Exchange & Outlook UPDATE, Exchange Edition, November 11, 2004

1. Commentary
- The Pitfalls of Antivirus Solutions

2. Resources
- Featured Thread: Virtualization Technology Contest and Blog
- Outlook Tip: Understanding Outlook Junk-Email Rules

3. New and Improved
- Manage Reminders from One Window
- Tell Us About a Hot Product and Get a T-Shirt!

~~~~ Sponsor: Manage Email, PSTs & Public Folders (Free Trial) ~~~~
Having trouble accessing PST Files? Looking for a cost-efficient email management solution? Mail Attender Enterprise gives you the ability to automatically manage PST files (network accessible and local), Public Folders and Mailboxes from a central location.
Perform keyword searches to retrieve information, implement retention policies, address compliance issues, compress attachments, compact PSTs, archive data to a secure storage device and view email statistics across your enterprise. Management is transparent to end-users and can be applied to certain users or groups. With Mail Attender Enterprise, you will decrease administration time, reclaim storage space and reduce liabilities. Download a FREE TRIAL and instantly view statistics like total message/attachment count, size, and type across your entire Exchange information store!
http://www.sherpasoftware.com/windowsnetEO.shtml

Editor's note: Share Your Exchange Discoveries and Get $100
Share your Exchange Server and Outlook discoveries, comments, or problems and solutions for use in the Exchange & Outlook Administrator print newsletter's Reader to Reader column. Email your contributions (500 words or less) to [email protected]. We edit submissions for style, grammar, and length. If we print your submission, you'll get $100.

==== 1. Commentary: The Pitfalls of Antivirus Solutions ==== by Paul Robichaux, Exchange Editor, [email protected]

Antivirus solutions are an important part of most business networks. The criminals who write and release viruses are increasingly prolific and clever at distributing their "products." Their industriousness and skill argues in favor of keeping antivirus scanners at your network perimeter, on your desktop machines, and on your Exchange Server systems. However, the cure might sometimes be worse than the disease. I've noticed a worrisome trend: Many Exchange administrators are having trouble with their server-based antivirus products, usually because of two simple problems that can easily be corrected.

The first problem is that in some cases, antivirus scanners cause email to stop flowing to users. The precise cause of this problem can be difficult to isolate, but the symptoms are unmistakable: Users stop getting new email from the outside world. Stopping and restarting the scanning service will sometimes resolve the problem. Depending on the antivirus product you use, you might be able to use its management tool to pinpoint the problem, or you can use Exchange System Manager's (ESM's) queue-viewing tools to determine whether mail from particular origins is arriving at your Exchange servers normally. You'll probably find that the problem is caused by your antivirus software's failure to keep up under load, or by its behavior when it encounters a particular type of malformed (or poorly formed) message. If disabling the antivirus service solves the problem or if you can localize the problem to a single message, you've found an extremely valuable clue as to the cause of the issue. Also, stoppage might be because your perimeter SMTP scanner has stopped accepting mail or has fallen behind in its scanning. Exchange-aware scanners that use the Virus Scanning API (VSAPI--see "You Had Me At EHLO" at http://blogs.msdn.com/exchange/archive/2004/10/20/245157.aspx for a description) typically perform on-demand scans that aren't subject to this problem.

The second problem is both more serious and easier to avoid. For years, the understood best practice has been to avoid running file-level antivirus scanners on Exchange servers. Why? Because those scanners look at patterns of data within individual files, quarantining or "cleaning" files that contain patterns that match virus signatures. Guess what happens if your scanner quarantines an Exchange database file? Nothing good, that's for sure:

- If the EDB or STM file is quarantined, Exchange won't be able to mount the Store. If the file is quarantined while still opened by Exchange, the results are unpredictable but will frequently include -1018 errors. The Microsoft article "Error events are logged when the Exchange Server database service is denied write access to its own .edb files or to the .chk file" ( http://support.microsoft.com/?kbid=253111 ) provides details about this particular type of misbehavior.

- If a transaction log file is quarantined, Exchange will notice the missing file when you next try to mount that Store, and the database won't mount.

- If the checkpoint log file is quarantined, the database won't be mountable, and you might notice other problems (including -1811 errors). The Microsoft articles "Error events are logged when the Exchange Server database service is denied write access to its own .edb files or to the .chk file" and "XADM: Database Won't Start; Circular Logging Deleted Log File Too Soon" ( http://support.microsoft.com/?kbid=176239 ) describe typical results of this situation.

If you run into one of these situations, your only option to get the file back is to release it from quarantine, restore it from a backup, or recreate the database by playing back your log files.

Microsoft recommends against using file-level scanners on Exchange databases, log files, Message Transfer Agent (MTA) files, and SMTP queues (see the Microsoft articles "Overview of Exchange Server 2003 and antivirus software" at http://support.microsoft.com/?kbid=823166 or "Exchange and antivirus software" at http://support.microsoft.com/?kbid=328841). Many experienced administrators know this advice, but more than a few do not. As part of your job-security program, please make sure the folks you work with are in the former category.

One last note about virus cleaning: Don't assume that an infected machine is OK just because you used an antivirus tool to clean it. Such cleaning can get rid of simple infections such as those caused by Blaster, but sophisticated malware can pass through cleaning. Serious infections might require you to flatten and rebuild the machine.

