Microsoft KB Archive/245822

= Recommendations for troubleshooting an Exchange Server computer with antivirus software installed =

Article ID: 245822

Article Last Modified on 10/25/2007


APPLIES TO


 * Microsoft Exchange Server 4.0 Standard Edition
 * Microsoft Exchange Server 5.0 Standard Edition
 * Microsoft Exchange Server 5.5 Standard Edition
 * Microsoft Exchange 2000 Server Standard Edition
 * Microsoft Exchange Server 2003 Standard Edition
 * Microsoft Exchange Server 2003 Enterprise Edition




This article was previously published under Q245822



Important: This article contains information that shows you how to lower security settings or turn off security features on a computer. You can make these changes to work around a specific problem. Before you make these changes, we recommend that you evaluate the risks that are associated with implementing this workaround in your particular environment. If you implement this workaround, take any appropriate additional steps to help protect your system.

Warning: This workaround may make your computer or your network more vulnerable to attack by malicious users or by malicious software such as viruses. We do not recommend this workaround but are providing this information so that you can implement this workaround at your own discretion. Use this workaround at your own risk.

Note: An antivirus program is designed to help protect your computer from viruses. You must not download or open files from sources that you do not trust, visit Web sites that you do not trust, or open e-mail attachments when your antivirus program is disabled.

For additional information about computer viruses, click the following article number to view the article in the Microsoft Knowledge Base:

129972 Computer viruses: description, prevention, and recovery



== SUMMARY ==
This article gives recommendations for troubleshooting issues on Microsoft Exchange Server computers that have antivirus software installed.



== File-Based Antivirus Software ==
You can install file-based scanning antivirus software on an Exchange computer. However, never run scanning against the program and database files of an Exchange computer.

In addition, never run scanning against the Installable File System (IFS) drive (drive M) of an Exchange 2000 server. If you do so, you might receive false reports of a virus and you might damage Exchange 2000 databases when you attempt to disinfect the file.

In Exchange 2000, drive M is a convenient label for the Exchange IFS. The Exchange IFS enables you to view and use the Exchange information store as a file system.

NOTE: Drive M can use a letter other than M. This drive is generally referred to as drive M; however, if the letter M is already being used, this drive uses another drive letter. For additional information about issues that are caused by antivirus scanning of drive M, click the following article number to view the article in the Microsoft Knowledge Base:

299046 Calendar items disappear from user's folders

In some situations, you may experience additional issues with the Exchange IFS. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

305145 How to remove the IFS mapping for drive M in Exchange 2000 Server

If you need to run a file-based virus scanner on an Exchange computer, remove the Exchange-specific files and folders from the scheduled scans and real-time scanning. File-based scanning of Exchange 2000 executable files is supported.

IMPORTANT: Never run file-based scanning software against Exchange databases, logs, temporary files, the IIS system files, or the IFS drive (drive M). Configure antivirus software to avoid scanning the folders that contain these files.

You can run file-based antivirus software against the operating system of the Exchange computer and against Exchange program files (the Exchsrvr\Bin folder), but never run file-based antivirus software against files in the following folders:
 * Exchange databases and log files.
 * Exchange .mta files (default location: \Exchsrvr\Mtadata).
 * Exchange message tracking log files (default location: \Exchsrvr\ .log).
 * Virtual server folders (default location: \Exchsrvr\Mailroot).
 * Site Replication Service (SRS) files (default location: \Exchsrvr\Srsdata).
 * Internet Information Service (IIS) system files (default location: \%SystemRoot%\System32\Inetsrv).
 * Internet Mail Connector files (default location: \Exchsrvr\IMCData).
 * The working folder that is used to store streaming temporary files that are used for message conversion. By default, this working folder is located at \Exchsrvr\MDBData.
 * A temporary folder that is used in conjunction with offline maintenance utilities such as Eseutil.exe. By default, this folder is the location that you run the .exe files from, but you can configure this when you run the utility.

You can run file-based scanning against the following folders:
 * Exchsrvr\Address
 * Exchsrvr\Bin
 * Exchsrvr\Exchweb
 * Exchsrvr\Res
 * Exchsrvr\Schema

Temporarily disable file-based scanning software during operating system and Exchange upgrades; this includes upgrading to new versions of Exchange or the operating system, and applying any Exchange or operating system fixes or service packs.

When you upgrade an Exchange or operating system product, or apply a service pack or fix, it is standard procedure to stop and disable all of the third-party services, hardware vendor and operating system monitors, and any agents or Exchange monitors before you perform the update or upgrade. Also stop and disable any performance monitors, any Microsoft or third-party backup programs, and Microsoft Simple Network Management Protocol (SNMP). Then restart the Exchange computer before you apply the upgrade or fix. This procedure prevents files that the update process needs to access from being locked.

IMPORTANT: This procedure also includes stopping and disabling any antivirus programs (including file-based scanning antivirus software) before you upgrade any version of Exchange or the operating system and before you apply any Exchange or operating system service pack or fix.

== Exchange Information Store Scanning Software ==
Microsoft provides application programming interfaces (APIs) that give other manufacturers the ability to write antivirus programs that scan the information store. If this type of software is running on your Exchange computer and you are experiencing issues, research the issues and follow normal troubleshooting procedures. If these procedures do not resolve the issue, temporarily disable or remove the antivirus software to determine whether it is contributing to the issue. If the antivirus software is not contributing to the issue, you can re-enable the antivirus software.

If the issue stops occurring after you disable or remove the antivirus software, contact the manufacturer of the antivirus software for the most recent update. If the most recent update of the software does not resolve the issue, continue working with the antivirus software manufacturer and Microsoft to pursue a resolution to the issue.

For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

241855 Information Store does not start with event ID 145

The third-party products that are discussed in this article are manufactured by companies that are independent of Microsoft. Microsoft makes no warranty, implied or otherwise, regarding the performance or reliability of these products.

Exclude the folder that contains the checkpoint (.chk) files from file-based scanners.

NOTE: Even if you move the Exchange databases and log files to new locations, and you exclude those folders, the .chk file may still be scanned. For more information about what may occur if the .chk file is scanned, click the following article number to view the article in the Microsoft Knowledge Base:

253111 Event: Unable to write a shadowed header for file

176239 Database won't start; circular logging deleted log file too soon
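
The folder lists and the checkpoint (.chk) note above can be turned into a check on a file-based scanner's exclusion list. The following is an added example, not Microsoft code: it reports required folders that no exclusion covers and exclusions that also hide a folder the article says may be scanned. All drive letters, paths and function names are constructed assumptions; locations that vary per server (including the message tracking log folder, whose default path is incomplete above) are passed in by the caller.

```python
from pathlib import PureWindowsPath as WinPath

# Folders under the Exchange install root that the article says never to scan.
NEVER_SCAN = ["Mtadata", "Mailroot", "Srsdata", "IMCData", "MDBData"]
# Folders under the install root that the article says may be scanned.
MAY_SCAN = ["Address", "Bin", "Exchweb", "Res", "Schema"]


def covers(exclusion, target):
    """True if excluding `exclusion` also excludes `target` (case-insensitive)."""
    e, t = WinPath(exclusion), WinPath(target)
    return e == t or e in t.parents


def audit(root, site, exclusions):
    """Compare a scanner's exclusion list with the article's guidance.

    root: Exchange install folder; site: {label: path} for locations that vary
    per server (databases, logs, checkpoint, IFS drive, IIS system files).
    Returns (missing, overbroad): required paths no exclusion covers, and
    exclusions that also hide a folder the article says may be scanned.
    """
    required = {name: str(WinPath(root) / name) for name in NEVER_SCAN}
    required.update(site)
    missing = {label: path for label, path in required.items()
               if not any(covers(x, path) for x in exclusions)}
    scannable = [WinPath(root) / name for name in MAY_SCAN]
    overbroad = [x for x in exclusions if any(covers(x, s) for s in scannable)]
    return missing, overbroad


# Constructed sample: databases and logs were moved and excluded, but the
# checkpoint file stayed in the original folder (assumed layout, not from the page).
SITE = {
    "databases": r"E:\ExchData",
    "logs": r"F:\ExchLogs",
    "checkpoint": r"D:\Exchsrvr\MDBData",
    "IFS drive": "M:\\",
    "IIS system files": r"C:\WINNT\System32\Inetsrv",
}
EXCLUSIONS = [r"e:\exchdata", r"F:\ExchLogs", "M:\\", r"D:\Exchsrvr\Bin",
              r"D:\Exchsrvr\Mailroot", r"C:\WINNT\System32\Inetsrv"]

if __name__ == "__main__":
    missing, overbroad = audit(r"D:\Exchsrvr", SITE, EXCLUSIONS)
    for label, path in missing.items():
        print(f"NOT EXCLUDED  {label}: {path}")
    for path in overbroad:
        print(f"OVER-BROAD    {path} hides a folder that should be scanned")
```

Excluding the whole install folder clears most "not excluded" findings but is reported as over-broad, because it also hides Exchsrvr\Bin and the other folders that should stay under file-based scanning.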


© Microsoft Corporation. All rights reserved.