10.29.2004

Symantec Client Security Best Practices

I'm going to be posting a few blog entries about a recent experience implementing Symantec Client Security (the corporate version of Symantec/Norton antivirus). This first entry is dedicated to a problem with the default installation options when implemented on Exchange servers.

I was working with a client this week and one of my tasks was to assist them with an upgrade from Exchange 2000 to Exchange 2003. Given that this is a single-server swing upgrade, I knew it would be a slam dunk. Basically we would install the new server on new hardware, move the mailboxes during a maintenance window, then decommission the old server. Boy was I wrong.

Once the new server was in place we started by migrating a few pilot mailboxes. We immediately noticed that mail was not flowing reliably between the old and new servers. We were also getting some ambiguous errors in the event log. To make a long blog entry short, the problem was with Symantec Client Security's advanced e-mail scanning component. Here are the exact error messages we received in the event logs.

Event Type: Warning
Event Source: MSExchangeMTA
Event Category: Interface
Event ID: 9318
Date: 10/27/2004
Time: 11:06:54 AM
User: N/A
Computer: SERVERNAME
Description: An RPC communications error occurred. Unable to bind over RPC. Locality Table (LTAB) index: 7, Windows 2000/MTA error code: 9297. Comms error 9297, Bind error 9297, Remote Server Name MAIL [MAIN BASE 1 500 %10] (14)

Event Type: Warning
Event Source: MSExchangeMTA
Event Category: Security
Event ID: 9297
Date: 10/27/2004
Time: 11:06:54 AM
User: N/A
Computer: SERVERNAME
Description: Calling client thread does not have permission to use MTA RPCs. Windows 2000 error code: 0X80070005. Client user account: NT AUTHORITY\ANONYMOUS LOGON. [BASE IL INCOMING RPC 25 237] (14)

It turns out that the default install of Symantec Client Security 9 also installs and activates a component which should only be used on 2000/XP client machines. This component, referred to in the install routine as POP3 Scanner, was intercepting all mail to and from our Exchange server and basically messing up the mail flow. We simply re-ran the install routine and de-selected this component (as well as the Outlook scanning piece which was also installed by default) and after a reboot the server was back to normal. The above event log messages were also gone once the server rebooted--and they haven't come back since.
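An added example, not part of the original post: a small Python check that reads events copied out of Event Viewer in the same "Field: value" layout as the entries above (the sample text is constructed from those two entries) and flags the 9318 bind failure paired with a 9297 ANONYMOUS LOGON denial in the same second, so the symptom can be spotted on other Exchange servers before anyone spends hours on it.

```python
from typing import Dict, List, Tuple

# Constructed sample (assumption): the two MSExchangeMTA warnings quoted in the
# post, in the "Field: value" layout Event Viewer uses when you copy an event.
SAMPLE_LOG = r"""Event Type: Warning
Event Source: MSExchangeMTA
Event Category: Interface
Event ID: 9318
Date: 10/27/2004
Time: 11:06:54 AM
Description: An RPC communications error occurred. Unable to bind over RPC. Comms error 9297, Bind error 9297, Remote Server Name MAIL

Event Type: Warning
Event Source: MSExchangeMTA
Event Category: Security
Event ID: 9297
Date: 10/27/2004
Time: 11:06:54 AM
Description: Calling client thread does not have permission to use MTA RPCs. Windows 2000 error code: 0X80070005. Client user account: NT AUTHORITY\ANONYMOUS LOGON.
"""


def parse_events(text: str) -> List[Dict[str, str]]:
    """Split exported event text into records; a blank line ends a record."""
    events, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                events.append(current)
                current = {}
            continue
        key, _, value = line.partition(":")  # split on the first colon only
        current[key.strip()] = value.strip()
    if current:
        events.append(current)
    return events


def find_mta_rpc_interception(events: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Return (date, time) stamps at which MSExchangeMTA logged both a 9318 bind
    failure and a 9297 ANONYMOUS LOGON denial, the pairing the post traces to a
    mail-scanning proxy sitting between the two Exchange servers."""
    seen: Dict[Tuple[str, str], set] = {}
    for e in events:
        if e.get("Event Source") != "MSExchangeMTA":
            continue
        ids = seen.setdefault((e.get("Date", ""), e.get("Time", "")), set())
        if e.get("Event ID") == "9318":
            ids.add("bind-failed")
        elif e.get("Event ID") == "9297" and "ANONYMOUS LOGON" in e.get("Description", ""):
            ids.add("anon-denied")
    return sorted(s for s, ids in seen.items() if {"bind-failed", "anon-denied"} <= ids)
```

A hit means something is answering MTA RPC binds without the server's credentials; check for a mail-scanning component installed on the Exchange box before chasing permissions.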

I'll write a future blog entry on the steps required to create a custom Symantec Client Security package. It is wise to have a separate package for desktops, laptops, and servers. I sincerely hope the search engines pick up this blog entry so that any other individuals who may be fighting this issue can find my solution. We burned about 3 hours fighting this issue--and believe me it wasn't an enjoyable few hours.

One more thing... while we were already aware of the necessary file exclusions for Exchange servers (in other words, this had nothing to do with the above problem) you may want to check out this Microsoft article for full details. There are quite a few do's/don'ts regarding file system antivirus scanners running on Exchange servers.