "The process cannot access the file because it is being used by another process. ". The delete file operation will fail with error -1032 (0xfffffbf8).

    ------

    Could not connect to the monitoring database. This can occur when there are multiple connections to the database. Wait a short period of time, and then try again. If this error persists, run the Monitoring Configuration Wizard, and select Reinstall monitoring features.

    ------

    ntfrs (580) An attempt to move the file "c:\windows\ntfrs\jet\log\edb.log" to "c:\windows\ntfrs\jet\log\edb0031E.log" failed with system error 32 (0x00000020): "The process cannot access the file because it is being used by another process. ". The move file operation will fail with error -1032 (0xfffffbf8).

    -----

    ntfrs (580) Unable to create a new logfile because the database cannot write to the log drive. The drive may be read-only, out of disk space, misconfigured, or corrupted. Error -1032.

    -----

    ntfrs (580) The logfile sequence in "c:\windows\ntfrs\jet\log\" has been halted due to a fatal error. No further updates are possible for the databases that use this logfile sequence. Please correct the problem and restart or restore from backup.

    ----

    ntfrs (580) Unable to rollback operation #66235 on database c:\windows\ntfrs\jet\ntfrs.jdb. Error: -510. All future database updates will be rejected.
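
Added example, not part of the original post and not ESET or Microsoft tooling: a Python script that pulls every file the event text above reports as locked (system error 32, a sharing violation) and groups the paths by directory, giving the list to compare against on-access scanner and backup activity. The sample lines are abridged from the post, and the function names are illustrative.

```python
import ntpath
import re
from collections import defaultdict

# Abridged from the event text in the post; embedded so the script runs offline.
SAMPLE_EVENTS = r'''
wuaueng.dll (864) SUS20ClientDataStore: An attempt to delete the file "C:\WINDOWS\SoftwareDistribution\DataStore\Logs\tmp.edb" failed with system error 32 (0x00000020)
tcpsvcs (3112) An attempt to move the file "C:\WINDOWS\System32\dhcp\j50.log" to "C:\WINDOWS\System32\dhcp\j50052AC.log" failed with system error 32 (0x00000020)
tcpsvcs (3112) An attempt to delete the file "C:\WINDOWS\System32\dhcp\backup\temp\dhcp.mdb" failed with system error 32 (0x00000020)
ntfrs (580) An attempt to move the file "c:\windows\ntfrs\jet\log\edb.log" to "c:\windows\ntfrs\jet\log\edb0031E.log" failed with system error 32 (0x00000020)
System.IO.IOException: The process cannot access the file "C:\Program Files\Update Services\LogFiles\SoftwareDistribution.log" because it is being used by another process.
Process STORE.EXE (PID=3432). All the DS Servers in domain are not responding.
'''

ERROR_SHARING_VIOLATION = 32  # Win32: file is open in another process

# ESE/Jet style: "<process> (<pid>) [<instance>: ]An attempt to <op> the file "<path>" ..."
ESE_RE = re.compile(
    r'^(?P<proc>\S+) \((?P<pid>\d+)\) (?:[^:"]+: )?An attempt to (?P<op>\w+) '
    r'the file "(?P<path>[^"]+)".*?failed with system error (?P<err>\d+)')
# .NET IOException style: the path is quoted inside the message itself.
DOTNET_RE = re.compile(
    r'The process cannot access the file "(?P<path>[^"]+)" because it is being used')

def locked_files(text):
    """Return (process, pid, operation, path) for each sharing-violation record."""
    hits = []
    for line in text.splitlines():
        line = line.strip()
        m = ESE_RE.search(line)
        if m and int(m["err"]) == ERROR_SHARING_VIOLATION:
            hits.append((m["proc"], int(m["pid"]), m["op"], m["path"]))
            continue
        m = DOTNET_RE.search(line)
        if m:  # the exception text does not name the reporting process
            hits.append((None, None, "open", m["path"]))
    return hits

def by_directory(hits):
    """Group locked paths by lower-cased parent directory -> reporting processes."""
    dirs = defaultdict(set)
    for proc, _pid, _op, path in hits:
        dirs[ntpath.dirname(path).lower()].add(proc or "unknown")
    return dict(dirs)

if __name__ == "__main__":
    for directory, procs in sorted(by_directory(locked_files(SAMPLE_EVENTS)).items()):
        print(f"{directory}  <- {', '.join(sorted(procs))}")
```
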
     
  2. sd_mark

    sd_mark Registered Member

    Joined:
    Feb 14, 2008
    Posts:
    27
    Location:
    San Diego, CA
    Last edited: Mar 6, 2008
  3. kurto

    kurto Registered Member

    Joined:
    Mar 4, 2008
    Posts:
    4
    Tech support has finally gotten back to me in a way. I called them complaining about the lack of response, and suddenly the emails started flowing to the tune of about 1 a day. Phone support typically defers to email, which is understandable. They, at this point, have no reason for the crash. Apparently they don't think that exclusions are the issue. I have just pointed the original situation out to them again to reemphasize that it was complaining about specific files.

    In the meantime I will take a look at the link and see what's there. You would (at least I would) expect a commercial grade project to come preconfigured for something like that, especially if the results are going to be this disastrous.

    So far this is feeling like working with open source software, where the author just doesn't know because it works for him, and you're left supporting yourself (with the help of others) on forums. Not that I'm against open source.

    Thanks for the response.
     