Suppose the worst has happened: your network has been hit by an e-mail virus. One of the first things you’ll do is remove the Exchange Server from the network, to prevent any more messages carrying the virus from getting into the system. Then, you have to wait hours–or even days–for the antivirus software companies to post a solution that you can download and implement. In the interim, you’re stuck with a server full of infected messages–but, thanks to Microsoft’s Isscan.exe utility, you don’t have to be. Isscan.exe is not antivirus software, and it won’t prevent your Exchange Server from becoming infected. However, it will help you clean your Exchange Server databases and remove any attachments that you think are infected with a virus while you wait for the updated signature files from your antivirus vendor. In this article, I’ll introduce you to Isscan.
How the Isscan utility works
Isscan.exe allows administrators to scan the Exchange Server 5.x private or public information store and remove message attachments based on the attachment name or the message subject. It is available for both Intel and Alpha platforms. One version covers Exchange Server versions up to and including Exchange Server 5.0 Service Pack 3 and Exchange Server 5.5 Service Pack 3, and another version covers Exchange Server 5.5 post-Service Pack 3.
You can download a ZIP archive containing instructions, Isscan.exe, and batch files for removing the ILOVEYOU virus and repairing both the private and public information stores from Microsoft at http://support.microsoft.com/support/exchange/love_letter.htm. The contents of the ILOVEYOUHLPI.ZIP file are as follows:
- ILOVEYOUReadmeFirst.txt
- ATTACHMENTS.TXT – ExMerge
- EXMERGE.doc – ExMerge
- ExMerge.exe – ExMerge
- EXMERGE.INI – ExMerge
- mfc42.dll – ExMerge
- SUBJECTS.TXT – ExMerge
- gwclean.exe – imc
- MSVCRTD.DLL – imc
- ProfInst.exe – imc
- resetimc.cmd – imc
- Isintegfixpri.bat – ISSCAN-postsp3
- Isintegfixpub.bat – ISSCAN-postsp3
- Isscanfixpri.bat – ISSCAN-postsp3
- Isscanfixpub.bat – ISSCAN-postsp3
- Lovecrit.txt – ISSCAN-postsp3
- ISSCAN.EXE – ISSCAN-postsp3
- Isintegfixpri.bat – ISSCAN-presp3
- Isintegfixpub.bat – ISSCAN-presp3
- Isscan.exe – ISSCAN-presp3
- Isscanfixpri.bat – ISSCAN-presp3
- Isscanfixpub.bat – ISSCAN-presp3
- Lovecrit.txt – ISSCAN-presp3
- FindBin.exe – mta
- Mtaclean.bat – mta
- Ascii2Hex.exe – mta
Advantages and disadvantages
Using Isscan offers several advantages. For one thing, it’s a free tool. As I’ve mentioned, you can use it to clean your database while you wait for a fix from your antivirus vendor. And you can search your Exchange database based on message subject or on attachment name.
Of course, Isscan also has some disadvantages. It only cleans an Exchange Server database that’s already been affected by a virus, and it does not prevent the virus from being introduced into the e-mail system. You must shut down the Exchange services in order to use the utility. The program removes each attachment without updating the link in the message, which causes unnecessary errors on the client trying to open these messages. And Isscan does not remove the message itself–just the attachment.
Using Isscan
To use this tool, you must shut down the services and be familiar with the switches associated with the utility. The syntax for the command line is as follows:
Isscan {-pri|-pub} [-fix] -test {badmessage|badattach|badattach2} [-c <critfile>]
The syntax uses these parameters:
- The -fix parameter is used to remove messages or attachments. Without the -fix parameter, the Isscan utility only records all the messages and attachments it finds in a log file.
- The -pri parameter causes the Isscan utility to scan the private information store (priv.edb), and the -pub parameter scans the public information store (pub.edb).
- The -test badmessage parameter deletes attachments from the attachment table that meet the criteria you specify.
- The -test badattach and -test badattach2 parameters delete attachments that meet the criteria you specify. The -test badattach2 parameter checks attachments through the message folder table instead of the attachment table, which makes the search slower.
- The -c <critfile> parameter instructs the utility to use a criteria file as it searches the message and attachment databases. If the critfile parameter is specified, Isscan parses the case-sensitive entries in the file to determine the search criteria.
A criteria file contains two types of entries: attachment or message. An attachment entry has the following syntax:
ATTACH filename minsize maxsize
The fields are separated by single spaces: between ATTACH and filename, between filename and minsize, and between minsize and maxsize.
A message entry has the following syntax:
MSG start-of-subject yyyy/mm/dd
Again, the fields are separated by single spaces: between MSG and start-of-subject, and between start-of-subject and yyyy/mm/dd.
Be sure to use a non-DOS editor such as Notepad to create the criteria file to ensure proper formatting. You can have multiple entries for each criterion, and you can specify up to 256 criteria in the criteria file. A sample file looks like the following:
ATTACH FirstAttachment.doc 40000 60000
As a safeguard, the filename and subject values cannot be fewer than five characters long.
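Because Isscan deletes whatever the criteria file tells it to, it is worth checking the file for the rules above before the -fix run. The following Python is an added example (not part of the article or of Microsoft's Isscan utility): it parses a critfile, enforces the two entry syntaxes, the case-sensitive values, the 256-criteria limit and the five-character minimum, and applies an assumed matching model (exact case-sensitive filename, size within the inclusive range) to attachment records; that model and the sample MSG entry are assumptions, not documented Isscan behaviour.

```python
from dataclasses import dataclass
from datetime import date

MAX_CRITERIA = 256   # article: up to 256 criteria per criteria file
MIN_VALUE_LEN = 5    # article: filename and subject values need at least five characters

@dataclass
class Criterion:
    kind: str                     # "ATTACH" or "MSG"
    value: str                    # attachment filename or start of subject, case-sensitive
    minsize: int = 0              # ATTACH only, bytes
    maxsize: int = 0              # ATTACH only, bytes
    day: "date | None" = None     # MSG only, parsed from yyyy/mm/dd

def parse_critfile(text: str) -> list:
    """Parse critfile text; raise ValueError on anything outside the documented format."""
    crits = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        fields = line.split(" ")  # single spaces separate the fields
        if fields[0] == "ATTACH" and len(fields) == 4:
            lo, hi = int(fields[2]), int(fields[3])
            if lo > hi:
                raise ValueError(f"line {lineno}: minsize exceeds maxsize")
            crit = Criterion("ATTACH", fields[1], lo, hi)
        elif fields[0] == "MSG" and len(fields) == 3:
            y, m, d = (int(p) for p in fields[2].split("/"))  # yyyy/mm/dd
            crit = Criterion("MSG", fields[1], day=date(y, m, d))
        else:
            raise ValueError(f"line {lineno}: unrecognised entry {line!r}")
        if len(crit.value) < MIN_VALUE_LEN:
            raise ValueError(f"line {lineno}: value shorter than {MIN_VALUE_LEN} characters")
        crits.append(crit)
    if len(crits) > MAX_CRITERIA:
        raise ValueError(f"{len(crits)} criteria exceed the limit of {MAX_CRITERIA}")
    return crits

def attach_matches(crit: Criterion, filename: str, size: int) -> bool:
    # Assumed model: exact, case-sensitive name and size inside [minsize, maxsize].
    return (crit.kind == "ATTACH" and filename == crit.value
            and crit.minsize <= size <= crit.maxsize)

# Constructed sample: the two ATTACH lines from the article plus one assumed MSG entry.
SAMPLE_CRITFILE = """ATTACH LOVE-L~1.VBS 10000 50000
ATTACH LOVE-LETTER-FOR-YOU.txt.vbs 10000 50000
MSG ILOVEYOU 2000/05/04
"""
```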
Correcting inconsistencies
After you run Isscan, it will be necessary to run the Isinteg utility to correct inconsistencies in the information store. The test required is the message test; therefore, you need to type the following at the command line:
isinteg -fix [-pri|-pub] -detailed -verbose -l c:\isinteg.rpt -test message
Depending on the size of your information store and the speed of your server, Isinteg may take from several minutes to several hours to run. I have seen the process take up to 30 minutes per gigabyte of data, but that should be noted as an observation and not an average.
Reports
The Isscan utility will create a report called Isscan.pri (when you scan priv.edb) or Isscan.pub (when you scan pub.edb). The report, when run with the -test badmessage, -test badattach, or -test badattach2 parameter,
Example
Let’s look at an example of how to use the Isscan utility. We’ll create a file that will remove references to attachments in the private information store that contain the ILOVEYOU virus. Follow these steps:
- Use Notepad to make a file called Critfile.txt that contains the following lines:
ATTACH LOVE-L~1.VBS 10000 50000
ATTACH LOVE-LETTER-FOR-YOU.txt.vbs 10000 50000
- Use Notepad to make a batch file named with a .bat extension (fixmail.bat). Enter the following on the first line in the file:
isscan -fix -pri -c critfile.txt -test badattach
- Copy the files Isscan.exe, Critfile.txt, and fixmail.bat to the Exchsrvr\Bin folder.
- Stop the Exchange Server Information Store Service.
- At a command prompt, change to the Exchsrvr\Bin folder and run the batch file you created (C:\exchsrvr\bin>fixmail).
When the batch file has finished, run the following from the command prompt:
isinteg -fix -pri -test message
Doing so will check the private information store. To check the public information store, replace -pri with -pub.
Conclusion
The Isscan utility is a reactive way to remove malicious attachments from your information store. Although it is effective, you may be able to avoid its use by having a good virus protection plan in place.
Troy Thompson, MCSE+Internet, is a freelance consultant in the Louisville, Kentucky area.