How can I search my Exchange stores for virus-infected messages?

A. After the problems with the recent Melissa virus, Microsoft have produced a utility which can search your Exchange store for messages which have been infected with a virus and clean them. This will not in any way prevent the virus from being introduced into the email system; you should ensure you are running anti-virus software to prevent the virus infecting your message stores.

The utility can be downloaded for Exchange 5.5 and 5.0, for both Intel and Alpha:

Exchange 5.5 Intel
Exchange 5.5 Alpha
Exchange 5.0 Intel
Exchange 5.0 Alpha

Once downloaded, the self-extracting file produces two files: ISSCAN.EXE and the symbol file ISSCAN.DBG. Copy ISSCAN.EXE to the server running Exchange (you don't need to copy the .dbg file) and use it as follows.

For Exchange 5.5

  1. Log on as an Administrator
  2. Stop the Microsoft Exchange Server Information Store service (via Control Panel - Services)
  3. Enter the command below from the command prompt (cmd.exe)
    C:\> ISSCAN -fix {-pri | -pub} -test badmessage, badattach [-c <criteria file>]
    Where the -fix parameter instructs ISSCAN to remove the messages or attachments found. Without the -fix parameter, ISSCAN will record all the messages and attachments it finds in a log file.
    The -pri or -pub parameter instructs ISSCAN to scan either the private or public information store (priv.edb or pub.edb).
    The -test badmessage parameter deletes messages from the message table determined to be bad. The -test badattach parameter deletes attachments from the attachment table determined to be bad.
    The -c <criteria file> parameter is optional and allows you to specify which messages ISSCAN will search for. If it is not used, the Melissa virus will be searched for. The format of the criteria file is supplied in the readme file for ISSCAN which can be downloaded from here.

ISSCAN will create a report called either isscan.pri or, depending on whether you are scanning a private store or public store. This report will include the filename of each attachment that is deleted and the sender of each message that is deleted. You can then use this information to determine which users' computers may need extra attention.

This utility is very powerful and can be very constructive or destructive depending on how it is used. Please use with caution and consider every action twice before implementing. There is no undo so restoring a backup is the alternative if a problem occurs. It is recommended that you do not use this utility until a known good backup is secured.
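
Because there is no undo, a report-only pass (no -fix) is worth running before the destructive one. The wrapper below is an added example, not part of the original FAQ or of Microsoft's utility. It assumes ISSCAN.EXE is in the current directory, that the Information Store's service name is MSExchangeIS, and that the criteria file path contains no spaces; the script name isscan-pass.cmd is hypothetical.

```batch
@echo off
rem Added example: runs one ISSCAN pass with the Information Store stopped.
rem -fix is passed only when the first argument is "fix".
rem Usage: isscan-pass.cmd {report | fix} {pri | pub} [criteria file]
setlocal

set MODE=%1
set STORE=%2
set CRITERIA=%3

if /i not "%MODE%"=="report" if /i not "%MODE%"=="fix" goto usage
if /i not "%STORE%"=="pri" if /i not "%STORE%"=="pub" goto usage

rem Without -fix, ISSCAN only records what it finds in its log file.
set FIXARG=
if /i "%MODE%"=="fix" set FIXARG=-fix

rem The criteria file is optional; without it ISSCAN searches for Melissa.
set CRITARG=
if not "%CRITERIA%"=="" set CRITARG=-c %CRITERIA%

rem Assumed service name. net stop asks for confirmation if dependent
rem services are running; restart those afterwards if they are needed.
net stop MSExchangeIS
if errorlevel 1 goto stopfailed

rem Test list typed exactly as it appears in the FAQ's syntax line.
ISSCAN %FIXARG% -%STORE% -test badmessage, badattach %CRITARG%

net start MSExchangeIS
if /i "%MODE%"=="report" echo Review the ISSCAN report before repeating this run in fix mode.
goto end

:stopfailed
echo Could not stop the Information Store (or it was already stopped); ISSCAN was not run.
goto end

:usage
echo Usage: %0 {report ^| fix} {pri ^| pub} [criteria file]

:end
endlocal
```

Run it in report mode for each store first, and move to fix mode only after the report matches what you expect and a known good backup exists.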
