Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium


Memory usage of SAVFMSECTRL.exe on Exchange Server 2003

Posted on 2005-03-18
Medium Priority
Last Modified: 2010-05-18
I've got an Exchange 2003 server with 3 GB of RAM in it for approximately 100 mailboxes.  We're using Symantec AV Enterprise for anti virus.  Every so often, the memory usage of the SAVFMSECTRL.exe gets up to almost a gig, and with the store taking up almost a gig, and inetinfo.exe taking about half that, the
Exchange server gets really slow.  There are also at any given time about 10 copies of the SAVFMSESp.exe running.  I apologize if this question should be somewhere else besides the Exchange area, since it really deals with Symantec AV, but since it's running on our Exchange server, and affecting performance on that server, I thought I'd try here:  What is causing SAVFMSECTRL.exe to grab so much memory?  Is there a preferred method to getting it to release those resources, other than ending the process, and then waiting the minute or two it takes to restart?  Why do 10 instances of the SAVFMSESp.exe occur?  Is this normal?

Question by:kburmaster
1 Comment
LVL 24

Accepted Solution

flyguybob earned 500 total points
ID: 13579250
This is from: http://bobchristian.blogspot.com/2005/02/symantec-mail-security-settings.html and was documented in December 2004/January 2005.  Chances are that your problem is happening after the definitions download and SAVMS is scanning the whole store.

Recently I have started working with Symantec’s Mail Security product. Below is a compilation of items that I have obtained from other technicians, support staff, Gold Support, and my personal experience with the product.

The Symantec Mail Security product is not cluster-aware product for any clustering solution (Microsoft MSCS, Veritas VCS, and Legato AAM). Settings configured on one node need to be configured on the partner node. Note: I have only used this product in an Active/Passive or Active/Passive/Passive (N+1 and N+2) cluster environment. I have not tried it in an Active/Active/Passive, or N2+1 cluster.

Symantec has 4 base services that start. These are the job manager (SAVFMSSJM, or “Symantec Mail Security for Microsoft Exchange” service), the definition engine, the serial scanners, and a service that is in the format SAV*SP.

The serial scanner services will start with the following format:
The number of processors installed x 2 + 1
4 proc system = 9
8 proc system = 17

I did not dig hard enough to determine whether a hyper-threaded processor counts as a single processor or two processors in the thread count for Symantec. Imagination (and I have a vivid one) would lead me to believe that it would count as two because that is how the operating system presents it to Task Manager. However, when the server posts, it will only report the amount of physical processors installed.
We found that performing a ‘net stop “Symantec Mail Security for Microsoft Exchange”’ will perform the functions desired to gracefully shutdown the services and threads scanning the databases. It is also possible to create a dependency on the Information Store, so that Symantec Mail Security shuts down when the IS shuts down.

Sybari handles this a bit differently by creating a dependency so that the IS depends on the AV app. This practice bothers me for the simple reason…if the app crashes, or hiccups, down comes the Exchange server. This is simply a side note.

Symantec noted that we should stop the SMSMSE service. We found that this stops cleanly when the “Symantec Mail Security for Microsoft Exchange” service is stopped with the “net stop” command listed above.

The Symantec SPAM Statistics service is set to manual by default. Leave it that way.

Symantec Mail Security apparently makes zero changes to the Exchange database. The changes made to the Exchange database are made through the Microsoft VS API for Exchange. This was confirmed with Symantec Gold Support.

According to Gold Support, when performing a manual scan it takes approximately 1GB per hour to scan the Exchange database, depending upon the processors, RAM, disk speed, etc. “The Symantec SMSMSE 4.5 application averages approximately 1GB scanned per hour.”
My assumption is that this is on an average exchange server. Obviously results will vary based upon hardware architecture (processors, RAM, disk types, disk sizes, SAN storage, disk spindles, spindle speeds, drive head types), threads used, load on the exchange server, etc.

Exchange places a VS date stamp on the e-mail, similar to an incremental scan. If the e-mail is changed the Exchange VS API will remove the date stamp. When the mail is scanned again the VS API updates the e-mail with a new date stamp.

By default, when the definitions are updated it kicks off a manual scan and resets all the Exchange VS API date stamps.
It was noted that this can wreck the backups.
This can be changed through the GUI (See notes below)
As a best practice, it is advisable to uncheck the option to force a rescan. This setting can cause problems with backups as well as adversely affect clients attempting to access the server. This setting is enabled by default.
Changing this setting is performed through the Symantec console (https://server:8081)
Expand Scan Jobs
Select the Auto-Protect menu.
Check the checkbox for “Enable Exchange background scanning”
Uncheck the checkbox for: “On virus definition update, force rescan before allowing access to information store.”

There is a bug within Symantec Mail Security that can cause Exchange to “crater” when utilized with MS Clustering Services. Essentially what happens is Symantec could start prior to the Exchange IS starting and this will lead to Symantec “chewing up” all of the RPC threads until there are no more threads. This will cause the Exchange IS to crash. If you set dependencies in other clustering products the same issue will not occur. This will be corrected in the next revision of Symantec Mail Security.
In order to set the dependency browse to: HKLM\System\Current Control Set\Services\SMSMSE
Open the DependOnService string
Add the following (case sensitive) after the LmHosts entry: MSExchangeIS
Close the DependOnService string window.
Symantec verified that “This will force the Symantec Mail Security process to wait on the Information Store service. Otherwise, there is a possibility that SAV SMSMSE could come up early, chew up all the RPC calls, and cause the server to crater.”
Note…Sybari is just the opposite, it starts prior to the Information Store service and the IS depends upon it.

NOTE 1: If this is in violation of any copyrights or agreements, I will promptly remove it. Just e-mail me or post a response with your contact information at Symantec. Or, if you want me to include an inline advertisement, I will be more than happy to do that as well…just send me the HTML in a .txt attachment, from your Symantec address. (Note: Same applies to other vendors mentioned)

Note 2: If you own an anti-virus product, I HIGHLY RECOMMEND…HIGHLY, purchasing the Gold support and maintenance package (usually 20-30% of retail on a yearly basis) from your vendor.

Note3: Symantec’s Gold Support is excellent.

Trademark information:
Microsoft, Windows, Exchange Server, Windows Server, Microsoft Office, and Microsoft Outlook are either registered trademarks or trademarks of Microsoft Corporation, in the United States and/or other countries.

Sybari and Sybari Antigen are trademarks of Sybari Software, Inc. in the United States and/or other countries.

Symantec and Symantec Mail Security are trademarks of Symantec Corporation in the United States and other countries (including California =^) ).

Other product names mentioned in this document may be copyrighted, trademarked, or registered trademarks of their respective companies and are hereby acknowledged. Other brands, product names, company names, trademarks and service marks are the properties of their respective owners.

Featured Post

Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

You finally migrated Public Folders to Office 365, decommissioned the Public Folder mailbox database and since then, when you send an email from on-premise to mail-enabled Public Folders, you get the following error: "Misconfigured public folder mai…
Microsoft Jet database engine errors can crop up out of nowhere to disrupt the working of the Exchange server. Decoding why a particular error occurs goes a long way in determining the right solution for it.
To show how to generate a certificate request in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.:  First we need to log into the Exchange Admin Center. Navigate to the Servers >> Certificates…
There are cases when e.g. an IT administrator wants to have full access and view into selected mailboxes on Exchange server, directly from his own email account in Outlook or Outlook Web Access. This proves useful when for example administrator want…
Suggested Courses

580 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question