This post is the continuation of my VSAPI posts, but the first one that goes into troubleshooting. Please see part 1, part 2 and part 3 for architecture details.
The VSAPI is relatively simple; however, due to the complex interactions with Independent Software Vendors (ISVs), it can sometimes be difficult to determine whether problems are Information Store or vendor related. In this posting we'll take a look at the facilities available to help diagnose what is happening, along with some scenarios and the logic of breaking down the problem.
Performance Monitor Counters
In Exchange 2000, the VSAPI received several performance monitor counters allowing an administrator to monitor the status of the VSAPI interface.

Of the counters available, the primary one our Support Team will look at when potentially dealing with a virus scanning issue is ‘MSExchangeIS\Virus Scan Queue Length’. This counter indicates the number of items currently in the Virus Scanning queue waiting for an available thread to pick up the next item and submit it to the virus scanning DLL. A consistently high number of items in the queue represents either a misconfigured value for scanning threads or a problem with the virus scanning DLL. Items will remain in the queue until a virus scanning thread picks up the item and submits it to the vendor, or until a service restart clears the queue. Each item is handled in the context of a single thread. This thread performs the operation of picking up the next item to scan, calling into the vendor’s DLL to perform the scan, and waiting on the return result from the vendor before potentially deleting or quarantining the item, or releasing it to the client.
Other relevant perfmon counters:
| Counter | Description |
|---|---|
| Virus Scan Bytes Scanned | Total number of bytes of data processed by the virus scanner. |
| Virus Scan Files Cleaned | This number represents the number of attachments that have been cleaned by the virus scanning engine and, in accordance with the above, marked as CLEANED. It is a cumulative value reset after each restart of the process. |
| Virus Scan Files Cleaned/sec | This is the rate at which the virus scanning engine is removing identifiable problems in messages and marking the items as CLEANED. |
| Virus Scan Files Quarantined | This is the total number of attachments that have been scanned and marked as PRESENT. When this occurs the Store disallows access to the entire message until a later scan determines the message is now safe. |
| Virus Scan Files Quarantined/sec | This is the rate at which attachments are being scanned and marked as PRESENT. |
| Virus Scan Files Scanned | This is the total number of attachments that have been processed by the virus scanning engine since the start of a service. |
| Virus Scan Files Scanned/sec | This is the rate at which attachments are being scanned. |
| Virus Scan Folder scanned in Background | This is the total number of folders (and associated content) that have been evaluated and potentially scanned by the virus scanning engine. |
| Virus Scan Messages Cleaned | This is the total number of messages identified as having a problem and successfully cleaned since the process was started. |
| Virus Scan Messages Cleaned/sec | This is the rate at which messages are being cleaned. |
| Virus Scan Messages Deleted | Introduced in VSAPI 2.5 was the ability for a vendor to request a message be deleted from the system. This is the total number of messages that were removed per the virus scanning engine request since the process was started. |
| Virus Scan Messages Deleted/sec | This is the rate at which messages are being deleted from the system per the virus scanning engine request. |
| Virus Scan Messages Processed | This is cumulatively the number of messages either cleaned, deleted, or quarantined since the process started. |
| Virus Scan Messages Processed/sec | This is the rate at which messages are processed regardless of resulting status (PRESENT, CLEANED, NOT_PRESENT). |
| Virus Scan Messages Quarantined | This is the total number of messages quarantined since the process was started. |
| Virus Scan Messages Quarantined/sec | This is the rate at which messages are being quarantined. |
| Virus Scan Messages in Background | This is the total number of messages that have been scanned in the background since the process was started. |
Baselining performance is a KEY element of troubleshooting performance issues when they are encountered. The baseline analysis establishes the expected, predictable results of a system and allows for comparisons to be made. Establishing baseline performance over time also allows for the development of triggers. For example, you may know from your baseline that no more than 3 messages per day are quarantined via the virus scanning interface. Using this information, create a perfmon trigger to alert when more than 6 messages are quarantined per day. This would give you an early indication of a potential outbreak of virus messages in the environment.
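The baseline trigger and the "consistently high" queue check described above can also be run offline against a counter log saved as CSV. The following is an added example, not code from the original post: it turns the cumulative 'Virus Scan Messages Quarantined' counter into per-day counts (handling the reset after a process restart) and flags sustained 'Virus Scan Queue Length' readings. The server name EXCH01, the sample rows, and the queue limit of 30 over 3 consecutive samples are assumptions chosen for illustration.

```python
import csv, io
from collections import defaultdict
from datetime import datetime

# Constructed perfmon CSV export; EXCH01 is a hypothetical server name.
SAMPLE = r'''"(PDH-CSV 4.0) (Pacific Standard Time)(480)","\\EXCH01\MSExchangeIS\Virus Scan Messages Quarantined","\\EXCH01\MSExchangeIS\Virus Scan Queue Length"
"03/01/2004 08:00:00.000","0","0"
"03/01/2004 16:00:00.000","2","1"
"03/02/2004 08:00:00.000","3","0"
"03/02/2004 12:00:00.000","1","40"
"03/02/2004 16:00:00.000","5","55"
"03/02/2004 20:00:00.000","9","62"
"03/03/2004 08:00:00.000","10","3"
'''

def load(text):
    """Return [(timestamp, quarantined_total, queue_length)] from the export."""
    reader = csv.reader(io.StringIO(text))
    col = {name.rsplit("\\", 1)[-1]: i for i, name in enumerate(next(reader))}
    q, ql = col["Virus Scan Messages Quarantined"], col["Virus Scan Queue Length"]
    return [(datetime.strptime(r[0], "%m/%d/%Y %H:%M:%S.%f"), float(r[q]), float(r[ql]))
            for r in reader if r and r[q].strip() and r[ql].strip()]  # skip missed samples

def quarantined_per_day(rows):
    """Turn the cumulative counter into per-day counts, surviving restarts."""
    per_day, prev = defaultdict(int), None
    for ts, total, _ in rows:
        if prev is not None:
            # After a restart the counter drops; the new value is the count since then.
            per_day[ts.date()] += int(total - prev if total >= prev else total)
        prev = total
    return dict(per_day)

def alert_days(per_day, threshold=6):  # 6 = the post's example trigger
    return sorted(day for day, n in per_day.items() if n > threshold)

def sustained_queue(rows, limit=30, samples=3):
    """Start times of runs with queue length above limit for `samples` readings in a row."""
    runs, start, n = [], None, 0
    for ts, _, qlen in rows:
        if qlen > limit:
            start, n = start or ts, n + 1
            if n == samples:
                runs.append(start)
        else:
            start, n = None, 0
    return runs
```

Each increase is attributed to the day of the later sample, so a short sampling interval keeps the daily totals accurate around midnight.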
In the next post: event logging and a few troubleshooting scenarios!
- Jeremy Kelly