
Sunday, January 18, 2015

Exchange 2010 Stopping A Virus In Its Tracks

We just got hit with a couple of viruses that fired off messages with .pdf.zip attachments starting around 8:30 in the morning, and we spent the rest of the day fighting them because some users, of course, opened them. Luckily, PowerShell makes it a little less painful to clean up the virus and stop it from spreading (through email, anyway).

The first thing I like to do is suspend all transport queues. Suspending a queue stops messages from leaving it but still lets new messages enter, so anything the virus keeps sending piles up where you can delete it instead of going out. This will annoy some users because mail flow stops, but they'll have to live with it until the virus is cleaned up.

**Note** I do not stop the Transport service, since that kills all internal/external mail flow: remote senders can no longer connect, and once their retry window runs out their mail bounces. That doesn't inspire confidence in your clients :)

To stop the queues, you can use the Exchange Management Console (EMC) or the Exchange Management Shell (EMS).

To use the EMC, go to Toolbox > Queue Viewer > Select All the Queues > right-click > Suspend

To use the EMS, run:

Suspend-Queue -Filter {MessageCount -ge 1 -and Status -eq "Active"} -Confirm:$False

**Note** This suspends every queue on the local server that has at least one message in it and is currently Active. Queues in Retry status are not matched by this filter, and Suspend-Queue only acts on the server you run it on unless you add -Server, so repeat it on each Hub Transport server (or loop over Get-TransportServer).

After the queues have been stopped, you can seek & destroy the messages containing the viruses in all of the queues by running:

Get-TransportServer | Get-Queue | Get-Message -ResultSize unlimited | Where {$_.Subject -eq "virus"} | Remove-Message -WithNDR $False

**Note** Change "virus" to the subject of the messages you want to remove. -eq is an exact (case-insensitive) match on the whole subject; if the subject varies, use `$_.Subject -like "*virus*"` instead. This command does not send NDRs, because we don't want thousands of bounces going back to spoofed senders.

Next, we'll want to search for and delete the messages (by subject) in all users' mailboxes, by running:

Get-Mailbox -ResultSize Unlimited | Search-Mailbox -SearchQuery 'Subject:"virus"' -DeleteContent

You'll get a prompt asking if you want to run this on all mailboxes; type A (Yes to All) and press Enter.

**Note** Again, change "virus" to the subject of the messages you want to remove. -DeleteContent requires the Mailbox Import Export management role in addition to Discovery Management, and it is irreversible, so run the same query once with -LogOnly (plus -TargetMailbox and -TargetFolder) or -EstimateResultOnly first to make sure the subject doesn't also match legitimate mail.

After the mailboxes and queues have been cleaned, you'll need to create a Transport Rule to catch and delete any messages that still contain the virus before they reach a mailbox. Transport rules are evaluated on the Hub Transport server during categorization, which is why the queues were cleaned first: the rule won't touch messages already sitting in a delivery queue. Create it by running:

New-TransportRule -Name "purge virus messages" -Priority '0' -Enabled $true -SubjectContainsWords 'virus' -DeleteMessage $true

**Note** Change "purge virus messages" to whatever you want to name the rule, and change "virus" to the subject of the messages you want to remove. Remember to disable or remove the rule once the outbreak is over, or it will silently drop legitimate mail that happens to contain that word.

Once you have your Transport Rule in place, you can resume the queues, by running:

Resume-Queue -Filter {Status -eq "Suspended"}
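The whole procedure above, collected into one Exchange Management Shell script, as an added example that is not part of the original post. It runs the same steps across every Hub Transport server rather than only the local one, keeps a copy of one queued message for analysis before purging, does a logged dry run before deleting from mailboxes, and finishes by pulling the earliest matching RECEIVE events from the message tracking logs to help locate the first internal sender. The subject pattern, the `C:\IR\samples` folder and the `IR-Search` mailbox are assumptions for the example, not values from the post.

```powershell
# Added example, not from the original post. Run in the Exchange Management Shell
# on an Exchange 2010 Hub Transport server with Discovery Management and
# Mailbox Import Export roles. Assumptions: the infected subject contains "virus",
# C:\IR\samples is writable, and a mailbox named IR-Search exists for search logs.

$SubjectWord    = 'virus'                    # word the infected subject contains
$SubjectPattern = "*$SubjectWord*"           # wildcard form for OPATH -like filters
$SampleDir      = 'C:\IR\samples'            # assumed folder for a preserved sample
$SearchMailbox  = 'IR-Search'                # assumed mailbox for Search-Mailbox logs
$HubServers     = Get-TransportServer        # every Hub Transport server in the org

New-Item -ItemType Directory -Path $SampleDir -Force | Out-Null

# 1. Suspend delivery on every Hub server, not just the one you are logged on to.
#    "Status -ne Suspended" also catches queues sitting in Retry.
foreach ($srv in $HubServers) {
    Suspend-Queue -Server $srv.Name -Confirm:$false `
        -Filter "MessageCount -ge 1 -and Status -ne 'Suspended'"
}

# 2. Find every queued copy (server-side filter, no client-side Where needed),
#    keep one sample as an .eml for analysis, then purge the rest without NDRs.
$queued = foreach ($srv in $HubServers) {
    Get-Message -Server $srv.Name -ResultSize Unlimited `
        -Filter "Subject -like '$SubjectPattern'"
}
if ($queued) {
    $first = $queued | Select-Object -First 1
    # Export-Message only works on a suspended message.
    Suspend-Message -Identity $first.Identity -Confirm:$false -ErrorAction SilentlyContinue
    Export-Message -Identity $first.Identity |
        AssembleMessage -Path (Join-Path $SampleDir 'sample.eml')
    $queued | Remove-Message -WithNDR $false -Confirm:$false
}

# 3. Mailboxes: a logged dry run first, so you can check the report in IR-Search
#    before anything is deleted, then the real, irreversible delete.
$query = "Subject:`"$SubjectWord`""
Get-Mailbox -ResultSize Unlimited |
    Search-Mailbox -SearchQuery $query -LogOnly -LogLevel Full `
        -TargetMailbox $SearchMailbox -TargetFolder 'Virus-Report'
Get-Mailbox -ResultSize Unlimited |
    Search-Mailbox -SearchQuery $query -DeleteContent -Force

# 4. Transport rule so stragglers never reach a mailbox. Rules run during
#    categorization, which is why the queues were cleaned before this step.
New-TransportRule -Name 'purge virus messages' -Priority 0 -Enabled $true `
    -SubjectContainsWords $SubjectWord -DeleteMessage $true

# 5. Resume delivery everywhere.
foreach ($srv in $HubServers) {
    Resume-Queue -Server $srv.Name -Filter "Status -eq 'Suspended'"
}

# 6. Patient zero: the earliest RECEIVE events for that subject in the tracking
#    logs show who submitted it first and from which client address/host.
$since = (Get-Date).AddDays(-1)
$HubServers |
    Get-MessageTrackingLog -Start $since -EventId RECEIVE `
        -MessageSubject $SubjectWord -ResultSize Unlimited |
    Sort-Object Timestamp |
    Select-Object -First 5 Timestamp, Sender, ClientIp, ClientHostname, Source
```

The exported sample is what you hand to whoever analyses the attachment, and the tracking-log query is the quickest way to turn "someone opened it" into a specific sender and client IP. Remove the transport rule once the outbreak is over.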

Now you have the fun task of finding "patient zero", whoever brought the virus into your environment, and cleaning up all infected machines. The message tracking logs (Get-MessageTrackingLog) are the place to start: the earliest RECEIVE event with the virus subject tells you which sender and client address submitted it first.
