An interesting issue with file level antivirus…

In order for Exchange to function correctly, administrators are generally advised to make two important configuration changes to their file-level antivirus scanners:

  • Exclude the directories that contain Exchange binaries and Exchange data (databases and transaction logs).
  • Add process exclusions for the Exchange processes (for example, store.exe).

When antivirus exclusions are not set properly, servers may experience performance problems or database availability issues.

Today I worked an interesting issue with a customer.  A common symptom of incorrect antivirus settings is that the ENNtmp.log file in the Exchange database log directory is deleted or quarantined during the rename procedure.  Remember that while a database is mounted, current transactions are written to the ENN.log file.  When ENN.log is full, the lock on it is released and the file is renamed to its full generation name (for example ENN00001af.log).  While ENN.log is being written to, the next log file in the series is being pre-built as ENNtmp.log.  So when ENN.log fills and is renamed, a second rename takes place at the same time: ENNtmp.log becomes the new ENN.log.  As the locks on these files are released to allow the renames, a mis-configured file-level antivirus scanner can insert itself into that window and operate on the files.  In this case the file was deleted as a virus and the database was forcefully dismounted.

In our case, events were clearly logged by the antivirus scanner indicating that an action had been performed on the log file in question.  That naturally led us to review the file-level antivirus exclusions.

The server was laid out with all log directories on L:\ and all databases on M:\.  When the file system exclusions were reviewed, exclusions for L:\ and M:\ clearly existed and were set to include sub-directories.

Upon further investigation, it was determined that the log file directories were actually mount points.  For example, L:\SG1, where SG1 is a separate volume mounted at that path rather than a folder on L:\.

From there it was determined that the antivirus scanner was evaluating its exclusions at the volume / disk level.  Therefore the L:\ exclusion did not apply, since L:\SG1 was a separately mounted physical disk and not a folder on the L:\ file system.

Given the above example:

The folder L:\Folder would be excluded, since it is a folder on the L:\ file system.

The mount point L:\MountPoint would not be excluded, since L:\ is one physical disk and MountPoint is a different physical disk, and no exclusion existed specifically for that mounted disk.

A folder L:\Folder\Mountpoint exists.  In this case L:\Folder would be excluded, but L:\Folder\Mountpoint would not be, since Mountpoint is a mounted physical disk of its own.
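The practical check that follows from the example above is to compare the database and log paths against the volumes actually mounted on the server, rather than trusting the drive-letter exclusion list.  The following PowerShell is an added example and is not code from the original post or from any antivirus vendor.  It uses the Win32_Volume WMI class (present on supported Windows Server releases); the $paths list is constructed to match the layout described in the post and is not taken from a real server.

```powershell
# Added example, not code from the original post. For each Exchange database or
# log path, report whether it lives on a drive-letter volume (covered by an
# "L:\"-style exclusion) or on a volume mounted as a folder, which is a separate
# disk and needs its own exclusion. Assumes the Win32_Volume WMI class; the
# $paths list is a constructed sample mirroring the layout described in the post.

function Get-VolumeForPath {
    param(
        [Parameter(Mandatory = $true)][string]$Path,
        [Parameter(Mandatory = $true)]$Volumes
    )
    # Normalise to a trailing backslash so 'L:\SG1' matches the volume name 'L:\SG1\'.
    $normalized = $Path.TrimEnd('\') + '\'
    # The owning volume is the one whose mount path is the LONGEST prefix of the
    # path: 'L:\SG1\Logs\' is under both 'L:\' and 'L:\SG1\', and 'L:\SG1\' wins.
    $Volumes |
        Where-Object { $_.Name -and $normalized.StartsWith($_.Name, [System.StringComparison]::OrdinalIgnoreCase) } |
        Sort-Object -Property @{ Expression = { $_.Name.Length } } -Descending |
        Select-Object -First 1
}

function Get-ExclusionReport {
    param(
        [Parameter(Mandatory = $true)][string[]]$Paths,
        # Win32_Volume lists every volume with its mount path (Name), its drive
        # letter (empty for a folder-mounted volume) and its \\?\Volume{GUID}\ DeviceID.
        $Volumes = (Get-WmiObject -Class Win32_Volume | Where-Object { $_.Name })
    )
    foreach ($p in $Paths) {
        $v = Get-VolumeForPath -Path $p -Volumes $Volumes
        if ($null -eq $v) {
            New-Object PSObject -Property @{ Path = $p; Volume = $null; DeviceID = $null; NeedsOwnExclusion = $null; Note = 'no volume found' }
            continue
        }
        # A volume with its own drive letter is covered by an exclusion on that letter.
        # A volume mounted only as a folder (no drive letter) is a separate disk, and a
        # scanner that applies exclusions per volume will not extend the parent's
        # exclusion to it.
        $isMountPoint = [string]::IsNullOrEmpty($v.DriveLetter)
        if ($isMountPoint) {
            $note = "mount point: add an exclusion for $($v.Name) (or $($v.DeviceID))"
        } else {
            $note = "covered by the $($v.DriveLetter)\ exclusion"
        }
        New-Object PSObject -Property @{
            Path              = $p
            Volume            = $v.Name
            DeviceID          = $v.DeviceID
            NeedsOwnExclusion = $isMountPoint
            Note              = $note
        }
    }
}

# Constructed sample paths matching the post. On a real Exchange server, take the
# paths from Exchange itself instead, e.g.
#   $paths = Get-MailboxDatabase | ForEach-Object { $_.EdbFilePath.PathName; $_.LogFolderPath.PathName }
$paths = @('L:\SG1', 'M:\SG1', 'L:\Folder', 'L:\Folder\MountPoint')

Get-ExclusionReport -Paths $paths | Format-Table Path, Volume, NeedsOwnExclusion, Note -AutoSize
```

Running `mountvol` with no arguments gives the same volume-GUID-to-mount-path listing by hand and is a quick cross-check.  Whether the extra exclusion has to be entered as the mount path (L:\SG1\) or as the \\?\Volume{GUID}\ device path is vendor specific, which is exactly why the vendor needs to be consulted.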

The moral of the story: please confirm with your antivirus vendor the appropriate method for applying exclusions when files exist on both lettered physical disks and on physical disks mounted as mount points, and verify the resulting exclusions against the server's actual volume layout rather than its folder layout.

=========================

Update – 2/16/2015

A customer shared this with me today as a vendor example.

https://kc.mcafee.com/corporate/index?page=content&id=KB70886
=========================