Protecting your Exchange server with Norton AntiVirus for Microsoft Exchange

As an Exchange administrator, you probably panic when you hear of a new Exchange-borne virus. Your life can be less stressful if you install an Exchange antivirus program. In this Daily Drill Down, Troy Thompson looks at Symantec's solution for Exchange.

With the ever-growing threat of viruses being written to infiltrate your network via e-mail, securing your Exchange server is a top priority. What can you do to keep viruses from causing problems on your network? In this Daily Drill Down, I’ll look at protecting your Exchange server from viruses using Norton AntiVirus For Microsoft Exchange (NAVMSE). This Norton product monitors not only your mailboxes, but also your public folders. If an e-mail message is sent through your Exchange server, NAVMSE can be configured to scan it for viruses.

Installing NAVMSE is pretty straightforward: Run Setup and follow the instructions. Before you begin the NAVMSE installation, you must ensure you've completed a few preliminary tasks.

First, make sure you install NAVMSE on the Exchange server. You can’t install it on a different NT server and expect it to scan your Exchange server. Second, you must be logged on as Administrator with the Act As Part Of The Operating System user right enabled, or you must be logged on as the service account administrator. It will also be necessary for you to know the Exchange service account name and password.

If you plan to install NAVMSE for Exchange right after you install Microsoft Exchange Server, you must reboot between installations. If you don’t, NAVMSE’s installation program will fail. During the installation process, you can decide who will be granted rights to administer NAVMSE based on a range of IP addresses or a specific IP address. You will also have to create a password to access the user interface.

Once the installation process is complete, you will see an Internet Explorer icon on the desktop labeled Norton AntiVirus For Microsoft Exchange. Immediately after installation, you should initiate a manual scan of all public folders and mailboxes. A mailbox called NAV For Microsoft Exchange-servername will also be created. You can choose to hide this mailbox after installation—if you ever need to reinstall, the setup will reveal the mailbox automatically.

Since NAVMSE runs as a service, it must be started before e-mails can be scanned. By default, the service is set to automatic. Starting the NAVMSE service may take a while because it verifies all mailboxes and public folders on the Exchange server before informing the NT Service Control Manager that it has started. The service is automatically stopped when you shut down the System Attendant service.

You'll administer NAVMSE using a Web browser. When you double-click the desktop icon to launch the browser interface, it will open your Web browser and request the password you created when installing the software. The Username field is optional.

To ensure that not just anyone can launch a Web browser and connect to the Exchange server, NAVMSE uses an access list to check who can administer it. A machine whose IP address is not in the access list receives the HTTP/1.0 403 Forbidden error message when attempting to connect to NAVMSE. To add IP addresses, you must run the setup program again or edit the ModifyIPAddrs value of the HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\NAVMSE\2.0 registry key on the server. The key should contain the comma-separated list of IP addresses and address ranges such as,, After editing the registry key, the service must be stopped and restarted for the new settings to take effect. You will also get the HTTP/1.0 403 Forbidden error message if you input the wrong password. After typing the correct password, you will be presented with a menu in the left pane and the details in the right pane.

Checking out NAVMSE’s Web interface
After you start NAVMSE’s Web administration program, you’ll see a list of tasks you can perform in the left pane. If you click Statistics, you'll see a list of statistics about your server. The Statistics tab, shown in Figure A, displays the number of e-mail messages and attachments scanned, the average scan time, and the total kilobytes processed. It also shows the date of the virus definitions being used and the number of viruses logged, quarantined, deleted, and repaired.

Figure A
The Statistics For Auto-Protect window shows statistics about your server.

Clicking the Reports tab, shown in Figure B, enables you to list virus incidents and the action taken on the infected item. The report can be ordered by author, scan type, or virus. If desired, you can process the data to generate the report that can be downloaded for manipulation outside the program.

Figure B
NAVMSE generates reports about virus infections.

Click the Quarantine tab to see the viruses that have been placed in quarantine, as shown in Figure C. Quarantine is a restricted zone that safely stores infected attachments withheld from delivery. NAVMSE places items in the quarantine area based on the Detect tab settings you specified when you configured manual scans, Auto-Protect, and scheduled scans. If an infected attachment is stripped from an e-mail, the intended recipient receives the body of the e-mail and any uninfected attachments.

Attachments will stay in the quarantine area until you delete or release them. Upon release, items are re-sent to the original recipient. If the item is still infected and the virus cannot be removed, Auto-Protect quarantines the item again. Quarantine can display 1,000 entries at a time.

Figure C
NAVMSE will quarantine suspected virus attachments.

Click the Activity Log tab to see a record of all Norton AntiVirus and server-related events, as shown in Figure D. The log lists events in chronological order with the most recent at the top. You can specify dates of interest and filter the log to specific events. You can also use the Windows NT Event Viewer to view the Windows NT Application Log, which stores the entries.

Figure D
The Activity Log shows the Date, Severity, Category, and Message of antivirus- and server-related events.

Clicking the Manual Scan tab, shown in Figure E, enables you to initiate a manual scan, which is an on-demand scan of public folders and mailboxes. The Activity Log summarizes virus detections from manual scans. You should run a manual scan after installation to ensure that public folders and mailboxes are virus-free.

Figure E
Manual Scan allows you to control how NAVMSE scans files.

Click the Auto-Protect tab to configure the program and instruct it on what to scan and where to scan, as shown in Figure F. Auto-Protect is the best defense against virus attacks. It detects viruses in real time as e-mail is routed through the Microsoft Exchange server—before viruses have a chance to spread through your site.

Figure F
Auto-Protect enables NAVMSE to scan for viruses on the fly.

The Scheduled Scans screen, shown in Figure G, allows you to set up a job that will run an unattended scan at a time you specify. The NT Scheduler service must be running for Scheduled scans. Scheduled scans should be performed during off-peak periods. To schedule a scan, click Scheduled Scans in the left panel, type the job name, time and day to run, then click the Add To Schedule button.

Figure G
You can schedule scans for particular times.

The Global Options tab, shown in Figure H, has five subtabs that allow you to configure NAVMSE. You can configure it to repair infected attachments, to eliminate viruses automatically on detection, quarantine infected attachments for administrator review, delete infected attachments, or continue delivery but log the virus detection. When a virus is detected, an e-mail notification can be sent to specified administrators, message authors, and intended message recipients.

You can set the extension for the types of attachments you want to scan or exclude. Long extensions with long filenames are not used in the Global Options settings for extensions to scan or for extensions to exclude from scanning. Extensions longer than three characters are matched using the short filename extension. In addition, Windows NT alerts can be sent to specified machines and users.

Global options apply to all scan types. If a setting is changed, it affects whatever is selected in Auto-Protect, Manual Scan, and future Scheduled Scans. NAVMSE checks for new or moved mailboxes and public folders every 60 minutes. These new mailboxes and folders are not protected until detected. The time interval of 60 minutes can be changed in the Advanced Global Options. If you create or move several mailboxes, you can use the Refresh Now button on the Advanced Global Options to have them detected immediately. Although the default settings are appropriate for some sites, you will probably want to modify them for your specific needs.

Figure H
Global Options allow you to more narrowly focus the way NAVMSE scans files.

The LiveUpdate tab, shown in Figure I, allows you to set up the number of times that your server will download the latest virus definition files from Symantec—up to 10 times per month. There is a 60-minute delay before NAVMSE uses updated virus definitions from a live update. During the course of heavy virus attacks, 10 times per month may not be often enough. You can click the Update Now button to update the virus definition files immediately or to enable immediate use of the updated virus definitions from the scheduled update.

Figure I
LiveUpdate controls how often your server will download updated virus definition files.

How to test Norton AntiVirus for Exchange
You don’t have to use an actual virus to test your system. You can create a file using Notepad that will emulate a virus. If you are running an antivirus program on the computer from which you will create this file, you will need to temporarily disable it. Type or paste this line of code into a new Notepad file.

Save the file under the name Although this file is not a virus, it will be detected as the EICAR Test String.70 virus. Once the file is created, you can e-mail it as an attachment to yourself while NAVMSE is running.

You should monitor your NAVMSE at least once a day. Since it is a service, it is possible that the service may stop on its own or become corrupt. As messages flow through your Exchange server, they are accounted for in real time. If you pull up the Statistics window and notice the Number Of E-mails Processed counter is not increasing, you should check the service. Stopping and restarting the service may solve the problem, but in some cases, you may have to reinstall the program. When the service is not running, your Exchange server is not protected from viruses.

There are several problems that you may run into while using NAVMSE. Since the user interface is your Web browser, you may experience problems due to the version of the browser you are using. Manual Scan will not display status to the administrator when using the Windows 3.1 or Windows NT 3.51 (16-bit) versions of Microsoft Internet Explorer. The Manual Scan starts, but no information is displayed. You must use a browser that is supported to correct this problem.

If you are using Netscape, resizing the browser window while editing a form may reload the form. To prevent this, do not resize the browser before saving forms.

If Internet Explorer 4.0 and its optional Task Scheduler are installed, NAVMSE displays a scan scheduled for a Sunday as scheduled for a Saturday. Despite the incorrect display, the scan will run on a Sunday as intended. To correct the display problem, uninstall the Task Scheduler component of Internet Explorer 4.0 or use the Task Scheduler included with Internet Explorer 5.0.

Foreign language versions of Netscape Navigator 3.x may have problems displaying the information correctly or may hang up. To correct this, you must use a browser that is supported.

If you get the error Scan Engine Error In Extracting A File From A Compressed File, it is usually due to password-protected compressed files. Because the password is unknown, NAVMSE cannot scan the file.
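A check for the case described above, as an added example that is not part of the original article or of NAVMSE: it lists ZIP attachments in a message whose members carry the encryption flag, which are the files a scanner cannot open without the password. The function names and the sample message are constructed for illustration.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

ENCRYPTED = 0x1  # ZIP general-purpose flag bit 0: member is password-protected


def encrypted_members(zip_bytes):
    """Names of archive members a scanner cannot open without the password."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [zi.filename for zi in zf.infolist() if zi.flag_bits & ENCRYPTED]


def unscannable_attachments(raw_message):
    """Map attachment filename -> encrypted member names (ZIP attachments only)."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    findings = {}
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        if not zipfile.is_zipfile(io.BytesIO(data)):
            continue
        names = encrypted_members(data)
        if names:
            findings[part.get_filename()] = names
    return findings


def build_sample_message():
    """Constructed test message: one ordinary ZIP and one flagged as encrypted."""
    def make_zip(flag_encrypted):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr("report.doc", "constructed sample content")
        raw = bytearray(buf.getvalue())
        if flag_encrypted:
            # Set bit 0 of the flags field in the central directory header
            # (offset 8 from its PK\x01\x02 signature); the stdlib cannot write
            # real encrypted archives, and the flag is all the check reads.
            raw[raw.find(b"PK\x01\x02") + 8] |= ENCRYPTED
        return bytes(raw)

    msg = EmailMessage()
    msg["Subject"] = "constructed sample"
    msg.set_content("See attachments.")
    for name, locked in (("plain.zip", False), ("locked.zip", True)):
        msg.add_attachment(make_zip(locked), maintype="application",
                           subtype="zip", filename=name)
    return msg.as_bytes()
```

Attachments reported by `unscannable_attachments` are candidates for quarantine or administrator review, since their contents were never inspected.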

What about Exchange 2000?
NAVMSE is now compatible with Exchange 2000. NAVMSE 2.11 adds support for the Exchange 2000 clustered environment. The additional modes for Auto-Protection require Service Pack 3 for Microsoft Exchange Server 5.5 or later (including Exchange 2000).

NAVMSE’s Setup program does not currently create an account and mailbox when installing on Exchange 2000. Before installing NAVMSE, you should create an account and mailbox for NAVMSE. The account should be an Exchange Administrator and have the Act As Part Of The Operating System and Log On As A Service user rights enabled.

With Exchange 2000, it is necessary for NAVMSE to be started before the Microsoft Exchange Information Store (MSExchangeIS) service. As this service must be running to install NAVMSE, it will be necessary to stop and restart MSExchangeIS immediately after the installation is complete.

Microsoft is aware of this problem. To fix it, all you need to do is install the Exchange 2000 Service Pack 1.

Of the ILoveYou, Stages of Life, Funny Text, AnnaKournikova, and other such viruses, NAVMSE on the server I administer caught more than 100,000 viruses in a 12-month period. Without proper safeguards in place, an Exchange server can easily be rendered inoperable. For the amount of protection you get, the cost of virus software is quite small.
