Event ID: 5 followed by Event ID: 103 can indicate exclusions not properly set within a Symantec corporate edition product

Article:TECH82356  |  Created: 2004-01-22  |  Updated: 2013-10-22  |  Article URL http://www.symantec.com/docs/TECH82356
Article Type
Technical Solution


Environment

Issue



A Microsoft Exchange server has Symantec Mail Security 4.x and a Symantec corporate edition product installed. A review of the Application log in the Event Viewer shows entries for Event ID: 5 with Event Source: Norton AntiVirus. Each of these entries is followed by Event ID: 103 with Event Source: Symantec Mail Security. These entries appear multiple times.

The Symantec corporate edition product installed is one of the following:
Norton AntiVirus Corporate Edition 7.x
Symantec AntiVirus Corporate Edition 8.x
Symantec AntiVirus Corporate Edition 9.x


Solution



The presence of these entries in the Application log can indicate that exclusions for Microsoft Exchange are not properly set within the Symantec corporate edition product. To ensure that exclusions are set properly, go to the appropriate document in the following section.

To set up exclusions when a Symantec corporate edition product and a Symantec exchange product are installed
Preventing Norton AntiVirus Corporate Edition from scanning the Microsoft Exchange directory structure
Preventing Symantec AntiVirus Corporate Edition 8.x from scanning the Microsoft Exchange directory structure
Preventing Symantec AntiVirus Corporate Edition 9.x from scanning the Microsoft Exchange directory structure

For additional information on best practices for Symantec corporate edition products, see the documents listed in the References section, which is found near the bottom of the page.



References
Additional information is found in the following Symantec Knowledge base documents:


Best practice for Norton AntiVirus Corporate Edition real-time protection on Microsoft Exchange Server
Best practices for Symantec AntiVirus Corporate Edition 8.x RealTime Protection on a Microsoft Exchange Server
Best practices for Symantec AntiVirus Corporate Edition 9.x Auto-Protect on a Microsoft Exchange server
Considerations on installing Symantec or Norton AntiVirus Corporate Edition on mail servers



Technical Information
When Symantec Mail Security 4.x for Microsoft Exchange prepares to scan an item, it copies the item to a Temp directory. The location of the Temp directory is given in the documents above. If that directory is not excluded, the Symantec corporate edition product detects viral email before the Symantec exchange product can scan it, and either quarantines or deletes the message. When the Symantec exchange product then attempts to access the message in the Temp directory, it is gone. The Event ID messages noted above are then entered in the Application log.


This sequence of events may cause other problems and produce an Event ID pattern such as:

Event ID   Category      Source
5          None          Norton AntiVirus
45         Unscannable   Symantec Mail Security for Microsoft Exchange
103        Quarantine    Symantec Mail Security for Microsoft Exchange
168        Service       Symantec Mail Security for Microsoft Exchange
168        Service       Symantec Mail Security for Microsoft Exchange
218        Unscannable   Symantec Mail Security for Microsoft Exchange


Note: SAVFMSESp.exe is restarted automatically, so no intervention is necessary for Event ID 168.




The following is an example of the Application log:

"Event Type: Error
Event Source: Norton AntiVirus
Event Category: None
Event ID: 5
Date: 1/01/1600
Time: 12:49:10 PM
User: N/A
Computer: EXCHANGE
Description:
Virus Found!Virus name: W32.Erkez.B@mm in File: D:\Program Files\Symantec\SMSMSE\4.5\Server\Temp\VAPFEB8.tmp by: Realtime Protection scan. Action: Quarantine succeeded : Access denied.

Event Type: Error
Event Source: Symantec Mail Security for Microsoft Exchange
Event Category: Quarantine
Event ID: 103
Date: 1/01/1600
Time: 12:49:11 PM
User: N/A
Computer: EXCHANGE
Description:
Failed to quarantine attachment named "virus.pif" in message with subject "Delivery Status Notification (Failure)" in "SMTP (EXCHANGE -{82EE9A08-92A2-47D5-8F61-47C07EF700AD})".

Event Type: Warning
Event Source: Symantec Mail Security for Microsoft Exchange
Event Category: Service
Event ID: 168
Date: 1/01/1600
Time: 12:49:13 PM
User: N/A
Computer: EXCHANGE
Description:
The process SAVFMSESp.exe was restarted.

Event Type: Warning
Event Source: Symantec Mail Security for Microsoft Exchange
Event Category: Service
Event ID: 168
Date: 1/01/1600
Time: 12:49:14 PM
User: N/A
Computer: EXCHANGE
Description:
The process SAVFMSESp.exe was restarted.

Event Type: Warning
Event Source: Symantec Mail Security for Microsoft Exchange
Event Category: Unscannable
Event ID: 218
Date: 1/01/1600
Time: 12:49:51 PM
User: N/A
Computer: EXCHANGE
Description:
The attachment "virus.pif" located in message with subject "Delivery Status Notification (Failure)", located in SMTP has violated the following policy settings: Policy: Standard
SubPolicy: Exception SubPolicy
Rule: Unscannable File Rule
The following actions were taken on it:
The attachment "virus.pif" was Denied Access for the following reason(s):
Scan Engine Failure (0x80004005)"
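
The following added example (not Symantec code, and not part of the original article) parses Application log text in the format shown above and reports each Event ID 5 on a file in the Symantec Mail Security Temp directory that is followed by an Event ID 103. The 60-second window, the month/day/year date order, the path pattern taken from the sample log, and the sample records themselves are assumptions made for the example.

```python
import re
from datetime import datetime, timedelta

FIELD = re.compile(r"^(Event Source|Event ID|Date|Time): (.*)$", re.M)
# Assumption: the SMSMSE Temp directory looks like the path in the log above.
TEMP_FILE = re.compile(r"in File: (.*?\\SMSMSE\\.*?\\Temp\\\S+)", re.I)

def parse_events(text):
    """Split pasted Event Viewer text into records, keeping the fields we need."""
    events = []
    for block in re.split(r"(?m)^(?=Event Type:)", text):
        head, _, desc = block.partition("Description:")
        f = {k: v.strip() for k, v in FIELD.findall(head)}
        if "Event ID" not in f:
            continue
        # Assumption: dates are month/day/year with a 12-hour clock.
        when = datetime.strptime(f"{f['Date']} {f['Time']}", "%m/%d/%Y %I:%M:%S %p")
        events.append({"id": int(f["Event ID"]), "source": f["Event Source"],
                       "when": when, "desc": desc.strip()})
    return events

def find_exclusion_gaps(events, window=timedelta(seconds=60)):
    """Pair each Event ID 5 on an SMSMSE Temp file with the Event ID 103 after it.
    Events must be in chronological order."""
    hits = []
    for i, ev in enumerate(events):
        m = TEMP_FILE.search(ev["desc"])
        if ev["id"] != 5 or ev["source"].lower() != "norton antivirus" or not m:
            continue
        for later in events[i + 1:]:
            if later["when"] - ev["when"] > window:
                break
            if later["id"] == 103 and later["source"].startswith("Symantec Mail Security"):
                hits.append((m.group(1), ev["when"], later["when"]))
                break
    return hits

# Constructed sample records (not a real log), built in the layout shown above.
def record(source, event_id, time, desc):
    return (f"Event Type: Error\nEvent Source: {source}\nEvent Category: None\n"
            f"Event ID: {event_id}\nDate: 3/14/2005\nTime: {time}\nUser: N/A\n"
            f"Computer: EXCHANGE\nDescription:\n{desc}\n\n")
NAV, SMS = "Norton AntiVirus", "Symantec Mail Security for Microsoft Exchange"
FOUND = "Virus Found!Virus name: Example.Test in File: {} by: Realtime Protection scan."
SAMPLE = (record(NAV, 5, "12:40:00 PM", FOUND.format(r"C:\Users\Public\example.exe"))
          + record(NAV, 5, "12:49:10 PM", FOUND.format(
              r"D:\Program Files\Symantec\SMSMSE\4.5\Server\Temp\EXAMPLE1.tmp"))
          + record(SMS, 103, "12:49:11 PM", 'Failed to quarantine attachment named "example.pif".'))

if __name__ == "__main__":
    print(find_exclusion_gaps(parse_events(SAMPLE)))
```

A detection outside the Temp directory, such as the first sample record, is not reported, because it does not point to a missing exclusion.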




Legacy ID



2004062209101054

