
Email Virus Outbreak Check List

March 7, 2010
Identify the attack

Topic: Virus, worm, or Trojan
Question to ask: What kind of virus are you facing?
Description: E-mail viruses can take three forms. Knowing what kind of virus you’re dealing with will help you better judge the severity. Don’t forget that some viruses are actually hoaxes.

Topic: The carrier
Question to ask: Where did the virus come from?
Description: Find out where the virus came from—who e-mailed it and who in the organization got the e-mail first. This will help you warn the people your organization deals with, or find out how they handled it.

Topic: Virus
Question to ask: What virus is it?
Description: The machine you’re using to make the connection needs to have one interface connected to the Internet, even if it’s only a modem, and another connected to the internal network.

Topic: Operating system
Question to ask: What e-mail software is your server running?
Description: Different e-mail systems are affected by different viruses. For example, a virus that reacts one way on Outlook/Exchange may not affect GroupWise and GroupWise clients.

Topic: Virus scanner
Question to ask: What virus scanner are you running?
Description: You should know what virus scanner is running on both your e-mail server and your clients, in case you need emergency updates.

Topic: Virus scanner
Question to ask: What do the virus protection makers say?
Description: Check with the virus protection maker to see whether it has provided a patch for your virus and whether you need to obtain updates or patches.
Communicate with end users

Topic: Alternative communication
Question to ask: How do I communicate if e-mail is down?
Description: Let users know that there’s an e-mail virus attacking the network, but do so in a manner that doesn’t cause panic. If need be, use instant messages or phone calls for notification. In a small organization, you may be able to personally deliver the warnings.

Topic: Users
Question to ask: Who has been affected?
Description: Find out who has been infected with the virus and who hasn’t. This may help identify the source of the virus and how it’s spreading in your organization.
Stop the attack

Topic: E-mail server
Question to ask: Do I need to bring down the e-mail server?
Description: If the virus is spreading fast, you may need to immediately disconnect your e-mail server from the network.

Topic: Network
Question to ask: Do I need to bring down the network?
Description: Some viruses propagate from client workstation to client workstation. If many clients are affected, you may need to bring down the whole network. The fastest way to do so may be simply shutting down the hubs, routers, and switches in your organization. Warn users before doing this.

Topic: Virus scanner
Question to ask: Do I need updates or patches?
Description: If you haven’t recently obtained virus signature updates for the server, do so immediately using a machine that hasn’t been infected. You may also need to download any special cleaning utilities the vendor provides.
Clean up the mess

Topic: Virus scanner
Question to ask: How do I get rid of the virus?
Description: Run the updated virus scanner or the utilities you’ve downloaded against the server and any affected workstations. You may need to use a utility like IISScan or ExMerge from Microsoft to physically delete infected messages.

Topic: Mailboxes
Question to ask: Do I need to recover mailboxes?
Description: Some viruses damage user mailboxes. Make sure you have backups handy to recover the mailboxes.

Topic: Workstations
Question to ask: Do I need to reinstall client software?
Description: You may need to completely reinstall the operating system, applications, and e-mail clients on client workstations. Make sure you have backups handy.
Perform a postmortem

Topic: Analysis
Question to ask: Who was affected?
Description: Determine who was affected by the virus and, most importantly, find out the complete configuration of their workstations to discover whether there was any common security hole, such as an outdated security update or virus signature.

Topic: Analysis
Question to ask: Where did the attack come from?
Description: Once you’ve determined the source of the attack, go to the source and find out whether they’ve taken precautions to keep it from happening again.

Topic: Analysis
Question to ask: What viruses act the same way?
Description: Like biological viruses, computer viruses run in similar strains. Check security Web sites to find out whether there are any other viruses similar to the one you just faced.

Topic: Analysis
Question to ask: How long did it take to fix the problem?
Description: Document the amount of time it took to fix the problem. You may need this information for insurance purposes. Additionally, you may be able to cost-justify more staff or a different virus scanning solution if the one you had was inadequate.
Prepare for the next attack

Topic: Virus scanner
Question to ask: Do I need to upgrade or replace my virus scanner?
Description: Some applications don’t work well through proxy servers or NATs. Check your application to see whether it will work before going to the trouble of installing a NAT.

Topic: Users
Question to ask: How do I educate users?
Description: Make sure users know how to identify possible virus messages. Teach them to keep virus signatures up to date. Let them know the potential for data loss. Educate them using different approaches, including training sessions, e-mails, and newsletters.

Topic: Education
Question to ask: How do I keep up to date on threats?
Description: Sign up for updates from CERT, Microsoft, and antivirus software manufacturers about virus threats. Don’t count on getting all of the information from one source. You’ll get lots of redundant information, but that’s better than missing a potential attack.

Topic: Backups
Question to ask: How important are backups?
Description: Make sure you have regular, complete backups of your e-mail server. Rotate backups on the e-mail server just as you do on your file server. Encourage users to back up their software as well, and to store personal mailboxes on a server share so the server backup software can reach them too.
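As an added worked example (not part of the original checklist), the script below answers three of the questions above from data a responder would already have: "Where did the virus come from?" and "Who has been affected?" from a mail-gateway log, and the postmortem "common security hole" check from a workstation inventory. The log lines, inventory, user names and the internal domain corp.example are all constructed for illustration.

```python
INTERNAL_DOMAIN = "corp.example"  # assumed internal mail domain (constructed)

# Constructed mail-gateway log: (timestamp, sender, recipient, attachment name)
MAIL_LOG = [
    ("2010-03-05 08:02", "partner@example.net", "alice@corp.example", "invoice.doc"),
    ("2010-03-05 08:14", "alice@corp.example", "bob@corp.example", "invoice.doc"),
    ("2010-03-05 08:15", "alice@corp.example", "carol@corp.example", "invoice.doc"),
    ("2010-03-05 08:40", "bob@corp.example", "dave@corp.example", "invoice.doc"),
    ("2010-03-05 09:00", "carol@corp.example", "erin@corp.example", "report.pdf"),
]

# Constructed workstation inventory: user -> configuration attributes
INVENTORY = {
    "alice": {"sig_version": "4.1", "patch": "missing", "client": "outlook"},
    "bob":   {"sig_version": "4.1", "patch": "missing", "client": "outlook"},
    "carol": {"sig_version": "4.1", "patch": "applied", "client": "outlook"},
    "dave":  {"sig_version": "4.1", "patch": "missing", "client": "outlook"},
    "erin":  {"sig_version": "4.3", "patch": "applied", "client": "groupwise"},
}

def trace_outbreak(log, attachment, internal_domain=INTERNAL_DOMAIN):
    """'Where did the virus come from?' and 'Who has been affected?': the external
    carrier, patient zero, internal recipients in delivery order, and internal
    accounts that re-sent the attachment (a sign their workstation is infected)."""
    hits = sorted(r for r in log if r[3] == attachment)  # timestamp sorts first
    if not hits:
        return None
    suffix = "@" + internal_domain
    affected = []
    for _, _, rcpt, _ in hits:
        if rcpt.endswith(suffix) and rcpt not in affected:
            affected.append(rcpt)
    spreaders = sorted({s for _, s, _, _ in hits if s.endswith(suffix)})
    return {"carrier": hits[0][1], "first_seen": hits[0][0],
            "patient_zero": affected[0] if affected else None,
            "affected": affected, "spreaders": spreaders}

def common_holes(inventory, affected_users):
    """Postmortem: configuration values shared by every affected workstation
    that no unaffected workstation has (the candidate common security hole)."""
    affected = [inventory[u] for u in affected_users if u in inventory]
    unaffected = [cfg for u, cfg in inventory.items() if u not in affected_users]
    if not affected:
        return {}
    shared = dict(affected[0])
    for cfg in affected[1:]:
        shared = {k: v for k, v in shared.items() if cfg.get(k) == v}
    return {k: v for k, v in shared.items()
            if not any(cfg.get(k) == v for cfg in unaffected)}
```

Call trace_outbreak(MAIL_LOG, "invoice.doc") to get the carrier and affected list, then pass the affected users' local parts to common_holes(INVENTORY, ...) for the postmortem comparison.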