Virus Scan queue length beyond warning threshold

[This topic is intended to address a specific issue called out by the Exchange Server Analyzer Tool. You should apply it only to systems that have had the Exchange Server Analyzer Tool run against them and are experiencing that specific issue. The Exchange Server Analyzer Tool, available as a free download, remotely collects configuration data from each server in the topology and automatically analyzes the data. The resulting report details important configuration issues, potential problems, and nondefault product settings. By following these recommendations, you can achieve better performance, scalability, reliability, and uptime. For more information about the tool or to download the latest versions, see "Microsoft Exchange Analyzers" at https://go.microsoft.com/fwlink/?linkid=34707.]  

Topic Last Modified: 2006-04-20

The Microsoft® Exchange Server Analyzer Tool includes a performance data collection engine that is used to query performance counter objects on computers that are running Exchange 2000 Server or Exchange Server 2003. The performance data collection engine collects data from the Virus Scan Queue Length performance counter of the MSExchangeIS performance object to analyze performance data.

If the Exchange Server Analyzer determines that the 90th percentile value for the Virus Scan Queue Length counter is greater than 5 during the sample time slice, the Exchange Server Analyzer displays a warning.

The Virus Scan Queue Length performance counter indicates the current number of outstanding requests that are queued for virus scanning.

This warning indicates that performance may become an issue for this server. The performance issues could be related to the following:

  • Decreased server performance, usually caused by an emerging CPU bottleneck.

  • Higher than usual server load.

  • An out-of-date virus scanning engine.

  • An incorrectly configured virus scanning engine.

To address this warning, take the following steps:

  • Look for updates to your virus engine.

  • Consider re-installing the virus scanning software.

  • Examine the configuration of your virus scanning engine for the correct thread configuration, file level exclusions, etc. See Microsoft Knowledge Base article 823166, "Overview of Exchange Server 2003 and antivirus software" (https://go.microsoft.com/fwlink/?linkid=3052&kbid=823166).

  • Use the Performance Monitor (Perfmon.msc) tool to identify if the emerging bottleneck is caused by an increase load on the server or whether the server is undersized. If the server load has increased, identify the source of the load and reduce it. If the server has insufficient resources, increase the necessary resources or move users off the server.

Removing Processor Bottlenecks

There are many ways to address processor bottlenecks on your Exchange server:

  • First, review the applications or tasks that are causing load on the server. Determine if the application should be using the processor time that it is or if there might be an issue with the process.

  • If a non-Exchange application is not important to that server, run that application on another server. If you can, move server roles to other computers also. For example, if the Inetinfo process is using lots of CPU utilization, consider adding front-end servers to assume responsibility of the protocol work that Inetinfo performs. You can also move public folder access to a dedicated public folder server. Finally, if a server performs lots of distribution list expansions, you can reduce CPU utilization by moving distribution list expansion to a dedicated distribution-list expansion server.

  • Add more or faster processors to the server if you can. Also, enable hyper-threading if it is supported by the processors. You can enable hyper-threading by configuring the system BIOS. For more information, see the computer manufacturer's Help documentation.

  • If increasing the processing power is not a workable option, you must reduce the load on the processors. To reduce the overall effect on the server, make sure that I/O-intensive, CPU-intensive, or memory-consuming tasks occur outside ordinary operation hours.

  • Make sure that CPU-intensive tasks, such as backup and maintenance, occur during off-peak hours. Also make sure and that these tasks are performed in a staged manner. Staging a task means setting different start times, and preferably end times, for each task. Staging the maintenance and backup of databases or storage groups also lessens the effect of these resource-intensive tasks.

For More Information