The store driver has reported that third-party antivirus software deleted a message prior to delivery. This is usually because the message was infected and could not be cleaned. You can change the setting to allow the mail to be sent to the BadMail folder instead.
No action is required.
For more information about MSExchangeTransport event 347, see:
Target | Microsoft.Exchange.Protocol.SMTP |
Category | EventCollection |
Enabled | True |
Event_ID | 347 |
Event Source | MSExchangeTransport |
Alert Generate | False |
Remotable | True |
Event Log | Application |
ID | Module Type | TypeId | RunAs |
---|---|---|---|
EventDs | DataSource | Microsoft.Windows.EventProvider | Default |
WriteToDB | WriteAction | Microsoft.SystemCenter.CollectEvent | Default |
WriteToDW | WriteAction | Microsoft.SystemCenter.DataWarehouse.PublishEventData | Default |
<Rule ID="A_virus_infected_message_was_deleted._6_Rule" Enabled="onEssentialMonitoring" Target="Exch2003Core!Microsoft.Exchange.Protocol.SMTP" ConfirmDelivery="false" Remotable="true" Priority="Normal" DiscardLevel="100">
<Category>EventCollection</Category>
<DataSources>
<DataSource ID="EventDs" TypeID="Windows!Microsoft.Windows.EventProvider">
<ComputerName>.</ComputerName>
<LogName>Application</LogName>
<Expression>
<And>
<Expression>
<SimpleExpression>
<ValueExpression>
<XPathQuery>EventDisplayNumber</XPathQuery>
</ValueExpression>
<Operator>Equal</Operator>
<ValueExpression>
<Value>347</Value>
</ValueExpression>
</SimpleExpression>
</Expression>
<Expression>
<SimpleExpression>
<ValueExpression>
<XPathQuery>PublisherName</XPathQuery>
</ValueExpression>
<Operator>Equal</Operator>
<ValueExpression>
<Value>MSExchangeTransport</Value>
</ValueExpression>
</SimpleExpression>
</Expression>
</And>
</Expression>
</DataSource>
</DataSources>
<WriteActions>
<WriteAction ID="WriteToDB" TypeID="SC!Microsoft.SystemCenter.CollectEvent"/>
<WriteAction ID="WriteToDW" TypeID="SCDW!Microsoft.SystemCenter.DataWarehouse.PublishEventData"/>
</WriteActions>
</Rule>