Blog: Symantec Mail Security

By default, Postini sends the quarantine summary using an address on the customer’s domain (i.e. postmaster@yourdomain.com). Since this address doesn’t actually exist on the Postini servers, it’s technically spoofing the reply-to address. Normally this isn’t an issue; however, if the customer has internal spam filtering like Symantec Mail Security for SMTP or Exchange Intelligent Mail Filtering, this email will likely be tagged as spam. So if you’re moving your email to run through Postini, be sure to exclude that address from filtering; otherwise you’ll spin your wheels trying to figure out why they’re not getting the quarantine summary.


 

We were trying to update Symantec Mail Security (SMS) for SMTP from v4.0 to v4.1 and the upgrade routine seemed to hang during the ‘Java Liveupdate’ portion. Server hard-drive activity was heavy at that point and Task Mgr showed the upgrade ‘running’, but we did not seem to be making progress. We installed a Java-runtime update and found a Symantec Java-liveupdate hotfix, but we ran out of time and had to leave the server @ v4.0. We went back on site Monday ready to uninstall Java Liveupdate, but the add/remove routine behaved similarly – heavy drive paging and the routine showed running, but no progress was occurring (waited 15 minutes). I found a Symantec procedure to manually remove Java Liveupdate and was going thru that, deleting folders, when I came upon ‘C:\Documents and Settings\All Users\Application Data\Symantec\Java Liveupdate’. Before deleting it, I looked inside – it had 1 folder called ‘downloads’, which contained approx 21,000 pattern update folders going back to 2004. I deleted all these subfolders, which took about 25 minutes. After that completed, I re-ran the v4.1 upgrade, which ran thru with no problems. Whether it was the upgrade routine or Java Liveupdate uninstall, the server was obviously trying to process all these subfolders and choking on them (might have eventually completed if given long enough). So, when working with Java Liveupdate, it is probably a good idea to look for this downloads folder first and clear it out.


 

Here are a couple Symantec Mail Security for Exchange tips concerning scanning.

  • Be careful when selecting the “…force rescan before allowing access to information store” option. This forces a rescan of the entire information store every time virus definitions are updated. Depending on how big the information store is, this could take days to complete. And since Symantec usually releases updates at noon, this kicks off on the Exchange server right in the middle of the day.

  • If you are going to schedule scans of the information store, be sure to monitor the start and completion times so you can make sure you are not causing performance issues. The logs will report the start of the scan and the end with the following logs.

 

Notice here it took over a week for the scan to finish. This is an extreme case with a large information store, but even a medium size store could take a couple days to finish.

 

One of our customers is running Symantec Mail Security for Microsoft Exchange 5.0. We were having trouble with the service hanging up in a "Starting" state when the server started up. See the picture below.

 

I wanted to delay this service from starting up until the server boot process was further along.  Using the command “sc query”, I was able to see the Service Name: SMSMSE that matched up with the Display name in the services list.

Since the service was hung up, I could not set the service startup type to disabled or manual.  In the service properties, Log On tab, click the disable button to disable the service from starting up for the hardware profile, and reboot the server.  After the server has rebooted, make sure to go back and “Enable” the hardware profile.

While the server was booting up, I connected to the services list of the server from another PC.  This way, I could see which services were starting up towards the end of booting.  One of the last services to start was “Microsoft Exchange Information Store”.  Knowing that, I needed to find the Service Name to match the Display Name.  Using “sc query” again, I found the service name to be MSExchangeIS.

In order to get the SMSMSE service to start up AFTER the MSExchangeIS service started, you have to specify that SMSMSE depends on MSExchangeIS to be started before it can start. To do this, open regedt32. Regedit will not work in this case because we have to edit a REG_MULTI_SZ key. Go to the following location in the registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\<Service name>. The key to edit or add is “DependOnService”. In this case, I added “MSExchangeIS” to this list so the service would not try to start until this service was started.

 

After this change was made, the SMSMSE service was delayed long enough for it to be able to start up automatically.
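The same DependOnService change can be scripted. The following is an added example, not part of the original post: the function name Add-ServiceDependency is hypothetical, and the service names are the ones given above. It appends to the existing list instead of overwriting it and refuses a dependency on a service that does not exist.

```powershell
# Added example, not from the original post. Appends one entry to a service's
# DependOnService (REG_MULTI_SZ) value and keeps whatever is already listed.
# "sc.exe config <svc> depend= <list>" would instead replace the whole list.
function Add-ServiceDependency {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)][string]$ServiceName,
        [Parameter(Mandatory = $true)][string]$DependsOn
    )

    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName"
    if (-not (Test-Path -Path $key)) {
        throw "Service key not found: $key"
    }
    # A misspelled dependency keeps the dependent service from starting,
    # so confirm the target service exists first.
    if (-not (Get-Service -Name $DependsOn -ErrorAction SilentlyContinue)) {
        throw "Service to depend on not found: $DependsOn"
    }

    # Current list; the value may not exist yet.
    $existing = (Get-ItemProperty -Path $key -Name DependOnService -ErrorAction SilentlyContinue).DependOnService
    $current = @($existing | Where-Object { $_ })

    if ($current -contains $DependsOn) {     # -contains is case-insensitive
        return $current
    }

    $updated = [string[]]($current + $DependsOn)
    if ($PSCmdlet.ShouldProcess($ServiceName, "add dependency on $DependsOn")) {
        New-ItemProperty -Path $key -Name DependOnService -PropertyType MultiString -Value $updated -Force | Out-Null
    }
    return $updated
}

# Dry run first, then apply (elevated prompt). Service names are from the post.
Add-ServiceDependency -ServiceName SMSMSE -DependsOn MSExchangeIS -WhatIf
Add-ServiceDependency -ServiceName SMSMSE -DependsOn MSExchangeIS

# After the next reboot, the dependency is listed under DEPENDENCIES here.
sc.exe qc SMSMSE
```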


 

A customer using Symantec Mail Security for Microsoft Exchange 4.6 needed to release an e-mail that was thought to be in the quarantine along with 2500 other items. When the customer checked the quarantine, the page displayed a heading of 1000 of 2500. There were no other links to click on to see page 2 or all items. After other searching, I understood that Symantec is set to only show 1000 items in quarantine, but I could not find a way to change this setting. Since this was an HTML-based application, I saw that the source page was an .asp file. Commenting out the following code will always list all of the quarantined items.

File:  D:\Program Files\Symantec\SMSMSE\4.6\Server\ROOT\Quarantine.asp

*** This is where the Maximum display value is coming in.. = 1000
dwMaxDisplay = objSMSMSEGUI.GetQuarantineValue("",QUARANTINE_DISPLAY_LIMIT_ID_STR,RetVal)

*** Comment out these lines as shown with ' (the VBScript comment marker)
'if NumItemsInQuarantine > dwMaxDisplay then
'          dwDisplayCount = dwMaxDisplay
'else
            dwDisplayCount = NumItemsInQuarantine
'end if

*** This is the part of the code that shows the items in quarantine
' loop through the items up until the maximum display or the total items whichever is larger
for i = 0 to dwDisplayCount - 1