Microsoft Exchange server admins has a rude awakening on the 1st January when their Exchange Servers failed with the error “FIP-FS Scan Engine failed to load – Can’t Convert “2201010001” to long (2022/01/01 00:00 UTC)“.  Microsoft has now released an official fix to unblock the mail queues.

The problem relates to a date check failure in the malware scanner with the change of the new year due to the version checking performed against the signature file causing the malware engine to crash, resulting in messages being stuck in transport queues.

Microsoft has now released a fix for the issue, which can be performed both manually or via an automated script.

To do it manually:

Remove existing engine and metadata
1. Stop the Microsoft Filtering Management service.  When prompted to also stop the Microsoft Exchange Transport service, click Yes.
2. Use Task Manager to ensure that updateservice.exe is not running.
3. Delete the following folder: %ProgramFiles%\Microsoft\Exchange Server\V15\FIP-FS\Data\Engines\amd64\Microsoft.
4. Remove all files from the following folder: %ProgramFiles%\Microsoft\Exchange Server\V15\FIP-FS\Data\Engines\metadata.

Update to latest engine
1. Start the Microsoft Filtering Management service and the Microsoft Exchange Transport service.
2. Open the Exchange Management Shell, navigate to the Scripts folder (%ProgramFiles%\Microsoft\Exchange Server\V15\Scripts), and run Update-MalwareFilteringServer.ps1 <server FQDN>.

Verify engine update info
1. In the Exchange Management Shell, run Add-PSSnapin Microsoft.Forefront.Filtering.Management.Powershell.
2. Run Get-EngineUpdateInformation and verify the UpdateVersion information is 2112330001.

After updating the engine, Microsoft also recommend that you verify that mail flow is working and that FIPFS error events are not present in the Application event log.

Microsoft has also released a script at  https://aka.ms/ResetScanEngineVersion that automates the process and can be run in parallel over all your servers.

Read all the associated detail at Microsoft here.

Comments