How to Manage Quarantined Files in Forefront Protection 2010 for Exchange Server (FPE)

For the official Microsoft topic on this subject, see Managing quarantine on the Microsoft TechNet Library.

Saving quarantined items to disk

You can decode and save quarantined items to disk. When doing so, be aware that the decoded file is a potentially live virus, so it is recommended that you only perform this activity for files that you believe are false positives. The files are saved with their original names; if there is a conflict, an ID is appended to the end of the file name to denote that there are multiple files with the same name, for example, filename_ID1.doc, filename_ID2.doc, and so on.

To save quarantined items to disk

  1. In the Forefront Protection 2010 for Exchange Server Administrator Console, click Monitoring, and under Server Security Views, click Quarantine.

  2. On the Server Security Views - Quarantine pane, select one or more items. Right-click and then click Save.

  3. On the Save Selected Items dialog box, in the Output Path box, type or browse (by clicking Change) to the location where you want to save the items, and then click Save.

    If you receive a message that the file was saved successfully, you can click Open Folder to easily access the saved items.

Delivering quarantined items using e-mail

You can deliver quarantined items to specified recipients using e-mail. When doing so, you should be aware that this file is now a potentially live virus, so it is recommended that you only perform this activity for files that you believe are false positives.

When quarantined items are delivered to the user's mailbox, they are included as an attachment to a new e-mail message. Tag text in the subject line identifies that the message contains a delivered quarantined item. This text, which cannot be changed, is “Message delivered from Microsoft Forefront Protection for Exchange Server Quarantine”. When the user opens the attachment, the original message launches within Microsoft Office Outlook as a separate message.

On an Edge Server, because FPE has no access to Active Directory Domain Services, you must enter a full e-mail address with a fully qualified domain name, even if delivery is to an addressee inside your Exchange organization. If you don't enter a fully qualified domain name, then FPE won't be able to deliver mail from quarantine.

To deliver quarantined items

  1. Click Monitoring, and under Server Security Views, click Quarantine.

  2. On the Server Security Views - Quarantine pane, select one or more items. Right-click and then click Deliver in order to deliver the quarantined items to specified recipients.

  3. On the Deliver Selected Items dialog box, indicate the recipients for the items being delivered.

    You can select the Send to original recipients check box in order to deliver the quarantined items to the original recipients of the messages. You can also manually input e-mail addresses for the To, Cc, and Bcc recipients. You can input multiple e-mail addresses if they are separated by a semicolon (;).

  4. Click Send to deliver the quarantined items to the specified recipients.
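The Edge Server note above requires every recipient to carry a fully qualified domain name, and step 3 accepts a semicolon-separated address list. The following PowerShell function, added here as an example and not part of FPE or this article, checks such a list before you paste it into the Deliver Selected Items dialog. The function name and the sample addresses are constructed for the example.

```powershell
# Added example (not FPE code): validate a semicolon-separated recipient list
# before entering it on the Deliver Selected Items dialog. On an Edge Server,
# FPE cannot resolve names through Active Directory, so every address must
# carry a fully qualified domain name; a bare alias or single-label domain fails.
function Test-QuarantineRecipientList {
    param(
        [Parameter(Mandatory = $true)]
        [string]$RecipientList    # e.g. "alice@contoso.com; bob@mail.contoso.com"
    )

    # Split on the semicolon separator the dialog expects, trim whitespace,
    # and drop empty entries left by a trailing ';'.
    $addresses = $RecipientList -split ';' |
        ForEach-Object { $_.Trim() } |
        Where-Object { $_ -ne '' }

    foreach ($address in $addresses) {
        $parsed = $null
        try {
            # The constructor throws FormatException for anything that is not
            # shaped like an e-mail address (for example a bare alias).
            $parsed = New-Object System.Net.Mail.MailAddress($address)
        } catch {
            New-Object PSObject -Property @{
                Address = $address
                Valid   = $false
                Reason  = 'Not a valid e-mail address'
            }
            continue
        }

        # A fully qualified domain name has at least one dot in the host part
        # (contoso.com, mail.contoso.com); "carol@contoso" does not.
        $isFqdn = $parsed.Host -match '^[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$'
        $reason = 'OK'
        if (-not $isFqdn) { $reason = 'Domain part is not fully qualified' }

        New-Object PSObject -Property @{
            Address = $address
            Valid   = $isFqdn
            Reason  = $reason
        }
    }
}

# Constructed sample input: one good address, one bare alias, one single-label domain.
Test-QuarantineRecipientList -RecipientList 'alice@contoso.com; bob; carol@contoso' |
    Format-Table Address, Valid, Reason -AutoSize
```

Only rows with Valid set to True will be deliverable from an Edge Server; fix the others before clicking Send, since FPE gives no clearer feedback than a failed delivery.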

If a delivered message is still detected by the scan engines as being an infected file, it will again fail to be delivered to the intended recipients. However, by default, delivered messages are not rescanned for filter matches. You can configure FPE to rescan delivered messages for filter matches by performing the following step: in the Configuration - Quarantine Options pane, select the Rescan filters on send check box, and then click Save.

Logging delivered quarantine items

The DeliverLog.txt text file provides a log of items that have been delivered from quarantine. When an item is delivered from quarantine the first time, DeliverLog.txt is created. Subsequent delivered quarantined items are appended to DeliverLog.txt. DeliverLog.txt is located in the FPE data folder. 

Deleting quarantined items

Over time, you might find that you have accumulated a large number of quarantined items. If you find that quarantine is becoming difficult to manage or you are running low on disk space, you may want to delete selected quarantined items. If many items are selected, be aware that the deletion process can take a long time.

To delete selected quarantined items

  1. Click Monitoring, and under Server Security Views, click Quarantine.

  2. On the Server Security Views - Quarantine pane, select one or more items. Right-click and then click Delete. When you are asked to confirm your decision, click Yes. This deletes the selected items listed on the Server Security Views - Quarantine pane, as well as the files stored on disk.

You can also elect to delete all quarantined items; this is faster than deleting selected quarantined items.

To delete all quarantined items

  1. Click Monitoring, and under Server Security Views, click Quarantine.

  2. On the Server Security Views - Quarantine pane, in the Actions section, click Delete All Quarantine Data. When you are asked to confirm your decision, click Yes. This deletes all the items listed on the Server Security Views - Quarantine pane, as well as the files stored on disk.

Configuring automatic deletion of quarantined items

You can configure FPE to automatically purge quarantined items after they are a certain number of days old. If the purge function is enabled, all quarantined items (both the displayed records and the actual files stored on disk) that are older than the specified number of days are deleted.

To purge quarantined items after a certain number of days

  1. Click Monitoring, and under Configuration, click Quarantine Options.

    If you are on the Server Security Views - Quarantine pane, under Actions, click Configure Quarantine Options.

  2. On the Configuration - Quarantine Options pane, select the Automatically purge quarantined items check box. This causes the Purge after (days) field to become available.

  3. In the Purge after (days) field, indicate the number of days after which items will be purged. All items older than the specified number of days will be deleted. The default is 30 days.

  4. Click Save. Setting or changing the purge value takes effect only after being saved.

To suspend purging

  • On the Configuration - Quarantine Options pane, clear the Automatically purge quarantined items check box, and then click Save. The value in the Purge after (days) field remains, but no purging takes place until the Automatically purge quarantined items check box is selected again.

Exporting a list of quarantined items to a file

You can export a list of filtered quarantined items, or all quarantined items, to a CSV file. This may be useful when using an external program (for example, Microsoft Office Excel) to perform data analysis.

To export a list of quarantined items to a text file

  1. Click Monitoring, and under Server Security Views, click Quarantine.

  2. Optionally, if you want to export a list of filtered quarantined items, select your filter criteria. Otherwise, FPE exports a list of all quarantined items.

  3. On the Server Security Views - Quarantine pane, in the Actions section, click Export Filtered Data.

  4. On the Export Filtered Data dialog box, in the Output File box, type or browse (by clicking Change) to the location where you want to export the file.

  5. Click Export to export the file.

    You should receive a message informing you that the export is in progress, followed by a message that the export was successful.
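The export exists for analysis outside the console. The PowerShell below, an added example rather than code from FPE or this article, reads such a CSV and answers the questions an administrator usually has before deciding what to delete or purge (see the purge section above): which detections recur, which sender domains keep landing in quarantine, and which items are already older than the purge window. The column names (DetectionName, Sender, QuarantineTime) and the file path are assumptions for the example; check the header row of your own export and adjust them.

```powershell
# Added example (not FPE code): summarize a quarantine CSV export.
# Column names are ASSUMED for this example; match them to your export's header.
$csvPath = 'C:\Temp\quarantine-export.csv'   # assumed output path chosen in Export Filtered Data

# Constructed sample data standing in for an actual export.
$sample = @'
DetectionName,Sender,QuarantineTime
Virus:EICAR-Test-File,attacker@example.net,2010-06-01 08:15
FileFilter:*.exe,partner@contoso.com,2010-06-02 09:30
Virus:EICAR-Test-File,attacker@example.net,2010-06-03 11:00
KeywordFilter:payroll,hr@contoso.com,2010-05-01 12:00
'@
$items = $sample | ConvertFrom-Csv
# For an actual export use instead:
# $items = Import-Csv -Path $csvPath

# 1. Detections by name: repeat detections stand out.
$items | Group-Object DetectionName | Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize

# 2. Sender domains that keep landing in quarantine.
$items | ForEach-Object { ($_.Sender -split '@')[-1] } |
    Group-Object | Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize

# 3. Items older than the purge window (FPE default is 30 days). These are the
#    records automatic purging would remove; review them before enabling it.
$purgeAfterDays = 30
$reference = Get-Date '2010-06-05'   # fixed for the sample; use (Get-Date) for a live run
$cutoff = $reference.AddDays(-$purgeAfterDays)
$culture = [System.Globalization.CultureInfo]::InvariantCulture
$items | Where-Object {
        [datetime]::ParseExact($_.QuarantineTime, 'yyyy-MM-dd HH:mm', $culture) -lt $cutoff
    } |
    Format-Table DetectionName, Sender, QuarantineTime -AutoSize
```

With the sample data, the third listing shows only the payroll keyword match from 1 May, which is the one record older than 30 days relative to the reference date; the two EICAR detections from the same sender domain are the rows worth a closer look in the first two listings.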

Quarantining corrupted compressed files

You can configure FPE to quarantine corrupted compressed files.

To quarantine corrupted compressed files

  1. Click Protection Settings, and under Global Settings, click Advanced Options.

  2. On the Global Settings - Advanced Options pane, ensure that the Quarantine corrupted compressed files check box is checked (it is checked by default). This specifies that corrupted compressed files are quarantined. You can disable this option by clearing the check box and then clicking Save.

Quarantining on timeout

You can configure FPE to quarantine a file or message when a scan job time-out occurs while the file or message is being scanned.

To quarantine on timeout

  1. Click Protection Settings, and under Global Settings, click Advanced Options.

  2. On the Global Settings - Advanced Options pane, ensure that the Quarantine on timeout check box is checked (it is checked by default). This specifies that when a scan job time-out occurs while a file or message is being scanned, the file or message is quarantined. You can disable this option by clearing the check box and then clicking Save.