File Level Antivirus for Exchange
In this article, I discussed one of the types of antivirus available for Exchange Servers: information-store antivirus. These two posts are follow-ons to an article I wrote for EMO; that article is discussed here.
Today, I'm going to talk about file-level antivirus on Exchange Servers.
If you have a multi-leveled antivirus solution at your Internet gateway, on all desktops in your organization, and you strongly control the introduction of external data into your workplace, some experts will say that file-level virus scanners on your servers are not required. I would respectfully disagree given that I've seen servers become compromised in those environments.
The purpose of a file-level antivirus program is to scan everything on the server except the information store itself (where the store includes the transaction logs, the EDB file and the STM file). File-level scanners have two modes of operation:
On-Demand Scanning
Most antivirus programs can run a scan on a specified schedule or in response to a particular event: a manual request, a reboot, the loading of a new set of virus definitions, or practically any other trigger that product supports. On-demand scanning has the particular attribute of occurring after the fact: any infection an on-demand scan finds has already had a chance to spread.
On-Access Scanning
Many modern antivirus programs hook into the Windows operating system (typically through a file-system filter driver) so that whenever a file is created, opened, written to, closed, or modified, the file is scanned for infection. While modern computers can typically handle this load, the process can be extremely processor and memory intensive. On file servers, it is common to see on-access scanning consuming over one-third of the computer's processor resource.
Both on-demand and on-access scanning have a significant negative: while they are scanning a file, they hold it open and locked so that no other program can access it. There are several reasons for this, but the main one is to keep another program from reading infected data out of the file before the scan has finished.
If the file the antivirus program is scanning (and has therefore locked against any other access) is an Exchange database, a transaction log, or a temporary file that Exchange expects to be able to open, real problems follow: failed writes, program failure and, worst of all, information-store corruption. Just imagine how horrible it would be if an antivirus program scanned one of your Exchange information stores and found a virus (or got a false positive) before the Exchange information-store antivirus found it, and therefore quarantined (or deleted!) your entire information store. That is unlikely to happen with a mounted information store, because Exchange keeps the database files open, but it is extremely likely to happen with transaction log files, which are closed once they are full and then sit on disk like any other file. The situation can be even worse: imagine your Exchange Server undergoing a database recovery and failing, because many of the transaction logs it needs are sitting in your antivirus package's quarantine!
Scanning the Exchange related directories is a recipe for disaster.
In order to prevent this, you should exclude a number of Exchange directories from the file-level scanning process. These include (for Exchange Server 2003):
- All Exchange databases and log files on all volumes (typically the \Program Files\Exchsrvr\MDBDATA folder).
- All Exchange MTA files (typically the \Program Files\Exchsrvr\MTADATA folder).
- Message tracking log files (typically the \Program Files\Exchsrvr\<servername>.log folder).
- All virtual SMTP server folders (typically the \Program Files\Exchsrvr\Mailroot folder).
- The folder used for the storage of temporary files (typically the \Program Files\Exchsrvr\MDBDATA folder).
- The folder used by the Site Replication Service (typically the \Program Files\Exchsrvr\SrsData folder).
- The folder containing the .chk file (typically the \Program Files\Exchsrvr\MDBDATA folder).
- Any ExIFS folder (typically the M: drive, but not present by default in Exchange Server 2003).
- The %SystemRoot%\System32\InetSrv folder.
- Any other folder specified by your antivirus product.
Many organizations simply exclude all Exchsrvr folders and subdirectories, plus the Inetsrv folder mentioned next to last above. Most antivirus applications also have a folder where they create and process temporary files for Exchange, and that folder needs to be excluded as well. Refer to the documentation for your specific antivirus application for the details.
Also, you will notice that the MDBDATA folder appears in the list several times. That is because several types of files may be stored there, and each of them may be moved from its default location independently; if they are moved, those non-default locations also need to be excluded from scanning. The exclusion must follow where the files actually are on each server, not where a default installation would have put them.
Be aware that these folders must be excluded from both on-demand and on-access file scanning. Excluding them from only one mode still leaves the door open to data corruption.
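As an added check (my own example, not code from the article, from Microsoft or from any antivirus vendor), the script below audits a scanner's folder exclusions against the paths a server actually uses. The server layout, the server name EXCH01 and the two exclusion lists are constructed for the example. It shows the trap described above: a storage group moved to D: and E: is not covered by the common "exclude everything under Exchsrvr" rule, and exclusion matching has to normalize Windows paths (case, separators, trailing slashes) rather than compare strings. A name-based check for ESE store files is included as a second line of defense for files that have wandered off the excluded paths.

```python
"""Audit file-level antivirus exclusions against the paths an Exchange
server actually uses.  Added example, not code from the original article.
The server layout and exclusion lists below are constructed for illustration."""
from __future__ import annotations

import ntpath
import re


def normalize(path: str) -> str:
    """Canonical form of a Windows path: backslash separators, '.'/'..'
    resolved, lower-cased (NTFS is case-insensitive), no trailing separator
    except on a drive root such as 'c:\\'."""
    p = ntpath.normcase(ntpath.normpath(path))
    if len(p) > 3:
        p = p.rstrip("\\")
    return p


def is_covered(target: str, exclusions: list[str]) -> bool:
    """True if target is an excluded path or lies beneath an excluded folder."""
    t = normalize(target)
    for ex in exclusions:
        e = normalize(ex)
        prefix = e if e.endswith("\\") else e + "\\"
        if t == e or t.startswith(prefix):
            return True
    return False


def audit_exclusions(exchange_paths: dict[str, str], exclusions: list[str]) -> list[str]:
    """Return the labels of Exchange locations the scanner would still touch."""
    return [label for label, path in exchange_paths.items()
            if not is_covered(path, exclusions)]


# Names ESE gives store files: priv1.edb/.stm, E00.log (current log),
# E0000001.log (Exchange 2003, generation in 5 hex digits),
# E0000000001.log (Exchange 2007, 8 hex digits), E00.chk, res1.log/res2.log.
STORE_FILE_RE = re.compile(
    r"^(?:.+\.(?:edb|stm)"
    r"|e\d\d(?:[0-9a-f]{5}|[0-9a-f]{8})?\.log"
    r"|e\d\d\.chk"
    r"|res[12]\.log)$",
    re.IGNORECASE,
)


def is_exchange_store_file(path: str) -> bool:
    """Name-based safety net: flag a file that should never be quarantined
    regardless of where it lives (catches stores moved off the default path)."""
    return STORE_FILE_RE.match(ntpath.basename(path)) is not None


# Constructed layout for a hypothetical Exchange 2003 server named EXCH01:
# storage group 1 on the default MDBDATA path, storage group 2 moved to
# separate volumes for its database and its logs.
SERVER_PATHS = {
    "SG1 database": r"C:\Program Files\Exchsrvr\MDBDATA\priv1.edb",
    "SG1 transaction logs": r"C:\Program Files\Exchsrvr\MDBDATA",
    "SG2 database": r"D:\SG2DB\priv2.edb",
    "SG2 transaction logs": r"E:\SG2Logs",
    "MTA data": r"C:\Program Files\Exchsrvr\MTADATA",
    "Message tracking logs": r"C:\Program Files\Exchsrvr\EXCH01.log",
    "SMTP mailroot": r"C:\Program Files\Exchsrvr\Mailroot",
    "IIS inetsrv": r"C:\WINDOWS\System32\inetsrv",
}

# The "exclude all of Exchsrvr plus inetsrv" rule many organizations apply.
DEFAULT_EXCLUSIONS = [
    r"C:\Program Files\Exchsrvr",
    r"C:\WINDOWS\System32\inetsrv",
]

# The same rule extended with the relocated storage group; the odd casing and
# the forward-slash entry show that normalization, not string equality, decides.
FIXED_EXCLUSIONS = DEFAULT_EXCLUSIONS + [r"d:\sg2db", "E:/SG2Logs/"]


if __name__ == "__main__":
    print("Still scanned with default exclusions:",
          audit_exclusions(SERVER_PATHS, DEFAULT_EXCLUSIONS))
    print("Still scanned with fixed exclusions:",
          audit_exclusions(SERVER_PATHS, FIXED_EXCLUSIONS))
    for name in (r"E:\SG2Logs\E0100004.log", r"D:\SG2DB\priv2.edb", r"C:\Temp\report.txt"):
        kind = "store file" if is_exchange_store_file(name) else "ordinary file"
        print(name, "->", kind)
```

Feed `SERVER_PATHS` from whatever records your real locations (the storage group properties in Exchange System Manager, or the Exchange 2007 cmdlets) rather than from a default-install assumption, and run the audit after every database or log relocation; that is exactly the moment the exclusion list silently stops matching.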
Microsoft's general recommendations on antivirus software and Exchange Server 2003 can be found in Microsoft KB 823166 (Overview of Exchange Server 2003 and antivirus software). The situation is a bit more complicated for Exchange Server 2007. The exclusions for Exchange Server 2007 are documented in this TechNet article (File-Level Antivirus Scanning on Exchange 2007).
While these restrictions may seem somewhat onerous, they are not unique to Exchange Server. There are also specific recommendations concerning antivirus and other types of servers:
- Domain Controllers, KB 822158 (Virus scanning recommendations for computers that are running Windows Server 2003, Windows 2000, or Windows XP)
- SQL Server, KB 309422 (Guidelines for choosing antivirus software to run on the computers that are running SQL Server)
- Clustered Servers, KB 250355 (Antivirus Software May Cause Problems with Cluster Services)
This is a common issue across the Microsoft product line.