General discussion


Error: Symantec AV10 on Exchange 2k3 SVR

By PSX ·
About 2 weeks ago my Exchange server started having problems with its file-system Antivirus scanner (Symantec AV 10.0.1, client). Whenever virus scan starts, it starts scanning the file system and all running services then crashes when it gets to "common infection locations (load points)". The error message says "Buffer overrun detected!" then it point to rtvscan.exe as the source. The title of the message box says "Microsoft Visual C++ Runtime Library".

Buffer overflow and problem with AV scanner usually point to either a virus infection or a trojan horse infection. However, I've run multiple AV scans on this system (using scanners other than Symantec's) but nothing was found. I've also ran a couple of rootkit revealers which revealed nothing. A port scan on the system didn't reveal any commonly-known trojan ports.

I thought this might be caused by a corruption in the SAV client software so I completely uninstalled it, rebooted, then reinstall but the problem still persists. I've narrowed the problem down to a couple of things:

1) Everytime the virus scan crashes, it shows that AeLookupSvc was the last item being scanned and it always crashes at this point.

2) A scan of the entire file system plus all running services will NOT fail but as soon as you add Common Loadpoints and Scan for traces of well-known threats, it crashes.

3) AeLookupSvc is a new service introduced in Windows 2003 Server for monitoring application compatibility problems.

Also, this shouldn't have anything to do with my problem with the filesystem AV scanner but my Exchange server is also running Symantec AV for Exchange version 4.62. I've also excluded all necessary folders and files as described in MS and Symantec's guides for AV on Exchange server. My Exchange server has been running fine until about 2 weeks ago.

I really need help with this problem. I'm forced to exclude Common Loadpoints and Scan for traces of well-known threats from my AV scans on this server.

This conversation is currently closed to new comments.

Thread display: Collapse - | Expand +

All Comments

Collapse -

by sgt_shultz In reply to Error: Symantec AV10 on E ...

is this win2k3 sp1?
any thing in the Application Event logs-?

Collapse -

by PSX In reply to Error: Symantec AV10 on E ...

The server is running on Windows 2003 SP1 with all patches installed. Exchange is at version 6.5.7226 (Exchange 2003 SP1). Also the latest version of Blackberry Enterprise server is installed on this server.

When the scan crashes, event number 7011 is logged in the system log with the description:

"Timeout (30000 milliseconds) waiting for a transaction response from the Symantec AntiVirus service."

Nothing shows up in Application log.

Collapse -

by oldyeller In reply to Error: Symantec AV10 on E ...

Hi there...

I'm running the same antivirus and the latest version of Blackberry Enterprise Server, but on a Win2K server without Exchange. I'm getting the exact same error when I run a scan. I've seen several posts on Symantec's support forum regarding the same error, most of them also seem to involve AV 10.0.1 with BES 4. I think these two products don't play to o well together!

Collapse -

by PSX In reply to

Thanks for letting me knkwo that I am not alone in this. I did notice this soon after I upgraded to BES 4.0 server but I didn't think it was BES-related (I noticed the messages about 3 weeks after I've upgraded to BES 4).

I've called Symantec on 3 different occasions but the techs were clueless. One of them even stated that there's nothing else he could do to help. Anyhow, they told me to upgrade to 10.0.1 from 10.0.0, which I did, for my entire domain, but to that didn't fix the problem. There were some other minor suggestions (update a file, etc.) but none of them fixed the problem. None of the Symantec techs have even mentioned anything about BES.

Anyhow, it is definitely good news to know that I am not alone in this. I will have to call Symantec again. Thanks for posting. Please let me know when you find anything else about this problem. I will do the same via comments on this post.

Collapse -

by d_remer In reply to Error: Symantec AV10 on E ...

I am getting the same error with Norton corp v10 and Black Berry on Windows 2003. Have you guys found out a solution to this problem, beside a custom scan workaround?

Thanks for your help

Collapse -

by randyw In reply to Error: Symantec AV10 on E ...

Interesting. I installed BES 4.0 on an Exchange server and I started getting this Buffer Overrun error and it pointed to RTVSCAN.EXE which is from Symantec. I uninstalled BES 4.0 thinking maybe it was something else but then I reinstalled BES 4.0 on our domain controller which also has Symantec 10 and low and behold, now I'm getting that error on the domain controller. Good Stuff!! It's definitely a problem with BES and Symantec interoperability. Problem is now trying to find out where to point the finger.

Collapse -

by nkafer In reply to Error: Symantec AV10 on E ...

I am also implementing a BES 4.0 server running on Windows 2K Server and am experiencing this same error. Has anyone figured out how to fix this problem? I see the mention of a custom scan that excludes Common Loadpoints and scan for traces of well-known threats from the AV scans on this server. Is this the only workaround anyone has found? Were there any other folders (Windows or BES) folders that should be excluded?


Collapse -

by roman In reply to Error: Symantec AV10 on E ...

Hi Guys
I have the same problem with my Win2k Server and BES 3.6. Does anyone find out what to do about this?
I removed all Symantec products, rebooted and reinstalled it and still get the same errors.

What file can I exclude from the scan?


Collapse -

by dkoll In reply to Error: Symantec AV10 on E ...

I've been having the same issue, and after reading this topic I believe the problem started ocurring after we had installed BES as well. I'm on hold with Symantec right now (45 min wait of course). I have one quick question... what is a common loadpoint? If Symantec can't provide me with a solution, does this scan workaround work, and do I just need to exclude the Common Loadpoints (whatever that is) and the BES folder? Thanks for your help.

Collapse -

by PSX In reply to

Wow! So many people are having this problem. It puzzles me why both RIM and Symantec haven't known about this problem.

I've tried calling Symantec on two different occasions since finding out that this problem is related to BES but other projects pulled me away before I could get a good answer (the long hold time definitely does not help). I will take it up with RIM and see what answer they could give me.

Back to your question regarding common load points: they are common registry keys and folders that viruses and spyware infect. Common Loadpoints and Scan for traces of well-known threats are two options that will cause the crash (selecting one of the two will also cause SAV10 to crash). Also, there are three ways of installing SAV10 on a server: 1) as a standalone server, 2) as a member client to a SAV10 server, or 3) as a standalone client.

When it is installed as a standalone client, SAV10 will NOT allow you to exclude Common Loadpoints and Scan for traces of well-known threats. When it is installed as its own SAV10 server, it will also prevent you from excluding one of the two options (I forgot which) so the best thing to do (if you want to use the workaround) is to install SAV10 onto the BES server as a client within your SAV Corporate environment then proceed to exclude Common Loadpoints and Scan for traces of well-known threats. Also, don't forget to add all necessary exclusions if you are installing it on an Exchange server.

Related Discussions

Related Forums