How to troubleshoot Symantec Mail Security for Microsoft Exchange (SMSMSE) when Symantec Premium AntiSpam (SPA) fails to detect spam or effectiveness is low

Article:TECH85367  |  Created: 2007-01-06  |  Updated: 2014-03-14  |  Article URL http://www.symantec.com/docs/TECH85367
Article Type
Technical Solution


Issue



The Symantec Premium AntiSpam (SPA) component of Symantec Mail Security for Microsoft Exchange (SMSMSE) is not detecting spam emails or the effectiveness is low.


Solution



To troubleshoot this issue, perform the following tasks in this order:

A. Fix possible license problems.

B. Enable and Configure Premium AntiSpam.

C. Fix possible ruleset accumulation issues - SMSMSE 6.5.2 and earlier.

D. Check for conduit hang issue.

E. Reset IIS to reset the Premium AntiSpam event sink within Exchange 2003.

F. Confirm Whitelisting with Exchange 2007/2010 and SMSMSE 6.5.1 and earlier.

G. Confirm transport agent priority for Exchange 2007/2010.

H. Confirm authenticated Exchange servers with SMSMSE 6.5.1 and earlier.

I. Remove all existing SPA rules and download new ones.

J. Invalid records under the Allowed Senders list.

 

A. Fix possible license problems

1. Stop the following Windows services:

Symantec Mail Security for Microsoft Exchange
Symantec Mail Security Utility Service

2. Open Windows Explorer to the following directory:

32-bit Operating System: <Drive:>\Program Files\Common Files\Symantec Shared\Licenses
64-bit Operating System: <Drive:>\Program Files (x86)\Common Files\Symantec Shared\Licenses
 
3. Open each SLF file and copy the Premium AntiSpam and Anti-Virus licenses to a temporary directory.

These licenses have one or both of the following XML nodes present:

<name>SAVFMSE Virus Definitions</name>
<name>Brightmail AntiSpam Content</name>

4. Remove the file SPALicense.slf from the following directory:

32-bit Operating System: <Drive:>\Program Files\Symantec\SMSMSE\<version>\Server\SpamPrevention
64-bit Operating System: <Drive:>\Program Files (x86)\Symantec\SMSMSE\<version>\Server\SpamPrevention
where <version> is replaced with the version of SMSMSE installed. The following is an example for 6.5 on a 64-bit operating system:

C:\Program Files (x86)\Symantec\SMSMSE\6.5\Server\SpamPrevention

5. Remove the files cert.pm and cert.pem, if they exist, from the following directory: 

32-bit Operating System: <Drive:>\Program Files\Symantec\SMSMSE\<version>\Server\etc
64-bit Operating System: <Drive:>\Program Files (x86)\Symantec\SMSMSE\<version>\Server\etc
where <version> is replaced with the version of SMSMSE installed. The following is an example for 6.5 on a 64-bit operating system:

C:\Program Files (x86)\Symantec\SMSMSE\6.5\Server\etc

6. Remove all the .slf files, if they exist, from the following directory:

32-bit Operating System: <Drive:>\Program Files\Symantec\SMSMSE\<version>\Server\UPLOADS
64-bit Operating System: <Drive:>\Program Files (x86)\Symantec\SMSMSE\<version>\Server\UPLOADS
where <version> is replaced with the version of SMSMSE installed. The following is an example for 6.5 on a 64-bit operating system:

C:\Program Files (x86)\Symantec\SMSMSE\6.5\Server\UPLOADS

7. Start the following Windows services:

Symantec Mail Security for Microsoft Exchange
Symantec Mail Security Utility Service

8. Install the SPA and Anti-virus licenses previously saved.

a. Open the SMSMSE Administration console.
b. On the left menu choose Admin > Licensing.
c. Once on the Licensing screen click Browse... and browse to the license file location.
d. After selecting the license file click Install.
e. Check the license status at the top of the licensing screen to verify that the license was installed and accepted.
f. If the license includes SPA, the following prompt may be seen:


Symantec Premium AntiSpam license installed on the server <your server name>. Enable and configure Premium AntiSpam to activate the service.
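
The file-system part of section A (steps 1 through 7) as a PowerShell script. This is an added example, not Symantec's own tooling; it assumes a 64-bit operating system, drive C:, SMSMSE 6.5 and a backup folder under %TEMP%, all of which are parameters to adjust. It stops before deleting anything if no license file with one of the two XML nodes was found, and step 8 is still done in the Administration console.

```powershell
# Added example: file-system part of section A (steps 1-7). Run elevated.
# Assumptions (not from the article): 64-bit OS, C: drive, SMSMSE 6.5, $Backup path.
[CmdletBinding(SupportsShouldProcess=$true)]
param(
    [string]$LicenseDir = 'C:\Program Files (x86)\Common Files\Symantec Shared\Licenses',
    [string]$ServerDir  = 'C:\Program Files (x86)\Symantec\SMSMSE\6.5\Server',
    [string]$Backup     = "$env:TEMP\smsmse-licenses"
)
$ErrorActionPreference = 'Stop'
$services = 'Symantec Mail Security for Microsoft Exchange',
            'Symantec Mail Security Utility Service'
$nodes    = '<name>SAVFMSE Virus Definitions</name>',
            '<name>Brightmail AntiSpam Content</name>'

# Step 1: stop both services (display names as listed in the article).
Stop-Service -DisplayName $services -Force

try {
    # Step 3: copy every SLF file that carries one of the two license nodes.
    New-Item -ItemType Directory -Path $Backup -Force | Out-Null
    $licenses = Get-ChildItem -Path $LicenseDir -Filter *.slf |
        Where-Object { Select-String -Path $_.FullName -Pattern $nodes -SimpleMatch -Quiet }
    if (-not $licenses) { throw "No AV or Premium AntiSpam license found in $LicenseDir" }
    $licenses | Copy-Item -Destination $Backup

    # Steps 4-6: remove the cached license and certificate files if present.
    $targets = @(
        Join-Path $ServerDir 'SpamPrevention\SPALicense.slf'
        Join-Path $ServerDir 'etc\cert.pm'
        Join-Path $ServerDir 'etc\cert.pem'
        Join-Path $ServerDir 'UPLOADS\*.slf'
    )
    foreach ($t in $targets) {
        if (Test-Path $t) { Remove-Item -Path $t -Force }
    }
}
finally {
    # Step 7: always bring the services back, even if a step above failed.
    Start-Service -DisplayName $services
}
"Saved licenses: $($licenses.Name -join ', ') -> $Backup"
```

Running the script with -WhatIf lists the service and file operations without performing them.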

 

B. Enable and Configure Premium AntiSpam 

a. Open the SMSMSE Administration console.
b. Click the Policies tab.
c. In the middle pane click Premium AntiSpam Settings.
d. Check the checkbox Enable Symantec Premium AntiSpam.
e. Check the checkbox Reject the message under the section If message is Spam.
f. Click the Deploy Changes button.

For more information on SPA in SMSMSE see the following article: Overview of Premium AntiSpam in Symantec Mail Security for Microsoft Exchange.

C. Fix possible ruleset accumulation issues - SMSMSE 6.5.2 and earlier

See the following article to address this issue: Symantec Mail Security for Microsoft Exchange (SMSMSE) does not detect and block SPAM when BM_Rulesets directories accumulate.

D. Check for conduit hang issue

There are situations where the process that downloads rules from Symantec hangs.  See this article for details on this issue and solutions: AntiSpam Rules Are Not Updated When conduit.exe Hangs And AntiSpam Effectiveness Drops.

 

E. Reset IIS to reset the Premium AntiSpam event sink within Exchange 2003

1. On the Windows taskbar, click Start > Run.
2. In the Run dialog box, in the Open text box, type iisreset.exe /restart
3. Click OK.
 

F. Confirm Whitelisting with Exchange 2007/2010 and SMSMSE 6.5.1 and earlier

See the following article: Messages not Scanned for Spam When Marked by Microsoft Exchange with an AntiSpam X-Header. Transport Agent Debug Log Shows Message: "Whitelisted by other, bypass SPA"

G. Confirm transport agent priority for Exchange 2007/2010

See the following article: Spam is Not Detected When Symantec Mail Security for Microsoft Exchange (SMSMSE) Transport Agents are Low Priority

H. Confirm authenticated Exchange servers with SMSMSE 6.5.1 and earlier

See the following article: Spam from authenticated SMTP servers is not detected by Symantec Premium AntiSpam in Symantec Mail Security for Microsoft Exchange (SMSMSE)

I. Remove all existing SPA rules and download new ones

See the following article: How to remove all Symantec Premium AntiSpam (SPA) rules for troubleshooting purposes

J. Invalid records under the Allowed Senders list.

See the following article: Emails are not getting scanned by Premium Antispam (SPA) when invalid format email address is added to Allowed Senders list.

 

 

Step-by-step instructions to accomplish points A, C, D and H in one procedure:

1. Stop the Symantec Mail Security for Microsoft Exchange service:

  • Go to Start > Run and type in services.msc
  • Select Symantec Mail Security for Microsoft Exchange, right-click and select Stop.
  • Minimize the services window; it is used again in a later step.

2. Clear up possible licensing problems:

  • Open Windows Explorer to the following directory: 
    • 32-bit Operating System: <Drive:>\Program Files\Common Files\Symantec Shared\Licenses
    • 64-bit Operating System: <Drive:>\Program Files (x86)\Common Files\Symantec Shared\Licenses
  • If there are more than 2 licenses here, determine which are your current Mail Security and Premium AntiSpam licenses. Timestamps can be helpful in making this determination.
  • Move all of the licenses out of the folder to a convenient location, such as the desktop. These licenses are used in a later step.

3. Clear out possible ruleset corruption or accumulated ruleset problems:

  • Open Windows Explorer to the following directory:
    • 32-bit Operating System: <Drive:>\Program Files\Symantec\SMSMSE\<version>\Server
    • 64-bit Operating System: <Drive:>\Program Files (x86)\Symantec\SMSMSE\<version>\Server
  • Delete the following files (if they exist):
    • Any folders whose names start with BM_Ruleset
    • .sequence.0
    • .sequence.2
    • blrm
    • hashes

4. Restart the Symantec Mail Security for Microsoft Exchange Service:

  • Maximize the services window, select Symantec Mail Security for Microsoft Exchange, right-click and choose Start.

5. Reinstall the licenses:

  • Open the SMSMSE Administration console.
  • Navigate to the Admin tab and select Licensing.
  • Browse to and reinstall both licenses.

6. Reset IIS on 32-bit systems or restart the Microsoft Exchange Transport service on 64-bit systems to reset the SMSMSE event sink:

  • Go to Start > Run, type in iisreset and click OK.

or

  • Restart the Microsoft Exchange Transport service.

7. At this point it is necessary to re-enable Premium AntiSpam, and verify the configuration for actions to take.
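
Steps 1, 3 and 4 of the combined procedure (the ruleset cleanup) as a PowerShell script. This is an added example, not Symantec's own tooling; the drive letter and the 6.5 version folder are assumptions to adjust. It lists what it found before removing anything and leaves the service untouched when there is nothing to clean. The license steps (2 and 5) and steps 6 and 7 are still done by hand.

```powershell
# Added example: steps 1, 3 and 4 of the combined procedure. Run elevated.
# Assumptions (not from the article): C: drive, SMSMSE 6.5 on a 64-bit OS.
[CmdletBinding(SupportsShouldProcess=$true)]
param(
    [string]$ServerDir = 'C:\Program Files (x86)\Symantec\SMSMSE\6.5\Server'
)
$ErrorActionPreference = 'Stop'
$smsmse = 'Symantec Mail Security for Microsoft Exchange'
$names  = '.sequence.0', '.sequence.2', 'blrm', 'hashes'

# Step 3 targets: BM_Ruleset* folders plus the four named entries.
# -Force is needed so dot-prefixed or hidden entries are listed too.
$items = @(Get-ChildItem -Path $ServerDir -Force | Where-Object {
    ($_.PSIsContainer -and $_.Name -like 'BM_Ruleset*') -or
    ($names -contains $_.Name)
})
if ($items.Count -eq 0) {
    'Nothing to clean up; service left untouched.'
    return
}

# Show what was found, oldest first, so ruleset accumulation is visible.
$items | Sort-Object LastWriteTime |
    Format-Table Name, LastWriteTime -AutoSize | Out-String

# Step 1: stop the service so the files are not in use.
Stop-Service -DisplayName $smsmse -Force
try {
    # Step 3: remove the accumulated rulesets and state files.
    $items | Remove-Item -Recurse -Force
}
finally {
    # Step 4: restart the service even if a removal failed.
    Start-Service -DisplayName $smsmse
}
"Removed $($items.Count) item(s) from $ServerDir"
```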

 




