Microsoft Exchange servers installed on site at customers’ premises have been unable to deliver e-mail since January 1, 2022. The reason? A year 2022 bug located in the FIP-FS anti-spam scan engine.
Microsoft has just published an emergency patch to resolve this year 2022 bug that affects Exchange servers installed on site. “Verifying the version performed against the signature file crashes the malware engine, causing messages to hang in transport queues,” Microsoft explains in a blog post.
Microsoft has released an interim fix that requires customer intervention while working on an update that automatically corrects the problem. This temporary fix comes in the form of a PowerShell script named “Reset-ScanEngineVersion.ps1”. When executed, the script stops the Microsoft Filtering Management and Microsoft Exchange Transport services, removes the old AV engine files, downloads the new AV engine, and restarts the services.
To use the automated script to apply the fix, you can perform the following steps on each on-premises Microsoft Exchange server in your organization:
- Download the Reset-ScanEngineVersion.ps1 script from https://aka.ms/ResetScanEngineVersion
- Open an elevated Exchange Management Shell.
- Change the PowerShell script execution policy by running Set-ExecutionPolicy -ExecutionPolicy RemoteSigned.
- Run the script.
- If you previously disabled the scan engine, re-enable it using the Enable-AntimalwareScanning.ps1 script.
After running the script, Microsoft reports that emails will start to be delivered again, but it may take some time depending on the number of emails that were stuck in the queue. Microsoft also explains that the new AV scan engine will have the version number 2112330001, which refers to a date that does not exist and that admins need not be concerned about.
Microsoft Exchange servers installed on-site at customers' premises have been unable to deliver email since January 1, 2022. The reason? A year 2022 bug located in the FIP-FS anti-spam scan engine.
Beginning with Exchange Server 2013, Microsoft enabled the FIP-FS anti-spam and anti-malware scanning engine by default to protect users from malicious emails. A bug in this filter is what blocks the delivery of emails.
The bug therefore also affects Exchange Server 2016 and Exchange Server 2019.
At Bleeping Computer, Joseph Roosen, security researcher and Exchange administrator, explains that this problem is caused by Microsoft using a signed int32 variable to store the value of a date, which has a maximum value of 2,147,483,647.
However, dates in 2022 have a minimum value of 2,201,010,001, a number greater than the maximum value that can be stored in the signed int32 variable, which causes the scan engine to fail and the mail not to be delivered.
Microsoft will therefore have to release an update to Exchange Server using a larger variable to contain the date, in order to officially correct this bug.
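An added example (not Microsoft's code and not part of the original article) of the failure mode and the fix described above: a range-checked int32 conversion rejects the first 2022 value, 2201010001, while the interim version 2112330001 still fits, and a 64-bit comparison orders both correctly. The function names are hypothetical.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

enum parse_status { PARSE_OK = 0, PARSE_INVALID = -1, PARSE_OUT_OF_RANGE = -2 };

/* Parse a decimal version string into 64 bits (hypothetical helper). */
static enum parse_status parse_version64(const char *s, int64_t *out)
{
    char *end = NULL;
    errno = 0;
    long long v = strtoll(s, &end, 10);
    if (end == s || *end != '\0' || v < 0)
        return PARSE_INVALID;          /* empty, trailing junk, or negative */
    if (errno == ERANGE)
        return PARSE_OUT_OF_RANGE;     /* does not even fit in 64 bits */
    *out = (int64_t)v;
    return PARSE_OK;
}

/* Range-checked narrowing: report the overflow instead of wrapping or crashing. */
static enum parse_status parse_version32(const char *s, int32_t *out)
{
    int64_t wide;
    enum parse_status st = parse_version64(s, &wide);
    if (st != PARSE_OK)
        return st;
    if (wide > INT32_MAX)
        return PARSE_OUT_OF_RANGE;
    *out = (int32_t)wide;
    return PARSE_OK;
}

/* 1 if candidate is newer, 0 if not, -1 if either string is malformed. */
static int is_newer(const char *installed, const char *candidate)
{
    int64_t a, b;
    if (parse_version64(installed, &a) != PARSE_OK ||
        parse_version64(candidate, &b) != PARSE_OK)
        return -1;
    return b > a;                      /* 64-bit compare, no wraparound */
}

int main(void)
{
    int32_t v; /* inputs are the two version numbers quoted in the article */
    printf("2112330001 -> %d\n", parse_version32("2112330001", &v));
    printf("2201010001 -> %d\n", parse_version32("2201010001", &v));
    return is_newer("2112330001", "2201010001") == 1 ? 0 : 1;
}
```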
An unofficial workaround exists
But some administrators of the affected on-premises Exchange servers have discovered that it is possible to disable the FIP-FS scanning engine to allow emails to resume delivery.
To disable the FIP-FS scanning engine, you can run the following PowerShell command on the Exchange server (replace <ExchangeServerName> with the name of your server): Set-MalwareFilteringServer -Identity <ExchangeServerName> -BypassFiltering $true
After restarting the MSExchangeTransport service, mail delivery begins again normally. Unfortunately, with this unofficial fix, distributed mail will no longer be scanned by Microsoft’s engine, resulting in an increase in the number of malicious and spam emails reaching users.
Microsoft has confirmed that it is working on a fix and hopes to have more information to communicate soon.