Well, that hook is actually gone.  I can’t remember if it was removed in 2013 
or 2016 – but it was when store.exe was rewritten to have a separate process 
for each mailbox database.

Now, the ONLY mechanism to scan for viruses is via FrontEndTransport (incoming 
or outgoing email messages) and EWS (which is dreadfully slow and not suitable 
for this task).

Store.exe is now managed code – and with all the various a/v and a/m 
mitigations in managed-code, I don’t know that anyone has tried to 
reverse engineer hooks into the live processes.

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Daniel Chenault
Sent: Friday, June 30, 2017 12:52 PM
To: exchange@lists.myitforum.com
Subject: RE: [Exchange] June 2017 Quarterly Exchange Updates

Reminds me of how Trend Micro reverse-engineered store.exe to hook their AV 
product into the message stream in Exchange 5.x.

Of course now the hook into the message stream is exposed. Since 2k3 I believe.

Never did like brick-level backups; took longer and needed more storage.

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Kennedy, Jim
Sent: Thursday, June 29, 2017 7:42 AM
To: exchange@lists.myitforum.com
Subject: RE: [Exchange] June 2017 Quarterly Exchange Updates

Great.  Never considered they did it that way, that scares me.  Another reason 
not to do item level backups on Exchange. Our awesome browser driven archive 
system will do just fine.

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Michael B. Smith
Sent: Thursday, June 29, 2017 8:35 AM
To: exchange@lists.myitforum.com
Subject: RE: [Exchange] June 2017 Quarterly Exchange Updates

Backup Exec (and every backup program promising single-item restores) depends on 
non-public data – they are reverse-engineering the format of a mailbox 
database.

This is noted in the release blog.

Post release update concerning Cumulative Update 5
Several customers have reported problems with 3rd party solutions which provide 
brick level backup or single mailbox recovery as a reported feature after 
installing Cumulative Update 5. Cumulative Update 5 included an update to our 
database schema which caused some of these products to not function as they had 
previously. That change carries forward into Cumulative Update 6 as well. The 
practice of updating the database schema has long been in place with Exchange 
Server. Microsoft has urged developers to not consider the schema to be 
immutable nor to program against it. The schema is not publicly defined and is 
a structure internal to the operation of Exchange Server. Access to store level 
objects is provided through publicly documented interfaces and structures only.
The Exchange Team


From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Kennedy, Jim
Sent: Thursday, June 29, 2017 8:18 AM
To: exchange@lists.myitforum.com
Subject: RE: [Exchange] June 2017 Quarterly Exchange Updates

CU5 breaks single item restores in Backup Exec.  They are working on it.

https://vox.veritas.com/t5/Backup-Exec/Exchange-2016-CU5-Support/td-p/830356

________________________________
From: "Michael B. Smith" <mich...@smithcons.com>
To: exchange@lists.myitforum.com
Sent: Wednesday, June 28, 2017 7:59:34 AM
Subject: [Exchange] June 2017 Quarterly Exchange Updates

Released yesterday:

https://blogs.technet.microsoft.com/exchange/2017/06/27/released-june-2017-quarterly-exchange-updates/

The blog article and the KB articles do a poor job of explaining everything 
that has changed. 2016 CU6 includes a fix for the annoying Set-Mailbox bug 
present in CU5.

However, if you do a lot of mailbox moves or discovery searches, I suggest that 
you carefully test it in a lab.  The same if you intend to apply CU6 to edge 
servers. I am not aware of confirmed issues, but I’ve heard some rumbles about 
these.
