Email and Server Security - email storage scanning

Edo_Synchronix
Edo_Synchronix W/ Alumni Posts: 3 Security Scout
edited January 2023 in WithSecure Business Suite

We have two MS Exchange Servers 2019 CU11 (v15.2.986.5) where WithSecure Email and Server Security v15.10.3009 is installed. Each of the Exchange servers has the Hub and Edge roles installed, and both share a common DAG. The DAG is active only on one of the Exchange servers. The other Exchange server is in passive mode. Each of the Exchange servers has its own mail database, which is synchronized between them.

Now I have two problems running email storage scanning (ESS):

1. When I try to run manual ESS on the Exchange server in passive mode, the scan completes in a few seconds and scans nothing. In ods.log there is this:

2022-05-27 02:43:49.475 [55bc.0001] I: *** LOGGING STARTED *** (UTC+02:00, session: 0x0) 
2022-05-27 02:43:49.569 [55bc.0001] I: * Assembly version: 5.1.130.0 
2022-05-27 02:43:49.569 [55bc.0001] I: FSecure.Ess.Ods.Program: Current user name: %DOMAIN%\%FSecure-EMA-Account%
2022-05-27 02:43:49.569 [55bc.0001] I: FSecure.Ess.Ods.CommandLineArguments: Manual scan mode 
2022-05-27 02:44:00.919 [55bc.0001] I: FSecure.Ess.Ods.App: Start processing 
2022-05-27 02:44:01.524 [55bc.0001] I: FSecure.Ess.Ods.Factory: Settings for manual scanning was got successfully 
2022-05-27 02:44:01.524 [55bc.0001] I: FSecure.Ess.Ods.App: Process task with ID: '', is test mode: 'True', is restore mode: False 
2022-05-27 02:44:01.568 [55bc.0001] I: FSecure.Ess.Ods.App: Start processing of task request 
2022-05-27 02:44:01.568 [55bc.0001] I: FSecure.Ess.Ods.App: Start processing of mailboxes 
2022-05-27 02:44:01.840 [55bc.0001] I: FSecure.Ess.Ods.ElementProcessor: Items list is empty
2022-05-27 02:44:01.840 [55bc.0001] I: FSecure.Ess.Ods.App: End processing of mailboxes 
2022-05-27 02:44:01.840 [55bc.0001] I: FSecure.Ess.Ods.App: Start processing of public folders 
2022-05-27 02:44:01.840 [55bc.0001] I: FSecure.Ess.Ods.ElementProcessor: Scanning is disabled 
2022-05-27 02:44:01.840 [55bc.0001] I: FSecure.Ess.Ods.App: End processing of public folders 
2022-05-27 02:44:01.840 [55bc.0001] I: FSecure.Ess.Ods.App: Stop processing of task request 
2022-05-27 02:44:02.322 [55bc.0001] I: FSecure.Latebound.LateboundManager: Loaded resources from 'C:\ProgramData\F-Secure\NS\default\latebound\localization\EssScanner.Strings.xaml' successfully. 
2022-05-27 02:44:02.348 [55bc.0001] I: FSecure.Ess.Ods.ReportsCreator: Path to report file: 'C:\ProgramData\F-Secure\NS\default\EssOdsReports\scan_report.htm' 
2022-05-27 02:44:02.411 [55bc.0001] I: FSecure.Ess.Ods.ReportsCreator: HTML report created 
2022-05-27 02:44:02.713 [55bc.0001] I: FSecure.Ess.Ods.ReportsCreator: Report to PM was sent 
2022-05-27 02:44:02.729 [55bc.0001] I: FSecure.Ess.Ods.App: Stopping 
2022-05-27 02:44:02.752 [55bc.0001] I: *** LOGGING ENDED ***

I have intentionally modified the account information in the log dump on line 3, but in fact there is a correct account dedicated to F-Secure.Ess.Ods.Service with all the requirements according to the manual (member of the local administrator group & Organization Management role group and so on...)

In odsService.log there is this:

2022-05-27 02:43:48.772 [1640.0009] I: FSecure.Ess.Ods.Service.IpcServer: New message received, type = ScanManual 
2022-05-27 02:43:48.772 [1640.0026] I: FSecure.Ess.Ods.Service.OdsProcessController: Starting ods process with args: --mode manual 
2022-05-27 02:44:02.842 [1640.002c] I: FSecure.Ess.Ods.Service.OdsController: Ods process has finished with code: 0 

2. When I try to run manual ESS on the Exchange server in active mode, the scan process starts. The progress can be seen in the web console ESS (the number of processed mailboxes, items and so on is growing). In ods.log there is this:

2022-05-27 03:37:35.290 [40bc.0001] I: *** LOGGING STARTED *** (UTC+02:00, session: 0x0) 
2022-05-27 03:37:35.365 [40bc.0001] I: * Assembly version: 5.1.130.0 
2022-05-27 03:37:35.365 [40bc.0001] I: FSecure.Ess.Ods.Program: Current user name: SEVITECH\F-Secure_EMA 
2022-05-27 03:37:35.365 [40bc.0001] I: FSecure.Ess.Ods.CommandLineArguments: Manual scan mode 
2022-05-27 03:37:44.453 [40bc.0001] I: FSecure.Ess.Ods.App: Start processing 
2022-05-27 03:37:44.993 [40bc.0001] I: FSecure.Ess.Ods.Factory: Settings for manual scanning was got successfully 
2022-05-27 03:37:44.993 [40bc.0001] I: FSecure.Ess.Ods.App: Process task with ID: '', is test mode: 'True', is restore mode: False 
2022-05-27 03:37:45.036 [40bc.0001] I: FSecure.Ess.Ods.App: Start processing of task request 
2022-05-27 03:37:45.036 [40bc.0001] I: FSecure.Ess.Ods.App: Start processing of mailboxes 
2022-05-27 03:37:45.270 [40bc.0001] I: FSecure.Ess.Ods.MailboxProcessor: Mailboxes to be processed: 234 
the list of scanned items continues... 

In odsService.log there is this:

2022-05-27 03:37:34.681 [5bb0.0007] I: FSecure.Ess.Ods.Service.IpcServer: New message received, type = ScanManual 
2022-05-27 03:37:34.681 [5bb0.0044] I: FSecure.Ess.Ods.Service.OdsProcessController: Starting ods process with args: --mode manual 

But after about 26 hours, over 200 mailboxes and over 200000 items are processed and the scan stops. No report is sent to Policy Manager, and no report can be seen in the web console ESS by pressing the button View manual scanning report. In odsService.log this line is added:

2022-05-27 01:26:53.830 [5bb0.004c] I: FSecure.Ess.Ods.Service.OdsController: Ods process has finished with code: -532462766 

ods.log ends with the latest items processed by scan. Nothing more.
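
Added example, not part of the original post and not WithSecure code: a PowerShell sketch that pulls the "Ods process has finished with code" lines out of odsService.log and decodes the signed exit code into the 32-bit hex form Windows uses for exception codes. The function name `Get-OdsExitCode` is hypothetical, the sample lines reproduce the two lines quoted above, and the table holds only generic, well-known Windows/.NET codes.

```powershell
# Sample input: the two "finished with code" lines quoted in the post above.
$sample = @(
    '2022-05-27 02:44:02.842 [1640.002c] I: FSecure.Ess.Ods.Service.OdsController: Ods process has finished with code: 0',
    '2022-05-27 01:26:53.830 [5bb0.004c] I: FSecure.Ess.Ods.Service.OdsController: Ods process has finished with code: -532462766'
)

# Generic Windows exception codes a crashed process can return as its exit code.
# Keys are the unsigned 32-bit hex form; this is not a product-specific list.
$known = @{
    'E0434352' = 'Unhandled .NET (CLR) exception'
    'E0434F4D' = 'Unhandled .NET exception (older CLR versions)'
    'C0000005' = 'Access violation'
    'C00000FD' = 'Stack overflow'
    'C0000409' = 'Stack buffer overrun / fail-fast'
}

# Hypothetical helper: one object per "finished with code" line.
function Get-OdsExitCode {
    param([string[]]$Line)
    foreach ($l in $Line) {
        if ($l -match '^(?<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+) .*Ods process has finished with code: (?<code>-?\d+)\s*$') {
            $code = [int32]$Matches.code
            # X8 formats a negative Int32 as its two's-complement hex value.
            $hex  = '{0:X8}' -f $code
            [pscustomobject]@{
                Time     = $Matches.ts
                ExitCode = $code
                Hex      = "0x$hex"
                Meaning  = if ($code -eq 0) { 'Clean exit' }
                           elseif ($known.ContainsKey($hex)) { $known[$hex] }
                           else { 'Unrecognized non-zero exit code' }
            }
        }
    }
}

Get-OdsExitCode -Line $sample | Format-Table -AutoSize
# Against the real file (path is a placeholder):
# Get-OdsExitCode -Line (Get-Content '<path-to>\odsService.log')
```

The code -532462766 decodes to 0xE0434352, the generic code for an unhandled .NET exception; the exception type and stack trace for such a crash are normally recorded in the Windows Application event log under the ".NET Runtime" source.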

Answers

  • JamesC
    JamesC W/ Partner, W/ Staff, W/ Moderator Posts: 508 Moderator
    edited June 2022

    Hi,

    Can you confirm if the user name has been configured for ODS service (page 8 of the configurator tool)? You may refer to Page 30 on the Deployment guide here - https://help.f-secure.com/data/pdf/fsess15.10-deployment-eng.pdf

    The path to the config tool: \Email and Server Security\ui\F-Secure.ESS.Config.exe

  • Edo_Synchronix
    Edo_Synchronix W/ Alumni Posts: 3 Security Scout

    Hello,

    Yes, a new user account has been created for F-Secure.Ess.Ods.Service. The account has been used on page 8 of the configuration tool. The account is a member of the local Administrators group on both Exchange servers. The account is also a member of the "Organization Management" Exchange group. In the service console the account can be seen as the logon account for F-Secure.Ess.Ods.Service. The service is running.

    Finally, the account can be seen in the ods.log (line 3) from the Exchange server in active mode.

  • JamesC
    JamesC W/ Partner, W/ Staff, W/ Moderator Posts: 508 Moderator

    Hi,

    I have checked this with our product team and we suggest submitting a support ticket along with the ESS FSdiag logs.

    https://www.withsecure.com/no-en/support/contact-support/email-support

  • Edo_Synchronix
    Edo_Synchronix W/ Alumni Posts: 3 Security Scout

    Thank you, I will.

This discussion has been closed.