When running a manual of scheduled scan of mailbox stores the Windows Security log fills with Logon failures.
In Windows Security Event log an entry similar to the following appears:
Log Name: Security
Date: X/XX/20XX XX:XX:XX AM
Event ID: 4625
Task Category: Logon
Keywords: Audit Failure
Computer: Exchange Server Name.domain.com
An account failed to log on.
Security ID: S-1-5-18
Account Name: Local Exchange Server
Account Domain: Exchange Server Domain
Logon ID: xxxxx
Logon Type: 3
Account For Which Logon Failed:
Security ID: S-1-0-0
Failure Reason: Account currently disabled.
Sub Status: 0xc0000072
Caller Process ID: 0x810
Caller Process Name: C:\Windows\System32\inetsrv\w3wp.exe
Workstation Name: Exchange Server Name
Source Network Address: Exchange Server IP
Detailed Authentication Information:
Logon Process: Authz
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
When Symantec Mail Security for Microsoft Exchange (SMSMSE) scans the Exchange Databases, SMSMSE impersonates each user to gain access to their mailbox contents.These events are written to the Security event log when SMSMSE attempts to impersonate a user account that is currently disabled to scan the mailbox associated with that disabled user account.
These events can be safely ignored, they will not impact functionality of the server. To prevent these events from being written to the Security event log: