THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY. ©1999 Microsoft Corporation Additional Notes About Microsoft Exchange Server This document contains information not available in the Microsoft Exchange Server documentation, as well as information on changes that occurred after publication. If you enlarge the Write window to its maximum size, this document will be easier to read. To do so, click the Maximize button in the upper-right corner of the window. To move through the document, press PAGE UP or PAGE DOWN, or click the scroll bar along the right side of the Write window. To print the document, choose Print from the File menu. For Help on using Write, press F1. Installing Microsoft Exchange Server Information Store utility ISSCAN.EXE. STEPS TO INSTALL ============== Download the compressed setup file appropriate for the server for your hardware platform. Select the appropriate files as indicated by the following list: Alpha AXP(TM) ISSCANA.EXE Intel(R) ISSCANI.EXE 1. Download appropriate file to a temporary location on the servers local hard drive. Example: English version for the Intel platform will be located at : ftp://ftp.microsoft.com/bussys/exchange/exchange-public/fixes/ENG/Exchg5.5 /ISSCAN/ISSCANI.EXE 2. Unzip the file by typing the file name of the self-extracting archive at the command prompt. Example: The version for the Intel platform will be ISSCANI. 3. The Zip2EXE file contains two files, the program ISSCAN.EXE and the symbol file ISSCAN.DBG. 4. To run copy the file ISSCAN.EXE to the harddrive containing the Exchange Server. If you have the Exchange symbols installed, replace the old DBG files with the newer version in the \symbols\exe directory. Note: Use the Q224493 number to query the Microsoft Knowledge Base for an article about that bug. Article ID: Q224493 QFE: Using ISSCAN to remove messages or attachments affected by a Virus Additional Information: The following explains how to run ISSCAN for Exchange Server 5.0 or 5.5: Exchange Server 5.5 ------------------- - Stop the Microsoft Exchange Server Information Store service. - From a command line run ISSCAN -fix {-pri | -pub} -test badmessage, badattach -c Exchange Server 5.0 ------------------- - Stop the Microsoft Exchange Server Information Store service. - From a command line run ISSCAN -fix {-pri | -pub} -test badmessage -c The -fix parameter instructs ISSCAN to remove the messages or attachments found. Without the -fix parameter, ISSCAN will record all the messages and attachments it finds in a log file. The -pri | -pub parameter instructs ISSCAN to scan either the private or public information store (priv.edb or pub.edb). The -test badmessage parameter deletes messages from the message table determined to be bad. The -test badattach parameter deletes attachments from the attachment table determined to be bad. The -c parameter allows you to create a criteria file that ISSCAN will use as it searches the message and attachment databases. If this is not specified, it will default to the following (for the Melissa virus): badmessage will delete single attachments on messages with a subject starting with "Important Message From" and a creation time after 3/1/99 badattach will delete attachments with a filename of list.doc and a size between 40000 and 60000 bytes If is specified, it will read that file for the scan criteria. There can be two types of entries in the file: attachment criteria or message criteria. The attachment criteria has the following format (note the tab separators indicated by "\t"): ATTACH \t\t A message entry looks like this: MSG \t You can have multiple entries for each criteria. The attachment file names must be in 8.3 format. So, if you have a long file name, use the 8.3 format for it (for instance, use "ZIPPED~1.EXE" for "ZIPPEDFILE.EXE". Also, you can specify up to 256 criteria in the criteria file. An example file could look like: ATTACH list.doc 40000 60000 ATTACH list1.doc 40000 60000 ATTACH new.doc 20000 40000 MSG Important Message From 1999/03/01 MSG New version of virus 1999/03/28 As a safeguard, the filename and subject values cannot be LESS than 5 characters long. ISSCAN will create a report called either isscan.pri or isscan.pub, depending on whether you are scanning a private store or public store. This report will include the attachment's filename that is deleted, and the sender of a message that is deleted. You can then use this information to determine which user's computers should be scanned for viruses. Important Notes --------------- - It should be understood that this is only a method to clean an already affected Exchange Server database. This will not in any way prevent the virus from being introduced into the email system. - To prevent the virus from being introduced a well planned anti-virus strategy should be enacted at all Internet firewalls and at every desktop workstation.