Exchange and Antiviruses

In support we have seen many times that antivirus products cause all kinds of issues.

I thought we should discuss one I recently came across and see how we resolved it.

Let's take Exchange 2003 and the Sophos antivirus as an example. The same can happen with Exchange 2010 or 2013.

We have a user who doesn't receive emails from a specific sender, but only when other people are in the TO: field as well.

If the email is sent only to our affected user, it works flawlessly.

Tracing showed in this case that the message goes through multiple relays and is eventually split in three.

This is taken from an SMTP log in Exchange 2003.

More info on Tracing Transport issues here: https://support.microsoft.com/kb/821910

Incoming email on 192.168.1.1:

+FROM:<Software@Patrisel.lol>
+TO:<User1@Patrisel.lol>
+TO:<User2@Patrisel.lol>
+TO:<User3@Patrisel.lol>
+TO:<AffectedUser@Patrisel.lol>
+TO:<User4@Patrisel.lol>
+TO:<User5@Patrisel.lol>
+TO:<User6@Patrisel.lol>

1st relay to 192.168.1.2:
+TO:<User1@Patrisel.lol>

2nd relay to 192.168.1.3:
+TO:<User2@Patrisel.lol>
+TO:<User3@Patrisel.lol>
+TO:<User4@Patrisel.lol>
+TO:<User5@Patrisel.lol>

3rd relay to 192.168.1.4:
+TO:<User6@Patrisel.lol>

No entry for:
+TO:<AffectedUser@Patrisel.lol>

Checking the message tracking we also saw that AffectedUser@Patrisel.lol is not in the TO: field of any of the next hops.

We concluded that the issue exists on that server.
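The comparison above (recipients accepted on the inbound message versus recipients carried by the relay hops) can be done mechanically on a log excerpt. The following is an added example, not part of the original post; the trace it parses is constructed in the same +FROM:/+TO: layout as the Exchange 2003 SMTP log shown above, using the post's example addresses.

```python
"""Find recipients that vanish between the inbound message and the outbound
relay hops. Added example, not from the original post; the log excerpt below
is constructed in the same +FROM:/+TO: layout as the Exchange 2003 SMTP log
shown in the post, with the post's example addresses."""
import re
from typing import Dict, List, Optional, Set

# Constructed sample: one inbound message, then the three relay hops.
SAMPLE_TRACE = """\
Incoming Email:
+FROM:<Software@Patrisel.lol>
+TO:<User1@Patrisel.lol>
+TO:<User2@Patrisel.lol>
+TO:<User3@Patrisel.lol>
+TO:<AffectedUser@Patrisel.lol>
+TO:<User4@Patrisel.lol>
+TO:<User5@Patrisel.lol>
+TO:<User6@Patrisel.lol>

1st relay to 192.168.1.2:
+TO:<User1@Patrisel.lol>

2nd relay to 192.168.1.3:
+TO:<User2@Patrisel.lol>
+TO:<User3@Patrisel.lol>
+TO:<User4@Patrisel.lol>
+TO:<User5@Patrisel.lol>

3rd relay to 192.168.1.4:
+TO:<User6@Patrisel.lol>
"""

# A recipient line looks like "+TO:<user@domain>".
RCPT_RE = re.compile(r"^\+TO:<([^>]+)>\s*$", re.IGNORECASE)


def parse_hops(trace: str) -> Dict[str, Set[str]]:
    """Map each section header ("Incoming Email", "1st relay to 192.168.1.2", ...)
    to the set of recipients listed under it. Addresses are lower-cased so
    that case differences between hops do not look like a dropped recipient."""
    hops: Dict[str, Set[str]] = {}
    current: Optional[str] = None
    for raw in trace.splitlines():
        line = raw.strip()
        if not line:
            continue
        # A section header is a non-recipient line ending in a colon.
        if line.endswith(":") and not line.startswith("+"):
            current = line[:-1]
            hops.setdefault(current, set())
            continue
        m = RCPT_RE.match(line)
        if m and current is not None:
            hops[current].add(m.group(1).lower())
    return hops


def route_of(trace: str, inbound_label: str = "Incoming Email") -> Dict[str, Optional[str]]:
    """For every inbound recipient, the relay hop that carried it, or None."""
    hops = parse_hops(trace)
    routes: Dict[str, Optional[str]] = {}
    for rcpt in sorted(hops.get(inbound_label, set())):
        routes[rcpt] = next((label for label, rcpts in hops.items()
                             if label != inbound_label and rcpt in rcpts), None)
    return routes


def dropped_recipients(trace: str, inbound_label: str = "Incoming Email") -> List[str]:
    """Recipients accepted on the inbound message that no outbound hop carries."""
    return sorted(r for r, hop in route_of(trace, inbound_label).items() if hop is None)


if __name__ == "__main__":
    for rcpt, hop in route_of(SAMPLE_TRACE).items():
        print(f"{rcpt:32} -> {hop or 'DROPPED (no outbound hop)'}")
```

Run against a real export, the script points straight at the recipients that need explaining; a recipient that is accepted on submission but never relayed is exactly the symptom a misbehaving transport sink produces, so the list is what to compare with the sink enumeration in the next step.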

So we wanted to check whether an antivirus was involved here, as the admin said it didn't scan emails.

For this we used smtpreg.vbs which you can find here:

https://msdn.microsoft.com/en-us/library/ms528023(v=exchg.10).aspx

The usage is cscript smtpreg.vbs /enum > C:\Temp\Output.txt, which also exports the output to a text file.


The interesting part of the output looked something like this:

| Binding |
  ---------

Event: SMTP Transport OnSubmission
ID: {92DE29D2-A8AA-4A82-B8AA-657CF32A67C8}
Name: Exchange Transport AntiVirus API
SinkClass: Exchange.TransportAVAPI
Enabled: True
SourceProperties: {priority = 28000}

With this we have proof that the antivirus API is registered under the OnSubmission event, so we can say it is a candidate.

The next step was asking whether the antivirus could be removed completely, but this was not an option, which is understandable for security reasons.

We went ahead and removed the API from the OnSubmission transport event to exclude this antivirus when Exchange sends the email.

The command was: cscript smtpreg.vbs /remove 1 OnTransportSubmission "Exchange Transport AntiVirus API"

After this we also checked with the /enum command above that it was removed successfully. Restarting the SMTP service and IIS is a must.
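Both the enumeration step (which enabled sinks hang off the OnSubmission event, and in which order) and the verification step (which bindings disappeared between the /enum taken before and after the /remove) can be read off the exported text file programmatically. The script below is an added example, not part of the original post and not code from smtpreg.vbs; the sample output is constructed in the layout shown above, and every binding except the AntiVirus API one is invented for illustration.

```python
"""Parse the output of 'cscript smtpreg.vbs /enum' and answer two questions:
which enabled sinks are bound to a given transport event, and which bindings
disappeared between an /enum taken before and after a /remove. Added example,
not part of the original post or of smtpreg.vbs; the sample output is
constructed in the post's layout and all bindings except the AntiVirus API
one are invented."""
import re
from typing import Dict, List, Set, Tuple

# The binding shown in the post (real layout, the post's values).
AV_BINDING = """\
| Binding |
  ---------

Event: SMTP Transport OnSubmission
ID: {92DE29D2-A8AA-4A82-B8AA-657CF32A67C8}
Name: Exchange Transport AntiVirus API
SinkClass: Exchange.TransportAVAPI
Enabled: True
SourceProperties: {priority = 28000}

"""

# Two constructed bindings so that filtering by event and by Enabled is exercised.
OTHER_BINDINGS = """\
| Binding |
  ---------

Event: SMTP Transport OnSubmission
ID: {00000000-0000-0000-0000-000000000001}
Name: Example Disabled Sink (constructed)
SinkClass: Example.DisabledSink
Enabled: False
SourceProperties: {priority = 10000}

| Binding |
  ---------

Event: SMTP Transport OnPreCategorize
ID: {00000000-0000-0000-0000-000000000002}
Name: Example PreCategorize Sink (constructed)
SinkClass: Example.PreCatSink
Enabled: True
SourceProperties: {priority = 24575}
"""

ENUM_BEFORE = AV_BINDING + OTHER_BINDINGS   # what /enum showed before the /remove
ENUM_AFTER = OTHER_BINDINGS                 # what it showed afterwards

BANNER_RE = re.compile(r"^\|\s*Binding\s*\|\s*$", re.MULTILINE)
PRIORITY_RE = re.compile(r"priority\s*=\s*(\d+)", re.IGNORECASE)


def parse_bindings(enum_output: str) -> List[Dict[str, str]]:
    """Split the output on the '| Binding |' banner and read each block's
    'Key: Value' lines into a dict; the dashed underline is skipped."""
    bindings: List[Dict[str, str]] = []
    for block in BANNER_RE.split(enum_output):
        fields: Dict[str, str] = {}
        for line in block.splitlines():
            line = line.strip()
            if not line or set(line) <= {"-"}:
                continue
            key, sep, value = line.partition(":")
            if sep:
                fields[key.strip()] = value.strip()
        if "Event" in fields and "Name" in fields:
            bindings.append(fields)
    return bindings


def priority_of(binding: Dict[str, str]) -> int:
    """Priority from 'SourceProperties: {priority = N}'; 0 if absent."""
    m = PRIORITY_RE.search(binding.get("SourceProperties", ""))
    return int(m.group(1)) if m else 0


def enabled_sinks_for_event(enum_output: str, event_substring: str) -> List[Tuple[str, str, int]]:
    """(Name, SinkClass, priority) for every enabled binding whose Event
    contains event_substring, lowest priority value first (that is the
    order in which the SMTP transport fires sinks on one event)."""
    hits = [b for b in parse_bindings(enum_output)
            if event_substring.lower() in b["Event"].lower()
            and b.get("Enabled", "").lower() == "true"]
    hits.sort(key=priority_of)
    return [(b["Name"], b.get("SinkClass", ""), priority_of(b)) for b in hits]


def removed_bindings(before: str, after: str) -> Set[Tuple[str, str]]:
    """(Event, Name) pairs present in the earlier /enum but gone from the later one."""
    def key(b: Dict[str, str]) -> Tuple[str, str]:
        return (b["Event"], b["Name"])
    return {key(b) for b in parse_bindings(before)} - {key(b) for b in parse_bindings(after)}


if __name__ == "__main__":
    print("Enabled on OnSubmission:", enabled_sinks_for_event(ENUM_BEFORE, "OnSubmission"))
    print("Gone after /remove:", removed_bindings(ENUM_BEFORE, ENUM_AFTER))
```

Keep both exports. The before/after diff is the evidence to hand to the vendor, and it also documents what the server is now missing: while the binding is gone, mail passing through OnSubmission is no longer seen by that antivirus sink, so the removal is a diagnostic step that should stay on the change record until the sink is registered again or the vendor supplies a fix.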

We tried to reproduce the issue, but it was gone, so we have our troublemaker. The next step would be to contact the antivirus manufacturer and present the analysis that Microsoft provided.

I hope this helps in identifying other issues as well.

If you have any questions, feel free to drop me an email at patrisel@microsoft.com.