Microsoft Antigen Data Execution Prevention compatibility

[This topic is intended to address a specific issue called out by the Exchange Server Analyzer Tool. You should apply it only to systems that have had the Exchange Server Analyzer Tool run against them and are experiencing that specific issue. The Exchange Server Analyzer Tool, available as a free download, remotely collects configuration data from each server in the topology and automatically analyzes the data. The resulting report details important configuration issues, potential problems, and nondefault product settings. By following these recommendations, you can achieve better performance, scalability, reliability, and uptime. For more information about the tool or to download the latest versions, see "Microsoft Exchange Analyzers" at]  

Topic Last Modified: 2007-02-19

The Microsoft Exchange Analyzer Tool queries the Win32_Service Microsoft Windows Management Instrumentation (WMI) class to determine the value of the Started key for the Microsoft Antigen service. A value of False indicates that the service is not running. A value of True indicates that the service is running.

The Exchange Analyzer also reads the following registry entry to determine whether the Kaspersky scan engine for Microsoft Antigen is installed on the Exchange Server. This registry entry will only be present if the Kaspersky scan engine is installed on the Exchange Server.

HKEY_LOCAL_MACHINE\Software\Sybari Software\Antigen for Exchange\Scan Engines\Kaspersky

Finally, if the Exchange Server is running on Microsoft Windows Server 2003 Service Pack 1 (SP1) or a later version, the Exchange Analyzer queries the Win32_ComputerSystem WMI class to determine whether the value for the SystemStartupOptions key contains the strings '/NOEXECUTE=OPTOUT' or '/NOEXECUTE=ALWAYSON'. The presence of either string indicates that Data Execution Prevention (DEP) is enabled on the server. Data Execution Prevention is a set of hardware and software technologies that perform additional checks on memory to help prevent malicious code from running on a system.

If the Exchange Analyzer determines that the following conditions are true, the Exchange Analyzer displays a warning:

  • The Microsoft Antigen service is enabled on the server.

  • The Kaspersky scan engine for Antigen is installed.

  • The Exchange server is running on Microsoft Windows Server 2003 Service Pack 1 (SP1) or a later version.

  • Data Execution Prevention is enabled on the server.

This warning indicates that the current server configuration may cause messaging and virus scanning performance issues.
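
The four checks described above can be reproduced locally on the server with the following PowerShell script. It is an added example, not Exchange Analyzer code. The service name is a placeholder because this topic does not give it, and treating the Kaspersky entry as a registry key (rather than a value) is an assumption.

```powershell
param(
    # Placeholder: the Antigen service name is not given in this topic; substitute it.
    [string]$AntigenServiceName = '<AntigenServiceName>'
)

# 1. Win32_Service.Started is True when the Antigen service is running.
$svc = Get-WmiObject -Class Win32_Service -Filter "Name='$AntigenServiceName'"
$antigenRunning = [bool]($svc -and $svc.Started)

# 2. Kaspersky scan engine entry. Assumption: the entry is a registry key;
#    if it is a value under "Scan Engines", Test-Path will not find it.
$kasperskyPath = 'HKLM:\Software\Sybari Software\Antigen for Exchange\Scan Engines\Kaspersky'
$kasperskyInstalled = Test-Path -Path $kasperskyPath

# 3. Windows Server 2003 (version 5.2) with SP1 or later, or any later Windows version.
$os  = Get-WmiObject -Class Win32_OperatingSystem
$ver = [version]$os.Version
$sp1OrLater = ($ver.Major -gt 5) -or
              ($ver.Major -eq 5 -and $ver.Minor -eq 2 -and $os.ServicePackMajorVersion -ge 1)

# 4. DEP boot switch: SystemStartupOptions is a string array, so join it and
#    look for the two values named in this topic (-match is case-insensitive).
$bootLine   = (Get-WmiObject -Class Win32_ComputerSystem).SystemStartupOptions -join ' '
$depEnabled = $bootLine -match '/NOEXECUTE=(OPTOUT|ALWAYSON)'
$depMode    = if ($depEnabled) { $Matches[1].ToUpper() } else { 'not OPTOUT/ALWAYSON' }

# Report each condition separately so it is clear which one triggers the warning.
New-Object PSObject -Property @{
    AntigenServiceRunning = $antigenRunning
    KasperskyEngineFound  = $kasperskyInstalled
    Server2003Sp1OrLater  = $sp1OrLater
    DepBootSwitch         = $depMode
    # Added cross-check, not one of the Analyzer's inputs:
    # 0 = AlwaysOff, 1 = AlwaysOn, 2 = OptIn, 3 = OptOut
    EffectiveDepPolicy    = $os.DataExecutionPrevention_SupportPolicy
}

if ($antigenRunning -and $kasperskyInstalled -and $sp1OrLater -and $depEnabled) {
    Write-Warning "All four conditions are true: Antigen with the Kaspersky engine is running with DEP set to $depMode."
}
```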

To address this warning, follow the guidance prescribed in Microsoft Knowledge Base article 905952, "Messaging performance is slower than expected in Antigen, and the Antigen client stops responding", to selectively disable DEP for individual programs.

For more information about Data Execution Prevention, see Microsoft Knowledge Base article 875352, "A detailed description of the Data Execution Prevention (DEP) feature in Windows XP Service Pack 2, Windows XP Tablet PC Edition 2005, and Windows Server 2003".