Inside the Exchange Server Antivirus API
Exchange 2000 Server SP1 has an updated version of the antivirus API. Jerry Cochran explains what it means to Exchange administrators.
September 6, 2001
Many readers have asked me to elaborate on the new antivirus API (AVAPI 2.0) that Microsoft has included in Microsoft Exchange 2000 Server Service Pack 1 (SP1) and what AVAPI 2.0 means to Exchange administrators. I'll start with a brief review to bring everyone up to date.
Before we had AVAPI, antivirus vendors had to use Messaging API (MAPI) to log into mailboxes and perform antivirus scanning—a cumbersome and error-prone task. Microsoft released AVAPI 1.0 in Exchange Server 5.5 SP3 (for details about AVAPI 1.0, see Microsoft article Q263949). The reason behind the new API was simple: Microsoft needed to manage the way in which antivirus vendors accessed the Exchange Information Store (IS), ensure data integrity, and increase virus-detection rates. Thus, the AVAPI was born. Exchange 2000 SP1's AVAPI 2.0 adds several key features that address shortcomings in AVAPI 1.0.
The first improvement in AVAPI 2.0 is scanning. Although AVAPI 1.0 supported on-demand and background scanning of attachments, AVAPI 2.0 scans both message body and attachments, adds support for proactive and priority-based scanning, and improves on-demand and background scanning. With proactive scanning, the system submits messages to the IS by putting them in a common queue. You can prioritize items in this queue based on need (by default, all are low priority). When a client requests an item, AVAPI upgrades the item to high priority. The antivirus software proactively scans all items in the queue as priorities permit (AVAPI 1.0 treated all items as on-demand high-priority items). This approach maximizes detection rates with minimal effect on the client. AVAPI 2.0 performs multithreaded processing of the queue and supports native MIME and MAPI content (without the need for content conversion), which lets antivirus scanning and detection operations have minimal effect on system resources.
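The queue behavior described above, modeled in Python as an added example. It is not Microsoft's code and not the AVAPI interface: the class, method names, and message IDs are hypothetical, and a single caller stands in for the multiple scanner threads.

```python
import heapq
import itertools

LOW, HIGH = 1, 0  # smaller value is served first

class ScanQueue:
    """Toy model of a common scan queue with priority upgrade on client access."""

    def __init__(self):
        self._heap = []                # entries: [priority, seq, item_id]
        self._live = {}                # item_id -> its current heap entry
        self._seq = itertools.count()  # FIFO tie-break within one priority
        self.scanned = []              # order in which items were scanned

    def _push(self, item_id, priority):
        entry = [priority, next(self._seq), item_id]
        self._live[item_id] = entry
        heapq.heappush(self._heap, entry)

    def submit(self, item_id):
        """An item reaches the store: queued at the default low priority."""
        self._push(item_id, LOW)

    def client_request(self, item_id):
        """A client asks for the item: upgrade it if it is still waiting."""
        entry = self._live.get(item_id)
        if entry is None:
            return "already scanned"
        if entry[0] == LOW:
            entry[2] = None            # tombstone the low-priority entry
            self._push(item_id, HIGH)
        return "queued high"

    def scan_next(self):
        """One scanner step: take the most urgent item that is still live."""
        while self._heap:
            _, _, item_id = heapq.heappop(self._heap)
            if item_id is not None:
                del self._live[item_id]
                self.scanned.append(item_id)
                return item_id
        return None

def demo():
    q = ScanQueue()
    for msg in ["msg-1", "msg-2", "msg-3", "msg-4"]:  # constructed sample IDs
        q.submit(msg)
    q.scan_next()               # proactive scan reaches msg-1 first
    q.client_request("msg-4")   # a user opens msg-4 before it has been scanned
    while q.scan_next():
        pass
    return q.scanned
```

The requested item jumps ahead of older low-priority items, while an item that was already scanned proactively costs the client nothing at request time.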
Exchange 2000 SP1 also brings management information to AVAPI 2.0. To help administrators troubleshoot AVAPI-related problems, Microsoft added Performance Monitor counters that administrators and support staff can use to track AVAPI's performance and operations. These counters disclose data about scanning rates and volumes to reveal antivirus overhead and let administrators properly size Exchange servers running AVAPI 2.0 software. Microsoft also added event logging to AVAPI 2.0 to complement the Performance Monitor counters. (If you want more details about AVAPI 2.0 management instrumentation, Microsoft article Q285696 documents the Performance Monitor counters, and article Q294336 provides event-logging information. You can find those articles at the second and third URLs at the end of this commentary.) AVAPI 2.0 also offers message-detail information and lets IT staff track viral outbreaks to determine how a virus penetrated the system and which mailboxes the virus has infected. This ability is possible because AVAPI 2.0 scanning is no longer limited to the IS's attachments table.
The enhancements in Exchange 2000 SP1's AVAPI 2.0 reflect the needs of antivirus vendors and customers alike. Microsoft added these features to make Exchange Server a more reliable and secure messaging platform. If you haven't deployed AVAPI-compliant antivirus software on your Exchange servers, take steps to do so soon.