Symantec Mail Security 6.5 for Microsoft Exchange is installed on an Exchange 2010 or 2013 Mailbox Server. When a manual scan runs, it does not scan any messages; the manual scan starts and stops immediately.
The "Total Messages processed" count shows as 0 even though the mailbox appears in the manual scan settings, and there are messages in the mailbox that was selected for the scan.
Conditions
Perform the following steps to verify whether the SMSMSE service account has Application Impersonation rights:
1. Open Exchange Management Shell.
2. Enter the following command and press Enter to run it. Replace <serviceAccountName> with the name of the SMSMSE service account:
Get-ManagementRoleAssignment -role applicationimpersonation -roleassignee <serviceAccountName> | fl
The following is an example for the account name svcsmsmse01:
Get-ManagementRoleAssignment -role applicationimpersonation -roleassignee svcsmsmse01 | fl
If the service account does not have Application Impersonation rights, nothing is returned.
If the service account does have Application Impersonation rights, the following is returned:
RunspaceId : df38d01a-4aac-40bc-8375-ec3714261b85
User : 2k8domain.test/Users/Administrator
AssignmentMethod : RoleGroup
Identity : ApplicationImpersonation-Organization Management-Delegating
EffectiveUserName : All Group Members
AssignmentChain :
RoleAssigneeType : RoleGroup
RoleAssignee : 2k8domain.test/Microsoft Exchange Security Groups/Organization Management
Role : ApplicationImpersonation
RoleAssignmentDelegationType : DelegatingOrgWide
CustomRecipientWriteScope :
CustomConfigWriteScope :
RecipientReadScope : Organization
ConfigReadScope : None
RecipientWriteScope : Organization
ConfigWriteScope : None
Enabled : True
RoleAssigneeName : Organization Management
IsValid : True
ExchangeVersion : 0.11 (14.0.550.0)
Name : ApplicationImpersonation-Organization Management-Delegating
DistinguishedName : CN=ApplicationImpersonation-Organization Management-Delegating,CN=Role Assignments,CN=RB
AC,CN=First Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=2k8domain
,DC=test
Guid : 37ba4c00-2aa7-4873-b207-f442c9a40924
ObjectCategory : 2k8domain.test/Configuration/Schema/ms-Exch-Role-Assignment
ObjectClass : {top, msExchRoleAssignment}
WhenChanged : 2/3/2012 3:18:21 PM
WhenCreated : 2/3/2012 3:18:21 PM
WhenChangedUTC : 2/3/2012 8:18:21 PM
WhenCreatedUTC : 2/3/2012 8:18:21 PM
OrganizationId :
OriginatingServer : Ex2010DC.2k8domain.test
Scanning items in the Exchange store requires the ability to impersonate end users so that their mailboxes can be accessed.
Add the Application Impersonation right to the SMSMSE service account.
1. Start Exchange Management Shell.
2. After the command shell loads, type the following command at the prompt:
new-ManagementRoleAssignment -name SMSMSE_RBAC -role ApplicationImpersonation -user <serviceaccount>
NOTE: Replace <serviceaccount> with the SMSMSE service account information (see below).
3. Type Y to confirm the command and then press Enter.
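The check and the assignment above can be combined so that the role is only granted when it is missing. The following is an added example, not part of the original article or of SMSMSE. The function names are illustrative, and it assumes the service runs under a domain account, looking that account up from the service's Log On setting.

```powershell
# Added example for Exchange Management Shell (PowerShell 2.0 compatible).
# Function names are illustrative and not part of SMSMSE or Exchange.

function Get-SmsmseServiceAccount {
    # Reads the same "This account" value shown on the Log On tab in services.msc.
    $svc = Get-WmiObject -Class Win32_Service `
        -Filter "DisplayName='Symantec Mail Security for Microsoft Exchange'"
    if (-not $svc) { throw 'SMSMSE service not found on this server.' }
    # Resolve DOMAIN\user or UPN to a distinguished name the RBAC cmdlets accept.
    (Get-User -Identity $svc.StartName -ErrorAction Stop).DistinguishedName
}

function Get-ImpersonationAssignment {
    param([Parameter(Mandatory = $true)][string]$Account)
    # -RoleAssignee returns direct assignments and those inherited via role groups.
    # Keep only enabled, regular assignments: a delegating assignment lets the
    # assignee grant the role to others but does not confer the right itself.
    Get-ManagementRoleAssignment -Role ApplicationImpersonation -RoleAssignee $Account |
        Where-Object { $_.Enabled -and $_.RoleAssignmentDelegationType -eq 'Regular' }
}

function Grant-ImpersonationIfMissing {
    param(
        [Parameter(Mandatory = $true)][string]$Account,
        [string]$AssignmentName = 'SMSMSE_RBAC'   # name used in the article's command
    )
    if (Get-ImpersonationAssignment -Account $Account) {
        Write-Host "ApplicationImpersonation already assigned to $Account; no change made."
        return
    }
    New-ManagementRoleAssignment -Name $AssignmentName -Role ApplicationImpersonation -User $Account
}

$account = Get-SmsmseServiceAccount
Grant-ImpersonationIfMissing -Account $account

# Review every holder of the role afterwards; impersonation gives access to
# any mailbox in the write scope, so unexpected assignees deserve a look.
Get-ManagementRoleAssignment -Role ApplicationImpersonation |
    Select-Object Name, RoleAssigneeName, RoleAssignmentDelegationType, RecipientWriteScope, Enabled |
    Format-Table -AutoSize
```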
References
Permissions considerations for the Symantec Mail Security 6.5 for Microsoft Exchange service account
When editing a manual scan in Symantec Mail Security for Microsoft Exchange 6.5 installed on Exchange 2010 mailbox servers, the mailbox and public folder list is not populated.
"Error 1609: The service did not start due to a logon failure" When attempting to start the Symantec Mail Security for Exchange 6.5 service
Technical Information
Determine service account for SMSMSE
1. On the Windows taskbar, click Start > Run.
2. Type services.msc, and then click OK.
3. In the right pane right-click the Symantec Mail Security for Microsoft Exchange service, and then click Properties.
4. Click the Log On tab.
5. Make a note of the domain account entered under the This account: field - referred to from this point as "service account."