Versions / Builds AffectedGFI MailEssentials 2012 and higher
Problem SummaryWhen an antivirus engine enabled, the gfiscanm.exe process will crash constantly (around 2-3 times a second) and in some cases will throw errors about delays with the gfiavroutingagent.
TT / JIRAID801
How to IdentifyWhen the GFI MailEssentials EmailSecurity function and the GFI MailEssentials Bitdefender engine are enabled, mailflow will halt and constant crashes of gfiscanm.exe or faulting ntdll.dll will be listed. It may also show up in the application event viewer like this:
The execution time of agent 'GfiAvRoutingAgent' exceeded 90000 milliseconds while handling event 'OnSubmittedMessage' for message with InternetMessageId: 'Not Available'. This is an unusual amount of time for an agent to process a single event. However, Transport will continue processing this message.
Once the GFI MailEssentials Bitdefender engine is disabled and the AV scanning engine service is restarted, mailflow will go back to normal.
"info ","BitDefender","EngineFolder [C:\Program Files (x86)\GFI\MailEssentials\Antivirus\avx]"
"error ","BitDefender","CBitDefenderScanner::InitVSEngine - Failed to load Loader DLL [C:\Program Files (x86)\GFI\MailEssentials\Antivirus\avx\gfibitdefenderldr.dll]. Error"
"error ","BitDefender","Failed to initialize scanning engine: 0x8007007E"
"info ","BitDefender","Scanning Engine successfully uninitialized."
"info ","BitDefender","Logging Session Ended"
"error ","SCore","Scan: Calling [Virus Scanning Engine]...ok"
"error ","SCore","Scan: final result(CRITICAL)"
"info ","Virus Scanning Engine","Process: calling [Vipre Engine]...ok"
"info ","Virus Scanning Engine","ERROR: Process: calling [BitDefender Engine] - plugin is not initialized, failing..."
The Microsoft Windows EventViewer will show something similar to:
Event id 1000
Faulting Aplpication GFIScanM.exe
Faulting Module ntdll.dll 6.1.7601.18229
Exception Code 0x00033bc2
Faulting Process is 0x1b14
One important hint is that under GFI MailEssentials\EmailSecurity\Virus Scanning Engines\Bitdefender\Bitdefender Version Information\Build, instead of the current year some old build number is shown (quite common is 220.127.116.110 2007).
Workaround / Fix DetailsConfirm the crashes/warnings in the application event viewer, then disable the Bitdefender engine.
Verify the definition that Bitdefender is currently running (If the definition is in the 500,000 to 600,000 you must follow the article to Manually Purge the definitions)
-Article name "How to manually update Bitdefender definitions"
Verify that Hardware firewall or content filter has proper exclusions in place for:
If the customer has an antivirus or file based software, make sure the proper exclusions are in place.
Verify Customer is on MailEssentials 2014 build 20140308 or later
1. navigate to ...GFI\MailEssentials\Antivirus\AVX\ and ...\GFI\MailEssentials\Antivirus\backup\AVX\ folders, sort the files by Date modified and replace the 2007 files with new ones from a test installation (important are the bdcore.dll and libfn.dll )
2. navigate to ...\GFI\MailEssentials\Updater\avx folder and delete the _current_revision.txt file
3. trigger manual updates from the configuration UI to update the affected engine
Same solution applies to the rest of engines.
Required ActionsApply above solution and attach article to case.