MS says (Q263949) and Russ repeats that MAPI-scanning has a potential hole,
but the AVAPI x.0 and shim methods don't (depending of course upon the 3rd
party shim or AVAPI process behavior).

-----Original Message-----
From: Chris Scharff [mailto:[EMAIL PROTECTED]]
Sent: Monday, December 10, 2001 12:05 PM
To: Exchange Discussions
Subject: RE: MS says antivirus not effective on Exchange 5.5: must buy E2000


AFAIK none of the enhancements in AVAPI 2.0 were related to messages being
allowed to slip through, but were to expose things such as the sender and
recipient of the messages, the lack of inclusion in the 1.0 version being
deemed a shortcoming by many customers.

Even if the AVAPI in Exchange 5.5 was susceptible to letting messages slip
through (an assertion for which I have seen no evidence), Microsoft now has
stated publicly that they have no problem with AV vendors who want to
engineer an ESE shim scanning method for 5.5, and Sybari's use of just such a
technology over the past several years has proved that method to be quite
effective.

> -----Original Message-----
> From: Martin Blackstone [mailto:[EMAIL PROTECTED]] 
> Sent: Monday, December 10, 2001 10:59 AM
> To: Exchange Discussions
> Subject: RE: MS says antivirus not effective on Exchange 5.5: must buy E2000
> 
> 
> As far as I can tell MS is saying no such thing. Russ is saying it.
> 
> -----Original Message-----
> From: Alverson, Thomas M. [mailto:[EMAIL PROTECTED]] 
> Sent: Monday, December 10, 2001 8:59 AM
> To: Exchange Discussions
> Subject: MS says antivirus not effective on Exchange 5.5: 
> must buy E2000
> 
> 
> MS is now saying that even the AVAPI mode of Exchange 5.5 can 
> let viruses slip through under load.  The only solution is to 
> upgrade to Exchange 2000. From NTBUGTRAQ:
> 
> 
> ==============================================================
> Message from NTBUGTRAQ mailing list shown below:
> ==============================================================
> No real news for some, but the recent waves of mass mailers 
> have once again demonstrated how Exchange Server 5.5 plus an 
> Anti-Virus product may not do an effective job at handling 
> mass mailers. But don't blame your Anti-Virus vendor, the 
> problem comes when the Exchange Server 5.5 is put under load. 
> How much load? Nobody seems to be able to say for sure. 
> However, when under sufficient load Exchange Server 5.5 will 
> simply not notify the AV product there's a message to scan, 
> and instead pass it through to the recipient.
> 
> Prior to Exchange Server 5.5 SP3, AV Vendors used MAPI-based 
> scanning. However, Microsoft's KB article Q263949 says;
> 
> http://support.microsoft.com/default.aspx?scid=kb;en-us;Q263949
> 
> "If you select MAPI-based scanning, be aware that the 
> vendor's software may not scan all attachments because first 
> and exclusive access is not guaranteed."
> 
> SP3 introduced the Virus Scanning API 1.0, and many vendors 
> provided support for it because it was more reliable. But 
> Microsoft have acknowledged that even VSAPI 1.0 can't always 
> handle the load of an internal infection, and rather than 
> losing messages, sends them through without notifying the AV product.
> 
> Exchange Server 2000 SP1, with its VSAPI 2.0, says;
> 
> http://support.microsoft.com/default.aspx?scid=kb;EN-US;Q285667
> 
> "The enhancements to the virus scanning API that are included 
> in Exchange 2000 Server SP1 represent the next step in the 
> evolution of the commitment that Microsoft has made to 
> protecting customer investment. These new features, known as 
> virus scanning API 2.0, fulfill many of the shortcomings of 
> virus scanning API 1.0."
> 
> You gotta love it, "the next step in the evolution of the 
> commitment"...;-] So the commitment is evolving to, 
> presumably eventually, actually let customers protect 
> themselves...but we're not there yet.
> 
> AV Vendors are strongly urging their customers to switch to 
> Exchange Server 2000.
> 
> Microsoft say they have no plans to make VSAPI 2.0 available 
> for Exchange Server 5.5, so to get secure, upgrade.
> 
> The number of times customers have actually been bitten by 
> this problem is unknown, suffice it to say it doesn't happen 
> often. Reports I've received indicate that the load required 
> to make Exchange Server 5.5 start missing infected messages 
> (or messages with attachments that have been indicated should 
> be stripped) comes about as a result of one, or more, 
> mass-mailers active in your internal network.
> 
> For example, someone uses a web-based mail service and opens 
> an email/attachment that invokes a mass-mailer. Once the 
> mass-mailer starts bombing the Exchange Server 5.5, depending 
> on the hardware, it can then get to a point where the load is 
> great enough to cause it to miss inbound messages.
> 
> Using the Outlook Email Security Update or Outlook 2002, both 
> of which prevent mass-mailers from programmatically accessing 
> the Exchange Addresses, can help to prevent infections that 
> occur outside of the normal AV path. Using client-side AV 
> products can also help.
> 
> Consider also putting a second network adapter on your 
> Exchange Server(s). If internal clients connect to one 
> adapter, and the infrastructure to the other, you can more 
> easily disconnect your clients from the Exchange Server 
> should you detect it's under load. Minimizing what your 
> Exchange Server is doing also helps, size it appropriately 
> and don't use it for anything else. Consider also putting 
> your AV product on its own box.
> 
> Cheers,
> Russ - Surgeon General of TruSecure Corporation/NTBugtraq Editor
> 
> _________________________________________________________________
> List posting FAQ:       http://www.swinc.com/resource/exch_faq.htm
> Archives:               http://www.swynk.com/sitesearch/search.asp
> To unsubscribe:         mailto:[EMAIL PROTECTED]
> Exchange List admin:    [EMAIL PROTECTED]