Using Isscan to scan Exchange Server for viruses

Suppose the worst has happened: your network has been hit by an e-mail virus. One of the first things you’ll do is remove the Exchange Server from the network, to prevent any more messages carrying the virus from getting into the system. Then, you have to wait hours–or even days–for the antivirus software companies to post a solution that you can download and implement. In the interim, you’re stuck with a server full of infected messages–but, thanks to Microsoft’s Isscan.exe utility, you don’t have to be. Isscan.exe is not antivirus software, and it won’t prevent your Exchange Server from becoming infected. However, it will help you clean your Exchange Server databases and remove any attachments that you think are infected with a virus while you wait for the updated signature files from your antivirus vendor. In this article, I’ll introduce you to Isscan.

How the Isscan utility works

Isscan.exe allows administrators to scan the Exchange Server 5.x private or public information store and remove message attachments based on the attachment name or the message subject. It is available for both Intel and Alpha platforms. One version covers Exchange Server versions up to and including Exchange Server 5.0 Service Pack 3 and Exchange Server 5.5 Service Pack 3, and another version covers Exchange Server 5.5 post-Service Pack 3.

You can download a ZIP archive containing instructions, Isscan.exe, and batch files for removing the ILOVEYOU virus and repairing both the private and public information stores from Microsoft at http://support.microsoft.com/support/exchange/love_letter.htm. The contents of the ILOVEYOUHLPI.ZIP file are as follows:

• -ILOVEYOUReadmeFirst.txt –
• -ATTACHMENTS.TXT – ExMerge
• -EXMERGE.doc – ExMerge
• -ExMerge.exe – ExMerge
• -EXMERGE.INI – ExMerge
• -mfc42.dll – ExMerge
• -SUBJECTS.TXT – ExMerge
• -gwclean.exe – imc
• -MSVCRTD.DLL – imc
• -ProfInst.exe – imc
• -resetimc.cmd – imc
• -Isintegfixpri.bat – ISSCAN-postsp3
• -Isintegfixpub.bat – ISSCAN-postsp3
• -Isscanfixpri.bat – ISSCAN-postsp3
• -Isscanfixpub.bat – ISSCAN-postsp3
• -Lovecrit.txt – ISSCAN-postsp3
• -ISSCAN.EXE – ISSCAN-postsp3
• -Isintegfixpri.bat – ISSCAN-presp3
• -Isintegfixpub.bat – ISSCAN-presp3
• -Isscan.exe – ISSCAN-presp3
• -Isscanfixpri.bat – ISSCAN-presp3
• -Isscanfixpub.bat – ISSCAN-presp3
• -Lovecrit.txt – ISSCAN-presp3
• -FindBin.exe – mta
• -Mtaclean.bat – mta
• -Ascii2Hex.exe – mta

Advantages and disadvantages

Using Isscan offers several advantages. For one thing, it’s a free tool. As I’ve mentioned, you can use it to clean your database while you wait for a fix from your antivirus vendor. And you can search your Exchange database based on message name or on attachment name.

Of course, Isscan also has some disadvantages. It only cleans an Exchange Server database that’s already been affected by a virus, and it does not prevent the virus from being introduced into the e-mail system. You must shut down the Exchange services in order to use the utility. The program removes each attachment without updating the link in the message, which causes unnecessary errors on the client trying to open these messages. And Isscan does not remove the message itself–just the attachment.

Using Isscan

To use this tool, you must shut down the services and be familiar with the switches associated with the utility. The syntax for the command line is as follows:

Isscan {-pri|-pub} [-fix] -test {badmessage |badattach | badattach2} [-c <critfile>] 

The syntax uses these parameters:

• The
  

  -fix

  parameter is used to remove messages or attachments. Without the

  -fix

  parameter, the Isscan utility records all the messages and attachments it finds in a log file.
• The
  

  -pri

  parameter causes the Isscan utility to scan the private information store (priv.edb), and the

  -pub

  parameter scans the public information store (pub.edb).
• The
  

  -test badmessage

  parameter deletes attachments from the attachment table that meet the criteria you specify.
• The
  

  -test badattach

  and

  -test badattach2

  parameters delete attachments that meet the criteria you specify. The

  baddattach2

  parameter checks attachments through the message folder table instead of the attachment table, which makes the search slower.
• The
  

  -c <critfile>

  parameter instructs the utility to use a criteria file as it searches the message and attachment databases. If the

  critfile

  parameter is specified, Isscan parses the case-sensitive entries in the file to determine the search criteria.

