The Exchange server is beeping, and / or you are getting the following Symantec Mail Security for Microsoft Exchange (SMSMSE) events: 110, 168, 68, and 167, in Windows Application Event log

Article:TECH90273  |  Created: 2008-01-18  |  Updated: 2014-07-25  |  Article URL http://www.symantec.com/docs/TECH90273
Article Type
Technical Solution


Issue



The Exchange server is beeping, and / or you are getting the following events or a combination thereof in the Windows Application Event log:

Event ID 110 - The process SAVFMSESp.exe failed to start (0xC009008A).
Event ID 168 - The process SAVFMSESp.exe was restarted.
Event ID 68 - Unable to initialize scan engine. The virus definitions may be missing or corrupt. Perform a LiveUpdate to retrieve the latest virus definitions.
Event ID 167 - The process SAVFMSESp.exe terminated unexpectedly.

Symptoms 

  • Users are unable to retrieve messages with attachments from Exchange
  • Email during this period may be "lost".  Please see the following article for details: Exchange 2003 Email Not Delivered (Dropped) When Symantec Mail Security for Exchange (SMSMSE) Returns Error Message "This message has been set as bad mail on the SMTP server"
  • If the option "Scan message bodies" is checked under Scans > Auto-Protect > Advanced Scanning Options in the SMSMSE console, users may be unable to view any message bodies in Outlook.
  • The following Symantec Mail Security for Microsoft Exchange events are examples of the entries found in the Windows Application Event log:

      ===========================================================

      Event ID 110 - The process SAVFMSESp.exe failed to start (0xC009008A).

       

      Date: 10/27/2003 Source: Symantec Mail Security

      Time: 11:22PM Category: <?>

      Type: Error Event ID: 110

      User: N/A

      Computer: EXSRVR01

       

      Description:

      The process SAVFMSESp.exe failed to start (0xC009008A).

      =============================================================

       

      ===========================================================

      Event ID 168 - The process SAVFMSESp.exe was restarted.

       

      Date: 10/27/2003 Source: Symantec Mail Security

      Time: 11:22PM Category: <?>

      Type: Error Event ID: 68

      User: N/A

      Computer: EXSRVR01

       

      Description:

      Unable to initialize scan engine. The virus definitions may be missing or corrupt. Perform a LiveUpdate to retrieve the latest virus definitions.

      =============================================================

       

      ===========================================================

      Event ID 68 - Unable to initialize scan engine. The virus definitions may be missing or corrupt. Perform a LiveUpdate to retrieve the latest virus definitions.

       

      Date: 10/27/2003 Source: Symantec Mail Security

      Time: 11:22PM Category: (5)

      Type: Error Event ID: 167

      User: N/A

      Computer: EXSRVR01

       

      Description:

      The process SAVFMSESp.exe terminated unexpectedly.

      =============================================================

       

      =============================================================

      Event ID 167 - The process SAVFMSESp.exe terminated unexpectedly.

       

      Date: 10/27/2003 Source: Symantec Mail Security

      Time: 11:22PM Category: (5)

      Type: Error Event ID: 168

      User: N/A

      Computer: EXSRVR01

       

      Description:

      The process SAVFMSESp.exe was restarted.

      =============================================================


       
       
  • The file Usage.dat does not contain entries for SAVFMSE_SP processes.

Default path for Usage.dat:
Windows 2003 x86 - C:\Program Files\Common Files\Symantec Shared\VirusDefs
Windows 2003 x64 - C:\Program Files(x86)\Common Files\Symantec Shared\SymcData\virusdefs32
Windows 2008 - C:\ProgramData\Symantec\Definitions\SymcData\virusdefs32


Cause



This is most commonly caused by corruption in the Virus Definitions.


Solution



If you are running SMSMSE 6.5, read this article to determine if your conditions match:  Symantec Mail Security for Microsoft Exchange (SMSMSE) 6.5 Experiences Virus Definition Loading Failure Due to Rollback Failure Resulting in Exchange Server Beeping and Windows Events: 110, 168, 68, and 167.

If you are running SMSMSE 6.5 with settings imported from SMSMSE 6.0, read this article:  Event IDs 68 and 110 entries appear in the Application Event log after importing a Symantec Mail Security for Microsoft Exchange 6.0 settings file into Symantec Mail Security for Microsoft Exchange 6.5.

