Mail Security for Exchange: Best Practices for background scans
Last Updated October 30, 2013
This article contains Best Practices and Troubleshooting steps for background scanning in Mail Security for Exchange (SMSMSE).
The following sections contain steps that may help with configuring and troubleshooting background scans in SMSMSE.
Below are the recommended settings for fast and efficient background scans.
Time slots: it's recommended to allow several hours for large database scans, as an indication 12 to 24 hours.
Scan messages with attachments only: it's recommended to enable this option, so that only messages with attachments are scanned.
Choose messages to scan: it's recommended to scan messages only from a limited time period, e.g. from the past 2 days.
Advanced Scanning Options: the following settings are recommended:
Scan message bodies: unchecked.
Exclude outbound scanning on mailbox server: checked.
On virus definition update...: unchecked.
The following screenshot shows Best Practices applied to SMSMSE Settings (Scans > Views > Auto-Protect):
In order to investigate potential issues with background scanning, the following steps can be taken to provide additional logging to Symantec Support.
Consider changing the scope of what really needs to be scanned.
Enable VSAPI Logging on Exchange 2010 to capture background scan activity, as shown below:
Create a new Data Collector Performance Counter by importing the template attached below.
Allow the background scans to run at least for 24 hours, then provide the following files to Support once done:
Data resulting from the above performance counter (CSV file).
Copy of all Windows Event logs in .evtx format.
Screenshots from all pages in SMSMSE settings.
It is important to consider that background scans are an additional scanning feature provided by SMSMSE. In a default scenario, every email transiting through an Exchange environment where SMSMSE is running is already protected by:
a) Transport Agent
b) On-Access scan
Therefore, background scans are a viable option for those deployments with several Exchange DBs which may require different times for scans. Additionally, it's important to consider that on average and with best practices applied, a background scan of 1 GB of email will take approximately 6 minutes.
Event ID 405 logged in Windows Event logs while background scans take place:
Events with ID 405 are background scan completion events, which are logged only when there are no (0) emails to be scanned from VSAPI or the Exchange Store service is not available (less likely).
By default SMSMSE checks the status for the above condition every 30 seconds.
Once the above event is logged, SMSMSE will remain in that state for the entire scan window period unless any new email becomes available for scanning from VSAPI. It may therefore log the above event multiple times as and when emails are scanned for that slot.
In some cases, when the resources on Exchange are getting used up aggressively, VSAPI may not get a chance to feed the background scan with newer emails; due to this, the background scan thread may "think" that there is nothing to process and will raise a completion event.
Additionally, a Debug View log may help better understand the described behaviour.
How to check if a background scan has paused or stopped
The recommended way to determine whether a background scan process has been paused or terminated is to look for Event ID 406 in the Windows Event logs.
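The Event ID 405 and 406 behaviour described above can be checked per scan window once the events have been exported. The following is an added example, not Symantec code: it assumes the events have already been filtered to the SMSMSE event source and reduced to (timestamp, event ID) pairs, and the function name, the scope_gb estimate and the sample data are constructed for illustration.

```python
from datetime import datetime

COMPLETION_ID = 405    # article: logged when VSAPI has 0 emails to scan
PAUSE_STOP_ID = 406    # article: scan paused or terminated
MINUTES_PER_GB = 6     # article's average with best practices applied

def summarize_window(events, start, end, scope_gb):
    """Summarize one scan window.

    events   : iterable of (datetime, event_id) taken from the Windows Event log
    scope_gb : operator's estimate of mail in scan scope (assumption, not logged)
    """
    relevant = sorted((t, eid) for t, eid in events
                      if start <= t <= end and eid in (COMPLETION_ID, PAUSE_STOP_ID))
    completions = [t for t, eid in relevant if eid == COMPLETION_ID]
    stops = [t for t, eid in relevant if eid == PAUSE_STOP_ID]

    expected_min = scope_gb * MINUTES_PER_GB
    first_min = None
    if completions:
        first_min = (completions[0] - start).total_seconds() / 60

    if stops:
        state = "paused_or_stopped"
    elif not completions:
        state = "no_completion_logged"
    elif first_min < expected_min:
        # Heuristic added here: a completion ahead of the estimate matches the
        # case where VSAPI could not feed the scan thread on a busy server.
        state = "completed_early"
    else:
        state = "completed"
    return {"state": state, "completions": len(completions), "stops": len(stops),
            "first_completion_min": first_min, "expected_min": expected_min}

# Constructed sample data (not real SMSMSE output): a 12-hour window, 50 GB in scope.
WINDOW_START = datetime(2013, 10, 30, 20, 0)
WINDOW_END = datetime(2013, 10, 31, 8, 0)
SAMPLE_EVENTS = [
    (datetime(2013, 10, 30, 20, 4), 405),   # completion 4 minutes in
    (datetime(2013, 10, 30, 21, 30), 405),  # logged again after new mail was scanned
    (datetime(2013, 10, 31, 9, 0), 406),    # outside the window, ignored
    (datetime(2013, 10, 30, 22, 0), 1000),  # unrelated event ID, ignored
]

if __name__ == "__main__":
    print(summarize_window(SAMPLE_EVENTS, WINDOW_START, WINDOW_END, scope_gb=50))
```

A "completed_early" result is only a prompt to look at Exchange resource usage during that window; it does not by itself prove that mail was left unscanned.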