~~~~ Sponsor: Enter to Win & Say Yes to Mailbox Recovery Software ~~~~
Ontrack(R) PowerControls(TM) software is the ultimate alternative solution to brick-level backups. Last month, Ontrack Data Recovery introduced Ontrack PowerControls 3.0 software, the newest version of its widely used mailbox recovery tool. To celebrate, we are offering a chance to win a FREE PowerControls license (up to a $2,000 value). SAY YES to PowerControls today! To enter for a chance to win, download the free trial at:
http://s0b.bluestreak.com/ix.e?hy&s=394880&a=297868

==== Announcements ==== (from Windows IT Pro and its partners)

Subscribe Now to Windows IT Pro with Exclusive Online Access!
Windows & .NET Magazine is now Windows IT Pro! Act now to get the November issue, which features a Linux primer for Windows administrators, the how-tos of making NTBackup work, and a checklist for Sarbanes-Oxley compliance. You'll save 30% off the cover price and receive exclusive subscriber-only access to our entire online library with your paid subscription! This is a limited-time offer, so click here to order today!
http://www.winnetmag.com/rd.cfm?code=00ep204kul

Get the Final Chapter Release--"The Expert's Guide for Exchange 2003: Preparing for, Moving to, and Supporting Exchange Server 2003"
Download our final chapter, "Exchange Security," and learn 5 key strategies to help you secure your environment before vulnerabilities become a problem, including how to reduce the number of protocols used and how to partition your environment. Plus, start protecting authentication credentials, data transmission, and more. Get the entire eBook now!
http://www.windowsitlibrary.com/ebooks/exchangeserver2003/index.cfm?code=1108annc

Attend and Get a Free Subscription to Windows IT Pro! The Enterprise Alliance Roadshow
Come and join us for this free event and find out how a more strategic and holistic approach to IT planning helps organizations increase operational efficiency and facilitate the implementation of new technology. Attend and you could win an iPod! Sign up today. Space is limited.
http://www.windowsitpro.com/roadshows/serverconsolidation/index.cfm?code-1108annc

Managing and Securing Corporate Email Forum: January 31 – February 2, 2004, Harrah’s, Las Vegas
Spammers and negligent email users are draining your budget and resources! With over 20 case studies, discussion groups and workshops, you’ll walk away with end user strategies, proven to make your organization’s email safer. For a full agenda and registration information log on to http://www.iqpc.com/NA-2237-01/ITPRO or call 1-800-882-8684.

~~~~ Hot Release: Find Oracle Answers Fast ~~~~
Finding answers to your most pressing questions about Oracle is easy. With over 700 how-to articles and simple tips, you'll discover how to maximize Oracle features and ultimately improve IT productivity and management of your network and database. Plus, you'll learn how easy it is to use, manage, and develop with Oracle. Click here for answers to your Oracle questions!
http://www.windowsitpro.com/oracleonwindows/

==== 2. Resources ====

Featured Thread: Virtualization Technology Contest and Blog
Enter the Windows IT Pro Virtualization Hero contest by telling us--in 200 words or less--how your IT organization has used virtual machine technology in innovative ways to reap practical business benefits. But hurry: The contest closes on November 24, 2004. For more information, go to the Virtualization Technology blog at http://www.windowsitpro.com/blog/index.cfm?DepartmentID=964

Outlook Tip: Understanding Outlook Junk-Email Rules by Sue Mosher, [email protected]

Q: In Outlook 2000, is it the Exchange Server system or the local client that processes messages against the junk-email rules? I'm interested in using these rules but wonder whether they'll create a large draw on my server (or just tax the local machines a little more than usual).
Find the answer (and links to more great tips) at http://www.windowsitpro.com/article/articleid/42226/42226.html

==== Events Central ==== (A complete Web and live events directory brought to you by Windows IT Pro: http://www.windowsitpro.com/events )

IT Security Solutions Roadshow--Attend and Get a Free Subscription to Windows IT Pro
Take your security to the next level with this free half-day event covering topics such as antivirus, intrusion prevention, vulnerability discovery, and more. Get a backstage pass to the ISA Server 2004 Hands-on Lab. Attend and enter to win tickets to a professional sports game. Register now!
http://www.windowsitpro.com/roadshows/security/index.cfm?code=1108annc

==== 3. New and Improved ==== by Angie Brew, [email protected]

Manage Reminders from One Window
Slovak Technical Services released Reminder Manager 1.4.6, an Outlook add-in that sends reminders from any email, calendar, tasks, or contacts folder in any open mail store. The product can email reminders to any email address, email-enabled communications device, or pager and lets you manage all your reminders in one window. Reminder Manager supports Microsoft Office Outlook 2003, Outlook 2002, and Outlook 2000 and costs $30 for one user license. Contact Slovak Technical Services at 407-673-7655.
http://www.slovaktech.com

Tell Us About a Hot Product and Get a T-Shirt!
Have you used a product that changed your IT experience by saving you time or easing your daily burden? Tell us about the product, and we'll send you a T-shirt if we write about the product in a future Windows IT Pro What's Hot column. Send your product suggestions with information about how the product has helped you to [email protected].

~~~~ Contact Us ~~~~

About the newsletter -- [email protected]
About technical questions -- http://www.windowsitpro.com/forums
About product news -- [email protected]
About your subscription -- [email protected]
About sponsoring UPDATE -- [email protected]