When your company's Exchange server has been hit by hundreds or thousands of messages containing viruses, you don't have to delete the offending messages by hand. Microsoft's Exmerge utility can hunt down the offending e-mail messages and delete them for you. In this Daily Drill Down, I will explain where to get Exmerge and how to use it.
There are several versions of Exmerge. For this Daily Drill Down, I’ll use Exmerge 3.71, which supports Exchange 4.0, 5.0, and 5.5. If you’re running Exchange 2000, you’ll need Exmerge 2000, which will be covered in an upcoming Daily Drill Down.
What does Exmerge do, and where can I get it?
Exmerge is a great utility to help deal with problems that can occur in an Exchange database. Exmerge can extract mail from a damaged information store and place mail into .pst files that you can then import back into another undamaged information store. You can also use Exmerge to locate and remove a specific e-mail message, which can be helpful in dealing with virus attacks. If you’re moving users to a different organization, Exmerge can help you migrate users between different organizations and sites. For the purposes of this Daily Drill Down, I’ll demonstrate Exmerge’s usefulness by showing you how to search for and extract virus-infected e-mails.
Exmerge may already be installed on your Exchange server, but you want to make sure that you have version 3.62 or higher, because later versions offer more functionality. To find out if a version exists on your server, click Start | Find, type exmerge.exe in the Named field, and click OK. If you find this file in the list box at the bottom of the Find Files window, check the version by viewing the Exmerge Properties sheet and clicking the Version tab. Make sure that Exmerge is version 3.62 or later.
If you don’t find it, download the latest version from Microsoft’s Web site. It may seem odd that you’ll download a file called Iloveyouhlpi.zip, but Microsoft released the latest version of Exmerge as a part of the battle against the I Love You virus.
The file is only 1.4 MB long, so it won't take long to download. Download the file to a temporary directory on your administrative workstation. You’ll then need to create an Exmerge directory on your server, which is where you’ll run the utility from. When you extract the file into the Exmerge directory that you create, you’ll find the Exmerge executable. In addition to the Exmerge utility, the .zip file has other utilities to help you maintain your Exchange server, including the following:
- Isscan—In the Isscan directory, you will find the file Isscan.exe. This is a free tool that can be used to clean your server after infection until you receive updated signature files from your antivirus vendor; however, it's not antivirus software and won't prevent your Exchange server from becoming infected. This utility requires you to shut down Exchange services. The program doesn't remove the message that contains the virus; it only removes the infected attachment. However, it doesn't update the link in the message, which causes unnecessary errors on the client when it tries to open these messages.
- MTACLEAN and Findbin—You can clean the MTA from infected messages using an Advanced Find in MTACLEAN or using Findbin. Using the standard Windows Advanced Find, you can search for specific text in the MTA directory on your Exchange server. Once you find the files that contain the text, you can move them, not delete them, from the MTA directory to a temporary directory. The Findbin method does primarily the same thing that the Advanced Find does, except it looks through the MTA *.dat files for the hexadecimal equivalent of the text.
- Internet Mail Connector (IMC)—Using the files extracted to the IMC directory, you can search for and clean messages from the IMC. Using the Advanced Find utility, you can move the messages from the IMCDATA directory that contains specific text to another location of your choice. Once that is complete, you will have to also clean the MTS-OUT and MTS-IN mailboxes.
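The Findbin and Advanced Find methods above both come down to the same operation: search each file in the MTA directory for the bytes of a text string and move (never delete) the hits somewhere safe. The following is an added example, not code from the Daily Drill Down and not Microsoft's Findbin or MTACLEAN: a small scanner that checks every *.dat file for the raw byte encodings of a search string, previews the hits in a dry run, and then moves them to a holding directory. Two assumptions are built in and labelled in the comments: the text may be stored as ASCII or as UTF-16LE (the article only says Findbin looks for "the hexadecimal equivalent of the text"), and the directory and file names are constructed sample values, not real Exchange paths.

```python
"""
Added example, not from the Daily Drill Down and not Microsoft's Findbin or
MTACLEAN: a Findbin-style scanner that walks a directory of *.dat files, looks
for the byte encodings of a search string, and moves (never deletes) each hit
into a holding directory, with a dry-run mode that only lists the hits.
Assumptions: the text may appear as 8-bit ASCII or as UTF-16LE; directory and
file names are constructed sample values, not real Exchange paths.
"""
from __future__ import annotations
import shutil
import tempfile
from pathlib import Path


def needle_encodings(text: str) -> list[bytes]:
    """Byte patterns to look for. Assumption: the text may be stored either as
    8-bit ASCII or as UTF-16LE inside a binary .dat file."""
    return [text.encode("ascii"), text.encode("utf-16-le")]


def file_contains(path: Path, needles: list[bytes], chunk_size: int = 1 << 20) -> bool:
    """Binary search for any needle, reading in chunks and keeping an overlap so
    a pattern that straddles two chunks is not missed."""
    overlap = max(len(n) for n in needles) - 1
    tail = b""
    with path.open("rb") as fh:
        while True:
            data = fh.read(chunk_size)
            if not data:
                return False
            buf = tail + data
            if any(n in buf for n in needles):
                return True
            tail = buf[-overlap:] if overlap > 0 else b""


def quarantine_matching(mta_dir: Path, holding_dir: Path, text: str,
                        pattern: str = "*.dat", dry_run: bool = True) -> list[str]:
    """Return the names of files under mta_dir whose bytes contain `text`.
    With dry_run=False the matches are moved, not deleted, to holding_dir so
    they can be examined or put back."""
    needles = needle_encodings(text)
    matched: list[str] = []
    for path in sorted(Path(mta_dir).glob(pattern)):
        if path.is_file() and file_contains(path, needles):
            matched.append(path.name)
            if not dry_run:
                Path(holding_dir).mkdir(parents=True, exist_ok=True)
                shutil.move(str(path), str(Path(holding_dir) / path.name))
    return matched


def build_sample_mta(root: Path) -> Path:
    """Constructed sample data: two .dat files carrying the text (one as ASCII,
    one as UTF-16LE), one clean .dat file, and a .log file the glob must skip."""
    root.mkdir(parents=True, exist_ok=True)
    (root / "db000001.dat").write_bytes(b"\x00\x10Subject: I Love You" + b"\x00" * 8)
    (root / "db000002.dat").write_bytes(b"\x01\x02" + "I Love You".encode("utf-16-le") + b"\xff")
    (root / "db000003.dat").write_bytes(b"\x00\x10Subject: Q2 budget\x00")
    (root / "ev0.log").write_bytes(b"I Love You")
    return root


def demo() -> tuple[list[str], list[str], list[str], list[str]]:
    """Run a preview, then the real move, in a throw-away directory and return
    (preview hits, moved files, files left in place, files now in holding)."""
    with tempfile.TemporaryDirectory() as tmp:
        mta = build_sample_mta(Path(tmp) / "mtadata")
        holding = Path(tmp) / "holding"
        preview = quarantine_matching(mta, holding, "I Love You", dry_run=True)
        moved = quarantine_matching(mta, holding, "I Love You", dry_run=False)
        remaining = sorted(p.name for p in mta.iterdir())
        held = sorted(p.name for p in holding.iterdir())
        return preview, moved, remaining, held


if __name__ == "__main__":
    preview, moved, remaining, held = demo()
    print("preview:", preview)
    print("moved:", moved)
    print("left in place:", remaining)
    print("in holding:", held)
```

Run the dry run first and read the list; only when every name on it is a file you expect to lose should the move be repeated with `dry_run=False`. Moving rather than deleting is what lets a false positive be put back.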
Before you run Exmerge
To run the Exmerge utility, you must be running Exchange 4.0, 5.0, or 5.5 on your server. Also, make sure the Exchange Server Administrator is loaded. Log on to your server with a user ID that has Service Account administrator permissions at the organization, site, and configuration levels. It is always a good idea to have a backup of your data before performing any maintenance of this type.
Next, make sure your server has enough space to run Exmerge; the actual amount of space you’ll need depends on the size of your information store, but a good rule of thumb is to allow for the store to double in size. Your server should have enough free disk space on the drive that contains the Priv.edb database to allow it to double in size. Additionally, you also need enough disk space for the personal folders files that Exmerge creates. Ideally, you should create the .pst files on the same drive that you run Exmerge from, but Exmerge will allow you to create the files on another drive if necessary.
Exmerge has several steps, each of which can take several hours to run. Depending on hardware and other considerations, Microsoft claims that the average time for Exmerge’s first step is from 45 minutes to one hour for each GB of data. In the second step, Exmerge can take from one to two hours for each GB.
When using this utility, plan exactly which messages you are going to delete and even run a test if possible, because if you aren't careful, you can unintentionally delete hundreds or thousands of messages very quickly.
Exmerge can be extremely helpful when you experience a denial of service attack and have an information store full of unwanted e-mail messages. You could direct your users on a procedure to manually delete these messages, but Exmerge can remove them quickly and efficiently without getting your users involved.
Exmerge runs while the Exchange services are running, so it's not necessary to stop the services or have your users exit their e-mail. The only service you will need to stop would be the Norton Antivirus For Exchange. Also, you should probably run the procedure after hours, if possible, so your users aren't disrupted or confused when messages are deleted while they are using e-mail. For example, if a user has a message open that is deleted by the Exmerge procedure, it will be deleted once it has been closed. If the user tries to find the message again, it will be gone.
To start Exmerge, log in to the Exchange server using the Exchange service account. Create a folder called Exmerge and copy Exmerge.exe, Exmerge.ini, and Mfc42.dll into the folder; however, Exmerge.ini isn't necessary unless you want to use text files to store the parameters for the delete process.
You can run Exmerge from Windows Explorer by double-clicking on Exmerge.exe or running it from a command prompt by typing Exmerge while in the directory where Exmerge.exe resides. Starting the command will launch the Microsoft Exchange Merge Mailbox Wizard. A welcome screen will appear giving a brief description of the Exmerge utility.
You’ll then see the Microsoft Exchange Merge Mailbox Wizard screen shown in Figure A. There are two options available: One Step Merge and Two Step Merge. The Two Step Merge gives you a little more control over the process. For the purposes of this Daily Drill Down, I'll perform the Two Step Merge. Select that option and click Next.
You’ll then see the wizard that performs the Two Step Merge, shown in Figure B. The Two Step Merge can be used to copy information to Personal Storage Files (.pst) or to merge data from .pst files into a destination Exchange server. Choose Step 1 and then choose Next to continue.
Figure B: I chose Step 1: Copy Data To Personal Folders.
Next, you’ll see the screen shown in Figure C, where you must enter the name of the Exchange server from which you want to copy data in the Microsoft Exchange Server Name field.
The user account you are logged on with must have access to all mailboxes on the server for this procedure to work. Click the Options button to configure message selection criteria. Then, you’ll see the Data Selection Criteria sheet shown in Figure D.
Figure D: Use the Data Selection Criteria window to select the data you want to extract.
On this screen, select the data you want to extract from the server. To choose the data based on the user, select the box next to User Messages And Folders. This option allows the program to copy all user data.
Next, choose the Import Procedure tab and click on Archive Data To Target Store to show the screen shown in Figure E.
Figure E: By selecting options on this screen, you tell Exmerge how you want to import the files.
This option will copy data that meets the criteria you provide to a .pst file and will then delete the data from the Exchange server mailbox. This will result in the loss of data and should be given much consideration before continuing. If you decide to continue, click Apply and choose Yes to the message that warns about data loss.
Next, you can set the message criteria or attachment criteria by selecting the Message Details tab shown in Figure F.
Figure F: Enter the criteria for selecting your message at this screen.
At this point, you can type in the subject of the message or name of the attachment to be deleted. Choosing the text for the message subject should be done very carefully. If you’re too general in your selection criteria, you may see lots of messages that aren’t relevant to what you’re really looking for. Conversely, if you’re too specific, your search may come back empty.
You can choose to match exact, ignore case, or just match a substring of the text. If a message to be deleted was forwarded with a different subject, the Exmerge utility cannot delete the message based on the original message subject line or MTS-ID. If the text I Love You is used, any message in the user mailboxes you choose that contains that specific text will be deleted, not just those that contain the I Love You virus. The program is indiscriminate about the importance of a message, so depending on what you need to remove from your Exchange server, it may be safer to use the name of the attachment.
Enter your search string in the format listed in the example at the bottom of the Message Details screen. It is (Date Restriction) AND (Subj1 OR Subj2 OR..Subjn) AND (Att1 OR Att2 OR .. Attn). The separator is an AND, not an OR, between the Date, Subject, and Attachment. Therefore, if you put data in the subject field and the attachment field, a message must meet both criteria to be selected. I highly recommend that you test this utility on a single test mailbox before you run it against production mailboxes.
The Dates tab will allow you to select messages based on a range of dates. It is not necessary to use dates, but it can help you to better define your search criteria.
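Because the selection rule decides exactly which messages disappear, it pays to be able to predict its hits before touching a mailbox. The following is an added example, not code from the Daily Drill Down and not Exmerge's own logic: a model of the rule the screen quotes, (Date Restriction) AND (Subj1 OR Subj2 OR..Subjn) AND (Att1 OR Att2 OR .. Attn), with the three text match modes (exact, ignore case, substring), run as a dry run over constructed sample mailboxes. The mailbox names, subjects, attachment names and dates are all constructed sample values; the sample set deliberately includes a forwarded copy under a changed subject and a legitimate message whose subject contains the same words, so the example shows both cautions from the text: a substring subject match over-selects, an exact match misses the forwarded copy, and an attachment-name criterion avoids both problems.

```python
"""
Added example, not part of the Daily Drill Down and not Exmerge's own code: a
model of the Message Details selection rule
    (Date Restriction) AND (Subj1 OR Subj2 OR .. Subjn) AND (Att1 OR Att2 OR .. Attn)
with the three text match modes (exact, ignore case, substring), run as a dry
run over constructed sample mailboxes so the hit list can be reviewed before
anything is deleted. All names, subjects, attachments and dates are constructed.
"""
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import date
from typing import Optional


@dataclass
class Message:
    mailbox: str
    subject: str
    received: date
    attachments: list[str] = field(default_factory=list)


@dataclass
class Criteria:
    subjects: list[str] = field(default_factory=list)     # Subj1 OR Subj2 OR ...
    attachments: list[str] = field(default_factory=list)  # Att1 OR Att2 OR ...
    start: Optional[date] = None                          # date restriction, inclusive
    end: Optional[date] = None
    mode: str = "substring"                               # "exact", "ignore_case" or "substring"


def text_matches(value: str, pattern: str, mode: str) -> bool:
    """One text comparison in the chosen match mode."""
    if mode == "exact":
        return value == pattern
    if mode == "ignore_case":
        return value.casefold() == pattern.casefold()
    if mode == "substring":
        return pattern.casefold() in value.casefold()
    raise ValueError(f"unknown match mode: {mode}")


def group_matches(values: list[str], patterns: list[str], mode: str) -> bool:
    """One (x1 OR x2 OR ...) group: true if any value matches any pattern."""
    return any(text_matches(v, p, mode) for v in values for p in patterns)


def message_selected(msg: Message, crit: Criteria) -> bool:
    """Apply the ANDed groups. A group left empty imposes no restriction, which
    is what makes a subject-only or attachment-only search possible, and also
    why completely empty criteria select every message."""
    if crit.start is not None and msg.received < crit.start:
        return False
    if crit.end is not None and msg.received > crit.end:
        return False
    if crit.subjects and not group_matches([msg.subject], crit.subjects, crit.mode):
        return False
    if crit.attachments and not group_matches(msg.attachments, crit.attachments, crit.mode):
        return False
    return True


def dry_run(messages: list[Message], crit: Criteria) -> dict[str, list[str]]:
    """Return {mailbox: [subjects that would be removed]} without removing anything."""
    hits: dict[str, list[str]] = {}
    for m in messages:
        if message_selected(m, crit):
            hits.setdefault(m.mailbox, []).append(m.subject)
    return hits


OUTBREAK_DAY = date(2000, 5, 4)  # constructed date for the sample data

# Constructed sample mailboxes: two copies of the unwanted message (one forwarded
# under a changed subject), one legitimate message whose subject merely contains
# the same words, and one unrelated message.
SAMPLE_MESSAGES = [
    Message("alice", "I Love You", OUTBREAK_DAY, ["LOVE-LETTER.TXT.vbs"]),
    Message("bob", "FW: I Love You", OUTBREAK_DAY, ["LOVE-LETTER.TXT.vbs"]),
    Message("carol", "I love you, Mom! Happy birthday", date(2000, 5, 3), []),
    Message("dave", "Q2 budget", OUTBREAK_DAY, ["budget.xls"]),
]

if __name__ == "__main__":
    for label, crit in [
        ("subject substring only", Criteria(subjects=["I Love You"])),
        ("subject exact only", Criteria(subjects=["I Love You"], mode="exact")),
        ("attachment substring only", Criteria(attachments=["LOVE-LETTER"])),
        ("subject AND attachment", Criteria(subjects=["I Love You"], attachments=["LOVE-LETTER"])),
    ]:
        print(f"{label}: {dry_run(SAMPLE_MESSAGES, crit)}")
```

Reading the dry-run output is the test the text recommends, done on paper: the subject-only substring search takes carol's birthday note along with the two infected copies, the exact subject search leaves bob's forwarded copy behind, and the attachment-name search selects exactly the two infected messages. Note also that empty criteria select everything, so a half-filled screen is the most dangerous state to click through.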
You’ll next see the wizard screen shown in Figure G, which displays all of the e-mail messages that match your criteria.
From there, you can choose the mailboxes from which messages matching the specified criteria will be deleted. As I mentioned, I recommend that you test this procedure to ensure it produces the desired results before you run it on your production mailboxes. You can choose all mailboxes at once using the Select All button. To select individual mailboxes, hold down the [Ctrl] key and click on the mailboxes you want.
Once you have chosen the mailboxes to include, click Next to continue. From the next screen, shown in Figure H, you will choose the location where the information will be copied. Each mailbox chosen in the previous step will have an individual .pst file created. The required disk space shown will probably be quite a bit more than the actual space used; it's just an estimate of the maximum amount that could be used.
Figure H: Choose the location where you want the .pst files created.
You can click Save Settings to save the session information if you want to run the same job again or run the job in batch mode. This will also create a new Exmerge.ini file. To start the merge process, click Next.
Depending on the amount of information to be deleted, it could take several hours or several minutes to complete. Also, messages will not be automatically removed from the System Attendant Mailbox; you must do that manually. Also, if the Item Retention option is turned on, the message may still be available for recovery by the user on the Outlook client.
Exmerge is a powerful utility that you can use to maintain your Exchange information store. If your company is hit with a major virus attack, Exmerge can save you and your users hours of work by deleting infected messages and attachments so you won't have to do it manually. That feature alone can make it worthwhile to download and keep on hand in your administrator software toolbox.