To support antivirus protection, Microsoft® Windows® SharePoint™ Services uses an API called SP VS API 1.0, the Microsoft Office SharePoint Virus Scan Engine (VSE) API, that is based on the Microsoft Exchange Server VS API 2.0. SP VS API 1.0 incorporates much of the original design but is optimized for speed in a Microsoft SQL Server™ environment. This is achieved by creating a lower-level API that integrates directly into the File/Save and File/Open paths of Windows SharePoint Services, and also by eliminating the mail dependencies of the VS API 2.0 on the Messaging Application Programming Interface (MAPI).
Because Windows SharePoint Services is a SQL document store, not a mail store, documents are scanned in real time when they are saved (uploaded) or opened (downloaded), and the user is given the result of that scan instantly.
SP VS API 1.0 architecture
Windows SharePoint Services uses an architecture that exposes the SP VS API 1.0 as a COM layer for the antivirus vendor component, known as the Virus Scan Engine (VSE), to communicate with the Antivirus Manager (AVM) that is managed by Windows SharePoint Services.
The logic used by the AVM to process files is designed to do the following:
• Support two request types: upload (save) and download (open).
• Get file properties from the Windows SharePoint Services database that indicate scanned status.
• Evaluate how to process a file by using its properties to determine whether to scan it.
• Issue the appropriate UI for the appropriate context and environment (Web page or application dialog box) or complete the desired action (open or save).
• Store file properties that indicate scanned status back to the SharePoint database.
The AVM logic design eliminates the need for the VSE to actually read or write directly to the database, because this functionality is managed by internal AVM processes. This design also enables the AVM to determine what action to take for each file, depending on the status codes returned by the VSE after scanning and cleaning the file.
VSE setup and live update
The VSE must be a module that runs in the Web server process space and scans incoming and outgoing content for virus infection. The VSE instantiates a virus scanner object that is provided by the vendor and manages a pool of threads that call the scanner to scan content. When the VSE detects new vendor code or a new signature file, it creates a new instance of the scanner and schedules new requests on it. When all requests using the previous instance finish, the VSE releases that instance. In other words, requests already in progress complete with the old scanner version, while new requests use the latest scanner version. This ensures that no requests are lost or left unfinished during an update. However, it also means that files whose scan completed on the old instance are re-scanned the next time they are requested, because their recorded scanner version is marked as older.
Scanner instantiation
The VSE searches for a parameter that determines the configuration of the virus scanning solution from the vendor. This value is located in the system registry under the VSE configuration section, as in the following:
[HKLM\Software\Microsoft\Shared Tools\Web Server Extensions\AVScanner]
The parameter is a REG_SZ value that contains the CLSID of the class object implementing IMso_VirusScanner in registry format. VSE uses this value to instantiate the object. The following example shows the format of the registry value:
CLSID = "{00020906-0000-0000-C000-000000000046}"
Note: This is only a sample CLSID used to illustrate the format. The VSE is expected to write its own CLSID in practice.
Live updates
The VSE has a separate thread that receives notifications when the registry configuration section changes. When it finds the following value in the VSE registry configuration section, the VSE initiates a scanner reload, which includes instantiating the updated CLSID and initializing it with new parameters:
Update = DWORD:00000001
The VSE resets the value to 0 (zero) when the reload is complete.
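The hand-over described under "VSE setup and live update" and "Live updates", modelled as an added example (not code from the original page or from Microsoft). The integer scanner version, the `factory` callable, the dict standing in for the registry key and the single-threaded flow are assumptions made for the model.

```python
class Scanner:
    """Stand-in for a vendor scanner object (hypothetical model, not the COM API)."""
    def __init__(self, clsid, version):
        self.clsid, self.version = clsid, version
        self.in_flight, self.released = 0, False  # requests running / instance freed

class VSE:
    def __init__(self, registry, factory):
        self.registry = registry  # dict standing in for the AVScanner key
        self.factory = factory    # hypothetical: CLSID -> new Scanner
        self.current = factory(registry["CLSID"])

    def on_registry_change(self):
        """Notification thread: reload only if Update == 1, then reset it to 0."""
        if self.registry.get("Update") != 1:
            return False
        old, self.current = self.current, self.factory(self.registry["CLSID"])
        old.released = old.in_flight == 0   # otherwise released once it drains
        self.registry["Update"] = 0
        return True

    def begin_scan(self):
        """New requests are always scheduled on the current instance."""
        self.current.in_flight += 1
        return self.current

    def end_scan(self, scanner, file_props):
        """Stamp the file with the scanning version; release a drained old instance."""
        file_props["scanned_version"] = scanner.version
        scanner.in_flight -= 1
        if scanner is not self.current and scanner.in_flight == 0:
            scanner.released = True

    def needs_rescan(self, file_props):
        # AVM-side decision, modelled here: an older stamp means scan again.
        return file_props.get("scanned_version", 0) < self.current.version

def demo():
    versions = iter([1, 2])              # constructed scanner versions
    reg = {"CLSID": "{constructed-clsid}", "Update": 0}
    vse = VSE(reg, lambda clsid: Scanner(clsid, next(versions)))
    a, b = {}, {}                        # stored properties of files A and B
    old = vse.begin_scan()               # A starts on version 1
    reg["Update"] = 1                    # vendor updater signals the VSE
    vse.on_registry_change()
    new = vse.begin_scan()               # B starts on version 2
    vse.end_scan(new, b)
    vse.end_scan(old, a)                 # A finishes on the old instance
    return reg["Update"], old.released, vse.needs_rescan(a), vse.needs_rescan(b)
```

`demo()` returns the reset Update value, whether the old instance was released, and the rescan decision for files A and B.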
Virus signature update requirements
The signature update must perform vendor-specific actions to:
• Install new data files on the computer.
• Notify the VSE by setting the Update value to 1.
Virus scanner update requirements
The code update must perform vendor-specific installation actions to:
• Install the new code bits on the computer.
• Modify the VSE CLSID value to point to the new class object.
• Notify VSE by setting the Update value to 1.
Layout of the VSE registry
Following is the VSE configuration registry path:
[HKLM\Software\Microsoft\Shared Tools\Web Server Extensions\AVScanner]
The following values are used in the VSE registry configuration section:
Value    Type        Description
CLSID    REG_SZ      Specifies the virus scanner class object.
Update   REG_DWORD   Triggers a reload of the scanner instance when set to 1.
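A check of this layout, as an added example (not from the original page or any vendor): it parses a `.reg` export and reports a CLSID that is not in registry format, the documentation sample CLSID left in place, and an Update value that is still 1. The export text is constructed, and treating a missing Update value as 0 is an assumption.

```python
import re

KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\Web Server Extensions\AVScanner"
CLSID_RE = re.compile(r"^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")
DOC_SAMPLE = "{00020906-0000-0000-C000-000000000046}"  # format sample from the text

# Constructed .reg export for illustration (not taken from a real server).
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\Web Server Extensions\AVScanner]
"CLSID"="{00020906-0000-0000-C000-000000000046}"
"Update"=dword:00000001
'''

def parse_key(reg_text, key=KEY):
    """Return {name: (type, value)} for one key of a .reg export."""
    values, inside = {}, False
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            inside = line.strip("[]").lower() == key.lower()
        elif inside and line.startswith('"'):
            name, _, raw = line.partition("=")
            name = name.strip('"')
            if raw.startswith("dword:"):
                values[name] = ("REG_DWORD", int(raw[6:], 16))
            elif raw.startswith('"'):
                values[name] = ("REG_SZ", raw.strip('"'))
            else:
                values[name] = ("OTHER", raw)
    return values

def audit(reg_text):
    """Check the values against the layout described above; return findings."""
    v, findings = parse_key(reg_text), []
    kind, clsid = v.get("CLSID", (None, None))
    if kind != "REG_SZ" or not CLSID_RE.match(clsid or ""):
        findings.append("CLSID missing or not a REG_SZ in registry format")
    elif clsid.upper() == DOC_SAMPLE:
        findings.append("CLSID is the documentation sample, not a vendor class")
    kind, update = v.get("Update", ("REG_DWORD", 0))  # absent treated as 0 (assumption)
    if kind != "REG_DWORD" or update not in (0, 1):
        findings.append("Update is not a REG_DWORD of 0 or 1")
    elif update == 1:
        findings.append("Update is 1: reload requested, not yet completed by the VSE")
    return findings
```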
Source: MSDN
Saturday, June 19, 2010
Overview of the Windows SharePoint Services Virus Scan Engine API
Author: hemlet