Viewing and Managing the Exchange Quarantine

  • Article

 

Open the Exchange quarantine by clicking Exchange, located in the Navigation Area under Quarantine Management. From the Exchange work pane you can retrieve, view, and filter your Exchange quarantine data.

To retrieve the Exchange quarantine

  1. Click Exchange, located under Quarantine Management, to open the Exchange work pane.

  2. Click Retrieve Quarantine.

The Quarantine View will update to include the retrieved quarantined items. The time stamp above the Quarantine View displays the last time the FPSMC retrieved the quarantined data from the managed servers.

Quarantined items are listed in the Quarantine View pane. The following information is reported for each Exchange quarantined item.

Detection Time

The date and time that the quarantined item was detected.

Server Name

The name of the server that quarantined the item.

Sender Name

The display name of the person who sent the quarantined item.

Recipient Name

The display name of the person(s) to whom the quarantined item was sent.

Incident Name

The name of the malware, name of the filter list that was matched, or name of other incident reported.

Subject

The subject line of the quarantined item.

Incident Category

The reason for detection, for example Virus or Keyword Filter.

Delivered Time

The date and time that the quarantined item was delivered. If the field is empty, the item has not been delivered.

You can view additional information about each quarantined item by clicking directly on the item, which populates the Quarantine Details pane, located under the Quarantine View, with the details of the item. The pane adds the Record Id field, which is the unique ID assigned to the quarantined item, for example {15787C6B-9880-4A10-B133-F15599596E36}.

You can navigate through your quarantine data using the page navigation icons located below the Quarantine View. You can also choose to display 10, 25, or 50 records per page by clicking the preferred value next to Records per page.

Sort the quarantine data by clicking the header of the column that you wish to sort by. Clicking the header once sorts the data by the column you selected in ascending order. Clicking the header a second time sorts the data in descending order. By default, the quarantine data is listed in descending order by Detection Time.

Delivering Exchange Quarantined Items

You can deliver quarantined items to specified recipients using email. When doing so, you should be aware that this file is now a potentially live virus, so we recommend that you only perform this activity for files that you believe are false positives. When quarantined items are delivered to the user's mailbox, they are included as an attachment to a new email message. Tag text in the subject line identifies that the message contains a delivered quarantined item. This text, which cannot be changed, is Message delivered from Microsoft Forefront Protection for Exchange Server Quarantine. When the user opens the attachment, the original message launches within Microsoft Office Outlook as a separate message.

To deliver an Exchange quarantined item

  1. Click Exchange, located in the Quarantine Management section of the Navigation Area, to open the Exchange work pane.

  2. Locate the quarantined item you wish to deliver and click the Deliver icon to the left of the Detection Time. This will open the Quarantine Action work pane.

  3. Select the Send to original recipients option to deliver the item to the originally intended recipients. Add additional email addresses in the To, cc, and bcc fields as desired. Separate multiple email addresses in a single line with semicolons (;).

  4. Click Deliver.

Note

The Deliver action will fail if the malware is detected again.

Filtering Quarantined Data

Once you have retrieved the Exchange quarantine data, you can use filters to narrow the scope of the data that is displayed. To filter the quarantine data click the Filter View drop-down icon to expand the filtering options. To hide the filtering options click the Filter View drop-down icon again.

Each filter corresponds to a field in the Quarantine View pane. Enter a value into one of the filters, and then click Apply. Only those records matching the filter will continue to appear (although all the others are still present). A filter is matched if the value you enter is anywhere in the selected field. Using an asterisk (*) as a wildcard is not necessary. Click Clear to see all the records again and clear the values in the filter fields.

You can filter using multiple criteria by entering values in more than one field and selecting the And (default) or Or options. (All of the selected filters will be connected by the And or Or you select.)

You can filter the quarantine data by any of the fields displayed in the Quarantine View. To filter by detection time input the appropriate date and time values in the fields under Quarantine Span.

Note

FPSMC is not able to retrieve quarantine data older than the time specified in the Purge after (days) setting under Global Configuration.

You can sort the filtered quarantine data results using the same procedure as sorting the unfiltered data: click the header you wish to sort by and the results will be sorted in ascending order by the information in that header column. Click the header again to sort the data in descending order.

Quarantine Management with Forefront Online Protection for Exchange

If you are using Forefront Online Protection for Exchange (FOPE), any email messages quarantined by FOPE are managed through the FOPE Admin Center. Items quarantined by FOPE cannot be managed in the FPSMC. To view and manage items quarantined by FOPE, access the hosted quarantine by navigating to the Online Protection work pane and clicking Hosted Quarantine. For more information about the FOPE hosted quarantine, see the TechNet article Using Your Quarantine Mailbox (https://go.microsoft.com/fwlink/?LinkId=202867).