Microsoft releases emergency fix to solve email stuck in Exchange on-premises transport queues

At the beginning of the new year, many corporate administrators did not expect that their on-premises Microsoft Exchange servers would stop delivering mail on January 1, 2022.

The cause turned out to resemble the millennium bug: a Microsoft Exchange component could not handle a version number that begins with the year 2022. Shortly before this, Firefox and Google Chrome had been testing whether websites would break once their browser version numbers reached 100.


“File:Microsoft Exchange (2019-present).svg” by Microsoft Office team is licensed under CC BY-SA 4.0

At the root of the problem is the Microsoft FIP-FS anti-malware engine: a version value the engine stores exceeded the limit of its variable type, the engine failed to load, and every message stalled in the transport queue.

FIP-FS is the malware scanning engine that Microsoft ships with Exchange. The Exchange transport pipeline hands each message to the engine for scanning, and when the engine starts it checks the version of its signature update.

The engine stores that date-based version number in a signed 32-bit integer (int32), whose maximum value is 2147483647, so there is a hard upper limit.

The version number is built from the date (two-digit year, month, day, followed by a build sequence), so the first update of January 1, 2022 carried version 2201010001. That value exceeds 2147483647, the conversion failed, and the whole anti-malware engine crashed while storing it.

With the engine down, no message could be scanned, so mail piled up in the transport queue and all inbound and outbound mail on the server was blocked.

Administrators who check the Application event log find that the engine could not be loaded with error 0x80004005, together with an error description stating that the value 2201010001 could not be converted to a long.

In response, Microsoft released a script called Reset-ScanEngineVersion.ps1, which enterprise administrators can run to apply the fix.

While it runs, the script stops the Microsoft Filtering Management Service and the Microsoft Exchange Transport service, deletes the old engine files, and downloads the new engine version.

The new engine version no longer exceeds the variable's limit, so once the script finishes, the filtering and transport services restart and mail flow resumes.

Once the problem is fixed, the queued emails are delivered, but if a large backlog has built up, draining the queue can take some time.

In addition, the engine version number is now 2112330001, which does not correspond to a real date; administrators need not worry, as this is intentional on Microsoft's part. “The newly updated scanning engine is fully supported by Microsoft,” the company outlined. “While we need to work on this sequence longer term, the scanning engine version was not rolled back, rather it was rolled forward into this new sequence. The scanning engine will continue to receive updates in this new sequence.”
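As an added example (not code from the original article, and not Microsoft's Reset-ScanEngineVersion.ps1), the following PowerShell reproduces the check described above: it treats an engine version string as the signed 32-bit integer the engine stores and reports whether the value fits, covering the last good 2021-style version, the 2201010001 value that broke on January 1, 2022, and the rolled-forward 2112330001 sequence. The function names, the sample version strings and the date-prefix decoding are assumptions made for illustration; the Get-EngineUpdateInformation cmdlet referenced in the trailing comment is part of Microsoft's Forefront filtering snap-in on an Exchange server.

```powershell
# Added example: evaluate FIP-FS engine version strings the way the engine's
# signed 32-bit storage does. Not Microsoft's script; names are illustrative.

function Test-FipFsVersionFitsInt32 {
    <#
      .SYNOPSIS
      Returns $true if a FIP-FS engine version fits in a signed int32,
      $false if it would overflow (the failure mode seen on 2022-01-01).
    #>
    param([Parameter(Mandatory)][string]$Version)

    # Parse as 64-bit first so the value can be compared against the int32
    # ceiling (2147483647) instead of merely catching an OverflowException.
    $value = [int64]::Parse($Version)
    return ($value -le [int32]::MaxValue)
}

function Get-FipFsVersionStatus {
    <#
      .SYNOPSIS
      Reports the date prefix, the int32 verdict and the remaining headroom
      for a version string of the form YYMMDD + 4-digit build sequence.
    #>
    param([Parameter(Mandatory)][string]$Version)

    $fits = Test-FipFsVersionFitsInt32 -Version $Version

    # Decode the date prefix for the report. Microsoft's rolled-forward
    # sequence (2112330001) deliberately uses an impossible month/day so that
    # it stays below the int32 limit while sorting after every 2021 version.
    $yy = $Version.Substring(0, 2)
    $mm = $Version.Substring(2, 2)
    $dd = $Version.Substring(4, 2)

    [pscustomobject]@{
        Version     = $Version
        DatePrefix  = "20$yy-$mm-$dd"
        Int32Limit  = [int32]::MaxValue
        FitsInInt32 = $fits
        Headroom    = if ($fits) { [int32]::MaxValue - [int64]$Version } else { 0 }
        Verdict     = if ($fits) { 'OK: engine can load this version' }
                      else       { 'engine fails to load (0x80004005); transport queue stalls' }
    }
}

# Constructed sample versions for the demonstration (not read from a server):
$samples = @(
    '2112310001',  # 2021-12-31, build 1: a version from the old sequence that still fits
    '2201010001',  # 2022-01-01, build 1: the value that overflowed on New Year's Day
    '2112330001'   # Microsoft's rolled-forward sequence: fits, and keeps receiving updates
)

$samples | ForEach-Object { Get-FipFsVersionStatus -Version $_ } | Format-Table -AutoSize

# On a patched Exchange server, feed the live value in from the filtering snap-in:
#   Add-PSSnapin Microsoft.Forefront.Filtering.Management.PowerShell
#   Get-FipFsVersionStatus -Version (Get-EngineUpdateInformation).UpdateVersion
# Once the engine loads again, Get-Queue shows the transport queues draining.
```

The check is deliberately written against the int32 ceiling rather than against the year, because the same failure would recur for any future version string whose leading digits exceed 2147483647; the trailing comment shows where the live UpdateVersion value comes from on a real server, which is the confirmation an administrator wants after running Microsoft's script.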