Successful Policies for Exchange Administration (Part 3)
by Jason Haifley
As an administrator, the policies you set on your Exchange
system are key to keeping things manageable. Several areas
where you need to have clearly defined policies are: size
limits, distribution list structure, public folder structure
and virus protection. If you are lucky, this was already
accomplished before the system grew too large. If you are not
so lucky, you have a nice mess to clean up before you can call
your system organized. This is the last part in a three part
series and will be dealing with a very important topic: virus
protection.

Before I begin, let me tell you a true story. It is 2am on
a Monday morning and I am happily asleep. Then the thing that
all administrators dread, the pager starts chirping. I
groggily pick it up only to find a text message from our night
shift NOC operator stating that he loved me. Now, as our NOC
operator was an old beefy guy, I needed to decide what was
worse, receiving his declaration of love or the realization
that my system had been hit with a virus. You would think that
my story would end there, but no, it was just the beginning.
After showing up to work at 2:45am, I realize that everyone in
our entire GAL has been sent a copy of this virus, including
all of our clients. The "I Love You" virus was brand new and
no update was available from any anti-virus vendor yet. Now
there is a utility with Exchange called ISSCAN.EXE whose use
is detailed in Microsoft's knowledge base article Q224493.
It is a nifty utility that can strip a message of its
attachment based on set criteria.
So, like the good admin I am, I proceeded to remove the
offending attachment from the entire information store. I sent
an urgent message to the Staff - All alias informing them of
the virus and letting them know not to open it should we
receive any more. Then I went home to try and get an hour more
of sleep. Of course that didn't happen as the users clicked on
the virus anyway. All through the next day the system went up
and down and up and down as I had to clean the boxes out. I
tried everything possible to keep users from clicking. I
posted big signs on all entrances and exits. I was ready to
invoke lashings! Needless to say, by the time I had updates for
the virus scanners, I had a lot of egg on my face.

The message of that rather long story is that just having a
virus scanner is not enough. You need to have it setup
correctly and more importantly, you need to have your users
"virus aware". You are halfway there if your users know about
attachment safety. Teach your users about clicking on
attachments and make sure they understand that just because
the message is from someone they know, that alone does not
make it safe.

Let me state that you need a virus scanner for your
Exchange system. I don't care if everyone's desktop and all
the file servers run a scanner, you need one specifically
designed for Exchange, no ifs, ands, or buts about it! When
you select your virus scanner, there are a few features that I
believe are important. The first thing to look at is what kind
of scanning API the product supports. Microsoft now supports two
APIs, the antivirus API and MAPI. The antivirus API is the newer
of the two and offers several advantages.
First, the antivirus API is a lot faster. It can scan many
more attachments in a given time. This is important if your
system is being barraged by a virus. Also, attachments are
guaranteed to be scanned before being delivered. That was a
problem with MAPI because if the scanner couldn't keep up, the
message would be delivered without being scanned, with the
hope it would catch up later. A disadvantage to the antivirus
API is that it won't tell you the sender or receiver if the
API does find a virus. Depending on your software, you can
quarantine the attachment/message, delete it or clean it, but
as an administrator, you won't know where it came from. When
choosing a scanner, I recommend one that gives you the option
of both APIs. There are also some third party APIs, but I have
not dealt with them.

After the "I love you" incident, my principal requirement
for selecting a virus scanner was the ability to selectively
block attachments based on file name or type. This is now a
key element in keeping my servers virus free. There are always
going to be new viruses and until you get an updated virus
definition, you are at risk. By blocking file types that can
spread viruses, you give yourself a much wider margin of
security. Unfortunately this comes at an expense to
convenience for the users. For example, I block all script
file types and all executables. They first go into quarantine
in case the file is needed by the user and then later they are
deleted.
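As an added example (not code from the article or from any scanner product), the attachment-blocking policy just described, expressed as a small Python check: scripts and executables are quarantined on the final file extension, everything else is delivered, quarantined files expire after a retention period, and an outbreak rule of the kind the article lists later among scanner features fires when too many blocked attachments arrive in one time window. The extension list, the 14-day retention period and the thresholds are assumptions chosen for the demonstration.

```python
# Added example, not from the article: an explicit attachment-blocking policy.
# Extension list, retention period and outbreak thresholds are assumptions.
from dataclasses import dataclass
from datetime import datetime, timedelta

# Script and executable types the policy blocks (assumed list).
BLOCKED_EXTENSIONS = frozenset({
    "exe", "com", "bat", "cmd", "pif", "scr",          # executables
    "vbs", "vbe", "js", "jse", "wsf", "wsh", "shs",    # script files
})
QUARANTINE_DAYS = 14  # assumed: hold blocked files this long, then delete

@dataclass
class Decision:
    action: str   # "deliver" or "quarantine"
    reason: str

def final_extension(filename: str) -> str:
    """Last extension, lower-cased, ignoring trailing dots and spaces.
    Only the final extension counts: 'report.txt.vbs' is a script."""
    name = filename.strip().rstrip(". ").lower()
    if "." not in name:
        return ""
    return name.rsplit(".", 1)[1]

def evaluate_attachment(filename: str) -> Decision:
    """Scripts and executables go to quarantine; documents and archives
    such as .zip are delivered (the article's policy, not a full scanner)."""
    ext = final_extension(filename)
    if ext in BLOCKED_EXTENSIONS:
        return Decision("quarantine", f"blocked type .{ext}")
    return Decision("deliver", f"allowed type .{ext}" if ext else "no extension")

def quarantine_expired(quarantined_at: datetime, now: datetime) -> bool:
    """True once a quarantined file has outlived its retention period."""
    return now - quarantined_at >= timedelta(days=QUARANTINE_DAYS)

def outbreak_triggered(seen_at: list, window: timedelta, threshold: int) -> bool:
    """Outbreak rule: True if `threshold` or more blocked attachments were
    seen within any span of length `window` (sliding window over times)."""
    times = sorted(seen_at)
    start = 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        if end - start + 1 >= threshold:
            return True
    return False
```

Note that the outbreak rule only decides that a threshold was crossed; what action follows (alerting, stopping a connector) is the administrator's policy.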
Now in most organizations, sending executables and scripts
is usually not required for work. Most documents are
documents and the executables can be zipped to pass through. I
find most of what my systems block are "non-work" files,
jokes and the like. It is not worth the downtime to allow
these to pass through. I find that you can screen out about
90% of the viruses by an effective attachment blocking policy.
There is a security patch for Outlook that will also limit the
attachments that the users can open. Although it can be
restrictive, it may be worth it to prevent infection. Your
users all have desktop scanners on their computers, right?
That is another way to prevent infection.

Some other features to look for are automatic definition
updates (a definition is a file that tells the scanner what a
virus looks like), scheduled scanning of the information
store, and, depending on the size of the organization, a
well-defined alert function to let the administrators know
when viruses are found. Some of the better scanners even allow
you to set rules to prevent possible outbreaks, such as a
certain number of attachments or attachment types being sent
in a given period of time. You can then have the scanner
automatically perform an action, such as shutting down your
IMCs until you can contain an outbreak.

Another thing to do is to make sure your virus definitions
are up-to-date. Most scanners now have auto-update functions,
but they do not always work. I recommend updating at least
once a week and manually checking to make sure the updates are
being applied.

So, to summarize, you absolutely need an effective virus
scanning solution. By correctly setting it up and implementing
policies such as attachment blocking and regular information
store scans, you can prevent downtime and embarrassment caused
by an outbreak. Virus scanning is a multi-tiered effort that
starts at the user level and goes up to the server level. By
making sure all levels of your virus protection strategy are
being used, you can keep your systems humming along as they
should.

This was the last of a three part series on setting
policies to manage your Exchange system. You can see the first
two parts here: Successful Policies for Exchange Administration
(Part 2: Distribution Lists and Public Folders)
Successful Policies for Exchange Administration (Part 1: Size Limits)
