Alert: Exchange Server 5.5 Virus Scanning API 1.0

From: Russ <Russ.Cooper@RC.ON.CA>
Date: Mon, 10 Dec 2001 10:38:53 -0500
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM

No real news for some, but the recent waves of mass mailers have once again
demonstrated how Exchange Server 5.5 plus an Anti-Virus product may not do
an effective job at handling mass mailers. But don't blame your Anti-Virus
vendor, the problem comes when the Exchange Server 5.5 is put under load.
How much load? Nobody seems to be able to say for sure. However, when under
sufficient load Exchange Server 5.5 will simply not notify the AV product
there's a message to scan, and instead pass it through to the recipient.

Prior to Exchange Server 5.5 SP3, AV vendors used MAPI-based scanning.
However, Microsoft's KB article Q263949 says:

http://support.microsoft.com/default.aspx?scid=kb;en-us;Q263949

"If you select MAPI-based scanning, be aware that the vendor's software may
not scan all attachments because first and exclusive access is not
guaranteed."

SP3 introduced the Virus Scanning API 1.0, and many vendors provided support
for it because it was more reliable. But Microsoft have acknowledged that
even VSAPI 1.0 can't always handle the load of an internal infection, and
rather than losing messages, sends them through without notifying the AV
product.

Exchange Server 2000 SP1, with its VSAPI 2.0, says:

http://support.microsoft.com/default.aspx?scid=kb;EN-US;Q285667

"The enhancements to the virus scanning API that are included in Exchange
2000 Server SP1 represent the next step in the evolution of the commitment
that Microsoft has made to protecting customer investment. These new
features, known as virus scanning API 2.0, fulfill many of the shortcomings
of virus scanning API 1.0."

You gotta love it, "the next step in the evolution of the commitment"...;-]
So the commitment is evolving to, presumably eventually, actually let
customers protect themselves...but we're not there yet.

AV Vendors are strongly urging their customers to switch to Exchange Server
2000.

Microsoft say they have no plans to make VSAPI 2.0 available for Exchange
Server 5.5, so to get secure, upgrade.

The number of times customers have actually been bitten by this problem is
unknown; suffice it to say it doesn't happen often. Reports I've received
indicate that the load required to make Exchange Server 5.5 start missing
infected messages (or messages whose attachments should have been stripped)
comes about as a result of one, or more, mass-mailers active in your internal
network.

For example, someone uses a web-based mail service and opens an
email/attachment that invokes a mass-mailer. Once the mass-mailer starts
bombing the Exchange Server 5.5, depending on the hardware, it can then get
to a point where the load is great enough to cause it to miss inbound
messages.

Using the Outlook Email Security Update or Outlook 2002, both of which
prevent mass-mailers from programmatically accessing the Exchange Addresses,
can help to prevent infections that occur outside of the normal AV path.
Using client-side AV products can also help.

Consider also putting a second network adapter on your Exchange Server(s).
If internal clients connect to one adapter, and the infrastructure to the
other, you can more easily disconnect your clients from the Exchange Server
should you detect it's under load. Minimizing what your Exchange Server is
doing also helps: size it appropriately and don't use it for anything else.
Consider also putting your AV product on its own box.

Cheers,
Russ - Surgeon General of TruSecure Corporation/NTBugtraq Editor
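Because the failure mode described above is fail-open (a message the AV product never saw is delivered anyway), the practical check is to audit delivered mail for attachments that carry no evidence of having been scanned. The following is an added example, not code from the post or from any AV vendor. It assumes the AV product stamps each message it scans with an "X-Virus-Scanned" header and that local policy wants executable attachment types stripped; both are placeholders for whatever your own gateway does, and the three sample messages are constructed for the example.

```python
"""Audit delivered mail for attachments that bypassed the AV scanner.

Added example, not code from the NTBugtraq post or from any vendor.
Assumptions (placeholders, not from the post):
  * the AV product stamps every message it scanned with an
    'X-Virus-Scanned' header (real products use their own header names);
  * local policy says executable attachment types should have been
    stripped before delivery.
The sample messages below are constructed for the example.
"""
import email
from email import policy

SCAN_HEADER = "X-Virus-Scanned"                              # assumed stamp name
STRIP_EXTENSIONS = {".exe", ".vbs", ".scr", ".pif", ".bat"}  # assumed policy


def attachment_names(msg):
    """Return the file names of all attachment parts in a parsed message."""
    names = []
    for part in msg.walk():
        if part.is_multipart():
            continue                       # containers carry no payload
        fname = part.get_filename()
        if fname or part.get_content_disposition() == "attachment":
            names.append(fname or "(unnamed)")
    return names


def audit_message(raw):
    """Flag a message that has attachments but no scan stamp, and any
    attachment whose extension should have been stripped by policy."""
    msg = email.message_from_string(raw, policy=policy.default)
    names = attachment_names(msg)
    scanned = msg[SCAN_HEADER] is not None
    findings = []
    if names and not scanned:
        findings.append("unscanned-attachment")
    for name in names:
        ext = ("." + name.rsplit(".", 1)[-1].lower()) if "." in name else ""
        if ext in STRIP_EXTENSIONS:
            findings.append("should-have-been-stripped:" + name)
    return {"attachments": names, "scanned": scanned, "findings": findings}


def audit_mailbox(raw_messages):
    """Return the audit result for every message that has at least one finding."""
    results = [audit_message(raw) for raw in raw_messages]
    return [r for r in results if r["findings"]]


# Constructed sample messages: clean text, a scanned PDF, and an executable
# that reached the mailbox with no scan stamp at all.
SAMPLE_CLEAN = """\
From: a@example.com
To: b@example.com
Subject: status
X-Virus-Scanned: ok
MIME-Version: 1.0
Content-Type: text/plain

All quiet.
"""

SAMPLE_SCANNED = """\
From: a@example.com
To: b@example.com
Subject: report
X-Virus-Scanned: ok
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="B1"

--B1
Content-Type: text/plain

See attached.
--B1
Content-Type: application/pdf; name="report.pdf"
Content-Disposition: attachment; filename="report.pdf"

%PDF-1.4 (truncated sample)
--B1--
"""

SAMPLE_BYPASSED = """\
From: a@example.com
To: b@example.com
Subject: fun
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="B2"

--B2
Content-Type: text/plain

Check this out!
--B2
Content-Type: application/octet-stream; name="readme.txt.scr"
Content-Disposition: attachment; filename="readme.txt.scr"
Content-Transfer-Encoding: base64

TVo=
--B2--
"""

if __name__ == "__main__":
    for r in audit_mailbox([SAMPLE_CLEAN, SAMPLE_SCANNED, SAMPLE_BYPASSED]):
        print(r)
```

Run periodically against a sample of delivered mail (or against the store after a mass-mailer incident); any hit on "unscanned-attachment" is direct evidence that the server passed mail through without handing it to the scanner, which is the condition the post describes.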
