Wednesday, October 20, 2004

File based Antivirus scanners and Exchange ...

Hmmm.... after all these years working with Exchange I thought that everyone knew how to configure file-level antivirus scanners on an Exchange Server - but this apparently isn't the case (my gut feeling tells me that I'd prefer not to install a file-level on-access scanner on an Exchange server at all - but multi-purpose servers and other security measures often make it a requirement).
I've just finished recovering an SBS 2003 Exchange installation from the results of an antivirus scanner which found a variant of Netsky in the E00.log file (the "working" transaction log file in use by Exchange, which is renamed to Exxxxxxx.log when it reaches 5.120 KB) and deleted it - resulting in a dirty shutdown and a -1811 error from Exchange which prevents mounting the Store.
The person who installed it had excluded the directories containing the .EDB files but had forgotten to exclude the directory where the log files reside - so when you configure this, remember that the Exchange Stores and their log files can be placed in many different directories, and also remember to exclude the SRS folder.
To make things worse, the antivirus client was configured to delete files instead of quarantining them (so I wasn't able to recover the file) and the customer's last backup was more than 5 days old. So I had to do a full repair of the databases (luckily there wasn't any serious corruption - it was primarily inconsistencies due to the dirty shutdown and the missing log file).
This time I used the dial tone restore method, which starts by creating a blank database so all the users get access to e-mail (sending and receiving new mail, not old e-mail or public folders), while I had the time to repair the old Information Stores and mount them in an RSG (Recovery Storage Group) for testing. After this I switched the dial tone Mailbox Store and the now repaired Mailbox Store around between the Storage Groups and ran Exmerge (the purpose of switching databases is that you retain all Outlook rules etc. and just have to Exmerge the content of the smaller dial tone Store into the older/repaired Store).
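The two configuration mistakes above (the log directory left out of the exclusions, and "delete" instead of "quarantine" as the on-detect action) are both things you can check before a scanner ever touches a live server. The script below is an added example and not code from the original post: it takes a description of where a server's Exchange stores, transaction logs, checkpoint files and SRS folder live, plus the scanner's exclusion list, and reports every Exchange path the exclusions do not cover. The paths and the scanner settings in it are constructed for the example (in real use you would read the database and log locations off each Storage Group and Store in Exchange System Manager, since every one of them can point to a different directory).

```python
"""Audit a file-level antivirus configuration against an Exchange server's
database, transaction-log and SRS locations (added example, not from the post).

The layout and scanner settings below are constructed to mirror the scenario
in the post: the .edb folder is excluded, the log folder is not, and the
scanner deletes rather than quarantines.
"""
import ntpath  # Windows path semantics regardless of the platform this runs on
from typing import Dict, List, Tuple


def _norm_dir(path: str) -> str:
    """Normalise a Windows directory for prefix comparison: case-insensitive,
    backslashes only, exactly one trailing backslash."""
    d = ntpath.normcase(ntpath.normpath(path))
    return d if d.endswith("\\") else d + "\\"


def is_excluded(path: str, exclusions: List[str]) -> bool:
    """True if `path` (a file or a directory) is equal to or lies under one of
    the excluded directories.  The trailing backslash on the exclusion stops
    D:\\ExchData from matching D:\\ExchData2."""
    target = ntpath.normcase(ntpath.normpath(path)) + "\\"
    return any(target.startswith(_norm_dir(d)) for d in exclusions)


def exchange_paths(layout: Dict) -> List[Tuple[str, str]]:
    """Every location a file-level scanner must leave alone, as (label, path).

    Per Storage Group: the active log (E00.log) in the log directory, the
    checkpoint file (E00.chk) in the system directory, and each store's
    .edb and .stm files.  Plus the SRS folder for the whole server.
    """
    paths = []
    for sg in layout["storage_groups"]:
        prefix = sg.get("log_prefix", "E00")
        paths.append((f"{sg['name']}: transaction logs",
                      ntpath.join(sg["log_path"], prefix + ".log")))
        paths.append((f"{sg['name']}: checkpoint file",
                      ntpath.join(sg["system_path"], prefix + ".chk")))
        for db in sg["databases"]:
            paths.append((f"{sg['name']}: database", db["edb"]))
            paths.append((f"{sg['name']}: streaming file", db["stm"]))
    paths.append(("SRS folder", layout["srs_path"]))
    return paths


def audit_av_config(layout: Dict, av_config: Dict) -> Dict:
    """Return the Exchange paths not covered by the scanner's exclusions and
    a warning if the on-detect action is anything other than quarantine."""
    exclusions = av_config.get("exclusions", [])
    uncovered = [(label, p) for label, p in exchange_paths(layout)
                 if not is_excluded(p, exclusions)]
    warnings = []
    if av_config.get("on_detect", "").lower() != "quarantine":
        warnings.append("on_detect is %r: a false positive in a log or store "
                        "file is unrecoverable unless files are quarantined"
                        % av_config.get("on_detect"))
    return {"uncovered": uncovered, "warnings": warnings}


# Constructed sample server layout (hypothetical paths, not a real server).
SAMPLE_LAYOUT = {
    "storage_groups": [
        {
            "name": "First Storage Group",
            "log_path": r"D:\ExchLogs",      # E00.log, E00xxxxx.log live here
            "system_path": r"D:\ExchLogs",   # E00.chk lives here
            "databases": [
                {"edb": r"E:\ExchData\priv1.edb", "stm": r"E:\ExchData\priv1.stm"},
                {"edb": r"E:\ExchData\pub1.edb", "stm": r"E:\ExchData\pub1.stm"},
            ],
        }
    ],
    "srs_path": r"C:\Program Files\Exchsrvr\srsdata",
}

# Constructed scanner settings reproducing the mistakes in the post.
SAMPLE_AV_CONFIG = {
    "exclusions": [r"E:\ExchData"],  # only the .edb folder was excluded
    "on_detect": "delete",           # should be "quarantine"
}

if __name__ == "__main__":
    result = audit_av_config(SAMPLE_LAYOUT, SAMPLE_AV_CONFIG)
    for label, path in result["uncovered"]:
        print(f"NOT EXCLUDED  {label:40s} {path}")
    for w in result["warnings"]:
        print("WARNING", w)
```

Run against the sample configuration it lists the log directory (E00.log and E00.chk) and the SRS folder as unprotected and warns about the delete action; adding `D:\ExchLogs` and the srsdata folder to the exclusions and switching the action to quarantine makes the audit come back clean.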
Check this page for 4 security best practices for Exchange - including info and links to articles on configuration of filebased antivirus scanners and what to do when everything has gone wrong.
