{"id":801,"date":"2021-10-26T14:06:42","date_gmt":"2021-10-26T18:06:42","guid":{"rendered":"https:\/\/blog.markdepalma.com\/?p=801"},"modified":"2021-10-26T14:09:48","modified_gmt":"2021-10-26T18:09:48","slug":"filteringservicefailureexception-error-microsoft-exchange-messagingpolicies-rules-filteringservicefailureexception-fips-text-extraction-failed-with-error-wsm_error-scanning-process-caught-except","status":"publish","type":"post","link":"https:\/\/blog.markdepalma.com\/?p=801","title":{"rendered":"FilteringServiceFailureException Error: Microsoft.Exchange.MessagingPolicies.Rules.FilteringServiceFailureException: FIPS text extraction failed with error: &#8216;WSM_Error: Scanning Process caught exception: (0x00000005) Access is denied"},"content":{"rendered":"\n<p>For some time we had been seeing these events in the event logs of our Exchange mailbox servers and the &#8216;<strong>UnifiedContent<\/strong>&#8216; directory (related to the Hub Transport role) has been growing:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">Log Name:      Application\nSource:        MSExchange Messaging Policies\nDate:          10\/26\/2021 8:08:10 AM\nEvent ID:      4010\nTask Category: Rules\nLevel:         Error\nKeywords:      Classic\nUser:          N\/A\nComputer:      mbx1.domain.com\nDescription:\nTransport engine failed to evaluate condition due to Filtering Service error. The rule is configured to ignore errors. Details: 'Organization: '' Message ID '&lt;1ea41f5d-64ec-424a-b863-19d7fc2cf7d0@journal.report.generator&gt;' Rule ID 'bcdf1c32-0249-4149-a91b-85ecabaeb695' Predicate '' Action ''. FilteringServiceFailureException Error: Microsoft.Exchange.MessagingPolicies.Rules.FilteringServiceFailureException: FIPS text extraction failed with error: 'WSM_Error: Scanning Process caught exception: \nStream ID: &lt;1ea41f5d-64ec-424a-b863-19d7fc2cf7d0@journal.report.generator&gt;\nScanID: {E44453FB-B127-44F8-BEF0-357252C6DAA3}\n(0x00000005) Access is denied.  Failed to open file: T:\\TransportRoles\\data\\Temp\\UnifiedContent\\8bedad9e-130a-490e-be7a-af8a58758231'. See inner exception for details ---&gt; Microsoft.Filtering.FilteringException: WSM_Error: Scanning Process caught exception: \nStream ID: &lt;1ea41f5d-64ec-424a-b863-19d7fc2cf7d0@journal.report.generator&gt;\nScanID: {E44453FB-B127-44F8-BEF0-357252C6DAA3}\n(0x00000005) Access is denied.  Failed to open file: T:\\TransportRoles\\data\\Temp\\UnifiedContent\\8bedad9e-130a-490e-be7a-af8a58758231\n   at Microsoft.Filtering.InteropUtils.ThrowPostScanErrorAsFilteringException(WSM_ReturnCode code, String message)\n   at Microsoft.Filtering.FilteringService.EndScan(IAsyncResult ar)\n   at Microsoft.Filtering.FipsDataStreamFilteringService.EndScan(IAsyncResult ar)\n   at Microsoft.Exchange.MessagingPolicies.Rules.UnifiedContentServiceInvoker.TextExtractionComplete(IFipsDataStreamFilteringService textExtractionService, TextExtractionCompleteCallback textExtractionCompleteCallback, IAsyncResult asyncResult)\n   --- End of inner exception stack trace ---\n   at Microsoft.Exchange.MessagingPolicies.Rules.UnifiedContentServiceInvoker.GetUnifiedContentResults(FilteringServiceInvokerRequest filteringServiceInvokerRequest)\n   at Microsoft.Exchange.MessagingPolicies.Rules.MailMessage.GetUnifiedContentResults()\n   at Microsoft.Exchange.MessagingPolicies.Rules.MailMessage.GetAttachmentStreamIdentities()\n   at Microsoft.Exchange.MessagingPolicies.Rules.MailMessage.GetAttachmentInfos()\n   at Microsoft.Exchange.MessagingPolicies.Rules.MailMessage.get_AttachmentNames()\n   at Microsoft.Exchange.MessagingPolicies.Rules.MessageProperty.OnGetValue(RulesEvaluationContext baseContext)\n   at Microsoft.Exchange.MessagingPolicies.Rules.Property.GetValue(RulesEvaluationContext context)\n   at Microsoft.Exchange.MessagingPolicies.Rules.TextMatchingPredicate.OnEvaluate(RulesEvaluationContext context)\n   at Microsoft.Exchange.MessagingPolicies.Rules.PredicateCondition.Evaluate(RulesEvaluationContext context)\n   at Microsoft.Exchange.MessagingPolicies.Rules.AndCondition.Evaluate(RulesEvaluationContext context)\n   at Microsoft.Exchange.MessagingPolicies.Rules.RulesEvaluator.EvaluateCondition(Condition