Editorial: Don't Let Viruses Knock You Out
Whenever a virus of some form or other strikes, there are media stories about enterprises being knocked offline by the virus, and how many millions of dollars it costs. More often than not, this means that the network manager or IT Department simply isn't doing their job right.
If your network goes down due to a virus, or stays offline for any extended period of time due to disrupted communications, you're not doing your job. Maybe that's a bit harsh, but the fact of the matter is that these issues need to be dealt with before they occur, and you should have a plan in place to recover from it.
Whenever a virus of some form or other strikes, there are media stories (more often than not mainstream media, as opposed to the computer press) about enterprises being knocked offline by the virus, and how many millions of dollars it costs. And each time, I wonder why. Just what does the virus do that's so destructive? Viruses, Trojans, or worms don't take the servers or gateways down by themselves. In that respect, the worst they can do is create a lot of port scanning and cause what amounts to a Denial of Service (DoS) attack. In such instances, the IT Department has usually made the decision to take the network offline. I believe that often enough, it is OK to leave the network running and eradicate the virus.
"Mass Mailers" like Melissa can jam e-mail gateways, but even if you don't nip that in the bud and allow the macro to run and send huge amounts of e-mail, just what does that do to your network? (I'm not suggesting folks should let this pass -- just that many of these events are oversold.) Take the e-mail gateway down briefly and enable a filter to stop all mail with attachments for the time being. This way, the more critical communications will continue unhampered.
What To Do?
If your server(s) have been infected, you have a bigger task ahead. In that case, you can take the server(s) down, disconnect machines which attach to them, cleanse the server(s), and then attach the machines serially, putting an anti-virus scan into the network login script. In this manner, you then know that everything connecting to your servers is copasetic.
After you have the mission critical aspects of your network running, use the intervening time to assess which local PCs, if any, may require a Restore (you do back up regularly, right?) or a rebuilding of their software. Assuming you have most data on the network drives, users can continue their work from another station, if needs be. (I always like to have a couple on carts that can be deployed in minutes for such occasions.) Establish a schedule to have them dealt with, and inform the users when they can expect their original workstations to be returned. (Be conservative -- you need to properly manage their expectations. Your end-users will be happier if you tell them it might take three days and restore them in two, than if you tell them it'll take one day and end up needing two.)
After all is restored, do another, very complete, antivirus check after hours -- let everyone know that you're taking the system down at say, 6:00 PM, and then run a scan on everything. If needs be, deploy a few folks with floppy disks to do local scans. These should be boot disks so that all the workers have to do is insert the disk and let it run. Your autoexec.bat or bootup instructions might even connect to the network as Guest, and then run a virus check from there. If you want everything self-contained, consider using boot CDs or some other form of write-protected, large removable media.