XADM: Using ISSCAN to Remove Messages or Attachments Affected by a Virus

ID: Q224493

The information in this article applies to:

Microsoft Exchange Server, versions 5.0, 5.5
on the following platforms: Alpha, x86

SUMMARY

A new tool, Isscan.exe, for Microsoft Exchange Server, versions 5.0 and 5.5, is available to aid in the cleansing of Exchange Server databases that contain messages or attachments with viruses. This tool will scan the Exchange Server databases' message or attachment table, and delete any affected messages and/or attachments.

MORE INFORMATION

The following section explains how to run ISSCAN for Exchange Server 5.0 or 5.5.

Exchange Server 5.5

Stop the Microsoft Exchange Server Information Store service.

From a command line, run:

ISSCAN -fix {-pri | -pub} -test badmessage, badattach -c critfile

Exchange Server 5.0

Stop the Microsoft Exchange Server Information Store service.

From a command line, run:

ISSCAN -fix {-pri | -pub} -test badmessage,badattach -c critfile

The -fix parameter instructs Isscan to remove the messages or attachments found. Without the -fix parameter, ISSCAN will record all the messages and attachments it finds in a log file.

The -pri | -pub parameter instructs Isscan to scan either the private or public information store (Priv.edb or Pub.edb).

The -test badmessage parameter deletes messages from the message table determined to be bad.

The -test badattach parameter deletes attachments from the attachment table determined to be bad.

The -c critfile parameter allows you to create a criteria file that Isscan will use as it searches the message and attachment databases. If this is not specified, it will default to the following (for the Melissa virus):

badmessage will delete single attachments on messages with a subject starting with "Important Message From" and a creation time after 03/01/99.

badattach will delete attachments with a filename of List.doc and a size between 40,000 and 60,000 bytes.

If critfile is specified, it will read that file for the scan criteria. There can be two types of entries in the file: attachment criteria or message criteria. The attachment criteria has the following format (note the tab separators indicated by "\t"):

ATTACH filename\tminsize\tmaxsize

MSG start-of-subject\tyyyy/mm/dd

You can have multiple entries for each criteria. The attachment file names must be in 8.3 format. So, if you have a long file name, use the 8.3 format for it (for instance, use "Zipped~1.exe" for "Zippedfile.exe"). Also, you can specify up to 256 criteria in the criteria file. A sample file looks like the following:


	ATTACH list.doc	40000	60000
	ATTACH list1.doc	40000	60000
	ATTACH new.doc	20000	40000
	MSG Important Message From	1999/03/01
	MSG New version of virus	1999/03/28

As a safeguard, the filename and subject values cannot be LESS than 5 characters long.

There can be two MAPI types for an attachment in Exchange Server: PR_ATTACH_FILENAME and/or PR_ATTACH_LONG_FILENAME. For example:

ATTACH Zipped_Files.exe15000500000
ATTACH Zipped~1.exe15000500000

The PR_ATTACH_FILENAME is the 8.3 filename used for backward compatibility with 16-bit clients.

Mdbvu32.exe from the Exchange Server 5.5 CD can be used to view attachments in a user mailbox. For more information, please see the following article in the Microsoft Knowledge Base:

Q214816 HOWTO: Use Mdbvu32.exe to Set/Create a Property on a Folder

Isscan will create a report called either Isscan.pri or Isscan.pub, depending on whether you are scanning a private store or public store. When run with the -test badattach parameter, this report will include the attachment's filename that is deleted. When run with the -test badmessage parameter, this report will include the sender of a message that is deleted.

Important Notes

It should be understood that this is only a method to clean an already affected Exchange Server database. This will not in any way prevent the virus from being introduced into the e-mail system.

To prevent the virus from being introduced, a well planned anti-virus strategy should be enacted at all Internet firewalls and at every desktop workstation.

Isscan is available on our FTP servers at:

ftp://ftp.microsoft.com/bussys/exchange/exchange-public/fixes/ENG/Exchg5.5/ISSCAN/ISSCANA.EXE

ftp://ftp.microsoft.com/bussys/exchange/exchange-public/fixes/ENG/Exchg5.5/ISSCAN/ISSCANI.EXE

ftp://ftp.microsoft.com/bussys/exchange/exchange-public/fixes/ENG/Exchg5.0/ISSCAN/ISSCANA.EXE

ftp://ftp.microsoft.com/bussys/exchange/exchange-public/fixes/ENG/Exchg5.0/ISSCAN/ISSCANI.EXE

Additional query words:


Keywords          : exc5 exc55 
Version           : winnt:5.0,5.5
Platform          : winnt 
Issue type        : kbhowto

Last Reviewed: June 28, 1999