Cleansing an infected mail server


Brien M. Posey
06.12.2005

This tip originally appeared on SearchSMB.com. For more IT articles and tips specific to small and midsized businesses, visit SearchSMB.com.



There are countless articles on how to prevent e-mail virus infections, but almost nobody talks about how to clean up a massive infection. Of course, you want to update your server's file-level and Exchange-level antivirus software, and make sure all users have up-to-date antivirus applications running on their desktops.

But sometimes these steps are not enough. If your server is heavily infected, the sheer volume of infected messages can overwhelm the machine and your antivirus software may not be able to keep pace with the server. If you find yourself in a situation like this, here are the steps you need to take.

Stop the flow of SMTP traffic

First, cut off communications between your mail server and the Internet. This will prevent your server from spewing infected messages to the outside world and stop any new messages from arriving until you've recovered from the infection.

One way of stopping the flow of SMTP traffic is to configure your organization's SMTP connector to not deliver mail:

  1. Open Exchange System Manager and navigate through the console tree to Administrative Groups -> your administrative group -> Routing Groups -> First Routing Group -> Connectors -> your SMTP connector.

  2. Right click on your SMTP connector and select Properties.

  3. Now choose the Delivery Options tab.

  4. Pick the Never Run option from the Connection time dropdown list.

While you are at it, you might also consider disabling the SMTP virtual server:

  1. Navigate to Administrative Groups -> your administrative group -> Servers -> your server -> Protocols -> SMTP -> Default SMTP Virtual Server.

  2. Right click on the Default SMTP Virtual Server object and select the Stop command.

Keep users out of Exchange

In some cases, you may also need to keep the users out of the Exchange server while you disinfect it. The easiest way to do this is to unplug the network cable from the server. This will guarantee that nobody can send or receive anything until you are ready for them to do so.

Freeze your message queues

Now it is time to begin cleaning out the message queues. To do so, you must freeze the queues and then delete the undesirable messages.

  1. To freeze a queue, navigate through the Exchange System Manager console to Administrative Groups -> your administrative group -> Servers -> your server -> Queues.

  2. The console's detail pane will display a list of the server's queues. Right click on the queue containing the offending messages and select the Freeze command. (Keep in mind that X.400 queues can't be frozen.)

If you want to freeze all the queues, simply click the Disable Outbound Mail button (click Enable Outbound Mail to re-enable mail flow).

Locate and remove infected messages

To locate infected messages and remove them from the queues:

  1. Click the Find Messages button.

  2. The easiest way to spot an infected message is usually by its subject line. Unfortunately, the Find Messages feature doesn't allow you to search by subject line. Instead, enter a large number (such as 100,000) into the Number of Messages to Be Listed In the Search field.

  3. Set the Show Messages Whose State Is option to All Messages and click Find Now.

  4. The result is that all of the messages in the queue will be displayed. You can then sort the results by subject line to make finding the infected messages easier.

  5. Finally, select and right click on the infected messages and select Delete (No NDR). The infected messages will be deleted from the queue.

  6. Repeat the procedure on the remaining queues.
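Because Find Messages cannot filter by subject, the practical signal is volume: the same subject appearing many times, usually with an executable attachment. The following added example (not from the original tip) automates that "sort by subject and look for repeats" step over a queue listing; the record fields and sample rows are constructed assumptions, not an Exchange System Manager export format.

```python
# Added example: triage a queued-message listing by subject line, the way
# the tip suggests doing by hand after sorting the Find Messages results.
# Record fields and sample rows are constructed, not an Exchange export.
import os
from collections import defaultdict

# Extensions typical of 2005-era mass-mailing worm payloads (assumption).
EXECUTABLE_EXT = {".exe", ".pif", ".scr", ".bat", ".com", ".vbs", ".zip"}

# Constructed sample listing: id, sender, subject, attachment filename.
QUEUE_LISTING = [
    {"id": 1, "sender": "alice@example.com", "subject": "Re: your document", "attachment": "document.pif"},
    {"id": 2, "sender": "bob@example.com", "subject": "RE: Your Document", "attachment": "doc.pif"},
    {"id": 3, "sender": "carol@example.com", "subject": "Re: your document ", "attachment": "document.pif"},
    {"id": 4, "sender": "dave@example.com", "subject": "Meeting notes", "attachment": "notes.doc"},
    {"id": 5, "sender": "alice@example.com", "subject": "Re: your document", "attachment": "document.scr"},
    {"id": 6, "sender": "erin@example.com", "subject": "Hi", "attachment": None},
    {"id": 7, "sender": "frank@example.com", "subject": "hi", "attachment": None},
]

def normalize_subject(subject):
    # Worms vary case and whitespace; collapse both so variants group together.
    return " ".join(subject.split()).lower()

def attachment_ext(name):
    return os.path.splitext(name)[1].lower() if name else ""

def triage_by_subject(listing, min_count=3):
    """Group queued messages by normalized subject and flag groups that look
    like worm traffic: many copies of one subject carrying executable
    attachments. Returns suspects sorted by volume, with the message ids an
    administrator would select for Delete (No NDR)."""
    groups = defaultdict(list)
    for msg in listing:
        groups[normalize_subject(msg["subject"])].append(msg)
    suspects = []
    for subject, msgs in groups.items():
        exts = {attachment_ext(m["attachment"]) for m in msgs}
        if len(msgs) >= min_count and exts & EXECUTABLE_EXT:
            suspects.append({
                "subject": subject,
                "count": len(msgs),
                "distinct_senders": len({m["sender"] for m in msgs}),
                "message_ids": sorted(m["id"] for m in msgs),
            })
    return sorted(suspects, key=lambda s: -s["count"])

if __name__ == "__main__":
    for s in triage_by_subject(QUEUE_LISTING):
        print(f'{s["count"]:>5} msgs  {s["distinct_senders"]:>3} senders  {s["subject"]!r}  ids={s["message_ids"]}')
```

Review the flagged groups by hand before deleting; a legitimate internal broadcast can also produce many copies of one subject.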

Even after all of the queues have been disinfected, there is a very good chance that some of the mailboxes on your server contain infected messages. Exchange doesn't offer any easy mechanism for manually disinfecting everyone's mailboxes. Your best option is to scan the mailboxes with an Exchange aware antivirus program. You should do this prior to allowing the users back onto the server.

Return Exchange to a functional state

The last step in the process is to bring the server back to a functional state:

  1. Enable mail flow and unfreeze any frozen queues.

  2. Enable the SMTP Virtual Server and set the connection time for your SMTP connector back to Always Run.

  3. Plug the network cable back in to allow users to access Exchange once again.


About the author: Brien M. Posey, MCSE, is a Microsoft Most Valuable Professional for his work with Windows 2000 Server and IIS. Brien has served as the CIO for a nationwide chain of hospitals and was once in charge of IT security for Fort Knox. As a freelance technical writer he has written for Microsoft, TechTarget, CNET, ZDNet, MSD2D, Relevant Technologies and other technology companies. You can visit Brien's personal Web site at http://www.brienposey.com.
