Search

All of Symantec All of Symantec Support Viruses & Risks Home & Home Office Small Business Enterprise Partners VERITAS

Question/Issue:
The Exchange server is beeping, and / or you are getting the following events: Event ID 110 - The process SavFmsesp.exe failed to start (0xC009008A). Event ID 168 - The process SAVFMSESp.exe was restarted. Event ID 68 - Unable to initialize scan engine. The virus definitions may be missing or corrupt. Perform a liveupdate to retrieve the latest virus definitions. Event ID 167 - The process SAVFMSESp.exe terminated unexpectedly.

Symptoms:

• The following Symantec Mail Security for Microsoft Exchange events are examples of the entries found in the Windows Application Event log.
  
  ===========================================================
  Event ID 110 - The process SavFmsesp.exe failed to start (0xC009008A).
  
  Date: 10/27/2003 Source: Symantec Mail Security
  Time: 11:22PM Category: <?>
  Type: Error Event ID: 110
  User: N/A
  Computer: EXSRVR01
  
  Description:
  The process SavFmsesp.exe failed to start (0xC009008A).
  =============================================================
  
  ===========================================================
  Event ID 168 - The process SAVFMSESp.exe was restarted.
  
  Date: 10/27/2003 Source: Symantec Mail Security
  Time: 11:22PM Category: <?>
  Type: Error Event ID: 68
  User: N/A
  Computer: EXSRVR01
  
  Description:
  Unable to initialize scan engine. The virus definitions may be missing or corrupt. Perform a liveupdate to retrieve the latest virus definitions.
  =============================================================
  
  ===========================================================
  Event ID 68 - Unable to initialize scan engine. The virus definitions may be missing or corrupt. Perform a liveupdate to retrieve the latest virus definitions.
  
  Date: 10/27/2003 Source: Symantec Mail Security
  Time: 11:22PM Category: (5)
  Type: Error Event ID: 167
  User: N/A
  Computer: EXSRVR01
  
  Description:
  The process SAVFMSESp.exe terminated unexpectedly.
  =============================================================
  
  =============================================================
  Event ID 167 - The process SAVFMSESp.exe terminated unexpectedly.
  
  Date: 10/27/2003 Source: Symantec Mail Security
  Time: 11:22PM Category: (5)
  Type: Error Event ID: 168
  User: N/A
  Computer: EXSRVR01
  
  Description:
  The process SAVFMSESp.exe was restarted.
  =============================================================
  
• The file Usage.dat (Default path: C:\Program Files\Common Files\Symantec Shared\VirusDefs) does not contain entries for SAVFMSE_SP processes.

Cause:
This is most commonly caused by a corruption in the Virus Definitions.

Solution:
Repair the corrupted Virus Definitions with Intelligent Updater

1. Download the latest Intelligent Updater from http://www.symantec.com/business/security_response/definitions/download/detail.jsp?gid=gw (this is an EXE file).
2. Double-click the EXE file you downloaded and run the Intelligent Updater.
3. Restart the SMSMSE service.
4. If this does not fix the problem, proceed with the next section.

In case the Usage.dat is missing entries for SAVFMSE_SP processes, the following procedure could fix the problem:

1. Stop the Symantec Mail Security for Microsoft Exchange service.
2. Open usage.dat and confirm that it's missing SAVFMSE_SP_x=1 entries, where x is a number from 1 to 9. This file can be found at this location <drive>:\Program Files\Common Files\Symantec Shared\VirusDefs\usage.dat file
   
   Example of how an invalid usage.dat file looks:
   [20071024.017]
   SMSMSE=1
   [20071025.021]
   DEFWATCH_10=1
   NAVCORP_70=1
   NAVCORP_70_2=1
   
   Example of how a valid usage.dat file looks:
   [20020424.005]
   DEFWATCH_10=1
   NAVCORP_70=1
   SSS_MICROSOFT_EXCHANGE_30=1
   SAVFMSE_SP_3=1
   SAVFMSE_SP_1=1
   SAVFMSE_SP_2=1
   
3. Remove VirusDefs0000000x folders from <drive>:\Program Files\Common Files\Symantec Shared\definitions\Antivirus (where 'x' is a number).
4. Remove files from <drive>:\Program Files\Common Files\Symantec Shared\definitions\Antivirus\incoming.
5. Copy all files from the latest definition folder to <drive>:\Program Files\Common Files\Symantec Shared\definitions\Antivirus\incoming.
   
