Monitoring event sink # 29 – Event Sink & VSAPI

Viruses, worms, and other malicious content transmitted by e-mail systems are a destructive reality faced by most Microsoft Exchange administrators. Therefore, we should develop a defensive antivirus deployment for all messaging systems. Now we can have a look on VSAPI.

VSAPI is used for...

This enables non-Microsoft vendors to implement the virus scanners or AV's, which check each message for malicious attachments and data structures before they reach their destinations.

These features will give the antivirus products more options to delete infected messages and, with additional message properties in VSAPI 2.5, automatically send a warning message back to the sender that a virus was detected and the e-mail was deleted, thus helping prevent further spreading.

For example you can take Exchange server 2003 and its latest versions, it will give customers more confidence in the security of their e-mail infrastructures by reducing the number of infected e-mail messages end users receive and administrators have to manage and thereby mitigating the further propagation of viruses.

Where it's implemented?

This event sink is implemented in OnSubmit.dll.

Where it's registered?

This event is registered for the OnSubmission event.

Can you name couple of versions...

Exchange Server 2000: Virus Scanning API (VSAPI) version 2.0 released along with Exchange Server 2000 environment. It provided improved support for scanning Internet content and reporting on the sender and receiver of the virus.

Exchange Server 2003:

  • VSAPI 2.5 released along with Exchange Server 2003. It improves the VSAPI by allowing antivirus vendor products to run on Exchange servers that do not have resident Exchange mailboxes (for example, gateway servers or bridgehead servers).
  • Also it allows antivirus vendor products to delete an infected message and send a notification message to the sender of the infected message. The vendor products can also create additional virus status messages to allow clients to indicate the infection status of a particular message.


1) By default, transport scanning is not enabled, as it causes messages to be scanned twice, once at the SMTP layer and once in the Exchange store

2) Transport-scanning functionality is available only with Exchange virus scanners that are based on Virus Scanning Application Programming Interface (VSAPI) 2.5.

Is it VSAPI vs Event sink or ...?

VSAPI shares the same event listener and response model like any other event sink, but this special sink is implemented in the client and Transport model to check the incoming messages.

Skip to main content