I think that some people are jumping to some wrong conclusions here.

First off, the AVAPI 1.0 article talks about MAPI scanning occasionally
missing viruses under load.
Then the Exchange 2000 article points out that the VSAPI 2.0 is the next
evolutionary step that addresses some of the shortcomings of its predecessor.
The primary "shortcoming" that version 2 addressed for most people was the
addition of Sender / Recipient information and the ability of the API to scan
message bodies.

I do not think the articles imply that AVAPI 1.0 scanning will miss viruses
under certain conditions.
At McAfee, we are not "strongly urging customers to upgrade to Microsoft
Exchange 2000."  That is a decision for our customers to make based on their
own operational needs and requirements. 


Robert Grupe, PE
GroupShield: Electronic Messaging & Groupware Content Security
McAfeeB2B - Product Management
*: [EMAIL PROTECTED]
*: +44.7747.762.655; 6+604+7093 (internal)
i: http://www.mcafeeb2b.com/products/email-protection.asp
http://www.securityfocus.com/infocus/1271

> -----Original Message-----
> From: Alverson, Thomas M. [mailto:[EMAIL PROTECTED]]
> Sent: Monday, December 10, 2001 8:59 AM
> To: Exchange Discussions
> Subject: MS says antivirus not effective on Exchange 5.5: must buy E2000
>
>
> MS is now saying that even the AVAPI mode of exchange 5.5 can
> let viruses slip through under load.  The only solution is to
> upgrade to Exchange 2000. From NTBUGTRAQ:
>
>
> ==============================================================
> Message from NTBUGTRAQ mailing list shown below:
> ==============================================================
> No real news for some, but the recent waves of mass mailers
> have once again demonstrated how Exchange Server 5.5 plus an
> Anti-Virus product may not do an effective job at handling
> mass mailers. But don't blame your Anti-Virus vendor, the
> problem comes when the Exchange Server 5.5 is put under load.
> How much load? Nobody seems to be able to say for sure.
> However, when under sufficient load Exchange Server 5.5 will
> simply not notify the AV product there's a message to scan,
> and instead pass it through to the recipient.
>
> Prior to Exchange Server 5.5 SP3, AV Vendors used MAPI-based
> scanning. However, Microsoft's KB article Q263949 says;
>
> http://support.microsoft.com/default.aspx?scid=kb;en-us;Q263949
>
> "If you select MAPI-based scanning, be aware that the
> vendor's software may not scan all attachments because first
> and exclusive access is not guaranteed."
>
> SP3 introduced the Virus Scanning API 1.0, and many vendors
> provided support for it because it was more reliable. But
> Microsoft have acknowledged that even VSAPI 1.0 can't always
> handle the load of an internal infection, and rather than
> losing messages, sends them through without notifying the
> AV product.
>
> Exchange Server 2000 SP1, with its VSAPI 2.0, says;
>
> http://support.microsoft.com/default.aspx?scid=kb;EN-US;Q285667
>
> "The enhancements to the virus scanning API that are included
> in Exchange 2000 Server SP1 represent the next step in the
> evolution of the commitment that Microsoft has made to
> protecting customer investment. These new features, known as
> virus scanning API 2.0, fulfill many of the shortcomings of
> virus scanning API 1.0."
>
> You gotta love it, "the next step in the evolution of the
> commitment"...;-] So the commitment is evolving to,
> presumably eventually, actually let customers protect
> themselves...but we're not there yet.
>
> AV Vendors are strongly urging their customers to switch to
> Exchange Server 2000.
>
> Microsoft say they have no plans to make VSAPI 2.0 available
> for Exchange Server 5.5, so to get secure, upgrade.
>
> The number of times customers have actually been bitten by
> this problem is unknown, suffice it to say it doesn't happen
> often. Reports I've received indicate that the load required
> to make Exchange Server 5.5 start missing infected messages
> (or messages with attachments that have been indicated should
> be stripped) comes about as a result of one, or more,
> mass-mailers active in your internal network.
>
> For example, someone uses a web-based mail service and opens
> an email/attachment that invokes a mass-mailer. Once the
> mass-mailer starts bombing the Exchange Server 5.5, depending
> on the hardware, it can then get to a point where the load is
> great enough to cause it to miss inbound messages.
>
> Using the Outlook Email Security Update or Outlook 2002, both
> of which prevent mass-mailers from programmatically accessing
> the Exchange Addresses, can help to prevent infections that
> occur outside of the normal AV path. Using client-side AV
> products can also help.
>
> Consider also putting a second network adapter on your
> Exchange Server(s). If internal clients connect to one
> adapter, and the infrastructure to the other, you can more
> easily disconnect your clients from the Exchange Server
> should you detect it's under load. Minimizing what your
> Exchange Server is doing also helps, size it appropriately
> and don't use it for anything else. Consider also putting
> your AV product on its own box.
>
> Cheers,
> Russ - Surgeon General of TruSecure Corporation/NTBugtraq Editor
>
> _________________________________________________________________
> List posting FAQ:       http://www.swinc.com/resource/exch_faq.htm
> Archives:               http://www.swynk.com/sitesearch/search.asp
> To unsubscribe:         mailto:[EMAIL PROTECTED]
> Exchange List admin:    [EMAIL PROTECTED]