Antivirus solutions are an important part of most business networks. The criminals who write and release viruses are increasingly prolific and clever at distributing their "products." Their industriousness and skill argues in favor of keeping antivirus scanners at your network perimeter, on your desktop machines, and on your Exchange Server systems. However, the cure might sometimes be worse than the disease. I've noticed a worrisome trend: Many Exchange administrators are having trouble with their server-based antivirus products, usually because of two simple problems that can easily be corrected.
The first problem is that in some cases, antivirus scanners cause email to stop flowing to users. The precise cause of this problem can be difficult to isolate, but the symptoms are unmistakable: Users stop getting new email from the outside world. Stopping and restarting the scanning service will sometimes resolve the problem. Depending on the antivirus product you use, you might be able to use its management tool to pinpoint the problem, or you can use Exchange System Manager's (ESM's) queue-viewing tools to determine whether mail from particular origins is arriving at your Exchange servers normally. You'll probably find that the problem is caused by your antivirus software's failure to keep up under load, or by its behavior when it encounters a particular type of malformed (or poorly formed) message. If disabling the antivirus service solves the problem or if you can localize the problem to a single message, you've found an extremely valuable clue as to the cause of the issue. Also, stoppage might be because your perimeter SMTP scanner has stopped accepting mail or has fallen behind in its scanning. Exchange-aware scanners that use the Virus Scanning API (VSAPI--see "You Had Me At EHLO" at http://blogs.msdn.com/exchange/archive/2004/10/20/245157.aspx for a description) typically perform on-demand scans that aren't subject to this problem.
The second problem is both more serious and easier to avoid. For years, the understood best practice has been to avoid running file-level antivirus scanners on Exchange servers. Why? Because those scanners look at patterns of data within individual files, quarantining or "cleaning" files that contain patterns that match virus signatures. Guess what happens if your scanner quarantines an Exchange database file? Nothing good, that's for sure:
- If the EDB or STM file is quarantined, Exchange won't be able to mount the Store. If the file is quarantined while still opened by Exchange, the results are unpredictable but will frequently include -1018 errors. The Microsoft article "Error events are logged when the Exchange Server database service is denied write access to its own .edb files or to the .chk file" ( http://support.microsoft.com/?kbid=253111 ) provides details about this particular type of misbehavior.
- If a transaction log file is quarantined, Exchange will notice the missing file when you next try to mount that Store, and the database won't mount.
- If the checkpoint log file is quarantined, the database won't be mountable, and you might notice other problems (including -1811 errors). The Microsoft articles "Error events are logged when the Exchange Server database service is denied write access to its own .edb files or to the .chk file" and "XADM: Database Won't Start; Circular Logging Deleted Log File Too Soon" ( http://support.microsoft.com/?kbid=176239 ) describe typical results of this situation.
If you run into one of these situations, your only option to get the file back is to release it from quarantine, restore it from a backup, or recreate the database by playing back your log files.
Microsoft recommends against using file-level scanners on Exchange databases, log files, Message Transfer Agent (MTA) files, and SMTP queues (see the Microsoft articles "Overview of Exchange Server 2003 and antivirus software" at http://support.microsoft.com/?kbid=823166 or "Exchange and antivirus software" at http://support.microsoft.com/?kbid=328841). Many experienced administrators know this advice, but more than a few do not. As part of your job-security program, please make sure the folks you work with are in the former category.
One last note about virus cleaning: Don't assume that an infected machine is OK just because you used an antivirus tool to clean it. Such cleaning can get rid of simple infections such as those caused by Blaster, but sophisticated malware can pass through cleaning. Serious infections might require you to flatten and rebuild the machine.