Ask the Exchange Pro 10-Minute Solution

Cleaning the Nasty Stuff Off Your Exchange Server
By Ben M. Schorr

The latest round of viruses and worms has wreaked a lot of havoc on organizations' computer systems. Not surprisingly, most of the calls I got were from administrators who were spending a lot of time going through mailboxes and cleaning out the offending messages.

Luckily for them, there's an easier way than opening each mailbox manually and deleting the messages. In fact, there are two easier ways.

Using Microsoft ISSCAN
The first is a tool from Microsoft called ISSCAN, which scans the Information Store and deletes messages that meet certain criteria. Sounds terrific, doesn't it? Unfortunately, the Information Store service has to be stopped while it runs, so nobody has mailbox access until it finishes. That's not an optimal solution if you're hoping to keep providing service to your users.

Using Microsoft ExMerge
The better solution is ExMerge. It's traditionally used to move mailboxes (or, more to the point, the contents of mailboxes) from one Exchange server to another, but the same facility that extracts items from a mailbox in order to move them can be used to remove them permanently as well.

ExMerge allows you to leave the Exchange services running so you have minimal downtime, and it's fairly easy to run. Although you can run it from the command-line, ExMerge is easier to run from Explorer using the Wizard. First log in with an account that has Service Account Admin privileges on the Exchange Server (otherwise the utility won't have the permissions to access all of the mailboxes). Then just double-click the ExMerge.exe file to start the Wizard.

ExMerge can be run in one-step or two-step mode. One-step mode removes the messages from the current mailbox and imports them automatically into a new mailbox. The two-step mode removes them from the old mailbox and places them into a .PST file. The second step, performed separately, puts those items into a new mailbox. Obviously, you don't want these messages put into a different mailbox, so you'll want to run ExMerge in two-step mode and only run the first step. The Wizard will prompt you for the mode in which you want to run ExMerge.

After you specify which server you want to run ExMerge against, click on the Options button to set the parameters of the operation. On the Data tab, leave the default (User Messages and Folders) specified. That's the right choice for cleaning bad items out of a mailbox.

On the Import Procedure tab, use the Archive Data setting. That removes the questionable items from the user's mailbox. Most of the other settings will leave them there, which defeats the whole purpose of this operation.

On the Folders tab, you can specify certain folders to process or ignore, but for this task (removing infected messages) I'd leave both sections empty and have it check all folders. Also, you should check the "Apply to subfolders" checkbox just in case somebody has moved an infected item to a subfolder manually or with a rule.

On the Dates tab, it's tempting to specify the exact date of the attack, but you're bound to miss something if you do that (clock skew, queued mail, items forwarded days later), so leave the date set to "All."

On the Message Details tab, you can specify one or more subjects and/or one or more attachment names. Entries within each list are alternatives, but if you fill in both lists ExMerge combines them: it looks for (Subject A or Subject B) and (Attachment A or Attachment B), so an item that matches only a subject or only an attachment name won't be removed. If the worm varies its subject line but not its attachment name, listing only the attachment name is the safer filter.

Don't give in to the temptation to leave both the subject and attachment lists blank: with no criteria, ExMerge selects every item in the folders you've chosen, and you'll remove mail the users want to keep. Putting it back later from the .PST files is a hassle.

In the String Compare Criteria drop-down box it's probably best to choose "full string match, ignore case" rather than "exact match." This way, variants of the message that differ only in case still get caught. Be careful with the substring matches, because anything overly vague could result in a lot of important messages being pulled out of your users' mailboxes.
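As an added illustration of the selection rules in the two paragraphs above (this is example code written for this page, not code from the article or from Microsoft's ExMerge), the following Python models how subject and attachment criteria combine under each compare mode and dry-runs a filter against a constructed sample mailbox. The mode names, the Message class and the sample messages are the example's own; the combination rules are the ones described above, with the assumption that when only one of the two lists is filled in, only that list is consulted.

```python
"""
Dry-run model of ExMerge's Message Details selection criteria.

Added example for this article, not code from the article or from
Microsoft's ExMerge. It reproduces, on constructed sample messages, the
selection rules the article describes, so a filter can be checked before
it is run against live mailboxes.
"""
from dataclasses import dataclass, field
from typing import List, Sequence

# Compare modes modelled on ExMerge's String Compare Criteria drop-down.
# These identifiers are this example's own names, not ExMerge's.
EXACT = "exact"                     # exact match, case-sensitive
FULL_IGNORE_CASE = "full_ignore"    # full string match, ignore case
SUB_IGNORE_CASE = "sub_ignore"      # sub string match, ignore case
SUB_MATCH_CASE = "sub_case"         # sub string match, match case


@dataclass
class Message:
    subject: str
    attachments: List[str] = field(default_factory=list)


def compare(value: str, pattern: str, mode: str) -> bool:
    """Apply one string-compare mode to a single subject or attachment name."""
    if mode == EXACT:
        return value == pattern
    if mode == FULL_IGNORE_CASE:
        return value.casefold() == pattern.casefold()
    if mode == SUB_IGNORE_CASE:
        return pattern.casefold() in value.casefold()
    if mode == SUB_MATCH_CASE:
        return pattern in value
    raise ValueError(f"unknown compare mode: {mode!r}")


def would_archive(msg: Message, subjects: Sequence[str],
                  attachments: Sequence[str], mode: str) -> bool:
    """True if the filter would pull this item out of the mailbox.

    Rules as the article describes them: entries within a list are OR'ed;
    if both lists are given an item must satisfy both (AND); if both lists
    are empty there is nothing to match against and everything is selected.
    """
    if not subjects and not attachments:
        return True
    subject_hit = any(compare(msg.subject, s, mode) for s in subjects)
    attachment_hit = any(compare(a, p, mode)
                         for a in msg.attachments for p in attachments)
    if subjects and attachments:
        return subject_hit and attachment_hit
    return subject_hit if subjects else attachment_hit


def dry_run(messages: Sequence[Message], subjects: Sequence[str],
            attachments: Sequence[str], mode: str) -> List[int]:
    """Indexes of the messages a given filter would remove."""
    return [i for i, m in enumerate(messages)
            if would_archive(m, subjects, attachments, mode)]


# Constructed sample mailbox contents (no real worm; names are made up).
MAILBOX = [
    Message("Check this out!", ["funny.txt.vbs"]),          # 0: the worm
    Message("CHECK THIS OUT!", ["FUNNY.TXT.VBS"]),          # 1: case variant
    Message("Check this out!", []),                         # 2: subject only, payload already stripped
    Message("FW: Check this out!", ["funny.txt.vbs"]),      # 3: forwarded copy, subject changed
    Message("Check this out - Q3 budget", ["budget.xls"]),  # 4: legitimate mail
]

WORM_SUBJECT = ["Check this out!"]
WORM_ATTACHMENT = ["funny.txt.vbs"]


if __name__ == "__main__":
    trials = [
        ("subject+attachment, full string ignore case",
         WORM_SUBJECT, WORM_ATTACHMENT, FULL_IGNORE_CASE),
        ("subject+attachment, exact match", WORM_SUBJECT, WORM_ATTACHMENT, EXACT),
        ("attachment only, full string ignore case", [], WORM_ATTACHMENT, FULL_IGNORE_CASE),
        ("vague substring on subject only", ["check this"], [], SUB_IGNORE_CASE),
        ("no criteria at all", [], [], FULL_IGNORE_CASE),
    ]
    for label, subs, atts, mode in trials:
        print(f"{label:45s} -> removes {dry_run(MAILBOX, subs, atts, mode)}")
```

Running it shows the trade-offs the article warns about: the subject-plus-attachment filter with "full string match, ignore case" catches the worm and its case variant but misses the forwarded copy (its subject gained an "FW:" prefix) and the copy whose attachment was already stripped; "exact match" misses the case variant too; an attachment-only filter also catches the forwarded copy; the vague substring "check this" pulls out the legitimate budget mail; and leaving both lists empty selects everything.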

While it runs, ExMerge pulls the selected messages out of each mailbox and writes them to a .PST file, one per mailbox, so after you've finished the settings above you have to tell ExMerge where to write those files. With a lot of mailboxes you get a lot of .PST files, so choose a location with plenty of room. Those files are also your only copy of what was removed, so keep them until you're sure nothing legitimate was caught, and remember that they now hold the infected attachments: a real-time virus scanner watching that folder may quarantine them mid-run, and they should not sit anywhere users can open them. Click Next, select your filenames (or accept the defaults), click Save Settings, and click OK.

At this point, ExMerge will start the process and give you a status screen to let you know how it's doing.

Where to Get Them
You can get both ISSCAN and ExMerge from Microsoft on their Exchange Server Hot Issues page. (They're both in the Zip archives listed there.) Be careful: there are four versions of the ISSCAN utility, one for each combination of platform (Alpha or Intel) and service-pack level (Exchange 5.5 Service Pack 3, or any earlier version). Make sure you get the right one for your server.

To stop infected messages from getting into the system in the first place, consider a content-scanning gateway such as MIMESweeper from Content Systems. If you add keywords, subjects, or attachment names to the filters in MIMESweeper, it will delete or quarantine those messages before they're ever written to the store.

The first step in security, however, will always be user education. Keep your users informed, let them know what to watch out for, and keep emphasizing how important it is for them to be responsible. Combine that with the tools mentioned above and good antivirus software, and your exposure drops considerably.

Even so, have good backups anyway!

Copyright 2004 Jupitermedia Corporation All Rights Reserved.