managing_outbreaks

Managing Outbreak Situations

Outbreaks happen when viruses/malware, Trojans, worms, or other spyware/grayware suddenly attack many Exchange servers or personal computers on your network. There are many reasons why an attack might occur such as out-of-date components, poor configuration of anti-virus software, or a new malware arising for which there is not yet a pattern file. Outbreaks are a critical time when administrators must endure a chaotic, time-consuming process of communication, often to global and decentralized groups within their organizations.

The actions that administrators take when outbreaks happen can be broken down into four general stages:

1. Confirming that the security incident is a legitimate problem and not a false alarm

2. Responding to the security incident

3. Analyzing the security incident

4. Recovering the Exchange servers and mailboxes

ScanMail has some very useful features that can assist administrators in every stage of an outbreak. Consider the following features when an outbreak threatens:

1. To confirm that the security incident is truly a malware outbreak:

• Check the Trend Micro website for virus/malware alerts and the latest security advisory information.

http://www.trendmicro.com/vinfo/

• Check ScanMail notifications. ScanMail can be configured to automatically send alerts when outbreak conditions exist. In addition, ScanMail can be configured to notify administrators or other designated individuals when ScanMail takes actions against detected threats.

• For a quick analysis of the security incident, view the ScanMail Summary screen or create a one-time report. For more detailed information about the security incident, query ScanMail logs.

2. Responding

• Manually update components to immediately download the latest ScanMail components.

• Follow-up the update with a manual scan of the entire information store. Use the Trend Micro recommended defaults such as IntelliScan and ActiveAction or set even more aggressive scanning filters. If you know exactly what you are scanning for, select Specified files from the Security Risk Scan screen and type the name of the file for ScanMail to detect.

3. Analyzing

• Perform a Log Query to discover information about the attack. The log contains such useful information as the time and date, sender and receiver, and infected attachment names.

• If you need assistance to help analyze the security problem, send your virus/malware case to the Trend Micro Virus Response Service.

https://premium.trendmicro.com/virusresponse/en/us/VRS/logon/logon.asp

• If you need more assistance, contact Trend Micro support.

4. Recovering

• When you have restored your Exchange environment, consider changing your configurations and security policies. Consider the following points:

• Set ScanMail to back up files before taking action and then set very aggressive configurations. This allows ScanMail to detect and eliminate many threats without taking irreversible actions.

• Monitor the results using the real-time monitor or by generating logs and reports.

• Use the Server Management tool to quickly and easily replicate configurations from one secure and tested ScanMail server to another.

See also:

• Configuring Notification Settings

• Generating One-time Reports

• Configuring Manual Updates

• Querying Logs

• Understanding the Server Management Console