FAQ: Background scanning in Symantec Mail Security for Microsoft Exchange
search cancel

FAQ: Background scanning in Symantec Mail Security for Microsoft Exchange


Article ID: 177106


Updated On:


Mail Security for Microsoft Exchange


This page contains answers to frequently asked questions (FAQ). The answers cover background scanning with Symantec Mail Security installed.



The following sections are in a Question (Q:) and Answer (A:) style.

Q: If enabled, when does the background scanning thread start?
A: Background scanning will start if any of the following events occur:

    • The Symantec Mail Security service is started or restarted.
    • Virus definitions are updated.

      Note: It can take up to 60 minutes after a virus definition update before the SMS product will recognize the newer definitions. You can force this process by running SAVFMSEUpdate.exe
    • A private or public store is mounted.


    One option on the Auto-Protect page is “On virus definition update, force . . .”. Checking the option causes background scanning to start at the beginning of the database. Scanning creates a tag on each item and folder. The tag contains the version of the last virus definitions to scan the item or folder. When background scanning starts, it compares this tag with the version of virus definitions scanning. A rescan of the item or folder happens when the comparison does not match. The scan continues until the end of the database.

    WARNING: Updating virus definitions does not start a background scan when this option is unchecked (disabled). Detection of the viruses then depends on access or submission to the information store.

Q: What is the impact of enabling the “On virus definition update, force rescan before allowing access to information store” option?
A: Each time virus definitions are updated, a rescan of all items of the database is done. This option provides the highest level of security. The performance of the server is affected. The larger the store the longer it takes to scan. Until all the items are rescanned with the current virus definitions client will not be allowed to access those items.

Q: How do I enable detailed logging for the background scanning process?
A: To enable detail logging use the following steps.

    1. Open Exchange System Manager for Microsoft Exchange 2000/2003.
    2. Right-click the Exchange server name under “Servers” and select “Properties.”
    3. Select the “Diagnostics Logging” tab from the server properties dialog.
    4. Expand “MSExchangeIS” from the Services list box and select “System.”
    5. Under Categories -> Category, select “Virus Scanning.”
    6. From “Logging Level” select the “Minimum” radio button, then click Apply, and OK.

Q: How can I tell when the background thread has started on a particular database?
A: On the ESM logging properties page, enable VSAPI logging. The application event log contains an event similar to the following.

    Event Type: Information
    Event Source: MSExchangeIS
    Event Category: Virus Scanning
    Event ID: 9578
    Date: 1/17/2004
    Time: 8:02:52 PM
    User: N/A
    Computer: ZYMURGY
    Background virus scanning task started for database "First Storage Group\Public Folder Store (ZYMURGY)."
    Note: For more information, click http://www.microsoft.com/contentredirect.asp.

Q: How do I know when the background scan has completed for a database?
A: With VSAPI logging enabled for the server, the following event will be recorded in the application event log when the background scan is complete.

    Event Type: Information
    Event Source: MSExchangeIS
    Event Category: Virus Scanning
    Event ID: 9579
    Date: 1/17/2004
    Time: 8:02:53 PM
    User: N/A
    Computer: ZYMURGY
    Background virus scanning task for database "First Storage Group\Public Folder Store (ZYMURGY)" has completed.
    Note: For more information, click http://www.microsoft.com/contentredirect.asp.

Q: Why does the background thread sometimes start, and then finish only minutes later?
A: If no items need to be scanned, then the background thread can finish very quickly.

Q: Is the background thread a multi-threaded process? If so, how many threads will it use?
A: The background thread is multi-threaded. This is part of VSAPI 2.x. The process starts one thread per database on the server (Up to a max of 20.)

Q: How can I monitor the performance of the background thread?
A: VSAPI 2.x adds performance counters under MSExchangeIS. Two performance counters added are:

    Virus Scan Folders Scanning in Background
    Virus Scan Messages Scanned in Background

Q: What is the recommended setting for background scanning and rescanning after virus updates?
A: The server administrator must make this decision based on first-hand knowledge of the setup. Two factors to consider are:

    • Background scanning provides the highest security to network.
    • Background scanning affects server performance.

Q: How long does it take for the background thread to complete?
A: In general, a background scan operates at a rate of 1GB per hour. This means that a single store of 30 GB takes approximately 30 hours to be complete. If you have three 30 GB stores, then the scan time will increase slightly. The increase is due to the use of three simultaneous threads to scan. It also depends on the following factors:

    • Hardware
    • Size of database
    • Number of messages/attachments and their sizes.

    Note: You may also use the performance counters (the listed above) under MSExchangeIS to calculate an average number of messages or bytes processed per minute. Then multiply this figure by the size of you databases.

Q: The Information Store assigns what process priority to background scanning? Can you change the process priority?
A: The process priority assigned is BelowNormal. The process priority is not changeable.

Q: Who do I contact if I have a concerns about or enhancement requests for background scanning?
A: Background Scanning is part of Microsoft’s VSAPI. If you have suggestions for the feature set of background scanning, contact Microsoft.