One of the main purposes of Kaspersky Security is the anti-virus protection, which aims the application at scanning the mail flow and messages in mailboxes for viruses and other security threats, as well as disinfecting infected messages and other Microsoft Exchange objects, such as messages, tasks, or entries in shared folders.
Hereinafter, any information and instructions on how to perform actions on messages without affecting the integrity are also applicable to other Microsoft Exchange objects (such as tasks, appointments, meetings, entries), if there is no other specifically assigned condition.
General performance principles of Anti-Virus
Anti-Virus scans messages using the latest downloaded version of databases, Heuristic Analyzer, and the Kaspersky Security Network cloud services if they have been enabled in the Anti-Virus settings.
Anti-Virus scans the message body and attachments in any format.
Kaspersky Security differentiates between the following types of objects that are scanned: a simple object (message body or a simple attachment, such as an executable file) and a container object, which consists of several objects (such as an archive or a message with another message attached).
When scanning multivolume archives, the application processes each volume as a separate object. In this case, Kaspersky Security can detect malicious code only if the code is fully located in one of the volumes. If the malicious code is also divided into parts during a partial download, it will not be detected during the scan. In this situation, the malicious code may propagate after the object is restored as one entity. Multiple-volume archives can be scanned after they are saved to the hard drive by the anti-virus application installed on the user's computer.
If necessary, you can define a list of objects that should not be scanned for viruses. Archives, all container objects with a nesting level above the specified value, files matching name masks, andmessages addressed to specific recipients can be excluded from scanning.
Files over 1 MB will be saved to the Store folder for processing. The Store folder is located in the application Data folder. The Data folder also contains the temporary files storage – the Tmp folder. The Store and Tmp folders should be excluded from scanning by anti-virus applications running on computers with a Microsoft Exchange server installed.
Following the scan, Anti-Virus assigns one of the following status tags to each message:
If an e-mail message or a part of it is infected, Anti-Virus processes the detected malicious object in accordance with the specified settings.
In the settings of Anti-Virus, you can configure the actions that the application will perform on messages containing malicious objects. You can configure the following actions:
When a malicious object is deleted on a Microsoft Exchange server, the message or attachment containing the malicious object is replaced with a text file containing the name of the malicious object, the release date of the database used to detect the malicious object, and the name of the Microsoft Exchange server on which the object was detected.
Before an item is processed, its copy can be saved in Backup.
Anti-Virus consists of two application modules: Anti-Virus for the Hub Transport role and Anti-Virus for the Mailbox role.
Anti-Virus for the Hub Transport role
Anti-Virus for the Hub Transport role scans in real time all e-mail messages arriving at the Microsoft Exchange server. It processes both incoming and outgoing e-mail traffic as well as the stream of transit messages. If anti-virus protection of the server is enabled, traffic scanning starts and stops simultaneously with the starting and stopping of the Microsoft Exchange server.
Anti-Virus for the Mailbox role
Anti-Virus for the Mailbox role scans messages and other Microsoft Exchange items located in users' mailboxes within an organization and shared folders, searching for viruses and other security threats.
Protection provided by Anti-Virus for the Mailbox role covers all mailboxes and shared folders that are located in protected mailbox storage areas and protected storage areas for shared folders, respectively. You can include mailbox repositories and shared folder repositories in Anti-Virus protection individually, or exclude them.
Microsoft Exchange 2013 and Microsoft Exchange 2016 mail servers feature no storage of shared folders. Those mail servers store mailboxes and shared folders in common storage areas.
When a user whose mailboxes are protected creates messages in public folders of unprotected Microsoft Exchange servers, Kaspersky Security does not scan such messages. If messages are transferred from public folders of an unprotected storage to a protected one, the application scans them. During data replication between protected and unprotected storages, any changes made by the application as a result of the anti-virus scan are not synchronized.
How to prevent detainment when sending messages through Anti-Virus
In exceptional cases, failures in the anti-virus kernel operation may result in significantly increased times of message scanning by Anti-Virus. In such cases, Anti-Virus temporarily switches to the restricted scan mode in order to prevent message detainment. In this mode, some messages can be skipped without undergoing anti-virus scanning.
If an application that collects information and sends it to be processed is installed on your computer, Kaspersky Security may classify this application as malware. To avoid this, you can exclude the application from scanning by configuring Kaspersky Security as described in this document.