If you are running SMSMSE 6.5.2 or higher, read this article to determine if an operating system library is missing: Symantec Mail Security for Exchange (SMSMSE) Processes Cannot Start. Windows Application Event Log Contains Event IDs 110, 168, 68, and 167 When Library C:\windows\syswow64\MSVCP71.dll is Missing.

If the server has a high resource usage load read this article:  Symantec Mail Security for Exchange (SMSMSE) Processes Cannot Start. Windows Application Event Log Contains Event IDs 110, 168, 68, and 167 When Copying Virus Definitions Takes a Long Time.

NOTE:  SMSMSE has added data consistency checks into the product to ensure that invalid definitions do not cause an outage.  Read this article for the details:  About Virus Definition Update Codes in Symantec Mail Security for Microsoft Exchange (SMSMSE).  It is recommended that you upgrade to one of the following versions to avoid this situation:

  • 6.0.13 or higher
  • 6.5.6 or higher

Repair the corrupted Virus Definitions with Intelligent Updater
 

    1. Stop the Symantec Mail Security for Microsoft Exchange service.
    2. Delete the corrupted virus definitions from the Hawking Structure:

      Windows 2008

      C:\ProgramData\Symantec\Definitions\VirusDefs
      C:\ProgramData\Symantec\Definitions\SymcData\virusdefs32

      Windows 2003 32-bit

      C:\Program Files\Common Files\Symantec Shared\VirusDefs

      Windows 2003 64-bit

      C:\Program Files(x86)\Common Files\Symantec Shared\SymcData\virusdefs32

    3. Download the latest Intelligent Updater from http://www.symantec.com/business/security_response/definitions/download/detail.jsp?gid=gw (this is an EXE file).
    4. Double-click the EXE file you downloaded and run the Intelligent Updater.
    5. Restart the SMSMSE service.
    6. If this does not fix the problem, proceed with the next section.

 

Uninstall of Symantec Mail Security for Exchange/LiveUpdate AntiVirus Definition Directories
 

    NOTE: If you are running Symantec AntiVirus version of less than 10.1.x, this procedure may require that you reinstall Symantec AntiVirus as well.  Please contact your Symantec AntiVirus technical support for more information.  If you are running Symantec Endpoint Protection, or backup Exec or any other software which is using that liveupdate.  Please make sure that you contact Symantec Technical Support before removing Symantec Liveupdate.

        1. Export the settings via the File menu.
        2. Open Add and Remove Programs in Windows and remove Symantec Mail Security for Microsoft Exchange.

Note: If you have any errors when performing the above steps, please refer to the manual removal instructions for your specific version of Symantec Mail Security for Microsoft Exchange.  Manual removal instructions for Symantec Mail Security for Microsoft Exchange

3. Remove the Antivirus definition files.

Remove the LiveUpdate Hawking files and the SMSMSE Hawking files:

Windows 2008

C:\ProgramData\Symantec\Definitions\VirusDefs
C:\ProgramData\Symantec\Definitions\SymcData\virusdefs32

Windows 2003 32-bit

C:\Program Files\Common Files\Symantec Shared\VirusDefs

Windows 2003 64-bit

C:\Program Files(x86)\Common Files\Symantec Shared\SymcData\virusdefs32

NOTE: For more information on virus definition directories see the following article: Virus Definition Update Methods Available for Symantec Mail Security for Microsoft Exchange (SMSMSE).

4.  Reinstall Symantec Mail Security for Microsoft Exchange and import your settings.
 

Technical Information

If after completing the steps to remediate corruption the problem recurs, please contact Symantec Technical Support and provide the following information:

1. Run the SMSMSE GetDiagnostics tool using the script GetDiagnosticsVirusDefs.bat from the following article: How to Use the GetDiagnostics Tool to Gather Diagnostic Data from a Computer Running Symantec Mail Security for Exchange (SMSMSE).

2. If this is a continuing issue turn on debug logging for the virus definition management components.  See this article: How to Enable Debug Logging for Virus Definition Management.


The SMSMSE development team is investigating potential root causes for these definition corruption issues, and what we can do to resolve these problems in the long term.  This data will assist us in that process.


Attachments

symc-defutils.conf (91 Bytes)


Legacy ID



2008091806373854


Article URL http://www.symantec.com/docs/TECH90273


Terms of use for this information are found in Legal Notices