condition, RulesEvaluationContext evaluationContext)\n   at Microsoft.Exchange.MessagingPolicies.Rules.TransportRulesEvaluator.EvaluateCondition(Condition condition, RulesEvaluationContext evaluationContext). Message-Id:&lt;1ea41f5d-64ec-424a-b863-19d7fc2cf7d0@journal.report.generator&gt;'\n<\/pre>\n\n\n\n<p>You may notice the &#8216;<strong>T:\\TransportRoles\\data<\/strong>&#8216; path above and this is due to the fact that we have our <a rel=\"noreferrer noopener\" href=\"https:\/\/docs.microsoft.com\/en-us\/exchange\/mail-flow\/queues\/relocate-queue-database?view=exchserver-2016\" target=\"_blank\">transport queue database path set to an alternate location<\/a>. It is clear in the error that there is an access issue as it is is stating &#8216;<strong>(0x00000005) Access is denied.  Failed to open file: T:\\TransportRoles\\data\\Temp\\UnifiedContent\\8bedad9e-130a-490e-be7a-af8a58758231<\/strong>&#8216; as the core issue. Looking at the &#8216;<strong>Temp<\/strong>&#8216; directory ACL we saw the current permissions were:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>LocalSystem \u2013 Full Control<\/li><li>Administrators \u2013 Full Control<\/li><li>NetworkService &#8211; Full Control<\/li><\/ul>\n\n\n\n<p>These permissions seem correct at face value, but when we look at the ACL of one of the files we actually found:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>LocalSystem \u2013 Full Control<\/li><li>Administrators \u2013 Full Control<\/li><li>NetworkService &#8211; Full Control<\/li><li>LocalService &#8211; Full Control<\/li><\/ul>\n\n\n\n<p>If you look at a default Exchange installation you will also see the ACL above is how it is set. It seems that when using a <strong>non-default queue database location<\/strong> you are required to set the ACL yourself as it won&#8217;t be set automatically. After fixing the ACL we simply shut down the transport service, cleared the directory, and restarted the transport service:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">Stop-Service MSExchangeTransport\nRemove-Item -Path \"T:\\TransportRoles\\data\\Temp\\UnifiedContent\\*\"\nStart-Service MSExchangeTransport<\/pre>\n\n\n\n<p>After this change the &#8216;<strong>UnifiedContent<\/strong>&#8216; directories are no longer growing and the error we started with is no longer appearing in the event log.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>For some time we had been seeing these events in the event logs of our Exchange mailbox servers and the &#8216;UnifiedContent&#8216; directory (related to the Hub Transport role) has been growing: Log Name: Application Source: MSExchange Messaging Policies Date: 10\/26\/2021 8:08:10 AM Event ID: 4010 Task Category: Rules Level: Error Keywords: Classic User: N\/A Computer: [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[69,72,67,65,80],"tags":[187,188],"class_list":["post-801","post","type-post","status-publish","format-standard","hentry","category-exchange","category-powershell","category-scripting","category-security","category-windows-server","tag-access-is-denied","tag-unifiedcontent"],"_links":{"self":[{"href":"https:\/\/blog.markdepalma.com\/index.php?rest_route=\/wp\/v2\/posts\/801","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.markdepalma.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.markdepalma.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.markdepalma.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.markdepalma.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=801"}],"version-history":[{"count":5,"href":"https:\/\/blog.markdepalma.com\/index.php?rest_route=\/wp\/v2\/posts\/801\/revisions"}],"predecessor-version":[{"id":806,"href":"https:\/\/blog.markdepalma.com\/index.php?rest_route=\/wp\/v2\/posts\/801\/revisions\/806"}],"wp:attachment":[{"href":"https:\/\/blog.markdepalma.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=801"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.markdepalma.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=801"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.markdepalma.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=801"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}