Symptoms
The following event messages are logged in the Application Event Log on the server after installing the EdgeSight server:
Event ID: 1200
Event Type: Error
Event Source: RSSH
Event Category: Application
Description: Application 'es_zqueue': Application has crashed.
Exception code: C0000005 ACCESS_VIOLATION
Fault address: 00000000 ??:???????? ???
Event ID: 1136
Event Type: Warning
Event Source: RSSH
Event Category: Service
Description: Failed to get state of application 'es_zqueue'. The application may have crashed. COM Error: 800706bf.
Other symptoms include:
• No new or existing devices are reporting up to the EdgeSight server.
• EdgeSight 4.5 (or earlier) Web console shows (Server Settings > Status) “Server Script Host” for application “es_zqueue” as "Stopped" or as "reporting errors".
Note: If you use the EdgeSight 5.0 Web console, the “es_zqueue” application status can be found in (Configure (tab) > Server Status > Server Script Host).
Sample screenshot from the EdgeSight 4.5 Web console:
Cause
The RSSH process is a critical EdgeSight server process and is essentially a scripting engine. It is therefore vulnerable to the script blocking feature of an antivirus application.
Resolution
The site administrator should configure script exclusions on the antivirus software. Refer to the antivirus software vendor’s instructions on script exclusion.
Workaround
In extreme cases, a temporary workaround is to disable the antivirus software's script scanning engine. Citrix recommends the site administrator work with the site’s corporate security team to ensure that the proper security protocols are followed. Disabling any part of an antivirus engine results in a less secure site.
More Information
CTX111062 – Required Antivirus Software Configuration for the EdgeSight Agent
Case study using McAfee:
The ScriptScan component (Scriptscan.dll) scans RSSH (script) to look for viruses. In turn, Scriptproxy.dll may cause an access violation within RSSH. Further, scriptproxy.dll may stop responding and may cause RSSH to stop responding.
If you try to restart the RSSH Admin Service, the same Event IDs (1200, 1136) are logged to the Application Event Log.
Case Study Resolution:
Properly configure McAfee’s script exclusion on your EdgeSight server.
Note that you should consult with your antivirus team and corporate security before performing these steps so that they meet your corporate security requirements.
Also note that the default server installation folders are specified below.
1. Ensure that the following files, which are script hosts, are not subject to script blocking:
• C:\Program Files\Common Files\Citrix\System Monitoring\Server\RSSH\RSshApp.exe
• C:\Program Files\ Common Files\Citrix\System Monitoring\Server\RSSH\RSshSvc.exe
2. Exclude the following folder, which contains the Citrix EdgeSight Web server:
• C:\Program Files\Citrix\System Monitoring\Server
Case Study Workaround:
To temporarily work around script blocking problems, an option is to unregister McAfee’s Scriptproxy.dll file. This action will disable McAfee's script scanning.
To do this, follow these steps:
1. Log on to the computer that is running the EdgeSight server.
2. Click Start > Run, type cmd, and then click OK.
3. At the command prompt, locate the %ProgramFiles%\Network Associates\VirusScan folder.
4. At the command prompt, type regsvr32 /u scriptproxy.dll.
5. Restart the RSSH Admin Service for the changes to take effect.
