Exchange 2016:- Symantec IPS issues
Symantec on a Windows Server just like ESET works great. When you throw Exchange 2016 or Exchange 2019 into the mix, things get more complicated with both products.
If you are not aware, when you are running an anti-virus product, you need to add the exclusions for processes and folders as outlined in the Microsoft documentation.
Having said that, even with the exclusions, this is not enough in my book to ensure a smooth running Exchange environment. Intrusion Prevention (IPS) seems to cause havoc on Exchange servers and here are some of my findings:
- Cannot copy Cumulative updates or any files from Microsoft
- Cannot install Cumulative updates as the install just fails or locks up
- The Exchange 2019 or Exchange 2016 servers lose access to Active Directory and log Event ID 2070
- Transport service keeps stopping and causes mail queues
- Network copy speeds are extremely slow
Here are some of the images on what I am referring to:
Invalid Signature File on a legitimate ISO file.
One of the many .exe processes throwing out errors even though they are whitelisted in Symantec.
By going through each component to see which one was causing it, the culprit was IPS as mentioned. Logging a call with Symantec only yields a blame game as they say Microsoft are at fault, showing them that by disabling IPS everything above stops, the moment you add IPS back, you get all the blocks and events logging.
I don’t have an update on how to fix this yet but when I do I will update this article.
This recently happened in the wake of the Exchange attacks that happened beginning of March so something must have changed in the application code. Yes IPS does wonders in a sense that it blocks Ransomware attempts etc. but it causes havoc with Exchange in the long run. If you need to just remove this component, you can head over to control panel and open up “Programs and Features” and then click on Symantec and then select the change button and you can remove the component as shown below that is causing the issue:
Select the last option and it will put a red X next to that feature and then you can click next 3x times until starts with the removal. It does not prompt for reboot but I like to reboot after making this kind of change.
Hope it helps.