About Virus Definition Update Codes in Symantec Mail Security for Microsoft Exchange (SMSMSE)
| Article:TECH146697 | | | Created: 2010-12-21 | | | Updated: 2012-05-16 | | | Article URL http://www.symantec.com/docs/TECH146697 |
Problem
Symantec Mail Security for Microsoft Exchange (SMSMSE) has added a mechanism to ensure virus definitions are correct before using them. This ability is in the following versions of SMSMSE:
- 6.5.1and higher
- 6.0.12 and higher
This document explains how this mechanism works and error codes associated with it.
Solution
Glossary
- Hawking Structure: These are the virus definitions that are updated by LiveUpdate, as well as what is used by SAV/SEP for virus scanning. Any update method you choose will always update the Hawking structure first. Whenever this location is updated, an event ID 30 is observed in the event log from source "Symantec Mail Security for Microsoft Exchange" indicating that "Virus Definitions Update was successful"
SMSMSE Hawking Structure: On 64 bit systems, SMSMSE generates it's own Hawking structure. This acts as a file repository, and is not used directly for virus scanning by any process. LiveUpdate and other definition update methods update this directory. Whenever this location is updated, an event ID 30 is observed in the application event log from source "Symantec Mail Security for Microsoft Exchange" indicating that "Virus Definitions Update was successful"
CSAPI: These are the definitions used by SMSMSE directly for virus scanning. After virus definitions are processed into the Hawking structure by your chosen virus definition update method, SMSMSE checks the Hawking structure every 10 minutes for updates, and when a new update is available, copies the definitions into CSAPI. After the definitions are copied to CSAPI, SMSMSE will write an event ID 25 to the application event log indicating "Updated virus definitions". At this point SMSMSE will be using the latest virus definitions for scanning.
File Locations
- On 32 bit systems
Hawking Structure: C:\Program Files\Common Files\Symantec Shared\VirusDefs
CSAPI: C:\Program Files\Common Files\Symantec Shared\definitions\AntiVirus\VirusDefs
On Windows 2003 x64
Hawking Structure: C:\Program Files(x86)\Common Files\Symantec Shared\VirusDefs. If SAV/SEP is not installed on the system, this location will not exist on this platform with current versions of SMSMSE (6.0.9 and greater)
SMSMSE Hawking Structure: C:\Program Files(x86)\Common Files\Symantec Shared\SymcData\virusdefs32
CSAPI: C:\Program Files(x86)\Common Files\Symantec Shared\definitions\AntiVirus\VirusDefs
On Windows 2008
Hawking Structure: C:\ProgramData\Symantec\Defintions\VirusDefs. If SAV/SEP is not installed on the system, this location will not exist on this platform with current versions of SMSMSE (6.0.9 and greater)
SMSMSE Hawking Structure: C:\ProgramData\Symantec\Definitions\SymcData\virusdefs32
CSAPI: C:\Program Files(x86)\Common Files\Symantec Shared\defintions\AntiVirus
Event IDs
| 6.5.X Event ID |
6.0.X Event ID | Description | Details | Action to Take |
| 399 | 393 | Virus definitions authenticity check failed. Server will try to use previous virus definitions <Directory path of previous virus definition folder> Error code: <error encountered while processing definitions> | If the latest definition inside the Hawking structure is corrupt, SMSMSE identifies a previous set of good definitions, and points to it. This event is written into the Windows application event log indicating the rollback to the previous known good definition set along with the path of valid virus definition directory. | This event will be corrected automatically the next time LiveUpdate runs on its schedule. |
| 400 | 394 | No valid virus definitions are available. Server will attempt to download new virus definitions. Error code: <error encountered while processing definitions> | If all virus definitions at Hawking structure are either corrupt or missing, SMSMSE generates event 400 into Windows event log. SMSMSE will trigger a silent LiveUpdate session to attempt to replace the definitions with a working set after checking the availability of valid content license. | This event will be self correcting, no action is needed unless this event is accompanied by an Event ID 401/395. |
| 401 | 395 | Failed to initialize AV scanner. The virus definitions are either missing or corrupt. Error code: <error encountered while processing definitions> | This event is written only if the previous self-remediation process fails. This event indicates no valid virus definitions are available for the scanner to use in either the Hawking structure or CSAPI. | Follow the steps in the Solution section of document 'The Exchange server is beeping, and / or you are getting the following SMSMSE events: 110, 168, 68, and 167, in Windows Application Event log.' to replace the definitions with a working set. |
|
|
| Description | For additional information about virus definition updates, see Virus Definition Update Methods Available for Symantec Mail Security for Microsoft Exchange (SMSMSE) |
Article URL http://www.symantec.com/docs/TECH146697
Terms of use for this information are found in Legal Notices
Thank you.