Background scan and on-demand scan

Background scanning is an operation mode of Anti-Virus for the Mailbox role when Anti-Virus scans messages and other Microsoft Exchange objects stored on a Microsoft Exchange server, searching for viruses and other security threats with the latest version of the anti-virus databases. You can run a background scan manually or set up a schedule. Using background scan mode decreases the load on the servers during busy hours and increases the security level of the e-mail infrastructure in general.

On-demand scan is an operation mode of Anti-Virus for the Mailbox role in which Anti-Virus scans for viruses and other threats in messages and other Microsoft Exchange objects stored in selected mailboxes and shared folders on a Microsoft Exchange server. You can manually run an on-demand scan of selected mailboxes and shared folders. Use of an on-demand scan lets you limit the scan scope and reduce scan time. If an on-demand scan was interrupted, the scan will start from the beginning the next time it is run. This means that it scans all the selected objects again.

Hereinafter, any information and instructions on how to perform actions on messages are also applicable to other Microsoft Exchange objects (such as tasks, appointments, meetings, entries) if there is no other specifically assigned condition.

Background scanning of messages can be repeated. Anti-Virus performs repeated background scanning of messages that have been scanned earlier after you update the anti-virus databases. An on-demand scan of the same messages in selected mailboxes and shared folders is only performed once.

If a background scan was interrupted, the next time a scan is run the application scans only those mailboxes and shared folders that were not scanned during the previous interrupted scan. If a background scan was completed, the next scan will start from the beginning the next time it is run. This means that it scans all selected objects.

Background scanning may lead to a slowdown in the Microsoft Exchange server's operation. We recommend that you run a background scan when the load on mail servers is at its minimum, for example, by night. If you want to run a scan of specific mailboxes or shared folders, you can use an on-demand scan.

During a background scan and on-demand scan:

1. Kaspersky Security, in accordance with the current settings, receives from the Microsoft Exchange server the email messages and other Microsoft Exchange objects (such as tasks, appointments, meetings, and entries) located in the following areas:
   • Background scan – objects residing in protected storages.
   • On-demand scan – objects located in selected mailboxes and shared folders.
2. Kaspersky Security sends the following messages to the Anti-Virus for the Mailbox role module for processing:
   • Background scan – messages that have not been scanned using the latest version of the anti-virus databases.
   • On-demand scan – messages that are located in the selected mailboxes and shared folders and that match the on-demand scan settings.
3. When a background scan or on-demand scan detects infected objects, Anti-Virus processes them in accordance with the parameters defined in the settings of Anti-Virus for the Mailbox role, using the following algorithm:

   If an infected object is detected in a message or another Microsoft Exchange object, and the Delete object or Delete message action is selected in the settings of Anti-Virus, the latter attempts to disinfect that object.

   If disinfection has been successful, Anti-Virus replaces the infected object with the disinfected one.

   If disinfection has failed, Anti-Virus performs the actions specified in the table below.

   Actions performed by Anti-Virus if disinfection of an infected object fails

   Location where the infected object was detected	Action selected	Action of Anti-Virus
   In a message	Delete message	Anti-Virus deletes the message along with the infected object.
   	Delete object	Anti-Virus replaces the infected object (attachment) with a text file informing that the infected object was deleted.
   In another Microsoft Exchange object (such as a task, meeting, or entry)	Delete message
   	Delete object

Anti-Virus does not delete Microsoft Exchange objects completely if they are not messages, such as tasks, appointments, meetings, and entries. Only infected attachments can be deleted from them.

Saving a Backup copy of an object during a background scan and on-demand scan

If the Save a copy of the object in Backup check box is selected in the settings of Anti-Virus for the Mailbox role, Kaspersky Security moves a copy of the object to Backup before processing that object. If the object (e.g., a task) features no From or To field, this field will be replaced in Backup with the address of the user whose mailbox stores the object.

Special features of a background scan and on-demand scan

Background scan and on-demand scan functions have the following special features:

• Use of EWS (Exchange Web Services). For scans, the application uses the EWS service running locally on the protected Microsoft Exchange server. Scans on profile servers are performed in parallel using local EWS services on each of the protected servers. If the local EWS service is not available, the application logs a message containing information about the error to the event log of the protected Microsoft Exchange server.

  Be sure to use only secure TLS ciphers when using the EWS. List of secure TLS cipher suites. For instructions on how to configure TLS cipher suites, please refer to this article on the Microsoft website.

  List of secure cipher suites for TLS 1.2:

  • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 = {0xC0, 0x30} — see RFC 5289
  • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 = {0xC0, 0x2F} — see RFC 5289
  • TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 = {0xC0, 0x2B} — see RFC 5289
  • TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 = {0xC0, 0x2C} — see RFC 5289
  • TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 = {0xCC, 0xA8} — see RFC 7905
  • TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 = {0xCC, 0xAA} — see RFC 7905
  • TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 = {0x00, 0x9F} — see RFC 5288

  List of secure cipher suites for TLS 1.3:

  • TLS_AES_128_GCM_SHA256 = {0x13, 0x01} — see RFC 8446
  • TLS_AES_256_GCM_SHA384 = {0x13, 0x02} — see RFC 8446
  • TLS_CHACHA20_POLY1305_SHA256 = {0x13, 0x03} — see RFC 8446
  • TLS_AES_128_CCM_SHA256 = {0x13, 0x04} — see RFC 8446
• Role of the application service account. A scan can be performed only if the application service account has been assigned the ApplicationImpersonation role from the set of built-in roles named Role Based Access Control (RBAC) of the Microsoft Exchange server. Otherwise, when attempting to run a scan, Kaspersky Security logs an error message to the Microsoft Windows Event Log. The Application Setup Wizard automatically assigns this role to the application service account when installing or upgrading the application. If this assignment has not been completed by the Application Setup Wizard due to an error, it must be performed manually with Microsoft Exchange administration tools.
• Limitations on shared folder scanning Anti-Virus scans only those shared folders that have at least one user with the following set of rights to access the shared folder:
  • Folder visible.
  • Read items.
  • Edit all.
  • Delete all.