Recommendations for troubleshooting an Exchange Server computer with antivirus software installed

This article describes recommendations for troubleshooting issues on Microsoft Exchange Server computers that antivirus software is installed on.

File-Based Antivirus Software

You can install file-based scanning antivirus software on an Exchange computer. However, never run scanning against the program and database files of an Exchange computer.

In addition, never run scanning against the Installable File System (IFS) drive (drive M) of an Exchange 2000 server. If you do so, you might receive false reports of a virus and you might damage Exchange 2000 databases when you attempt to disinfect the file.

In Exchange 2000, drive M is a convenient label for the Exchange IFS. The Exchange IFS enables you to view and use the Exchange information store as a file system.

NOTE: Drive M can use a letter other than M. This drive is generally referred to as drive M; however, if the letter M is already being used, this drive uses another drive letter. For additional information about issues that are caused by antivirus scanning of drive M, click the following article number to view the article in the Microsoft Knowledge Base: In some situations, you may experience additional issues with the Exchange IFS. For additional information, click the following article number to view the article in the Microsoft Knowledge Base: If you need to run a file-based virus scanner on an Exchange computer, remove the Exchange-specific files and folders from the scheduled scans and real-time scanning. File-based scanning of Exchange 2000 executable files is supported.

IMPORTANT: Never run file-based scanning software against Exchange databases, logs, temporary files, the IIS system files, or the IFS drive (drive M). Configure antivirus software to avoid scanning the folders that contain these files.

You can run file-based antivirus software against the operating system of the Exchange computer and against Exchange program files (the Exchsrvr\Bin folder), but never run file-based antivirus software against files in the following folders:

• Exchange databases and log files.
• Exchange .mta files (default location: \Exchsrvr\Mtadata).
• Exchange message tracking log files (default location: \Exchsrvr\Server_Name.log).
• Virtual server folders (default location: \Exchsrvr\Mailroot).
• Site Replication Service (SRS) files (default location: \Exchsrvr\Srsdata).
• Internet Information Service (IIS) system files (default location: \%SystemRoot%\System32\Inetsrv).
• Internet Mail Connector files (default location: \Exchsrvr\IMCData).
• The working folder that is used to store streaming temporary files that are used for message conversion. By default, this working folder is located at \Exchsrvr\MDBData.
• A temporary folder that is used in conjunction with offline maintenance utilities such as Eseutil.exe. By default, this folder is the location that you run the .exe files from, but you can configure this when you run the utility.

You can run file-based scanning against the following folders:

• Exchsrvr\Address
• Exchsrvr\Bin
• Exchsrvr\Exchweb
• Exchsrvr\Res
• Exchsrvr\Schema

Temporarily disable file-based scanning software during operating system and Exchange upgrades; this includes upgrading to new versions of Exchange or the operating system, and applying any Exchange or operating system fixes or service packs.

When you upgrade an Exchange or operating system product, or apply a service pack or fix, it is standard procedure to stop and disable all of the third-party services, hardware vendor and operating system monitors, and any agents or Exchange monitors before you perform the update or upgrade. Also stop and disable any performance monitors, any Microsoft or third-party backup programs, and Microsoft Simple Network Management Protocol (SNMP). Then restart the Exchange computer before you apply the upgrade or fix. This procedure prevents files that the update process needs to access from being locked.

IMPORTANT: This procedure also includes stopping and disabling any antivirus programs (including file-based scanning antivirus software) before you upgrade any version of Exchange or the operating system and before you apply any Exchange or operating system service pack or fix.

Exchange Information Store Scanning Software

Microsoft provides application programming interfaces (APIs) that give other manufacturers the ability to write antivirus programs that scan the information store. If this type of software is running on your Exchange computer and you are experiencing issues, research the issues and follow normal troubleshooting procedures. If these procedures do not resolve the issue, temporarily disable or remove the antivirus software to determine whether it is contributing to the issue. If the antivirus software is not contributing to the issue, you can re-enable the antivirus software.

If the issue stops occurring after you disable or remove the antivirus software, contact the manufacturer of the antivirus software for the most recent update. If the most recent update of the software does not resolve the issue, continue working with the antivirus software manufacturer and Microsoft to pursue a resolution to the issue.

For additional information, click the following article number to view the article in the Microsoft Knowledge Base: The third-party products that are discussed in this article are manufactured by companies that are independent of Microsoft. Microsoft makes no warranty, implied or otherwise, regarding the performance or reliability of these products.

Exclude the folder that contains the checkpoint (.chk) files from file-based scanners.

NOTE: Even if you move the Exchange databases and log files to new locations, and you exclude those folders, the .chk file may still be scanned. For more information about what may occur if the .chk file is scanned, click the following article number to view the article in the Microsoft Knowledge Base: