After enabling a content filtering rule containing a user condition the SMSMSE process SAVFMSESp.exe stop unexpectedly and then restarts repeatedly.  

Mail flow may be impacted.

Conditions

• At least one user condition is enabled for a content filtering rule. To verify if you meet this condition:

1. Open the SMSMSE console.
2. Click Policies > Content Filtering Rules.
3. Make note of all enabled content filtering rules.
4. Right click each enabled content filtering rule, one at a time and then click Edit rule…
5. Click the Users tab.

 In the “SMTP Addresses (one per line)” box, if there are any addresses in the format <name>@<domain>.<suffix> (for example na[email protected]) than the conditions are met to use this feature.

• At least one internal domain is defined that does not correspond to an active directory domain. To verify if this condition is met:

1. Open the SMSMSE console.
2. Navigate to Admin > System Settings.
3. Make note of all entries in the "List of internal domains" box.
4. If any of these entries does not correspond to an actual Active Directory domain, the condition is met.

• Windows Application Event Log contains the following error.

Type :  Error
Event :  1000
Source :  Application Error
Category : Application Crashing Events
Description:
Faulting application name: SAVFMSESp.exe, version: 6.5.2.96, time stamp: 0x4c91c630
Faulting module name: SAVFMSEShared.dll, version: 6.5.2.96, time stamp: 0x4c91c7de
Exception code: 0xc0000005
Fault offset: 0x00038584
Faulting process id: 0x252c
Faulting application start time: 0x01cb7ba6631828e6
Faulting application path: C:\Program Files (x86)\Symantec\SMSMSE\6.5\Server\SAVFMSESp.exe
Faulting module path: C:\Program Files (x86)\Symantec\SMSMSE\6.5\Server\SAVFMSEShared.dll
Report Id: a2c7b0b0-e799-11df-9109-000c292692af

NOTE:  The faulting module path must be SAVFMSEShare.dll.

• The following events will appear in the Windows Application Event Log:

Type :  Warning
Event :  168
Source :  Symantec Mail Security for Microsoft Exchange
Category : Service
Description:
The process SAVFMSESp.exe was restarted.

Type :  Error
Event :  110
Source :  Symantec Mail Security for Microsoft Exchange
Category : Error
Description:
The process SAVFMSESp.exe failed to start (0xC009008A).

 
Type :  Error
Event :  167
Source :  Symantec Mail Security for Microsoft Exchange
Category : Service
Description:
The process SAVFMSESp.exe terminated unexpectedly.

 Note: The symptoms for this issue are very similar to multiple other root causes. If your symptoms are similar to the above, but do not match exactly, see article 'The Exchange server is beeping, and / or you are getting the following SMSMSE events: 110, 168, 68, and 167, in Windows Application Event log.' for other possible root causes

The SMSMSE scan process attempts to resolve all domains with Active Directory.  When a domain specified is not present or resolvable in Active Directory then the scan process does not handle this error path correctly and stops the process.

This issue is fixed in SMSMSE 6.5.5, upgrade to 6.5.5 to resolve this problem. 

Workaround

Use one of the following workarounds:

• Symantec has released a hotfix for SMSMSE 6.5.2. that addresses this issue. Use the following steps to apply the hotfix:

1. Exit the Symantec Mail Security console.
2. Stop the Symantec Mail Security for Microsoft Exchange and Symantec Mail Security Utility services in the services menu (Start -> All Programs -> Administrative Tools -> Services).
3. Download the attached file 2189821.zip.
4. Open Windows explorer and navigate to:

   32 bit systems: C:\Program Files\Symantec\SMSMSE\6.5\Server
   64 bit systems: c:\Program Files(x86)\Symantec\SMSMSE\6.5\Server

5. Rename the files SAVFMSEShared.dll and SAVFMSEShared64.dll to SAVFMSEshared.old and SAVFMSEShared64.old. 
6. Extract the contents of the zip file into the appropriate directory.
7. Start the following Windows services:

Symantec Mail Security for Microsoft Exchange
Symantec Mail Security Utility services.

• Remove any domains listed in the "List of internal domains" that do not correspond to your actual Active Directory domain
• Disable any content filtering rules containing a user condition.
• Remove the user conditions from all enabled content filtering rules.