Memory usage of SAVFMSECTRL.exe on Exchange Server 2003

Posted on 2005-03-18
Medium Priority
Last Modified: 2010-05-18
I've got an Exchange 2003 server with 3 GB of RAM in it for approximately 100 mailboxes.  We're using Symantec AV Enterprise for anti virus.  Every so often, the memory usage of the SAVFMSECTRL.exe gets up to almost a gig, and with the store taking up almost a gig, and inetinfo.exe taking about half that, the
Exchange server gets really slow.  There are also at any given time about 10 copies of the SAVFMSESp.exe running.  I apologize if this question should be somewhere else besides the Exchange area, since it really deals with Symantec AV, but since it's running on our Exchange server, and affecting performance on that server, I thought I'd try here:  What is causing SAVFMSECTRL.exe to grab so much memory?  Is there a preferred method to getting it to release those resources, other than ending the process, and then waiting the minute or two it takes to restart?  Why do 10 instances of the SAVFMSESp.exe occur?  Is this normal?

Question by:kburmaster
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
1 Comment
LVL 24

Accepted Solution

flyguybob earned 500 total points
ID: 13579250
This is from: http://bobchristian.blogspot.com/2005/02/symantec-mail-security-settings.html and was documented in December 2004/January 2005.  Chances are that your problem is happening after the definitions download and SAVMS is scanning the whole store.

Recently I have started working with Symantec’s Mail Security product. Below is a compilation of items that I have obtained from other technicians, support staff, Gold Support, and my personal experience with the product.

The Symantec Mail Security product is not cluster-aware product for any clustering solution (Microsoft MSCS, Veritas VCS, and Legato AAM). Settings configured on one node need to be configured on the partner node. Note: I have only used this product in an Active/Passive or Active/Passive/Passive (N+1 and N+2) cluster environment. I have not tried it in an Active/Active/Passive, or N2+1 cluster.

Symantec has 4 base services that start. These are the job manager (SAVFMSSJM, or “Symantec Mail Security for Microsoft Exchange” service), the definition engine, the serial scanners, and a service that is in the format SAV*SP.

The serial scanner services will start with the following format:
The number of processors installed x 2 + 1
4 proc system = 9
8 proc system = 17

I did not dig hard enough to determine whether a hyper-threaded processor counts as a single processor or two processors in the thread count for Symantec. Imagination (and I have a vivid one) would lead me to believe that it would count as two because that is how the operating system presents it to Task Manager. However, when the server posts, it will only report the amount of physical processors installed.
We found that performing a ‘net stop “Symantec Mail Security for Microsoft Exchange”’ will perform the functions desired to gracefully shutdown the services and threads scanning the databases. It is also possible to create a dependency on the Information Store, so that Symantec Mail Security shuts down when the IS shuts down.

Sybari handles this a bit differently by creating a dependency so that the IS depends on the AV app. This practice bothers me for the simple reason…if the app crashes, or hiccups, down comes the Exchange server. This is simply a side note.

Symantec noted that we should stop the SMSMSE service. We found that this stops cleanly when the “Symantec Mail Security for Microsoft Exchange” service is stopped with the “net stop” command listed above.

The Symantec SPAM Statistics service is set to manual by default. Leave it that way.

Symantec Mail Security apparently makes zero changes to the Exchange database. The changes made to the Exchange database are made through the Microsoft VS API for Exchange. This was confirmed with Symantec Gold Support.

According to Gold Support, when performing a manual scan it takes approximately 1GB per hour to scan the Exchange database, depending upon the processors, RAM, disk speed, etc. “The Symantec SMSMSE 4.5 application averages approximately 1GB scanned per hour.”
My assumption is that this is on an average exchange server. Obviously results will vary based upon hardware architecture (processors, RAM, disk types, disk sizes, SAN storage, disk spindles, spindle speeds, drive head types), threads used, load on the exchange server, etc.

