Viewing and managing quarantine


Applies to: Forefront Protection for Exchange

Topic Last Modified: 2010-05-13

The quarantine feature provides a safe way for you to store suspicious or malicious content as identified by Forefront Protection 2010 for Exchange Server (FPE). By default, FPE creates a copy of every detected file in its original form (that is, before any action occurs). When a file is quarantined, it is encoded so that the file cannot be accidentally executed or opened. In the event of a false positive classification, you can recover the quarantined file by saving it to disk or by delivering it to recipients.

Each quarantined item is stored as its own file in the Quarantine subfolder under the FPE data folder. For the location of the default data folder on your operating system, see Default folders.

If you are using Forefront Online Protection for Exchange (FOPE), any mail quarantined by FOPE can be accessed via the FOPE Admin Center. For more information about configuring quarantine options for this optional product, see Configuring quarantine options when you integrate FOPE with FPE.

If you enable the Exchange Transport Decryption agent, Rights Management Services (RMS)-protected mail is not quarantined, though a record is still maintained in the incidents database. For more information about enabling this agent, see your Exchange server documentation.

The quarantine feature provides an added level of protection because you can retrieve a message that has been incorrectly tagged as malware. However, there is overhead involved in quarantining files, particularly if many viruses are captured each day. Large organizations can block millions of viruses in a month. Many of these, however, might be worms that are never quarantined, because all worms are purged. Ideally, you want to quarantine detected viruses and spyware, but you might determine that the better course is to simply delete them, even at the risk of losing valid e-mail message content. Choosing not to quarantine or send notifications can greatly simplify your antimalware management, but it carries the risk of losing e-mail communications that users may want to receive.

If you decide to quarantine malware detections, you should be aware of the purge feature, which enables you to save space by purging items from the database after a set period of time. For more information, see “Configuring automatic deletion of quarantined items” in Managing quarantine.