About Virus Definition Update Codes in Symantec Mail Security for Microsoft Exchange (SMSMSE)
search cancel

About Virus Definition Update Codes in Symantec Mail Security for Microsoft Exchange (SMSMSE)

book

Article ID: 153034

calendar_today

Updated On:

Products

Mail Security for Microsoft Exchange

Issue/Introduction

Symantec Mail Security for Microsoft Exchange (SMSMSE) has added a mechanism to ensure virus definitions are correct before using them.  This ability is in the following versions of SMSMSE:

  • 6.5.1and higher
  • 6.0.12 and higher
     

This document explains how this mechanism works and error codes associated with it.

Resolution

 

Glossary 

    Hawking Structure: These are the virus definitions that are updated by LiveUpdate, as well as what is used by SAV/SEP for virus scanning. Any update method you choose will always update the Hawking structure first. Whenever this location is updated, an event ID 30 is observed in the event log from source "Symantec Mail Security for Microsoft Exchange" indicating that "Virus Definitions Update was successful"

    SMSMSE Hawking Structure: On 64 bit systems, SMSMSE generates it's own Hawking structure. This acts as a file repository, and is not used directly for virus scanning by any process. LiveUpdate and other definition update methods update this directory. Whenever this location is updated, an event ID 30 is observed in the application event log from source "Symantec Mail Security for Microsoft Exchange" indicating that "Virus Definitions Update was successful"

    CSAPI: These are the definitions used by SMSMSE directly for virus scanning. After virus definitions are processed into the Hawking structure by your chosen virus definition update method, SMSMSE checks the Hawking structure every 10 minutes for updates, and when a new update is available, copies the definitions into CSAPI. After the definitions are copied to CSAPI, SMSMSE will write an event ID 25 to the application event log indicating "Updated virus definitions". At this point SMSMSE will be using the latest virus definitions for scanning.



File Locations
 

    On 32 bit systems

    Hawking Structure: C:\Program Files\Common Files\Symantec Shared\VirusDefs
    CSAPI: C:\Program Files\Common Files\Symantec Shared\definitions\AntiVirus\VirusDefs

    On Windows 2003 x64

    Hawking Structure: C:\Program Files(x86)\Common Files\Symantec Shared\VirusDefs. If SAV/SEP is not installed on the system, this location will not exist on this platform with current versions of SMSMSE (6.0.9 and greater)
    SMSMSE Hawking Structure: C:\Program Files(x86)\Common Files\Symantec Shared\SymcData\virusdefs32
    CSAPI: C:\Program Files(x86)\Common Files\Symantec Shared\definitions\AntiVirus\VirusDefs

    On Windows 2008

    Hawking Structure: C:\ProgramData\Symantec\Defintions\VirusDefs. If SAV/SEP is not installed on the system, this location will not exist on this platform with current versions of SMSMSE (6.0.9 and greater)
    SMSMSE Hawking Structure: C:\ProgramData\Symantec\Definitions\SymcData\virusdefs32
    CSAPI: C:\Program Files(x86)\Common Files\Symantec Shared\defintions\AntiVirus

 

Event IDs

6.5.X Event ID
 6.0.X Event ID Description Details Action to Take
399 393 Virus definitions authenticity check failed. Server will try to use previous virus definitions <Directory path of previous virus definition folder> Error code: <error encountered while processing definitions> If the latest definition inside the Hawking structure is corrupt, SMSMSE identifies a previous set of good definitions, and points to it. This event is written  into the Windows application event log indicating the rollback  to the previous known good definition set along with the path of valid virus definition directory. This event will be corrected automatically the next time LiveUpdate runs on its schedule.
400 394 No valid virus definitions are available. Server will attempt to download new virus definitions. Error code: <error encountered while processing  definitions> If all virus definitions at Hawking structure are either corrupt or missing, SMSMSE generates event 400 into Windows event log. SMSMSE will trigger a silent LiveUpdate session to attempt to replace the definitions with a working set after checking the availability of valid content license. This event will be self correcting, no action is needed unless this event is accompanied by an Event ID 401/395.
401 395 Failed to initialize AV scanner. The virus definitions are either missing or corrupt. Error code: <error encountered while processing  definitions> This event is written only if the previous self-remediation process fails. This event indicates no valid virus definitions are available for the scanner to use in either the Hawking structure or CSAPI. Follow the steps in the Solution section of document 'The Exchange server is beeping, and / or you are getting the following SMSMSE events: 110, 168, 68, and 167, in Windows Application Event log.' to replace the definitions with a working set.

 


Powered by Wolken Software