Isolate and Clean Infected Servers


When internal Exchange servers are infected, you can take the following steps to remove the infection:

  1. Disable user access to Exchange.

  2. Clean the messaging infrastructure:

    1. Freeze and unfreeze the queue.

    2. Find and delete infected messages.
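One way to carry out step 2 once a queue is frozen, as an added example that is not part of the original article: it assumes the frozen queue is a directory of RFC 822 .eml files and that the outbreak has been tied to a specific attachment, identified here by a constructed placeholder SHA-256; matching messages are moved to a quarantine folder rather than deleted, so a false positive can be recovered before the queue is unfrozen.

```python
import email
import hashlib
import shutil
import tempfile
from email import policy
from email.message import EmailMessage
from pathlib import Path


def attachment_hashes(raw: bytes) -> set[str]:
    """SHA-256 of every attachment body in one RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return {hashlib.sha256(part.get_payload(decode=True)).hexdigest()
            for part in msg.iter_attachments()}


def quarantine_queue(queue_dir: Path, quarantine_dir: Path, bad_hashes: set[str]) -> list[str]:
    """Move every queued .eml carrying a known-bad attachment; return the file names moved."""
    quarantine_dir.mkdir(parents=True, exist_ok=True)
    moved = []
    for eml in sorted(queue_dir.glob("*.eml")):
        if attachment_hashes(eml.read_bytes()) & bad_hashes:
            shutil.move(str(eml), str(quarantine_dir / eml.name))
            moved.append(eml.name)
    return moved


def build_message(subject: str, filename: str, payload: bytes) -> bytes:
    """Construct a sample queued message with one attachment (test data only)."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "a@example.test", "b@example.test", subject
    m.set_content("See attached.")
    m.add_attachment(payload, maintype="application", subtype="octet-stream", filename=filename)
    return m.as_bytes()


def demo() -> tuple[list[str], list[str]]:
    """Constructed outbreak: three queued messages, one carrying the bad attachment."""
    bad_payload = b"MZ\x90\x00constructed-worm-body"  # constructed stand-in, not real malware
    bad_hashes = {hashlib.sha256(bad_payload).hexdigest()}  # placeholder indicator
    with tempfile.TemporaryDirectory() as tmp:
        queue, quarantine = Path(tmp) / "Queue", Path(tmp) / "Quarantine"
        queue.mkdir()
        (queue / "NTFS_1.eml").write_bytes(build_message("Invoice", "invoice.pdf", b"%PDF-1.4 harmless"))
        (queue / "NTFS_2.eml").write_bytes(build_message("Re: your document", "doc.pif", bad_payload))
        (queue / "NTFS_3.eml").write_bytes(build_message("Hi", "photo.jpg", b"\xff\xd8 harmless"))
        moved = quarantine_queue(queue, quarantine, bad_hashes)
        return moved, sorted(p.name for p in queue.glob("*.eml"))


if __name__ == "__main__":
    print(demo())
```

Hash matching only catches the exact attachment already seen; for a virus that varies its payload, rely on the antivirus vendor's signatures instead.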

Disabling User Access to Exchange

In some outbreaks, it may become necessary to prevent users from using Exchange while the server is disinfected. Preventing user access helps to make sure that the server stays disinfected while the virus is removed from your organization. It is likely that, as part of the mailbox cleaning, you will need to run a disinfecting tool against the Exchange store. Therefore, you must keep the store mounted and running, so dismounting the store is not an option for blocking access. The recommended method for disabling user access to the Exchange computer is to disconnect the physical connection to the network by unplugging the Ethernet cable.

Cleaning the Messaging Infrastructure

After you have identified the message or messages that contain viruses, you must clean, or disinfect, your messaging infrastructure. Cleaning the messaging infrastructure involves cleaning the queues, cleaning the mailboxes, and then disinfecting the servers.

Cleaning the Queues

The first step in cleaning the messaging infrastructure is to clean the queues. For each server, this task involves freezing the queue, finding the offending messages, and deleting them. For detailed steps, see the following articles:

Cleaning Mailboxes

After you delete the virus messages from the queues, you must disinfect the mailboxes. The best way to perform this task is with a third-party antivirus solution. For information about antivirus products that work with Exchange 2003, see the "Exchange Server Partners: Antivirus" Web site.

If your antivirus software does not include the functionality for deleting messages from the Exchange store, you must run the Mailbox Merge Wizard (ExMerge.exe) to delete the offending messages. For more information about deleting virus messages from Exchange by using ExMerge.exe, see the Microsoft Knowledge Base article 328202, "HOW TO: Remove a Virus-Infected Message from Mailboxes by Using the ExMerge.exe Tool."

Disinfecting Servers

After you delete the messages containing viruses from your Exchange servers, and before you bring the servers back online, you must disinfect the servers. In this context, disinfecting the servers means a file-level scan to make sure the server itself is not infected with the virus. You can do this manually by following the instructions that are available on any number of virus-related Web sites for the given virus, or by updating the virus signatures and running file-level antivirus software on the Exchange computer.