Information Store Antivirus for Exchange
In my recent EMO article, I referred to the fact that there are two different kinds of anti-virus that may execute on an Exchange Server: file-level scanning and information store scanning. In this article, I write more about information store scanning.
While written specifically with Exchange Server 2003 in mind, the information applies to Exchange Server 2007 as well.
Information-store antivirus programs break down into three categories:
MAPI Scanners
Messaging Application Programming Interface (MAPI) scanners were the first generation of information-store scanners available for Exchange. MAPI scanners had a number of significant disadvantages that led to their replacement, including: speed (they were slow – they had to log into each individual mailbox in order to scan messages), speed (they were so slow that it was possible for a user to read an infected message before it was scanned), speed (they did not understand single-instance storage, so one message could be scanned many times), and finally that they could not scan outgoing messages, only incoming messages. While there are still MAPI scanners being sold, none of the major brands of Exchange antivirus are MAPI scanners.
ESE-Based Scanners
The Extensible Storage Engine (ESE) is the database engine that Exchange uses for its information stores. ESE-based scanners access the ESE databases directly and interpose their message-scanning functionality between Exchange and the database engine by installing a piece of software known as a shim or thunking layer. ESE-based scanners are not officially supported by Microsoft, even though they market such a solution. ESE-based scanners can claim speeds that no other scanner type can match.
VSAPI Scanners
Virus Scanning Application Programming Interface (VSAPI) scanning first became possible in Exchange 5.5 Service Pack 3. VSAPI is currently at version 2.5, which was introduced in the original release of Exchange Server 2003. The current version of VSAPI corrects nearly every problem experienced with MAPI scanners: VSAPI understands single-instance storage, it will not place a message into a user's mailbox until the message has been scanned, it can scan outgoing as well as incoming messages, and it adds other features not discussed here. All major Exchange antivirus solutions now use VSAPI. A few have not upgraded to VSAPI 2.5, so check for this before deciding on your antivirus solution. VSAPI is supported in Exchange 2007 but de-emphasized; Microsoft recommends running a transport scanner on the hub server.
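The two store behaviours contrasted above (a MAPI scanner sweeping mailboxes after delivery, versus a VSAPI-style scan of each unique message before it is placed) are easy to see in a small model. The following Python is an added illustration written for this article, not code from Exchange or from any antivirus vendor; the store, the engine, its signature strings and the message bodies are all constructed here, and real VSAPI bookkeeping is considerably richer than the two sets used below.

```python
import hashlib
from dataclasses import dataclass, field

# Constructed signature set for a toy engine; a real product uses far more than
# substring matching, but the scheduling differences shown here do not depend on that.
SIGNATURES = (b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE", b"malicious-macro")


def content_id(body: bytes) -> str:
    """Identity of a message body in a single-instance store (one copy per hash)."""
    return hashlib.sha256(body).hexdigest()


@dataclass
class Engine:
    """Toy scanner that also counts how often it is invoked."""
    signatures: tuple = SIGNATURES
    scans: int = 0

    def is_infected(self, body: bytes) -> bool:
        self.scans += 1
        return any(sig in body for sig in self.signatures)


@dataclass
class Store:
    bodies: dict = field(default_factory=dict)      # content_id -> bytes (stored once)
    mailboxes: dict = field(default_factory=dict)   # user -> list of content_ids
    quarantined: set = field(default_factory=set)   # content_ids known to be infected
    clean: set = field(default_factory=set)         # content_ids already scanned clean

    def _intern(self, body: bytes) -> str:
        h = content_id(body)
        self.bodies.setdefault(h, body)
        return h

    def deliver_unscanned(self, recipients, body: bytes) -> str:
        """MAPI-era ordering: the store places the message first, scanning comes later."""
        h = self._intern(body)
        for user in recipients:
            self.mailboxes.setdefault(user, []).append(h)
        return h

    def mapi_style_sweep(self, engine: Engine) -> None:
        """A MAPI scanner logs into every mailbox and scans every item it finds there,
        so a message delivered to N users is scanned N times, and only after delivery."""
        for items in self.mailboxes.values():
            for h in list(items):
                if engine.is_infected(self.bodies[h]):
                    items.remove(h)
                    self.quarantined.add(h)

    def vsapi_style_deliver(self, engine: Engine, recipients, body: bytes) -> bool:
        """VSAPI-style ordering: scan each unique body once, before placement.
        Returns True if the message reached the mailboxes."""
        h = self._intern(body)
        if h in self.quarantined:
            return False
        if h not in self.clean:                       # one scan per unique body
            if engine.is_infected(body):
                self.quarantined.add(h)
                return False
            self.clean.add(h)
        for user in recipients:
            self.mailboxes.setdefault(user, []).append(h)
        return True

    def readable_by(self, user: str, h: str) -> bool:
        return h in self.mailboxes.get(user, [])


def demo() -> dict:
    """Run the same two messages through both models and report what differs."""
    recipients = ["alice", "bob", "carol"]
    infected = b"Quarterly report attached\nmalicious-macro"   # constructed sample
    clean = b"Lunch on Friday?"                                # constructed sample
    h_inf = content_id(infected)

    # MAPI model: deliver, then sweep.
    mapi_store, mapi_engine = Store(), Engine()
    mapi_store.deliver_unscanned(recipients, infected)
    mapi_store.deliver_unscanned(recipients, clean)
    exposed_before_sweep = mapi_store.readable_by("alice", h_inf)
    mapi_store.mapi_style_sweep(mapi_engine)

    # VSAPI model: scan once per unique body, then deliver (or not).
    vs_store, vs_engine = Store(), Engine()
    vs_store.vsapi_style_deliver(vs_engine, recipients, infected)
    vs_store.vsapi_style_deliver(vs_engine, recipients, clean)
    vs_store.vsapi_style_deliver(vs_engine, ["dave"], clean)   # already scanned: no rescan

    return {
        "mapi_scans": mapi_engine.scans,                 # 2 messages x 3 mailboxes
        "mapi_exposed_before_sweep": exposed_before_sweep,
        "mapi_exposed_after_sweep": mapi_store.readable_by("alice", h_inf),
        "vsapi_scans": vs_engine.scans,                  # 2 unique bodies, scanned once each
        "vsapi_exposed": any(vs_store.readable_by(u, h_inf) for u in recipients + ["dave"]),
        "vsapi_quarantined": h_inf in vs_store.quarantined,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The numbers the model produces are the article's three "speed" complaints in miniature: the MAPI sweep scans six items for two messages and leaves a window in which a recipient can open the infected item, while the VSAPI-style path scans each unique body once and never lets the infected body into a mailbox, even when it is later addressed to an additional recipient.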
Information-store antivirus solutions also often package other add-ons to Exchange (such as disclaimers, anti-spam, attachment filtering, etc.), but those are beyond the scope of this article.
A common antivirus-related question is: if you have an email gateway that feeds your Exchange server and already does virus scanning, should there also be an information-store antivirus solution on the Exchange server? The answer is a qualified yes.
A multi-layered antivirus defense is your best protection against viruses. However, best practices dictate that each layer should be from a different vendor. This is due to the unfortunate fact that no vendor prevents or scans for every potentially harmful virus, and that each vendor releases updates at different times for different threats. Having one vendor's solution scan the same data multiple times is of little value. It is possible that the added cost of a multi-layered defense from multiple vendors may make it infeasible for some companies.
However, and let me say this very strongly, having an email server that has neither a gateway-based antivirus nor an information-store-based antivirus in this day and age is nothing but pure negligence. Some studies have concluded that your servers will very likely be infected within a week.