Event 6398 and Forefront Server Security


Customers may get this issue from time to time on every Sharepoint WFE server except one whenever the antivirus applications on the servers successfully update their antivirus definitions.

This only happens when more than one load-balanced Sharepoint WFE is involved and configured to update at exactly the same time and the antivirus application is configured to update at the same time on all servers.


Event ID 6398 from Source Windows SharePoint Services 3 on agent computer SharepointN2.contoso.com has triggered this Alert Description : The Execute method of job definition Microsoft.SharePoint.Administration.SPAntivirusJobDefinition (ID 1ce16aea-f6b5-43e6-9d6c-015a44627fce) threw an exception.

More information is included below.

An update conflict has occurred, and you must re-try this action. The object SPWebService Parent=SPFarm Name=SHAREPOINT_PRODUCTION_ConfigDB is being updated by CONTOSO\SQLAdmin, in the OWSTIMER process, on machine SharepointN1.  View the tracing log for more information about the conflict. Hostname=SharepointN2.contoso.com

Time Received: Tue Mar 23 17:09:21 GMT+0100 (CET) 2010


In the case where the WFE’s have 3rd party antivirus applications this is effectively a cosmetic issue, the antivirus updates by the antivirus application on the servers are not affected but the reporting of the updated status to the main Sharepoint config database is delayed by 5 minutes per server.

I.e. if 3 servers are involved and they all try to report the updated status of the antivirus definitions at the same time, one will succeed and two will fail and report the 6398 event. 
5 minutes later those two will retry and one will succeed and the other will log 6398. 
The last server will then retry 5 minutes later and succeed.


See also http://social.technet.microsoft.com/Forums/en-US/forefrontSharePoint/thread/7f83dcbb-a7aa-4946-92f9-d0cbafa8f9a0

Configuring Forefront Server Security polling interval:

Skip to main content