A criteria file contains two types of entries: attachment or message. An attachment entry has the following syntax:

ATTACH <i>filename</i> <i>minsize</i> <i>maxsize</i>

There is a space between

ATTACH

and

<i>filename</i>

, and a tab separates

<i>minsize</i>

from

<i>filename</i>

and

<i>maxsize</i>

.

A message entry has the following syntax:

MSG <i>start-of-subject</i> <i>yyyy/mm/dd</i>

There is a space between

MSG

and

<i>start-of-subject</i>

and a tab between

<i>start-of-subject</i>

and

<i>yyyy/mm/dd</i>

.

Be sure to use a non-DOS editor such as Notepad to create the criteria file to ensure proper formatting. You can have multiple entries for each criterion, and you can specify up to 256 criteria in the criteria file. A sample file looks like the following:

 <p>ATTACH FirstAttachment.doc    40000    60000

<br>ATTACH SecondAttachment.vbs    40000    60000

<br>ATTACH ThirdAttachment.exe    20000    40000

<br>MSG Important Message From        2000/07/01

<br>MSG New version of virus        2000/07/28

As a safeguard, the filename and subject values cannot be fewer than five characters long.

Correcting inconsistencies

After you run Isscan, it will be necessary to run the Isinteg utility to correct inconsistencies in the information store. The syntax for Isinteg is:

<p>

<br>isinteg -pri|-pub [-fix] [-detailed] [-verbose] [-l logfilename] -test testname [[, testname]…]

<br>    -pri – private store

<br>    -pub – public store

<br>    -fix – check and fix (default – check only)

<br>    -detailed – detailed mode (default – non-detailed mode)

<br>    -verbose – report verbosely

<br>    -l filename – log file name (default – .isinteg.pri|pub)

<br>    -t refdblocation (default – the location of the store)

<br>    -test testname,…

<br>        folder message aclitem mailbox (pri only) delfld acllist

<br>        rcvfld (pri only) timedev rowcounts attach morefld oofhist (pri  only)

<br>        global searchq dlvrto namedprop (-detailed mode only)

<br>        peruser artidx (pub only) search newsfeed (pub only) dumpsterprops

<br>        fldprops

<br>        Ref count tests: msgref msgsoftref attachref acllistref  aclitemref

<br>        newsfeedref (pub only) fldrcv (pri only) fldsub dumpsterref

<br>        Groups tests: allfoldertests allacltests

<br>        Special tests: deleteextracolumns

<br> isinteg -patch (repair information store after an offline restore)

<br> isinteg -pri|-pub -dump [-l logfilename] (verbose dump of store data)

The test required is the message test; therefore, you need to type the following at the command line:

isinteg -fix [-pri|-pub] -detailed -verbose -l c:isinteg.rpt -test message

Depending on the size of your information store and the speed of your server, Isinteg may take from several minutes to several hours to run. I have seen the process take up to 30 minutes per gigabyte of data, but that should be noted as an observation and not an average.

Reports

The Isscan utility will create a report called Isscan.pri (when you scan priv.edb) or Isscan.pub (when you scan pub.edb). The report, when run with the

-test badmessage

parameter, will include the sender and recipient of a message that is deleted. When run with the

-test badattach

parameter, it will include the file name of the attachment that is deleted. When run with the

-test badattach2

parameter, the report includes the file name of the attachment that is deleted and the sender and recipient of the associated message.

Example

Let’s look at an example of how to use the Isscan utility. We’ll create a file that will remove references to attachments in the private information store that contain the ILOVEYOU virus. Follow these steps:

1. Use Notepad to make a file called Critfile.txt that contains the following lines:
   

   <p>ATTACH LOVE-L~1.VBS 10000 50000 <br>ATTACH LOVE-LETTER-FOR-YOU.txt.vbs 10000 50000

2. Use Notepad to make a batch file named with a .bat extension (fixmail.bat). Enter the following on the first line in the file:

   isscan -fix -pri -c critfile.txt -test badattach

3. Copy the files Isscan.exe, Critfile.txt, and fixmail.bat to the ExchsrvrBin folder.
4. Stop the Exchange Server Information Store Service.
5. At a command prompt, change to the ExchsrvrBin folder and run the batch file you created (
   

   C:exchsrvrbin>fixmail

   ).

When the batch files has finished, run the following from the command prompt:

isinteg -fix -pri -test message

Doing so will check the private information store. To check the public information store, replace

-pri

with

-pub

.

Conclusion

The Isscan utility is a reactive way to remove malicious attachments from your information store. Although it is effective, you may be able to avoid its use by having a good virus protection plan in place. //

Troy Thompson, MCSE+Internet, is a freelance consultant in the Louisville, Kentucky area.