Update 16-11-2020 - Issue still persists. Currently see the same behaviour on an Exchange 2016 CU18 server and a fresh Exchange 2013 Cu23 build.
Travelling to see different customers from one side of Canada to the other is always interesting. This post is written whilst in Vancouver and is from a reported customer issue waaaaay out East.
The Exchange admins pointed out that they were consistently running into an issue when they applied an Exchange Cumulative Update (CU) to a server. The 3rd party file system anti-virus client then started to run rampant and spawn multiple processes consuming all of the resources on the Exchange server.
Being the clever cookies that they are, the Exchange admins were able to determine what was causing the issue. What they noted was that the Exchange CU install was adding a Null path statement in as an system environment variable. We can easily see this in a couple of ways.
Opening up system properties, and clicking on Environment Variables shows the below. Note the highlighted section and the space between the semi colons.
This is also visible using the cmd prompt. Again note the space at the start of the path statement.
The above screen shots were taken from an Exchange 2013 CU20 server which was installed on Windows Server 2012 R2.
I also checked my additional Exchange 2010, 2013 and 2016 servers and only noted this issue on Exchange 2013 and 2016 servers. Exchange 2010 installed onto Windows 2012 did not have a null path statement. The below is from that Exchange 2010 system – note there is no null path statement and Exchange is installed into the V14 folder.
Workaround
To address the issue the customer was manually remediating the path variable by removing the null entry and restarting the server. This must be checked and verified after each server install or CU update.
The issue is also meant to be corrected in an updated version of the anti-virus client, which is currently being evaluated and rolled out in their enterprise.
Cheers,
Rhoderick