In-Depth

Antiviral Scanners

This is Roberta; are you working?

• By Roberta Bragg
• 12/01/2001

Yeah, the answer should be a no-brainer. Can you imagine a scenario in which your shiny new antiviral scanner wouldn't find stuff to prove its mettle? Just install it and forget about it right? You'll know soon enough if it can handle an all-out attack. Whoa, do you purchase a car without a test drive? (I'll just bet you have a favorite hill or stretch of freeway you use. Fred, my son, likes to take his large screwdriver and place it between the engine and his ear - claims he can diagnose engine problems long before they are apparent by other means.)

Ok, then, how do you test-drive a viral scanner? You can't exactly go out to the Internet and holler, "Hey, send me some viruses today I need to test my scanner, but oh, please just send a few since I don't know if it's working." Or can you?

The answer has three parts:

First, you don't want to obtain real viral code to test your scanner. While I'm sure someone would be very happy to lend you some. (I have a contact in California who collects viral code. Interesting hobby, but trust me, you really don't want to make his acquaintance.) Instead, take a little trip and visit EICAR (The European Institute of Antivirus Research) at www.eicar.com. They had this thought some time ago and have developed test files that they make available so that you can confirm that your virus scanner is up and correctly configured. These files are not viruses and cannot harm your system, but to your virus checker they look like a virus. Use them as attachments - email them to recipients on a protected server and watch the fireworks. You can also see the type of information you antiviral scanner is producing from the new Antiviral API. Alternatively, you can create a test file yourself by following these instructions. Enter the following line (without line breaks) into its own file, as the first line in the file, then save the file with the name EICAR.COM

X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

You must use a plain text editor, such as Notepad, to do this.

Second, now that you can see the scanner detecting infected attachments, load up the new Performance Monitor Counters (and some basic stand-bys like % of CPU utilization). Granted, you're not going to see much activity here, but you should be able to determine what your baseline activity is and confirm that the product is working. Adding any processing activity to a mail server is bound to result in some strain on the system. What's it going to be like if you're under attack? Obtaining a baseline now can assist you in determining server sizing. Growth in the sheer number of messages your server and antiviral scanner have to handle is bound to slow down the process. Monitoring it will help you understand it and anticipate problems. Some of the new counters will tell you things like how many messages and files have been processed by the scanner, the rate at which its doing so, how many messages/files have been cleaned or quarantined and the current length of the processing queue. More information can be found in the knowledge-base article Q285696, "XADM: Virus Scanning API Performance Monitor Counters In Exchange 2000 Server SP1."

Third, configure, examine, understand, and monitor event log messages. Antivral API 2.0 has added to the range of messages logged when a viral scanner is active. Specifically, events can warn you that configuration is wrong and the viral scanner can't be started; or that problems are occurring during the scanning of messages. To obtain these message you need to adjust the logging level. This is done on the Diagnostics Logging tab under Services\MSExchange\System\Categories\Virus Scanning in Exchange Administrator. For more information see Q294336, "XADM: Event Logging in Exchange 2000 Server SP1 for Virus Scanning API 2.0."