Exchange places a VS date stamp on the e-mail, similar to an incremental scan. If the e-mail is changed the Exchange VS API will remove the date stamp. When the mail is scanned again the VS API updates the e-mail with a new date stamp.

By default, when the definitions are updated it kicks off a manual scan and resets all the Exchange VS API date stamps.
It was noted that this can wreck the backups.
This can be changed through the GUI (See notes below)
As a best practice, it is advisable to uncheck the option to force a rescan. This setting can cause problems with backups as well as adversely affect clients attempting to access the server. This setting is enabled by default.
Changing this setting is performed through the Symantec console (https://server:8081)
Expand Scan Jobs
Select the Auto-Protect menu.
Check the checkbox for “Enable Exchange background scanning”
Uncheck the checkbox for: “On virus definition update, force rescan before allowing access to information store.”

There is a bug within Symantec Mail Security that can cause Exchange to “crater” when utilized with MS Clustering Services. Essentially what happens is Symantec could start prior to the Exchange IS starting and this will lead to Symantec “chewing up” all of the RPC threads until there are no more threads. This will cause the Exchange IS to crash. If you set dependencies in other clustering products the same issue will not occur. This will be corrected in the next revision of Symantec Mail Security.
In order to set the dependency browse to: HKLM\System\Current Control Set\Services\SMSMSE
Open the DependOnService string
Add the following (case sensitive) after the LmHosts entry: MSExchangeIS
Close the DependOnService string window.
Symantec verified that “This will force the Symantec Mail Security process to wait on the Information Store service. Otherwise, there is a possibility that SAV SMSMSE could come up early, chew up all the RPC calls, and cause the server to crater.”
Note…Sybari is just the opposite, it starts prior to the Information Store service and the IS depends upon it.

NOTE 1: If this is in violation of any copyrights or agreements, I will promptly remove it. Just e-mail me or post a response with your contact information at Symantec. Or, if you want me to include an inline advertisement, I will be more than happy to do that as well…just send me the HTML in a .txt attachment, from your Symantec address. (Note: Same applies to other vendors mentioned)

Note 2: If you own an anti-virus product, I HIGHLY RECOMMEND…HIGHLY, purchasing the Gold support and maintenance package (usually 20-30% of retail on a yearly basis) from your vendor.

Note3: Symantec’s Gold Support is excellent.

Trademark information:
Microsoft, Windows, Exchange Server, Windows Server, Microsoft Office, and Microsoft Outlook are either registered trademarks or trademarks of Microsoft Corporation, in the United States and/or other countries.

Sybari and Sybari Antigen are trademarks of Sybari Software, Inc. in the United States and/or other countries.

Symantec and Symantec Mail Security are trademarks of Symantec Corporation in the United States and other countries (including California =^) ).

Other product names mentioned in this document may be copyrighted, trademarked, or registered trademarks of their respective companies and are hereby acknowledged. Other brands, product names, company names, trademarks and service marks are the properties of their respective owners.

Featured Post

Office 365 Training for Admins - 7 Day Trial

Learn how to provision tenants, synchronize on-premise Active Directory, implement Single Sign-On, customize Office deployment, and protect your organization with eDiscovery and DLP policies.  Only from Platform Scholar.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Lotus Notes – formerly IBM Notes – is an email client application, while IBM Domino (earlier Lotus Domino) is an email server. The client possesses a set of features that are even more advanced as compared to that of Outlook. Likewise, IBM Domino is…
A couple of months ago we ran into an issue that necessitated re-creating our Edge Subscriptions. However, when we attempted to execute the command: New-EdgeSubscription -filename C:\NewEdgeSub_01.xml we received an error indicating that the LDAP se…
To show how to create a transport rule in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.: First we need to log into the Exchange Admin Center. Navigate to the Mail Flow >> Rules tab.:  To cr…
The basic steps you have just learned will be implemented in this video. The basic steps are shown to configure an Exchange DAG in a live working Exchange Server Environment and manage the same (Exchange Server 2010 Software is used in a Windows Ser…
Suggested Courses

777 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question