If a virus outbreak does occur, speed is critical in minimizing the
damage, regardless of your company's size. "If you have a virus on one
workstation or one segment of your network and can trap it there, you're
in much better shape," says Cobb. But the only way that's going to happen
is if users know who to contact, and the notification then results in an
instant response. If you don't have a defined strategy for dealing with
infected e-mail or reporting outbreaks, create one.
The best way to guarantee a quick response is to provide a single point
of local contact, so users don't waste time figuring out the right person
to call. Designate one person on each tech-support team as the local
"antivirus czar." How many you'll need depends on your company's
support-personnel structure and mail-server distribution. Give each
antivirus czar a cell phone and make sure everyone in the department has
the number. Provide the czar with mail-server-administrator and
remote-management authorization, because the less time that elapses
between the call and the mail-server shutdown, the better the chance of
minimizing the spread of the virus through e-mail. Finally, to stay on top
of developments and virus alerts, your antivirus czar should subscribe to
the various free security and virus-alert mailing lists. (Read "Take
a Bite out of Viruses.")
The procedure for purging infected attachments from your mail server
depends on your e-mail system. But the theory remains the same: Stop the
server and delete attachments. Exchange admins have a particularly handy
tool called Exmerge. You can download a copy from Microsoft's Web site, or
get a more capable version in the Exchange Resource Kit or BackOffice
Resource Kit. Exmerge lets you perform massive Exchange database
operations, from extracting mailbox data to renaming entire folders. For
antivirus purposes, you can delete attachments based on the attachment
name, e-mail subject, or any other field. With the Exchange server
shut down, an admin can use Exmerge and pick out any infected bits before
giving e-mail the green light and bringing the server back up.
With a typical POP3/SMTP server, such as Sendmail or IMail, purging isn't as precise.
In most cases, with the server component or background operations stopped,
you delete files en masse from the main spool directory, where incoming
and outgoing messages wait for the POP and SMTP processes to act on them.
Then you embark on a slash-and-burn mission through individual mailboxes.
This is not a gentle operation, and users will lose incoming and outgoing
messages. Locking mail servers down and manually picking out infected
messages is a last resort, performed only when every other antiviral
safeguard fails to stymie the infiltration.
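The cleanup described above (server stopped, messages picked out by attachment name or subject, then pulled from individual mailboxes) as an added example that is not part of the article: a Python script that walks a Maildir-style mailbox and moves matching messages into a quarantine directory instead of deleting them, so the mail is still there to analyze and, if it turns out clean, to give back. Assumes Maildir storage on a server that has already been stopped; the mailbox, the messages and the attachment name are constructed for the demo.

```python
import email.message
import mailbox
import os
import tempfile

def message_matches(msg, attachment_names=(), subject_substrings=()):
    """True if an attachment file name or a Subject substring matches (case-insensitive)."""
    subject = (msg.get("Subject") or "").lower()
    if any(s.lower() in subject for s in subject_substrings):
        return True
    wanted = {a.lower() for a in attachment_names}
    return any((part.get_filename() or "").lower() in wanted for part in msg.walk())

def quarantine_maildir(maildir_path, quarantine_dir, attachment_names=(), subject_substrings=()):
    """Server stopped: copy each matching message out of one Maildir into quarantine_dir
    (raw bytes, for later analysis), then remove it. Returns the quarantined keys."""
    os.makedirs(quarantine_dir, exist_ok=True)
    box = mailbox.Maildir(maildir_path, create=False)
    moved = []
    for key in list(box.keys()):
        if message_matches(box[key], attachment_names, subject_substrings):
            with open(os.path.join(quarantine_dir, key + ".eml"), "wb") as fh:
                fh.write(box.get_bytes(key))  # headers and body, exactly as stored
            box.remove(key)
            moved.append(key)
    return moved

def make_message(sender, subject, body, attachment=None):
    """Constructed sample message; attachment is an optional (filename, bytes) pair."""
    msg = email.message.EmailMessage()
    msg["From"], msg["Subject"] = sender, subject
    msg.set_content(body)
    if attachment:
        msg.add_attachment(attachment[1], maintype="application",
                           subtype="octet-stream", filename=attachment[0])
    return msg

def demo():
    """Constructed Maildir: one clean message, one hunted attachment, one hunted Subject."""
    with tempfile.TemporaryDirectory() as root:
        maildir = os.path.join(root, "Maildir")
        box = mailbox.Maildir(maildir, create=True)
        box.add(make_message("alice@example.com", "Q3 budget", "see you Monday"))
        box.add(make_message("bob@example.com", "Check this out", "open it",
                             ("invoice.exe", b"constructed placeholder, not a real binary")))
        box.add(make_message("carol@example.com", "URGENT: read now", "kindly check"))
        moved = quarantine_maildir(maildir, os.path.join(root, "quarantine"),
                                   ("invoice.exe",), ("urgent: read now",))
        return len(moved), len(mailbox.Maildir(maildir).keys())  # -> (2, 1)
```

Run it once per mailbox with the matching criteria from the outbreak alert; anything quarantined by mistake can be copied back into the Maildir's new directory before the server is restarted.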