How to Properly Configure File System Antivirus Software on Exchange Server


Recently, while preparing for my presentation on Exchange disaster recovery planning for a Microsoft conference, I did some statistics on the causes of Exchange server failures that I encountered in the last 2 years.


And I came up with quite a surprising result: Over 50% of all support incidents we had were caused by – antivirus software!!! To be precise: improperly configured file system antivirus software.


The information in this article is applicable to all versions of Exchange Server and all types of file system antivirus software. It discusses a situation where we have an Exchange server with both file system antivirus software and Exchange server antivirus software installed.


The first part of this article points to existing resources, in particular some Microsoft Knowledge Base articles, and the second part adds information based on my professional working experience.


What you need to do when configuring your file system antivirus software is to exclude several Exchange server and related items from being scanned. There are already some Microsoft Knowledge Base articles available on this subject:






Microsoft Knowledge Base Article – 328841
Exchange and antivirus software
http://support.microsoft.com/default.aspx?kbid=328841


Microsoft Knowledge Base Article – 823166
Overview of Exchange Server 2003 and antivirus software
http://support.microsoft.com/default.aspx?scid=kb;en-us;823166


In short, here is the list of what should be excluded from scanning:



  • The M: drive (Exchange 2000).
  • Exchange databases, logs and checkpoint files across all storage groups. By default, these are located in the Exchsrvr\Mdbdata folder.
  • Exchange MTA files in the Exchsrvr\Mtadata folder.
  • The Exchsrvr\server_name.log directory, which contains the message tracking logs.
  • The Exchsrvr\Mailroot virtual server folder.
  • The working folder that is used to store streaming temporary files used for message conversion. By default, this folder is located at \Exchsrvr\MDBData, but you can configure the location.
  • The temporary folder that is used for offline database maintenance with the Eseutil.exe and Isinteg utilities.
  • Site Replication Service (SRS) files in the Exchsrvr\Srsdata folder.
  • Microsoft Internet Information Services (IIS) system files in the %SystemRoot%\System32\Inetsrv folder.

Note that the list refers to the default file locations; in a production environment some of those elements, for example the database and log files, may be found in different locations.
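Because the real locations often differ from the defaults, it pays to check the configured exclusions against the actual Exchange paths rather than trusting memory. The following PowerShell script is an added example, not part of the original article: it compares a list of Exchange paths (constructed sample values, including two hypothetical relocated database and log folders) with the exclusion list of the file system antivirus and reports every Exchange path that would still be scanned.

```powershell
# Added example, not from the original article: audit a file system antivirus
# exclusion list against the Exchange paths that must not be scanned. Every path
# here is a constructed sample; replace them with the locations shown in the
# Storage Group and Store properties (log, .edb, .stm and checkpoint files).
# Folders that must be excluded: the article's defaults under an assumed
# install root, plus two hypothetical non-default database and log locations.
$ExchangePaths = @(
    'C:\Program Files\Exchsrvr\Mdbdata',
    'C:\Program Files\Exchsrvr\Mtadata',
    'C:\Program Files\Exchsrvr\Mailroot',
    'C:\Program Files\Exchsrvr\Srsdata',
    'C:\Program Files\Exchsrvr\SERVER01.log',   # hypothetical server_name.log folder
    'C:\WINDOWS\System32\Inetsrv',
    'D:\ExchDB\SG1',                            # hypothetical relocated databases
    'E:\ExchLogs\SG1'                           # hypothetical relocated transaction logs
)

# What the file system antivirus is currently configured to skip (constructed;
# mixed case and trailing backslashes on purpose, as admins tend to type them).
$ConfiguredExclusions = @(
    'C:\Program Files\Exchsrvr\Mdbdata\',
    'c:\program files\exchsrvr\mtadata',
    'C:\Program Files\Exchsrvr\Mailroot',
    'C:\WINDOWS\System32\Inetsrv'
)

function ConvertTo-ComparablePath {
    param([string]$Path)
    # Windows paths are case-insensitive; drop trailing backslashes as well.
    return $Path.TrimEnd('\').ToLowerInvariant()
}

function Test-PathExcluded {
    param([string]$Path, [string[]]$Exclusions)
    $p = ConvertTo-ComparablePath $Path
    foreach ($e in $Exclusions) {
        $n = ConvertTo-ComparablePath $e
        # Covered if identical to an exclusion or located underneath one.
        if ($p -eq $n -or $p.StartsWith($n + '\')) { return $true }
    }
    return $false
}

$missing = @($ExchangePaths | Where-Object { -not (Test-PathExcluded $_ $ConfiguredExclusions) })
if ($missing.Count -gt 0) {
    Write-Warning 'Exchange paths still scanned by the file system antivirus:'
    $missing | ForEach-Object { Write-Output "  $_" }
} else {
    Write-Output 'All Exchange paths are excluded from scanning.'
}
```

With the constructed lists above, the script reports the Srsdata, tracking log, D:\ExchDB\SG1 and E:\ExchLogs\SG1 folders as still scanned.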




Fig 1: You can find log file locations in the Exchange Server Manager in Storage Group properties…



Fig 2: …and the database locations (.edb and .stm files) in the Store properties


I believe that just by looking at the exclusion list above, you already have a picture of the potential problems you can run into. If you don’t configure the exclusions, you may run into one or more of the following problems:



  • File system antivirus software accesses your database through the M: drive letter as a file system and can “rip out” parts of the database, causing database damage and often a crash of your Exchange database. The M: drive should also be excluded from your backup software. Ideally, if you are not using the IFS (Installable File System) feature, you should disable the M: drive mapping. You can find how to disable the M: drive in Microsoft Knowledge Base Article 305145, How to remove the IFS mapping for Drive M in Exchange 2000 Server: http://support.microsoft.com/default.aspx?scid=kb;en-us;305145
  • Antivirus software can damage your database and log files, or even worse, quarantine or delete database, log or checkpoint files, which will cause loss of data and your Exchange server to crash.
  • Items “disappearing” from public folders and calendars.
  • “Disappearing” e-mail messages.
  • Problems with committing logs to the database.
  • Backup unable to remove log files after a full backup.
  • Slow local and remote delivery.
  • Damage to your IIS server files (most often metabase.bin), causing failures of various Exchange-related services: WWW, SMTP, POP3, IMAP, etc.

One thing you will not find in the previously mentioned Microsoft articles is that you also must exclude:



The temporary folder of the Exchange server antivirus software.


If you don’t exclude the temporary folder of the Exchange server antivirus software, the following scenario happens:


A virus arrives at the Exchange server and the Exchange antivirus starts to process the data. However, the file system antivirus will also spot the infected material in the temporary files of the Exchange antivirus and delete or quarantine those temporary files.


The Exchange server antivirus will of course crash, and sometimes it even causes the Microsoft Exchange Information Store service to crash as well.


Some Exchange antivirus products, for example Sophos MailMonitor prior to version 1.7, were unable to recover from such a situation and you had to reinstall them.


Other Exchange server antivirus products, for example Symantec Mail Security, are able to recover automatically from such a situation, but until you make the necessary exclusion in the file system antivirus the crash is very likely to repeat, and in the event log you will see events similar to this:



Event Type:       Warning
Event Source:    Symantec Mail Security for Microsoft Exchange
Event Category: Service
Event ID:           168
Date:                30.8.2004
Time:                11:28:07
User:                N/A
Computer:         MASMG
Description:
The process SAVFMSESp.exe was restarted.


An Exchange server antivirus that is down (even for only a few seconds) will of course produce other problems: your Exchange server becomes unprotected and can be damaged by worms and viruses.


A typical example is a worm damaging the metabase.bin file, which is a kind of “registry” for IIS. This causes a serial crash of IIS Admin and its dependent services: IMAP, NNTP, MS Exchange Routing Engine, and SMTP.


Your Event log will contain entries similar to these:



Event Type:       Error
Event Source:    Service Control Manager
Event Category: None
Event ID:           7031
Date:                31.8.2004
Time:                15:42:10
User:                N/A
Computer:         MASMG
Description:
The IIS Admin Service service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 1 milliseconds: Run the configured recovery program.


Event Type:       Error
Event Source:    Service Control Manager
Event Category: None
Event ID:           7034
Date:                31.8.2004
Time:                15:42:10
User:                N/A
Computer:         MASMG
Description:
The Microsoft Exchange IMAP4 service terminated unexpectedly.  It has done this 1 time(s).


Event Type:       Error
Event Source:    Service Control Manager
Event Category: None
Event ID:           7034
Date:                31.8.2004
Time:                15:42:10
User:                N/A
Computer:         MASMG
Description:
The Network News Transfer Protocol (NNTP) service terminated unexpectedly.  It has done this 1 time(s).


Event Type:       Error
Event Source:    Service Control Manager
Event Category: None
Event ID:           7034
Date:                31.8.2004
Time:                15:42:10
User:                N/A
Computer:         MASMG
Description:
The Microsoft Exchange Routing Engine service terminated unexpectedly.  It has done this 1 time(s).


Event Type:       Error
Event Source:    Service Control Manager
Event Category: None
Event ID:           7034
Date:                31.8.2004
Time:                15:42:10
User:                N/A
Computer:         MASMG
Description:
The Simple Mail Transfer Protocol (SMTP) service terminated unexpectedly.  It has done this 1 time(s).


Also, if you telnet to port 25 (SMTP) you will notice that the Exchange extended command verbs are missing (see screenshots below), and you will most probably experience problems in message delivery.




Fig 3: Normal response



Fig 4: Response of a damaged SMTP service
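The telnet check above can be scripted so it runs as a routine health check. The following PowerShell function is an added example and not part of the original article: it connects to the SMTP virtual server, sends EHLO, collects the advertised keywords and reports which of the Exchange-specific verbs are missing. The server name and HELO name are placeholders; the list of expected verbs is the set an Exchange 2000/2003 SMTP virtual server normally advertises and should be confirmed against a known-good server of your own.

```powershell
# Added example, not from the original article: the telnet-to-port-25 check in
# script form. Connects to an SMTP virtual server, sends EHLO and reports which
# Exchange-specific extension verbs are missing from the response.
# Server name and HELO name are placeholders to replace.

function Get-EhloKeywords {
    param([string]$Server, [int]$Port = 25, [string]$HeloName = 'monitor.example.local')
    $client = New-Object System.Net.Sockets.TcpClient
    $client.ReceiveTimeout = 10000
    $client.Connect($Server, $Port)
    $stream = $client.GetStream()
    $reader = New-Object System.IO.StreamReader($stream)
    $writer = New-Object System.IO.StreamWriter($stream)
    $writer.NewLine = "`r`n"       # SMTP lines end in CRLF
    $writer.AutoFlush = $true
    $null = $reader.ReadLine()     # discard the 220 greeting banner
    $writer.WriteLine("EHLO $HeloName")
    $keywords = @()
    while ($null -ne ($line = $reader.ReadLine())) {
        # Continuation lines look like "250-KEYWORD ..."; the final one is "250 OK".
        if ($line.Length -ge 4) { $keywords += $line.Substring(4).Split(' ')[0] }
        if ($line.Length -lt 4 -or $line.Substring(3, 1) -ne '-') { break }
    }
    $writer.WriteLine('QUIT')
    $client.Close()
    return $keywords
}

# Verbs an Exchange 2000/2003 SMTP virtual server normally advertises in EHLO;
# compare against a known-good server of your own (Fig 3) before relying on this list.
$ExpectedExchangeVerbs = @('X-EXPS', 'X-LINK2STATE', 'XEXCH50')

$advertised = Get-EhloKeywords -Server 'EXCH01.example.local'   # placeholder host name
$missing = @($ExpectedExchangeVerbs | Where-Object { $advertised -notcontains $_ })
if ($missing.Count -gt 0) {
    Write-Warning "SMTP service answers but Exchange verbs are missing: $($missing -join ', ')"
} else {
    Write-Output 'EHLO response advertises all expected Exchange verbs.'
}
```

A service that answers on port 25 but drops these verbs is the damaged state shown in Fig 4; a connection refusal instead points at the SMTP service itself being down.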


If you were unfortunate enough to run into a situation like this, the only way to repair it is to restore the System State data from backup, or to reinstall the server if you don’t have a backup.
