Background scan and on-demand scan
Background scanning is an operation mode of Anti-Virus for the Mailbox role when Anti-Virus scans messages and other Microsoft Exchange objects stored on a Microsoft Exchange server, searching for viruses and other security threats with the latest version of the anti-virus databases. You can run a background scan manually or set up a schedule. Using background scan mode decreases the load on the servers during busy hours and increases the security level of the e-mail infrastructure in general.
On-demand scan is an operation mode of Anti-Virus for the Mailbox role in which Anti-Virus scans for viruses and other threats in messages and other Microsoft Exchange objects stored in selected mailboxes and shared folders on a Microsoft Exchange server. You can manually run an on-demand scan of selected mailboxes and shared folders. Use of an on-demand scan lets you limit the scan scope and reduce scan time. If an on-demand scan was interrupted, the scan will start from the beginning the next time it is run. This means that it scans all the selected objects again.
Hereinafter, any information and instructions on how to perform actions on messages are also applicable to other Microsoft Exchange objects (such as tasks, appointments, meetings, entries) if there is no other specifically assigned condition.
Background scanning of messages can be repeated. Anti-Virus performs repeated background scanning of messages that have been scanned earlier after you update the anti-virus databases. An on-demand scan of the same messages in selected mailboxes and shared folders is only performed once.
If a background scan was interrupted, the next time a scan is run the application scans only those mailboxes and shared folders that were not scanned during the previous interrupted scan. If a background scan was completed, the next scan will start from the beginning the next time it is run. This means that it scans all selected objects.
If your organization is simultaneously using different versions of Microsoft Exchange servers (such as Microsoft Exchange 2010 / 2013), you are advised to run an on-demand scan of selected mailboxes and shared folders from the Security Server console of the specific server on which the storage of those mailboxes and shared folders is located.
Background scanning may lead to a slowdown in the Microsoft Exchange server's operation. We recommend that you run a background scan when the load on mail servers is at its minimum, for example, by night. If you want to run a scan of specific mailboxes or shared folders, you can use an on-demand scan.
During a background scan and on-demand scan:
- Kaspersky Security, in accordance with the current settings, receives from the Microsoft Exchange server the email messages and other Microsoft Exchange objects (such as tasks, appointments, meetings, and entries) located in the following areas:
- Background scan – objects located in protected mailbox storages and shared folders.
- On-demand scan – objects located in selected mailboxes and shared folders.
- Kaspersky Security sends the following messages to the Anti-Virus for the Mailbox role module for processing:
- Background scan – messages that have not been scanned using the latest version of the anti-virus databases.
- On-demand scan – messages that are located in the selected mailboxes and shared folders and that match the on-demand scan settings.
- When a background scan or on-demand scan detects infected objects, Anti-Virus processes them in accordance with the parameters defined in the settings of Anti-Virus for the Mailbox role, using the following algorithm:
If an infected object is detected in a message or another Microsoft Exchange object, and the Delete object or Delete message action is selected in the settings of Anti-Virus, the latter attempts to disinfect that object.
If disinfection has been successful, Anti-Virus replaces the infected object with the disinfected one.
If disinfection has failed, Anti-Virus performs the actions specified in the table below.
Actions performed by Anti-Virus if disinfection of an infected object fails
Where the infected object was found
Action selected
Action of Anti-Virus
In a message
Delete message
Anti-Virus deletes the message along with the infected object.
Delete object
Anti-Virus replaces the infected object (attachment) with a text file informing that the infected object was deleted.
In another Microsoft Exchange object (such as a task, meeting, or entry)
Delete message
Delete object
Anti-Virus does not delete Microsoft Exchange objects completely if they are not messages, such as tasks, appointments, meetings, and entries. Only infected attachments can be deleted from them.
Saving a Backup copy of an object during a background scan and on-demand scan
If the Save a copy of the object in Backup check box is selected in the settings of Anti-Virus for the Mailbox role, Kaspersky Security moves a copy of the object to Backup before processing that object. If the object (e.g., a task) features no From or To field, this field will be replaced in Backup with the address of the user whose mailbox stores the object.
Features of a background scan and on-demand scan depending on the version of the protected Microsoft Exchange server
Depending on the version of the protected Microsoft Exchange server, Kaspersky Security uses the following technologies for background scanning:
- On Microsoft Exchange 2010 servers – VSAPI (Virus Scanning Application Programming Interface).
- On Microsoft Exchange 2013 and Microsoft Exchange 2016 servers – EWS (Exchange Web Services).
Kaspersky Security uses EWS (Exchange Web Services) technology to perform an on-demand scan.
Background scans and on-demand scans on Microsoft Exchange 2010 / 2013 / 2016 servers have the following features:
- Use of an EWS server. To perform background scans, the application uses an EWS server based locally on the protected Microsoft Exchange 2013 / 2016 server. When running a background scan on the Microsoft Exchange 2013 / 2016 servers included in a profile, the scan runs concurrently, using the local EWS servers, which are available on each of the protected Microsoft Exchange servers. If the local EWS server is not available, the application records a message with information about the error to the event log of the protected Microsoft Exchange server.
- Role of the application service account on Microsoft Exchange 2013 / 2016 servers. On Microsoft Exchange 2013 / 2016 servers, a background scan and on-demand scan can only be performed if the application service account has been assigned the ApplicationImpersonation role from the set of built-in roles named Role Based Access Control (RBAC) of Microsoft Exchange Server 2013 / 2016. Otherwise, when attempting to run a background scan and on-demand scan, Kaspersky Security writes an error message to Microsoft Windows Event Log. The Application Setup Wizard automatically assigns this role to the application service account when installing or upgrading the application. If this assignment has not been completed by the Application Setup Wizard due to an error, it must be performed manually with Microsoft Exchange administration tools.
- Role of the application service account on a Microsoft Exchange 2010 server. On a Microsoft Exchange 2010 server, an on-demand scan can only be performed if the application service account has been assigned the ApplicationImpersonation role from the set of built-in roles named Role Based Access Control (RBAC) of Microsoft Exchange Server 2010. Otherwise, when attempting to run an on-demand scan, Kaspersky Security writes an error message to Microsoft Windows Event Log. You must manually assign the ApplicationImpersonation role using Microsoft Exchange management tools.
- Limitations on shared folder scanning On Microsoft Exchange 2013 / 2016 servers, Anti-Virus scans only those shared folders that meet the following condition: at least one user exists who has the following set of rights to access the shared folder:
- Folder visible.
- Read items.
- Edit all.
- Delete all.