XADM: Using ISSCAN to Remove Messages or Attachments Affected by a Virus

ID: Q224493


The information in this article applies to:


SUMMARY

A new tool, Isscan.exe, for Microsoft Exchange Server, versions 5.0 and 5.5, is available to aid in the cleansing of Exchange Server databases that contain messages or attachments with viruses. This tool will scan the Exchange Server databases' message or attachment table, and delete any affected messages and/or attachments.


MORE INFORMATION

The following section explains how to run ISSCAN for Exchange Server 5.0 or 5.5.

Exchange Server 5.5

  1. Stop the Microsoft Exchange Server Information Store service.


  2. From a command line, run:

     ISSCAN -fix {-pri | -pub} -test badmessage,badattach -c critfile

Exchange Server 5.0

  1. Stop the Microsoft Exchange Server Information Store service.


  2. From a command line, run:

     ISSCAN -fix {-pri | -pub} -test badmessage,badattach -c critfile

The -fix parameter instructs Isscan to remove the messages or attachments found. Without the -fix parameter, ISSCAN will record all the messages and attachments it finds in a log file.

The -pri | -pub parameter instructs Isscan to scan either the private or public information store (Priv.edb or Pub.edb).

The -test badmessage parameter deletes messages from the message table determined to be bad.

The -test badattach parameter deletes attachments from the attachment table determined to be bad.

The -c critfile parameter allows you to create a criteria file that Isscan will use as it searches the message and attachment databases. If this is not specified, it will default to the following (for the Melissa virus):

You can have multiple entries for each criterion. The attachment file names must be in 8.3 format, so if you have a long file name, use the 8.3 format for it (for instance, use "Zipped~1.exe" for "Zippedfile.exe"). You can specify up to 256 criteria in the criteria file. A sample file looks like the following:

	ATTACH list.doc	40000	60000
	ATTACH list1.doc	40000	60000
	ATTACH new.doc	20000	40000
	MSG Important Message From	1999/03/01
	MSG New version of virus	1999/03/28

As a safeguard, the filename and subject values cannot be LESS than 5 characters long.

There can be two MAPI types for an attachment in Exchange Server: PR_ATTACH_FILENAME and/or PR_ATTACH_LONG_FILENAME. For example:

	ATTACH Zipped_Files.exe	15000	500000
	ATTACH Zipped~1.exe	15000	500000

The PR_ATTACH_FILENAME is the 8.3 filename used for backward compatibility with 16-bit clients.
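
The following is an added example, not part of the original article or of Isscan: a small Python check that validates a criteria file against the rules stated above before it is used with ISSCAN -fix. The tab-separated layout and the YYYY/MM/DD date form are taken from the sample file; reading the two ATTACH numbers as a lower and an upper bound, and the name lint_critfile, are assumptions.

```python
import re
from datetime import datetime

MAX_CRITERIA, MIN_VALUE_LEN = 256, 5   # both limits are stated in the article
SHORT_NAME = re.compile(r"^[^.\s]{1,8}(\.[^.\s]{1,3})?$")   # 8.3 file name

def lint_critfile(text):
    """Return (line_number, problem) pairs; line 0 means the file as a whole."""
    problems, count = [], 0
    for n, raw in enumerate(text.splitlines(), 1):
        if not raw.strip():
            continue
        count += 1
        fields = [f.strip() for f in raw.strip().split("\t")]
        kind, value = (fields[0].split(None, 1) + [""])[:2]
        if kind not in ("ATTACH", "MSG"):
            problems.append((n, "unknown entry type"))
            continue
        if len(value) < MIN_VALUE_LEN:
            problems.append((n, "value shorter than 5 characters"))
        if kind == "ATTACH":
            if not SHORT_NAME.match(value):
                problems.append((n, "file name is not in 8.3 format"))
            nums = fields[1:]
            if len(nums) != 2 or not all(x.isdecimal() for x in nums):
                problems.append((n, "expected two numeric fields"))
            elif int(nums[0]) > int(nums[1]):   # assumed: lower bound, upper bound
                problems.append((n, "first number exceeds second"))
        else:
            try:
                (date,) = fields[1:]            # exactly one field after the subject
                datetime.strptime(date, "%Y/%m/%d")
            except ValueError:
                problems.append((n, "expected one YYYY/MM/DD date field"))
    if count > MAX_CRITERIA:
        problems.append((0, "more than 256 criteria"))
    return problems

# Constructed sample: two entries from the article, then three bad lines.
SAMPLE = (
    "ATTACH list.doc\t40000\t60000\n"
    "MSG Important Message From\t1999/03/01\n"
    "ATTACH Zippedfile.exe\t15000\t500000\n"
    "ATTACH x.db\t100\t200\n"
    "MSG New version of virus\t1999-03-28\n"
)

if __name__ == "__main__":
    print(lint_critfile(SAMPLE))
```

Treat the 8.3 finding as advisory: the article also shows a long-filename entry for PR_ATTACH_LONG_FILENAME. Running Isscan without -fix first, so that matches are only logged, remains the way to confirm what a criteria file will actually remove.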

Mdbvu32.exe from the Exchange Server 5.5 CD can be used to view attachments in a user mailbox. For more information, please see the following article in the Microsoft Knowledge Base:

Q214816 HOWTO: Use Mdbvu32.exe to Set/Create a Property on a Folder

Isscan will create a report called either Isscan.pri or Isscan.pub, depending on whether you are scanning a private store or public store. When run with the -test badattach parameter, this report will include the attachment's filename that is deleted. When run with the -test badmessage parameter, this report will include the sender of a message that is deleted.

Important Notes

Isscan is available on our FTP servers at:
ftp://ftp.microsoft.com/bussys/exchange/exchange-public/fixes/ENG/Exchg5.5/ISSCAN/ISSCANA.EXE

ftp://ftp.microsoft.com/bussys/exchange/exchange-public/fixes/ENG/Exchg5.5/ISSCAN/ISSCANI.EXE

ftp://ftp.microsoft.com/bussys/exchange/exchange-public/fixes/ENG/Exchg5.0/ISSCAN/ISSCANA.EXE

ftp://ftp.microsoft.com/bussys/exchange/exchange-public/fixes/ENG/Exchg5.0/ISSCAN/ISSCANI.EXE

Keywords          : exc5 exc55 
Version           : winnt:5.0,5.5
Platform          : winnt 
Issue type        : kbhowto 

Last Reviewed: June 28, 1999