MailMarshal SMTP Engine fails to start


This article applies to:

  • Trustwave MailMarshal (SEG)
  • Trustwave ECM/MailMarshal Exchange

Question:

  • Why does the MailMarshal Engine not start?
  • Why do MailMarshal directories need to be excluded from virus scanning?

Symptoms:

  • MailMarshal Engine Service does not start after a new installation.
  • Error: 'It appears that the following directory: <directory name> is being checked by a virus scanner without MailMarshal's direction.' 

Causes:

This error is normally caused by a resident or "on-access" virus scanner attempting to scan the MailMarshal working directories on the local MailMarshal server.  MailMarshal periodically creates a message with a standard pseudo virus file, eicar.com (not a real virus) in its working directories to test if a virus scanner will intercept it. MailMarshal will not process email if it detects a resident virus scanner.

Background:

MailMarshal checks a message for viruses by unpacking the message into its various parts, and then invoking the configured virus scanners against the resulting files.

If a resident virus scanner, not in MailMarshal's control, processes one of the unpacked components before MailMarshal runs its virus scanner, MailMarshal will not detect that the message contained a virus. MailMarshal will then mark the original email message as clean and possibly deliver it, when in fact it still contains a virus.

Resolution:

For details of the directories you must exclude from scanning, see the following Trustwave Knowledgebase article:

  • Q10850: What directories need to be excluded from resident virus scanning and regular backups?

After excluding the directories, remember to start the Engine (from the MailMarshal Configurator > Server and Array Configuration > Server Properties, or from the Windows Services control panel).

This article was previously published as:
NETIQKB40099

Last Modified 5/1/2020.
https://support.trustwave.com/kb/KnowledgebaseArticle10866.aspx