THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT 
WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, 
INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN 
NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES 
WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS 
PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN 
ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR
LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING 
LIMITATION MAY NOT APPLY. 

©1999 Microsoft Corporation


Additional Notes About Microsoft Exchange Server

This document contains information not available in the Microsoft Exchange
Server documentation, as well as information on changes that occurred after
publication.  If you enlarge the Write window to its maximum size, this document
will be easier to read. To do so, click the Maximize button in the
upper-right corner of the window.  To move through the document, press PAGE UP
or PAGE DOWN, or click the scroll bar along the right side of the Write window.
To print the document, choose Print from the File menu. For Help on using Write,
press F1.

Installing Microsoft Exchange Server Information Store utility ISSCAN.EXE.

STEPS TO INSTALL
==============

Download the compressed setup file appropriate for the server for your hardware
platform. Select the appropriate files as indicated by the following list:
		
		Alpha AXP(TM)		ISSCANA.EXE
		Intel(R)		ISSCANI.EXE
		

1.  Download appropriate file to a temporary location on the servers local hard 
    drive.
    Example: English version for the Intel platform will be located at :

   ftp://ftp.microsoft.com/bussys/exchange/exchange-public/fixes/ENG/Exchg5.5
   /ISSCAN/ISSCANI.EXE

2.  Unzip the file by typing the file name of the self-extracting archive
    at the command prompt.
    Example: The version for the Intel platform will be ISSCANI.
3.  The Zip2EXE file contains two files, the program ISSCAN.EXE and the symbol     
    file ISSCAN.DBG. 
4.  To run copy the file ISSCAN.EXE to the harddrive containing the Exchange Server.

If you have the Exchange symbols installed, replace the old DBG files
with the newer version in the <systemroot>\symbols\exe directory.

Note: Use the Q224493 number to query the Microsoft Knowledge Base for an 
article about that bug.

Article ID: 

Q224493 QFE: Using ISSCAN to remove messages or attachments affected by a Virus

Additional Information:

The following explains how to run ISSCAN for Exchange Server 5.0 or 5.5:

Exchange Server 5.5
-------------------

 - Stop the Microsoft Exchange Server Information Store service.

 - From a command line run ISSCAN -fix {-pri | -pub} -test badmessage, badattach
   -c <critfile>

Exchange Server 5.0
-------------------

 - Stop the Microsoft Exchange Server Information Store service.

 - From a command line run ISSCAN -fix {-pri | -pub} -test badmessage -c
   <critfile>

The -fix parameter instructs ISSCAN to remove the messages or attachments found.
Without the -fix parameter, ISSCAN will record all the messages and attachments
it finds in a log file.

The -pri | -pub parameter instructs ISSCAN to scan either the private or public
information store (priv.edb or pub.edb).

The -test badmessage parameter deletes messages from the message table determined
to be bad.

The -test badattach parameter deletes attachments from the attachment table
determined to be bad.

The -c <critfile> parameter allows you to create a criteria file that
ISSCAN will use as it searches the message and attachment databases. If this is
not specified, it will default to the following (for the Melissa virus):

badmessage will delete single attachments on messages with a subject starting
with "Important Message From" and a creation time
after 3/1/99

badattach will delete attachments with a filename of list.doc and a size between
40000 and 60000 bytes

If <critfile> is specified, it will read that file for the scan criteria.
There can be two types of entries in the file: attachment criteria or message
criteria. The attachment criteria has the following format (note the tab
separators indicated by "\t"):
 
ATTACH <filename>\t<minsize>\t<maxsize>

A message entry looks like this:
 
MSG <start-of-subject>\t<yyyy/mm/dd>

You can have multiple entries for each criteria. The attachment file names must be in 8.3 format.  So, if you have a long file name, use the 8.3 format for it (for instance, use "ZIPPED~1.EXE" for "ZIPPEDFILE.EXE".  Also, you can specify up to 256 criteria in the criteria file. An example file would look like:

ATTACH list.doc 40000 60000 
ATTACH list1.doc 40000 60000 
ATTACH new.doc 20000 40000 
MSG Important Message From 1999/03/01 
MSG New version of virus 1999/03/28


As a safeguard, the filename and subject values cannot be LESS than 5 characters
long.

ISSCAN will create a report called either isscan.pri or isscan.pub, depending on
whether you are scanning a private store or public store. This report will
include the attachment's filename that is deleted, and the sender of a message
that is deleted. You can then use this information to determine which user's
computers should be scanned for viruses.

Important Notes
---------------

 - It should be understood that this is only a method to clean an already
   affected Exchange Server database. This will not in any way prevent the virus
   from being introduced into the email system.

 - To prevent the virus from being introduced a well planned anti-virus strategy
   should be enacted at all Internet firewalls and at every desktop workstation.