Inline "My understanding is that any anti-virus product that wants to scan inside the IS must use the VSAPI." (ruba): true, when talking about scanning inside the IS, but you can scan the message before it enters the IS and be in exchange message format, MTA message scanning for example.(Each mail on entering the Internet Mail Service is placed in the IN subdirectory. This is where antigen scans the inbound queue for infected attachment. At this stage the IMS attempts to deliver the message to the Microsoft Exchange Server computer for the final delivery by the MTA (Message Transfer Agent) or the information store to the recipients. If at this stage the recipient is not in the particular site directory the message is sent to the out - subdirectory and sent to the next IMS. At this point the message leaves the environment unscanned by VSAPI (GFI)). Also In-memory scanning done by Antigen minimizes impact on the Exchange server for optimum protection and efficiency, which can?t be done with GFI. "FYI, if a message is infected with a virus laden attachment, the message is worthless. There is no legit reason to remove or otherwise clean the message and then send it on its way. This is an extremely bad practice that some anti-virus engines insist on doing. We consider those messages worthless and only cause confusion and problems with and for users." (ruba): Actually this is exactly what am saying, GFI insists on not deleting neither the message nor the attachment, it only quarantines it if it violates the Trojan and Executable scanner rule and wait for the administrator to approve or reject the Trojan. "In best case scenario, that works. However, being proactive and watching what is happening on the server tells me a lot quicker about a new virus than waiting for a notice. I have found Sophos notices to be about the quickest, but even then it takes a hour or more for the notice to be sent out. What we have to rely on is multiple layers of defense. In my case, I ban all executable type files which has stopped cold new virus outbreaks as they start." (ruba): being proactive is not the way to go about it, being preemptive is. I mentioned the notifications because I was listing what would be good to have in GFI not because administrators should rely on the notifications. "Now, I am not saying you should use/rely on GFI, as all products have pluses and minuses." (ruba): totally agree, the exchange server anti virus shouldn?t be thought of as being the only measure to secure the network, you should look into everything else as well(starting with your router access list, hardware firewall, your ISA 2004, your VLANs segmentation filtering, your data SSLed, your wireless firewalled and separated from your wired, your VPN tunnel security, your user?s desktops firewalled and scanned, your users? security awareness, your biometrics, strong passwords, etc?this can go on for few pages) and most important is to know that after all your LAN is not 100% secure and will not be unless its basically unavailable most of the times. r.