Cleaning the Exchange Environment

 

Review and understand the recommendations in this section before a virus attack occurs. If an outbreak occurs, implement these recommendations as appropriate, according to the level of infection within your system.

Important

Although this section discusses shutting off mail flow, doing so every time there is an e-mail-transmitted virus is not recommended, especially if the outbreak occurs during peak mail usage and the level of disruption caused by the virus does not warrant such a severe response. However, some virus outbreaks are disruptive enough to warrant shutting off mail flow. This section is written for such an outbreak.

The approach given here assumes a widespread infection like that found in a "Melissa" or "ILOVEYOU" type of outbreak. Your objectives in responding to such an outbreak are to shut off mail flow to and from the Internet, clean and isolate servers, run antivirus software updates, and then reestablish mail flow. To achieve these objectives, follow these steps:

  1. Stop Internet mail flow on gateway servers.

    1. Clean mail queues.

    2. Disinfect servers.

  2. Stop internal mail flow.

  3. Isolate and clean infected mailbox servers.

    1. Disable user access to mailboxes.

    2. Clean SMTP and MTA queues.

    3. Clean mailboxes.

    4. Disinfect servers.

  4. Apply antivirus software updates.

    1. Apply the most recent antivirus definitions to all antivirus products (for example, at file-level, AVAPI, gateways, and mailbox servers).

    2. Run antivirus tools to verify that the computers are clean.

  5. Clean user workstations and update antivirus software definitions.

  6. Reestablish user access to mailboxes.

  7. Reestablish Internet mail flow connectivity.

The following sections describe these steps in more detail.