Trend ScanMail is configured to process messages twice

[This topic is intended to address a specific issue called out by the Exchange Server Analyzer Tool. You should apply it only to systems that have had the Exchange Server Analyzer Tool run against them and are experiencing that specific issue. The Exchange Server Analyzer Tool, available as a free download, remotely collects configuration data from each server in the topology and automatically analyzes the data. The resulting report details important configuration issues, potential problems, and nondefault product settings. By following these recommendations, you can achieve better performance, scalability, reliability, and uptime. For more information about the tool or to download the latest versions, see "Microsoft Exchange Analyzers" at]  

Topic Last Modified: 2005-11-18

The Microsoft® Exchange Server Analyzer Tool queries the Win32_Service Microsoft Windows® Management Instrumentation (WMI) class to determine the value of the Started key for the ScanMail_RealTimeScan service. A value of True indicates the ScanMail_RealTimeScan service is started, and a value of False indicates the ScanMail_RealTimeScan service is not started. The ScanMail_RealTimeScan service is a component of the Trend Micro ScanMail for Microsoft Exchange application. Trend Micro ScanMail for Microsoft Exchange provides antivirus protection for Exchange.

In addition, the Exchange Server Analyzer reads the following registry entry to determine the setting for the Enabled value:


A value of 1 for Enabled indicates that transport-level antivirus scanning (sometimes referred to as Simple Mail Transfer Protocol (SMTP) scanning) is enabled, and a value of 0 indicates that SMTP scanning is not enabled.

If the Exchange Server Analyzer finds Enabled set to 1, and the value of the Started key for the ScanMail_RealTimeScan service set to True, a warning is displayed.

This warning indicates that messages flowing through this Exchange Server computer are being scanned twice by the same application and virus scanning engine. Scanning the same message twice as it moves through the transport and storage components of Exchange Server needlessly consumes resources and does not provide any extra protection or benefits. It is recommended that you keep Virus Scanning API (VSAPI) virus scanning enabled, and disable SMTP mail scanning using the ScanMail Management Console.

It is generally recommended that you deploy antivirus software designed for messaging systems at either the SMTP gateway or at the Exchange servers that host mailboxes. For the most protection, run antivirus software at the gateway that scans the inbound MIME messages and a scanner on the Exchange Server that uses VSAPI 2.5. In addition, you should be running client antivirus software on the user desktop. If you are running antivirus software designed for messaging systems (it can parse and scan MIME) at the gateway or on the Exchange server, running a file-level scanner at the desktop is sufficient.

  1. Open the ScanMail Management Console and enter your logon credentials.

  2. On the Virus Scan | Options page, ensure that the Enable VS API virus scanning check box is selected.

  3. On this same page, clear the Enable SMTP mail scanning check box.

  4. Click Apply to save your changes.

  5. Close the ScanMail Management Console.

For more information about Trend Micro ScanMail for Microsoft Exchange, see the Trend Web site (

Web addresses can change, so you might be unable to connect to the Web site or sites mentioned here.

For more information about using antivirus software with Exchange Server, see the following Microsoft Knowledge Base articles:


Community Additions