11-30-2010 04:01 AM
Hi,
For a customer of mine I am reviewing their current Anti-Virus strategy. They are using Sophos as their on-access and file-level virus scanner.
This customer is using SEV for e-mail archiving. The server running SEV has the Sophos client installed on it.
I would like some help on answering the following questions:
1) What is the best way to periodically scan the contents of the e-mail archive? Are there special 'SEV' plugins or should this be done from the mail server (Exchange 2007)?
2) Do they need to exclude specific file types, folders and/or processes from the on-access and file-level virus scanner?
Any suggestions and recommendations would be great!
Regards,
Ashley.
11-30-2010 04:07 AM
There's a Tech note with the best practice exclusions:
http://www.symantec.com/docs/TECH48856
11-30-2010 04:22 AM
Hi Marvin,
Thank you for your reply! This perfectly answers my second question.
Regards,
Ashley.
11-30-2010 04:45 AM
It answers both :) Because you should not be scanning the Vault Stores, which is question one. Stuff that is getting archived needs to get through Exchange, so have AV there.
11-30-2010 05:06 AM
Hi Marvin,
I don't fully agree with you on that.
Yes, e-mail should be scanned when going through Exchange. But I also recommend performing a periodic scan of the entire database just in case one slips by the first time (possibly because it is not recognized yet).
Depending on how long it takes for SEV to archive the message (instant, days, weeks), a message could be scanned in Exchange more than once, reducing the chance a virus gets into the SEV database.
Maybe I should rephrase my first question:
1) Is it possible to scan the contents of a SEV database for viruses? If so, what products can do this?
Regards,
Ashley.
11-30-2010 05:32 AM
If you plan to scan your archived data, you will get corruption.
Most likely due to false alerts, but still.
Look at it this way.
A message containing a virus that is not yet detected by an av-application is put in the archive. The only way this virus might do some harm, is if the archived message is being recalled by the user. There is no way the archived message is being activated from the EV-stores/partitions.
Suppose this virus sits here, and virus definitions are updated, enabling detection for this virus.
As soon as the message is being recalled in Outlook, it will be caught by the user's AV on the desktop and/or the AV on Exchange, and cleaned or quarantined. The virus will remain in the archive (provided you do not allow deletions), but cannot do any harm.
Please do NOT scan EV locations. We have set up EV to have indexes/stores/MSMQ/cache and shopping under a folder called \enterprise vault\ and have excluded that folder from scanning.
11-30-2010 05:44 AM
Hi Flensje,
As far as I know there is no EV-aware antivirus available in the market.
At the same time, I do agree that there are chances to get a virus archived. In my company we had to migrate a lot of mails from GroupWise to Exchange, and while migrating we were not scanning the mails, so we now have a lot of viruses in Exchange in one location/server.
Ameen.
11-30-2010 06:01 AM
Well, the fact is you have multiple endpoints that are being scanned, so it shouldn't necessarily matter if EV (unintentionally) archives a virus.
So on the incoming mail you should have a gateway that scans for viruses, on the Exchange server itself you have a program that scans for viruses, and on the client itself you have a program that scans for viruses, so if you try to restore an email item that has a virus in it, either SEV or Sophos should catch it at the Exchange or Outlook level.
For file system archiving you would have similar layers of protection too.
12-01-2010 07:08 AM
Thank you guys for your thoughts and answers.
I understand there is no way to scan 'inside' the EV archive, so it has to be done while still in the Exchange database and/or when in transit. I agree this is not a problem, I was just looking for a way to remove a virus from the EV archive if it slipped through.
I also understand it's a bad idea to have a file-level scanner remove EV files, and that therefore some exclusions are required.
Ashley.