Viewing quarantined items

 

Applies to: Forefront Protection 2010 for SharePoint

To view information about stored quarantined files by using the Forefront Protection 2010 for SharePoint Administrator Console, click Monitoring, and in Server Security Views, click Quarantine. In the Server Security Views - Quarantine pane, by default, the following information is reported for each quarantined item. You can also customize the information that appears on the Server Security Views - Quarantine pane; for more information, see Customizing the Quarantine view.

| Information | Description |
| --- | --- |
| Detection Time | The date and time that the infected or filtered file was detected. |
| User Name | The name of the user who uploaded or downloaded the file. |
| Incident Category | Type of incident detected, for example, Virus or Keyword filter. A value of 7 - Incident means a miscellaneous incident, such as a timeout or an exceedingly nested file. |
| Incident Name | Name of the malware or name of the filter list that was matched (for details, see Incidents reported). |
| File | Name of the file that contained malware or a filter match. |
| SharePoint Path | Location of the file on the SharePoint portal. |
| Restored Time | The date and time that the infected or filtered file was restored. |

Viewing quarantined item details

You can view additional details about each quarantined item by selecting it. The additional details appear on the Quarantined Item pane, where you can view detection details, document details, and engine details.

About detection details

When you select a quarantined item and then click the Detection Details tab, the following detection information is reported about the quarantined item.

| Information | Description |
| --- | --- |
| ID | Unique ID assigned to the incident, for example {700D944A-6D75-410D-A7CD-70E563134E4F}. |
| Detection Time | Date and time that the incident was detected. |
| State | Action taken on the quarantined item. |
| Incident Category | Reason for detection, for example, Virus or Keyword filter. |
| Incident Name | Name of the malware, name of the filter list that was matched, or name of other incident reported (for details, see Incidents reported). |
| File | Name of the file that was quarantined. |
| Folder | Location of the file. |
| Scan Job Name | Type of scan job (realtime, scheduled, on-demand) that quarantined the item. |
| RMS Protected | Indicates whether the detected document is from an RMS-protected library. |
| Transfer Direction | Direction of the file transfer (whether the quarantining occurred during an upload or a download). |

About document details

When you select a quarantined item and then click the Document Details tab, the following information about the infected file is reported.

| Information | Description |
| --- | --- |
| Restored Time | The date and time that the document was restored. |
| User Name | The name of the user who uploaded or downloaded the file. |
| Author Name | The name of the document author. |
| Author Address | The e-mail address of the document author. |
| Last Modified User Name | The name of the user who last modified the document. |
| Last Modified User Address | The e-mail address of the user who last modified the document. |

Note

  • If the quarantined item was detected by the realtime scan on SharePoint Server 2007, these field values may be blank or display as --- characters.

  • The User Name information is only populated for the realtime scan. The Author Name, Author Address, Last Modified User, and Last Modified User Address information is only populated for the scheduled and on-demand scans. The Restored Time information is populated for all scan jobs.

About engine details

When you select a quarantined item and then click the Engine Details tab, you see the following engine information for each engine that scanned the file, regardless of whether it detected the incident.

Note

This information applies only to malware detections, not filter matches.

| Information | Description |
| --- | --- |
| Engine name | The name of the engine that scanned the file. |
| Detection type | Type of incident detected, as reported by the engine. |
| Detection name | The name of the malware, as reported by the engine. |
| Engine version | The version of the engine. |
| Definition version | The version of the malware definition files currently in use by the engine. (This data is not available with every engine.) |
| Confidence | The confidence level that this was a correct detection, as reported by the engine. |
| Severity | The severity of the damage that the detected item could cause, as reported by the engine. |
| Was cleaned | Denotes whether the file was cleaned, as reported by the engine. |

Customizing the Quarantine view

You can customize the quarantine view by performing the following tasks on the Server Security Views - Quarantine pane:

  • Choosing which columns appear.

  • Specifying filter criteria in order to only display certain quarantine items.

  • Sorting quarantine items by clicking any of the columns (for example, Incident Category). This causes the quarantine items to be sorted by the values in that column.

These actions have no effect on the actual items, just on which records are displayed.

To customize which columns appear for Quarantine

  1. On the Server Security Views - Quarantine pane, in the Actions section, click Choose Columns.

  2. In the Choose Columns dialog box, select which columns you want to appear on the main Server Security Views - Quarantine pane, and then click OK.

To filter the quarantine view

  1. On the Server Security Views - Quarantine pane, select the field on which you want to filter by using the Filter by option. Each choice in Filter by corresponds to one of the fields in the Server Security Views - Quarantine pane.

  2. Specify your filter criteria as follows:

    If you selected a date and time field, for example Detection Time, enter the starting date and time in the Start date and Start time fields, and the ending date and time in the End date and End time fields.

    If you selected a field that has a fixed value, for example, Incident Category, select a value (for example, Virus) from the Filter Value drop-down list.

    If you selected a field for which you can type a string value, for example, Incident Name, enter a string in the Filter Value field.

    Note

    You can use prefix matches in order to broaden your filter search. For example, type th in order to include all fields that begin with the letters "th".

    To run the filter, click the search icon (represented by a magnifying glass).

    You can click the red X icon to cancel the filter and return to your original view.

See Also

Concepts

Viewing and managing quarantine