XADM: Using ISSCAN to Remove Messages or Attachments Affected by a Virus

ID: Q224493


The information in this article applies to:
  • Microsoft Exchange Server, versions 5.0, 5.5
    on the following platforms: Alpha, x86


SUMMARY

A new tool, Isscan.exe, for Microsoft Exchange Server versions 5.0 and 5.5, is available to help you clean Exchange Server databases that contain messages or attachments with viruses. This tool scans the Exchange Server database message or attachment table, and deletes any affected messages and attachments.


MORE INFORMATION

To run the Isscan utility for Exchange Server 5.0 and 5.5:

  1. Stop the Exchange Server Information Store service.

  2. Copy the Isscan.exe utility to the Exchsrvr\Bin folder, and from a command line, run:

     isscan {-pri | -pub} [-fix] -test {badmessage | badattach | badattach2} [-c critfile]

The -fix parameter instructs the Isscan utility to remove the messages or attachments found. Without the -fix parameter, the Isscan utility records all of the messages and attachments it finds in a log file.

The -pri | -pub parameter instructs the Isscan utility to scan either the private or public information store (the Priv.edb or Pub.edb file).

The -test badmessage parameter deletes messages from the message table that are determined to be bad.

The -test badattach and -test badattach2 parameters delete attachments from the attachment table that are determined to be bad.

The -c critfile parameter allows you to create a criteria file that the Isscan utility uses as it searches the message and attachment databases. If this is not specified, it defaults to the following (for the Melissa virus):
  • The badmessage parameter deletes single attachments on messages with a subject that starts with "Important Message From" and a creation time after 03/01/99.


  • The badattach and badattach2 parameters delete attachments with a filename of List.doc and a size between 40,000 and 60,000 bytes.


If critfile is specified, the Isscan utility reads that file for the scan criteria. There can be two types of entries in the file: attachment criteria or message criteria. An attachment entry has the following format (note the tab separators, indicated by "\t"):

	ATTACH filename\tminsize\tmaxsize

A message entry looks like this:

	MSG start-of-subject\tyyyy/mm/dd

NOTE: Please copy the criteria file to the Exchsrvr\Bin folder before you specify it when you are running Isscan.exe.

You can have multiple entries of each type of criterion. The attachment file names must be in 8.3 format. If you have a long file name, use the 8.3 format for it (for instance, use "Zipped~1.exe" for "Zippedfile.exe"). Also, you can specify up to 256 criteria in the criteria file. A sample file looks like the following:

	ATTACH list.doc	40000	60000
	ATTACH list1.doc	40000	60000
	ATTACH new.doc	20000	40000
	MSG Important Message From	1999/03/01
	MSG New version of virus	1999/03/28

As a safeguard, the filename and subject values cannot be FEWER than five characters long.
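As an added example (not part of this article or of the Isscan tool), the following Python check parses a criteria file and rejects entries that break the restrictions the article states: tab-separated fields, 8.3 attachment names without wildcards, filenames and subject prefixes of at least five characters, yyyy/mm/dd dates, and at most 256 criteria. The sample file is constructed here and includes three deliberately invalid lines.

```python
import re
from datetime import datetime
# Constructed criteria file modelled on the article's sample; fields are tab-separated.
# The last three entries are deliberately invalid so there is something to reject.
SAMPLE_CRITFILE = (
    "ATTACH list.doc\t40000\t60000\n"
    "ATTACH list1.doc\t40000\t60000\n"
    "MSG Important Message From\t1999/03/01\n"
    "ATTACH *.doc\t1000\t2000\n"              # Isscan does not support wildcards
    "ATTACH Zippedfile.exe\t15000\t500000\n"  # not 8.3; the article uses Zipped~1.exe
    "MSG Hi\t1999/03/28\n"                    # subject prefix shorter than five characters
)

MAX_CRITERIA = 256   # article: up to 256 criteria in the file
MIN_NAME_LEN = 5     # article: filename and subject may not be fewer than five characters
# 8.3 name: 1-8 characters, optional dot plus 1-3 characters, no wildcards or path separators.
SHORT_NAME = re.compile(r'^[^\s.\\/:*?"<>|]{1,8}(\.[^\s.\\/:*?"<>|]{1,3})?$')

def parse_critfile(text):
    """Return (criteria, errors): accepted ("ATTACH", name, min, max) / ("MSG", prefix, date) tuples and rejected lines."""
    criteria, errors = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        kind, _, rest = line.partition(" ")   # keyword, then tab-separated fields
        fields = rest.split("\t")
        try:
            if kind == "ATTACH" and len(fields) == 3:
                name, lo, hi = fields[0], int(fields[1]), int(fields[2])
                if len(name) < MIN_NAME_LEN:
                    raise ValueError("filename shorter than five characters")
                if not SHORT_NAME.match(name):
                    raise ValueError("filename must be an 8.3 name without wildcards")
                if not 0 <= lo <= hi:
                    raise ValueError("minsize must not exceed maxsize")
                criteria.append(("ATTACH", name, lo, hi))
            elif kind == "MSG" and len(fields) == 2:
                when = datetime.strptime(fields[1], "%Y/%m/%d").date()
                if len(fields[0]) < MIN_NAME_LEN:
                    raise ValueError("subject prefix shorter than five characters")
                criteria.append(("MSG", fields[0], when))
            else:
                raise ValueError("expected ATTACH name<TAB>min<TAB>max or MSG subject<TAB>yyyy/mm/dd")
        except ValueError as exc:
            errors.append(f"line {lineno}: {exc}")
    if len(criteria) > MAX_CRITERIA:
        errors.append(f"{len(criteria)} criteria exceeds the limit of {MAX_CRITERIA}")
    return criteria, errors
```

Run it against a criteria file before copying the file to Exchsrvr\Bin; an empty error list means every entry is in a form the article documents.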

An attachment in Exchange Server can carry two MAPI filename properties, PR_ATTACH_FILENAME and/or PR_ATTACH_LONG_FILENAME, so the same attachment may appear under either name. For example:

	ATTACH Zipped_Files.exe	15000	500000
	ATTACH Zipped~1.exe	15000	500000

The PR_ATTACH_FILENAME is the 8.3 filename used for backward compatibility with 16-bit clients.

You can use the Mdbvu32.exe file from the Exchange Server 5.5 CD to view attachments in a user mailbox. For additional information, click the article number below to view the article in the Microsoft Knowledge Base:
Q214816 HOWTO: Use Mdbvu32.exe to Set/Create a Property on a Folder
The Isscan utility creates a report called either Isscan.pri or Isscan.pub, depending on whether you are scanning a private store or public store. This report includes the following information:
  • When run with the -test badmessage parameter, this report includes the sender and recipient of a message that is deleted.


  • When run with the -test badattach parameter, this report includes the file name of the attachment that is deleted.


  • When run with the -test badattach2 parameter, this report includes the file name of the attachment that is deleted and the sender and recipient of the associated message.


When you run the Isscan utility with the -test badmessage parameter, it searches the message folder table based on the specified message criteria. When you run the Isscan utility with the -test badattach parameter, it searches the attachment table based on the specified attachment criteria. Searching the attachment table is faster, but it prevents the Isscan utility from obtaining information about the sender and recipient of the message.

When you run the Isscan utility with the -test badattach2 parameter, it uses the specified attachment criteria, but it checks attachments through the message folder table instead of the attachment table. This makes the search slower, but it allows the Isscan utility to obtain information about the sender and recipient of the message. This is useful for viruses where the Subject field is always different, which prevents you from searching based on message criteria. The -test badattach2 parameter allows you to search based on attachment criteria instead, while still obtaining information about the sender and recipient.

Important Notes

  • This is only a method to clean an already affected Exchange Server database. This does not in any way prevent the virus from being introduced into the e-mail system.


  • To prevent the virus from being introduced, enact a well planned anti-virus strategy at all Internet firewalls and at every desktop workstation.


  • You can run the command, isinteg -fix -pri -test attachref, to delete the reference to the attachment--otherwise the message reports "Could not open one or more attachments." The message is not deleted with either the badmessage or the badattach switch. Only the attachment is removed on either option.

    However, no test removes the actual Paperclip icon.


  • Isscan does not search for wildcard attachments or messages. The user must specify a file name that is at least five characters long. For example, searching for messages or attachments by specifying "*.doc" (without the quotation marks) does not work.


The Isscan utility is available on the Microsoft FTP server at:
ftp://ftp.microsoft.com/bussys/exchange/exchange-public/fixes/ENG/Exchg5.5/ISSCAN/ISSCANA.EXE

ftp://ftp.microsoft.com/bussys/exchange/exchange-public/fixes/ENG/Exchg5.5/ISSCAN/ISSCANI.EXE

ftp://ftp.microsoft.com/bussys/exchange/exchange-public/fixes/ENG/Exchg5.0/ISSCAN/ISSCANA.EXE

ftp://ftp.microsoft.com/bussys/exchange/exchange-public/fixes/ENG/Exchg5.0/ISSCAN/ISSCANI.EXE
The version of the Isscan utility that is available on the FTP server does not support the -test badattach2 parameter. Microsoft recognizes the need for this functionality and has modified the Isscan utility to support it.

The English version of this feature should have the following file attributes or later:

Component: ISSCAN

   File name     Version
   ----------    ----------
   Isscan.exe    5.5.2648.0

Additional query words:

Keywords : exc5 exc55
Version : winnt:5.0,5.5
Platform : winnt
Issue type : kbhowto


Last Reviewed: January 5, 2000
© 2000 Microsoft Corporation. All rights reserved. Terms of Use.