How to Troubleshoot Windows Event Log ID 348/408

Article:TECH82732  |  Created: 2004-01-26  |  Updated: 2014-10-21  |  Article URL http://www.symantec.com/docs/TECH82732
Article Type
Technical Solution


Issue



With SMSMSE version 6.5.4 and earlier the following events may appear in the Windows Application Event log:


Source: MSExchangeTransport 
Event ID:        348
Type: Error 
Description:
A message could not be virus scanned - this operation will be retried later. Internet Message ID <message Id>
Error Code 0x0.

 

Event Type:        Error
Event ID:        348
Event Source:    Symantec Mail Security for Microsoft Exchange
Event Category:                Unscannable
Description:
SMTP scanning failed on the message with subject: <subject> This message has been set as bad mail on the SMTP server.

 With SMSMSE 6.5.5 and later the following events may appear in the Windows Application Event log:

Event Type:      Warning
Event ID:        408

Event Source:    Symantec Mail Security for Microsoft Exchange
Event Category:  Unscannable
Description:
SMTP scanning failed on the message with subject: <subject> This message will be rescanned upon reaching the mailbox only if you have configured rescanning on Mail Security for the mailbox role.

Conditions

  • Transport Virus scanning is enabled.

1. Open regedit.
2. If the registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Exchange\TransportAVAPI has a value of Enabled then this condition is met.


Environment



  • Exchange 2003

This error message is generated by Transport AVAPI which is specific to the Virus Scanning Application Programming Interface (VSAPI) 2.5. Therefore, this error message will only be observed on Exchange 2003.


Solution



This problem has multiple causes. The following sections are the common causes and fixes. Work from top of this list to bottom, until error message is fixed. 

  • Transport AVAPI prerequisites are not met on the server

 If the either of the following conditions are not met, Event ID 348/408 is logged and email builds up in the Pending Submission queue.

* The Microsoft Exchange Information Store service is started.
* The Mailbox Store or a Public Folder Store is mounted.

  • Named Pipe write times out

Capture a debug view output while the problem occurs.  See the following article on how to do this: How to Obtain a Debug Logs for Symantec Mail Security for Microsoft Exchange (SMSMSE).

If a time out occurs, expect the debug to contain a line: 

0xc0090085 in file ctrlintf.cpp


If this line exists, then consider increasing the SAVMSECRTL time out or increase the number of input threads.
 


WARNING: In the next steps you will edit the Windows registry. We strongly recommend that you back up the registry before you make any changes to it. Incorrect changes to the registry can result in permanent data loss or corrupted files. Modify only the registry keys that are specified. See How to back up the Windows registry for instructions.




To increase the SAVFMSECTRL time out: 

  1. Exit all programs.
  2. On the Windows taskbar, click Start > Run.
  3. In the Run dialog box, type the following:

    regedit
     
  4. Click OK.
     
  5. Navigate to the following registry key:

    HKEY_LOCAL_MACHINE\Software\Symantec\SMSMSE\<version>\Server\Components\NaveCtrlClient
     
  6. In the right pane, double-click the following value:

    CommandSendTimeout
     
  7. In the Value data box, type the following for the DWORD:

    <number of milliseconds >

    where <number of milliseconds > is a number greater than the default value of 5000 milliseconds.
     
  8. Exit the Registry Editor.



To increase the number of input threads available to the Symantec Mail Security process:
 

  1. On the Windows taskbar, click Start > Run.
  2. In the Run dialog box, type the following:

    regedit

     
  3. Click OK.
     
  4. Navigate to the following registry key:

    HKEY_LOCAL_MACHINE\Software\Symantec\SMSMSE\<version>\Server\Components\NaveCtrl
     
  5. In the right pane, double-click the following value:

    InputThreadCount
     
  6. In the Value data box, type the following for the DWORD:

    <number of threads >

    where <number of threads> is a number that you increase by an increment of 2. After each change, restart the Symantec Mail Security service. Continue to increment the number of threads until Event ID 348 no longer appears.
     
  7. Exit the Registry Editor.


 

  • Digitally-signed messages sent to the server

A hotfix is available from Microsoft to address this error situation. Read the following Microsoft Knowledge Base document:
Digitally signed messages remain in the Messages pending submission queue and are not delivered in Exchange Server 2003 SP1 article ID: 843545

For the original release of Exchange 2003, read the following Microsoft Knowledge Base document for details:
Digitally signed messages remain in the Messages pending submission queue and are not delivered in Exchange 2003 article ID: 842801

 

  • Virus Definition corruption causes scan process crashes

If this event is also accompanied by Event ID 167, 168, 110 and 68, the virus definitions are likely corrupt and need to be remediated. For details on this process, see document 'The Exchange server is beeping, and / or you are getting the following SMSMSE events: 110, 168, 68, and 167, in Windows Application Event log.' 







Test for an issue with the Transport AVAPI using the following steps:
 

  1. Open Regedit
  2. Go to HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\SMSMSE\6.5\Server
  3. Create a new DWORD called UseSMTPTransportSinkForTransportVirusScanning
  4. Set the key to 1
  5. Restart the SMSMSE service
  6. Reset IIS: Go to Start > Run, type: iisreset



If the message was able to be received at that point, it is possible to stop scans that utilize the Transport Avapi.

You can either:

    • Turn off all content filtering rules.
    • Change content filtering rules from "Apply rule to: Incoming Messages" to "Apply rule to: Internal Messages (store)"

However, the best solution would be to repair the Transport Avapi. For more information on this, please contact Microsoft Technical support. 


Supplemental Materials

SourceETrack
Value2236061


Legacy ID



2004102615323554


Article URL http://www.symantec.com/docs/TECH82732


Terms of use for this information are found in Legal Notices