Cisco Email Security Appliance

ESA FAQ: What should I do when I get an alert with a Sophos Anti-Virus error code on the ESA?

Document ID: 117849

Updated: Jun 25, 2014

Contributed by Jackie Fleming and Enrico Werner, Cisco TAC Engineers.



This document describes the meaning of error codes from the Sophos Anti-Virus engine on the Cisco Email Security Appliance (ESA).

What should I do when I get an alert with a Sophos Anti-Virus error code on the ESA?

AsyncOS generates an alert with an error code whenever the Sophos Anti-Virus engine fails to scan an email message. Each code indicates a specific error condition, such as:

  • 0x8004020F - The message was of an unknown format, and was therefore unscannable.

  • 0x8004021A - The message is in a format that cannot be scanned.

  • 0x8007000E - The message was most likely too large or contained too many nested items, and the scanner ran out of memory before completing the scan. This most likely occurred when the appliance was under heavy load.

  • 0x80040210 - The scanner could not open the message, and the message was therefore unscannable.

In each of these cases, the message was handled according to the Unscannable Messages option of the Incoming or Outgoing Mail Policy that matched the message.

Depending on your policy, a number of different actions could have occurred. You might want to review your policy for unscannable messages in order to ensure that it is appropriate for your site. 

If you are able to identify and forward the message, Cisco Customer Support would be interested in reviewing the format. The system does not automatically save these messages, so the typical way to collect them is to enable the Archive action in your Unscannable Messages settings, which logs these messages to a file that can be retrieved and reviewed.

If you have a message to submit, contact Cisco Customer Support.
