Exchange and some anti-virus lessons.

Since you are reading this, you must be interested in protecting your Exchange environment from viruses distributed by email. That is good! Too many Exchange administrators simply ignore this important step in building a reliable mail system. Ordinary file-based anti-virus programs simply cannot protect your Exchange server; in fact, they can destroy it! I have been working with lots of Exchange systems since 1996 and I want to share some lessons regarding anti-virus programs with you.

Lesson 1: Do not ever try to run a standard file-based anti-virus program on an Exchange server; it will think that the log files are virus programs and actually remove them, causing the Information Store service to halt. For all databases and log files you must use only Exchange-aware anti-virus programs.

Reference: Q262375, Q247774, Q245822

Lesson 2: There are different kinds of Exchange anti-virus programs! The first scanning method used the MAPI interface, and today this is still the most common method. But using MAPI has its drawbacks: it is slow and it defeats the single-store (single-instance storage) feature of Exchange. How? Well, let's say that 10 people on the same server get an email with an attachment. The MAPI anti-virus program will detect the new mail for the first recipient, scan its attachment and thereby modify it; therefore the IS will store a new copy of this attachment for this recipient. Then the same will happen with the other 9 recipients, making 10 copies of the same attachment! It may not be a big problem, but you should be aware of it and design your server with this in mind.

Reference: Antigen 5.5 Practice safe email! (Tony Redmond)

Lesson 3: Microsoft's Anti-Virus API is not perfect! Microsoft heard the complaints about using MAPI for anti-virus scanning and released with SP3 a special API for this use, the "Anti Virus Application Programming Interface" or AVAPI. This gave the third-party anti-virus companies a new and much faster way of scanning email. The AVAPI runs together with the IS process and is able to scan an incoming mail to 10 recipients only once, without removing the single-store feature of Exchange. So that is good. But there are still some problems with this AVAPI: everything is scanned, even directory replication messages and other system messages, which makes the system slower. Because all messages are scanned, you can experience several problems if you have many or large attachments. Below are some, but not all, of the problems:
- Synchronization of OST files does not work
- IS crashes
- IMS moves mail with large attachments to the BAD directory
- Autoforward rules are disabled
- Messages get stuck in the Outbox in Outlook
- MAPI operations like "Move Mailbox", Exmerge and export to PST files may fail

Reference: Q263949, Q269439, Q262492, Q271591, Q271711, Q263947, Q264731
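As an added illustration of the single-store argument in Lessons 2 and 3 (example code written for this page, not from the article or any vendor), the toy store below dedups attachments by content at delivery but turns any later per-mailbox write into a private copy; a post-delivery MAPI-style scan that rewrites each scanned attachment therefore ends with one copy per recipient, while a scan-once-at-delivery AVAPI-style pass keeps a single copy. The recipient names and the scanner's stamp are constructed.

```python
import hashlib

SCAN_STAMP = b"\n[scanned by toy AV]"   # constructed marker the scanner adds

def scan(attachment: bytes) -> bytes:
    """Stand-in for a scanner that rewrites every attachment it inspects."""
    return attachment if attachment.endswith(SCAN_STAMP) else attachment + SCAN_STAMP

class SingleInstanceStore:
    """Toy model of the IS: delivery dedups attachments by content, but a
    later per-message write (what a MAPI client does) becomes a private copy."""
    def __init__(self):
        self.blobs = {}       # blob id -> bytes, one entry per physical copy
        self.refs = {}        # blob id -> number of messages pointing at it
        self.mailboxes = {}   # recipient -> list of blob ids

    def deliver(self, recipients, attachment):
        key = hashlib.sha256(attachment).hexdigest()   # shared, content-addressed
        self.blobs.setdefault(key, attachment)
        for r in recipients:
            self.mailboxes.setdefault(r, []).append(key)
            self.refs[key] = self.refs.get(key, 0) + 1

    def rewrite(self, recipient, index, data):
        """Per-mailbox write: replaces the shared reference with a private copy."""
        old = self.mailboxes[recipient][index]
        self.refs[old] -= 1
        if self.refs[old] == 0:
            del self.blobs[old], self.refs[old]
        new = f"private-{recipient}-{index}"
        self.blobs[new], self.refs[new] = data, 1
        self.mailboxes[recipient][index] = new

    def physical_copies(self):
        return len(self.blobs)

def mapi_style(recipients, attachment):
    """Scanner runs after delivery, mailbox by mailbox, writing back each result."""
    store = SingleInstanceStore()
    store.deliver(recipients, attachment)
    for r in list(store.mailboxes):
        for i, key in enumerate(store.mailboxes[r]):
            store.rewrite(r, i, scan(store.blobs[key]))
    return store.physical_copies()

def avapi_style(recipients, attachment):
    """Scanner runs once inside the store, before the message is fanned out."""
    store = SingleInstanceStore()
    store.deliver(recipients, scan(attachment))
    return store.physical_copies()
```

With 10 constructed recipients, mapi_style returns 10 physical copies and avapi_style returns 1, which is the size difference the lessons describe.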

Lesson 4: You must implement SP4 if you are using an AVAPI program! There are lots of fixes for AVAPI in the latest SP4 for Exchange 5.5. Implement it as soon as you can, but as always you should run it in your test environment first! And remember that this SP4 will make changes to your databases and DLLs, so make sure you have a working backup before doing anything at all!

Reference: Q274832

Lesson 5: There are alternatives to MAPI and AVAPI! The company Sybari found a new way of scanning Exchange messages: their product Antigen uses a clever, but unsupported, method that utilizes the ESE interface to scan the mail and its attachments. This is basically the same method that Exchange backup programs use, and it is fast, rock solid and without any known problems. And Sybari has made another smart move: they have licensed three virus checking engines with Antigen, so you can select the one you like best. Even the great Exchange guru Tony Redmond is impressed by this product.

Reference: Antigen 5.5 Practice safe email (Tony Redmond)

Lesson 6: Anti-virus programs will be different for Exchange 2000. The three methods mentioned above, MAPI, AVAPI and Sybari's, will still work with Exchange 2000. But this new Exchange release has lots of different ways of adding programs that can scan and manipulate messages transported within the Exchange server engine, so you can expect to see completely new anti-virus scanners during 2001. Some companies have already made new versions of their programs that will work with Exchange 2000. But today, December 2001, there seem to be more pre-final versions than complete and fully tested versions of these programs, even if the manufacturers state on their web sites that they can deliver the final release now; so be a bit skeptical and test it before you implement it in full scale.

/Goran Husman
MCSE, MCT

CEO Human Data


Disclaimer: Your use of the information contained in these pages is at your sole risk. All information on these pages is provided "as is", without any warranty, whether express or implied, of its accuracy, completeness, fitness for a particular purpose, title or non-infringement, and none of the third-party products or information mentioned in the work are authored, recommended, supported or guaranteed by Pro Exchange. OutlookExchange.Com and Pro Exchange shall not be liable for any damages you may sustain by using this information, whether direct, indirect, special, incidental or consequential, even if it has been advised of the possibility of such damages.

© Copyright Pro Exchange, Inc., 2006