Tech Tip: Keep Exchange Server and your e-mail virus-free

It's vital that organizations deploy some form of antivirus scanning on Exchange Server. Learn more about your options.

By Mike Mullins

E-mail viruses and worms continue to run rampant, and a new variant hits networks almost every week. While many PCs have antivirus solutions installed, organizations should also consider scanning for viruses at the Exchange Server level.

After installing Exchange Server, it's vital that you verify that your e-mail server and your users' e-mail are as safe as possible from viruses. This is an area in which administrators must remain vigilant; if you're not careful, problems can easily crop up.

To keep your Exchange server and the e-mail it delivers virus-free, it's important to familiarize yourself with the different types of antivirus scanners available for Exchange. Let's look at some of your options.

File-level scanners

File-level (or on-demand) antivirus scanners verify that any software and files residing on your server are virus-free. However, these scanners provide little to no protection from viruses within e-mail messages, and they can cause significant problems if you allow them to scan the wrong directories.

File-level scanners can lock or quarantine files during a scan, which can cause database corruption. Make sure your file-level scanners always exclude the following directories:

  • Databases and log files (Exchsrvr\Mdbdata)
  • MTA files (Exchsrvr\Mtadata)
  • Log files (Exchsrvr\server_name.log)
  • Site Replication Service (SRS) files (Exchsrvr\Srsdata)
  • Virtual server (Exchsrvr\Mailroot)
  • Internet Information Services (IIS) system files (%SystemRoot%\System32\Inetsrv)

In addition, Exchange 2000 creates a virtual drive for transactions, using the M: drive. Make sure your scanners don't scan the M: drive, or the scan will generate a lot of transaction logs.
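As an added illustration (not from the article), the following Python audit compares a file-level scanner's configured exclusion list against the directories listed above: it expands %SystemRoot%, compares paths case-insensitively, and accepts an exclusion of a parent directory (or of the whole M: drive) as covering its children. The install root, server name, and sample exclusion list are constructed values.

```python
import ntpath
import re

# Directories the article says file-level scanners must exclude, relative to
# the Exchange install root (Exchsrvr). {server_name} is filled in per server.
RELATIVE_EXCLUSIONS = [
    "Mdbdata",             # databases and transaction log files
    "Mtadata",             # MTA files
    "{server_name}.log",   # per-server log files
    "Srsdata",             # Site Replication Service (SRS) files
    "Mailroot",            # virtual server directories
]
IIS_EXCLUSION = r"%SystemRoot%\System32\Inetsrv"   # IIS system files


def expand_env(path, env):
    """Expand %VAR% references case-insensitively from the supplied env dict."""
    lookup = {k.lower(): v for k, v in env.items()}
    return re.sub(r"%([^%]+)%",
                  lambda m: lookup.get(m.group(1).lower(), m.group(0)), path)


def normalize(path, env):
    """Canonical form for comparing Windows paths: expanded, normalized, lower-case."""
    return ntpath.normpath(expand_env(path, env)).rstrip("\\").lower()


def required_exclusions(exchsrvr_root, server_name, transaction_drive="M"):
    """Return the exclusions the article requires for one Exchange install."""
    paths = [ntpath.join(exchsrvr_root, rel.format(server_name=server_name))
             for rel in RELATIVE_EXCLUSIONS]
    paths.append(IIS_EXCLUSION)
    paths.append(transaction_drive + ":\\")   # Exchange 2000 virtual drive
    return paths


def covered(required, excluded):
    """True if an excluded path equals the required path or is a parent of it."""
    return required == excluded or required.startswith(excluded + "\\")


def missing_exclusions(configured, exchsrvr_root, server_name, env):
    """Return the required exclusions that no configured exclusion covers."""
    excluded = [normalize(c, env) for c in configured]
    return [req for req in required_exclusions(exchsrvr_root, server_name)
            if not any(covered(normalize(req, env), ex) for ex in excluded)]


if __name__ == "__main__":
    # Constructed sample: a scanner config that excludes only some of the paths.
    env = {"SystemRoot": r"C:\WINNT"}
    configured = [r"C:\Program Files\Exchsrvr\MDBDATA\\", r"%SystemRoot%\system32\inetsrv"]
    for path in missing_exclusions(configured, r"C:\Program Files\Exchsrvr", "EXCH01", env):
        print("NOT EXCLUDED:", path)
```

Run it against the exclusion list exported from your scanner; anything it reports is a directory the scanner may lock or quarantine files in during a scan.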

Exchange-aware scanners

There are two types of Exchange-supported antivirus scanners: Messaging Application Programming Interface (MAPI) scanners and Virus Application Programming Interface (VAPI) scanners.

MAPI scanners

MAPI scanning is an older technology that logs into each individual mailbox and scans every e-mail message. However, MAPI scanners don't scan outbound e-mail.

In addition, these scanners don't recognize the Exchange Single Instance Storage filter. So if multiple recipients receive the same message, the scanner will check it multiple times, slowing down your e-mail server.

VAPI scanners

Also known as Antivirus VAPI (AVAPI) or Virus Scanning API (VSAPI), these scanners have gone through several changes. They are currently the scanners of choice.

VAPI scanners check messages when they reach the information store. If a message hasn't yet been scanned with the current antivirus signature file, the scanner interrupts the client's retrieval of that message to check it first. VAPI scanners understand the Single Instance Storage structure of the Exchange database and can also scan outbound messages.

By the way, I intentionally didn't include antivirus scanners based on the Extensible Storage Engine (ESE) in this list. The Microsoft Exchange architecture doesn't support this type of scanning because of the changes it makes to dependencies and the process used to interrupt messages submitted to the information store. If Microsoft doesn't support it, why load it on your Exchange server?

Final thoughts

Over the past few years, antivirus technology has evolved significantly. It's vital that organizations deploy some form of antivirus scanning on Exchange Server. Remember that keeping your e-mail server secure also means delivering and sending clean, virus-free e-mail to your users and your customers.

Mike Mullins has served as a database administrator and assistant network administrator for the U.S. Secret Service. He is a Network Security Administrator for the Defense Information Systems Agency.