2008.04.18
Updated 2008.06.30
Product: Norman Virus Control for MS Exchange
Module: n/a
Operating system(s): Windows
Date published: 18 April 2008
Date updated: 30 June 2008
Problem description
Over a period of time Norman has had some issues regarding Norman Virus Control for Microsoft Exchange. Unfortunately these issues have been very difficult to reproduce in our QA and testing laboratories, which made debugging quite challenging.
The issues typically materialise on Small Business Servers and other small Windows servers running a multitude of services, such as Print, File and Backup, in parallel with MS Exchange. In some instances the Norman Virus Control MS Exchange plug-in causes the MS Exchange server to hang or crash.
Problem solution
The following fixes and improvements in the MS Exchange plug-in and related components should solve these problems:
- NVC for MS Exchange version 5.95
A new installer for the NVC for Exchange plug-in is available for download. For details regarding the new MS Exchange plug-in please see the MS Exchange plug-in section below. (This page is password protected - please contact your local Norman support office if you no longer have these credentials.)
Running installations of NVC for Exchange plug-in and NVC 5.90 must be removed before the new software is installed.
- NVC version 5.99 includes a scan service (see below) and has been released on Norman Internet Update servers to all customers. Run Norman Internet Update to download the latest version. Your version must show NVC 5.99 to be able to use the NVC for Exchange plug-in available from the link above.
- Scan Service
The ScanService, which was released with NVC version 5.99, will reduce the system footprint in installations where more than one scanner host is running, for example where the NVC for MS Exchange plug-in is running in parallel with the On-Access and On-Demand scanners. This will typically be the case on servers running other services, for example a file server, in parallel with Exchange.
Scan Service will also have a positive impact on servers running only the Exchange plug-in.
Today the engine is initialised within the store.exe process (the MS Exchange service). This may cause crashes because the plug-in needs to allocate a rather large contiguous memory block, which is in some cases problematic due to memory fragmentation within MS Exchange. When ScanService is running these problems will be reduced, because the engine is initialised in the ScanService process and initialisation of store.exe will most likely not include additional allocation of memory needed by the engine. "Most likely", because:
- If store.exe is started after ScanService, the engine initialisation in store.exe will use ScanService and not allocate engine-related memory in addition to store.exe's internal needs.
- If store.exe is started before ScanService, the engine initialisation in store.exe will allocate the same memory as before, in addition to store.exe's internal needs. (The engine in the plug-in will switch to using the ScanService when this is running.)
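The fragmentation effect described above, as an added illustration (not Norman's code): a toy first-fit allocator shows a long-running host with half its address space free still refusing one large contiguous request, while a freshly started process, standing in for ScanService, satisfies it. The 256-page space, the 8-page buffers and the 64-page engine size are constructed values.

```c
#include <stdio.h>
#include <string.h>
#define SPACE 256                 /* constructed address space, in pages */
static unsigned char used[SPACE]; /* 1 = page in use */

/* First-fit: mark and return the start of n contiguous free pages, or -1. */
static int alloc_pages(int n) {
    for (int i = 0, run = 0; i < SPACE; i++) {
        run = used[i] ? 0 : run + 1;
        if (run < n) continue;
        memset(used + i - n + 1, 1, (size_t)n);
        return i - n + 1;
    }
    return -1;
}

/* Returns total free pages; *largest receives the longest free run. */
static int free_stats(int *largest) {
    int total = 0;
    *largest = 0;
    for (int i = 0, run = 0; i < SPACE; i++) {
        run = used[i] ? 0 : run + 1;
        total += !used[i];
        if (run > *largest) *largest = run;
    }
    return total;
}

/* Long-running host: 32 buffers of 8 pages, then every other one is freed. */
static void churn_host(void) {
    int start[32];
    memset(used, 0, sizeof used);
    for (int i = 0; i < 32; i++) start[i] = alloc_pages(8);
    for (int i = 0; i < 32; i += 2) memset(used + start[i], 0, 8);
}

/* 1 if an engine needing engine_pages contiguous pages can initialise. */
static int engine_fits(int in_fragmented_host, int engine_pages) {
    if (in_fragmented_host) churn_host(); else memset(used, 0, sizeof used);
    return alloc_pages(engine_pages) >= 0;
}

int main(void) {
    int largest;
    churn_host();
    int total = free_stats(&largest);
    printf("host: %d pages free, largest run %d\n", total, largest);
    printf("engine(64): host=%d separate=%d\n", engine_fits(1, 64), engine_fits(0, 64));
    return 0;
}
```

When diagnosing this class of failure, the figure to watch is the largest free run, not the total free memory.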
NVC for MS Exchange - details
The new NVC for Exchange (5.95) is not a simple bug fix release, but a new version. This has been necessary because the crashes that have been plaguing this product over the last year have been impossible to reproduce in controlled test environments. Norman made some improvements during 2007 to minimize memory fragmentation issues provoked by Exchange's internal memory handling, but in order to further improve the product the old architecture could not be kept. Norman has also had some crash dumps for analysis that point to a buffer overflow in the logging routines in NVC for Exchange, and there have also been problems with quarantining certain files. The following outlines the major changes in the new version:
- Reduced memory use to minimize application footprint
- Removed all temporary buffer allocations to eliminate Exchange heap fragmentation
- Rewritten nexlh.exe that avoids access rights conflicts by running as LocalSystem
- Improved speed when cleaning infected attachments
- Improved speed and execution flow when handling compressed archives
- Improved error handling to better handle unexpected situations
- New architecture that streamlines execution flow
- Removed all uses of synchronization primitives and shared resources used between scanner instances because of new architecture
- Simplified logging functionality to reduce overhead by removing buffer parsing only relevant for theoretical error situations with partially corrupted attachments
- Moved to Norman Security Suite / Norman Operation Center (NOC) message handling to ease transition to a full NOC version
- Removed over-engineered structures used internally during scanning
- Removed polling architecture to check for configuration changes and definition files, which reduces application footprint
- Simplified configuration to make it more in line with NOC architecture
In addition to problems with NVC for Exchange itself, Norman has seen various engine-related problems that have affected Exchange installations much more heavily than other installations. Most of these problems have been related to reloading of the scanner during definition file updates and to memory allocation problems.
- The first issue is a problem in Exchange installations because of limitations in the VSAPI from Microsoft which require reloading NVC for Exchange completely during definition file updates in order to be able to re-scan emails with the new virus definitions.
- The second issue is increasing because of increased definition file size, which requires increased memory usage by NSE, and since NVC for Exchange runs in-process in the MSExchangeIS service, it uses the same memory pool as the information store.