   NOTE: The latest definition folder can be found in <drive>:\Program Files\Common Files\Symantec Shared\VirusDefs\
   So for example, copy all files from <drive>:\Program Files\Common Files\Symantec Shared\VirusDefs\2008XXXX.XXX to <drive>:\Program Files\Common Files\Symantec Shared\definitions\Antivirus\incoming
   
6. Restart the SMSMSE service.
7. When the service starts up, SMSMSE will read new definition files from incoming folder and create new virus definition folder under definitions folder. For example, VirusDefs00000001.
8. If this does not fix the problem, proceed with the next section.

Uninstall of Symantec Mail Security for Exchange, followed by the removal of LiveUpdate and its folders.

NOTE: If you are running Symantec AntiVirus version of less than 10.1.x, this procedure may require that you reinstall Symantec AntiVirus as well. Please contact your Symantec AntiVirus technical support for more information.If you are running Symantec Endpoint Pretection, or backup Exec or any other software which is using that liveupdate.Please make sure that you contact Symantec Technical SupportFirst before removing Symantec Liveupdate.

---

WARNING: In the next steps you will edit the Windows registry. Back up the registry before you make any changes to it, because incorrect changes to the registry can result in permanent data loss or corrupted files. Modify only the registry keys that are specified.
For instructions, see How to back up the Windows registry.

---

To uninstall Symantec Information Foundation Mail Security for Microsoft Exchange and Liveupdate to clear the corrupted virus definitions:

1. Export your settings via the File menu
2. Open Add and Remove Programs in Windows and remove Symantec Mail Security for Microsoft Exchange.
3. Open Add and Remove Programs in Windows and remove Symantec LiveUpdate.
4. Remove the folder: <installed drive> \Program Files\Symantec\SMSMSE
5. Open the Windows Registry and delete the following key, if it still exists: HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\SMSMSE
6. Remove the LiveUpdate Folders in bold below:
   Note: All these may not be present, the LiveUpdate uninstall removes most of them.
   
   \Program Files\Common Files\Symantec Shared\VirusDefs
   \Program Files\Symantec\LiveUpdate
   \Documents and Settings\Allusers\Application Data\Symantec\LiveUpdate
   
7. Reinstall Symantec Mail Security for Microsoft Exchange and import your settings.
   Note: This will automatically reinstall Symantec LiveUpdate.

Note: If you have any errors when performing the above steps, please refer to the manual removal instructions for your specific version of Symantec Mail Security for Microsoft Exchange. "Manual removal instructions for Symantec Mail Security for Microsoft Exchange, Symantec Antivirus/Filtering for Microsoft Exchange, or Norton Antivirus for Microsoft Exchange."

To prevent this from happening again, install the latest version

References:
For some additional information regarding this issue, refer to the following KB article:

'Exchange mail flow is either stopped or very slow when scanned by Symantec Mail Security for Microsoft Exchange'
http://service1.symantec.com/SUPPORT/ent-gate.nsf/docid/2005110110582254

Document ID: 2008091806373854
Last Modified: 01/27/2010
Date Created: 09/18/2008
Product(s): Symantec Mail Security 5.x for Microsoft Exchange, Symantec Mail Security 6.0 for Microsoft Exchange
Release(s): 5.0 [All Releases], MSME 5.0 [All Releases], SMSMSE 6.0 [All Releases]

Site Index · Legal Notices · Privacy Policy · · Contact Us · Global Sites · License Agreements