4.3 Quarantine

Quarantine is the safe storage for emails which were blocked or sanitized by MetaDefender Email Gateway Security.

For details about quarantine configuration see 3.6 Quarantine configuration.

The machine hosting the quarantine is safe from infections as long as items in the quarantine are not opened or executed.

Quarantine

The quarantine can be accessed under Quarantine in the Web Management Console.

Quarantine moved

Starting with MetaDefender Email Gateway Security version 4.7.0, the former Dashboard > Quarantine entry has been moved to the root level Quarantine menu entry.

Safety

Unless the malicious contents are opened or executed, the quarantine does not expose the hosting machine to risk.

Care must be taken when granting access to the quarantine as releasing or forwarding the items from the quarantine might cause harm.

Quarantining conditions

Blocked emails

If

  1. the email's body and/or any of its attachments is blocked by MetaDefender Core and

  2. the email is matched by a security rule on MetaDefender Email Gateway Security that marks blocked emails to be quarantined,

then the original message is kept in the quarantine.

Sanitized emails

If

  1. the email's body and/or any of its attachments is sanitized by MetaDefender Core and

  2. the email is matched by a security rule on MetaDefender Email Gateway Security that marks sanitized items to be quarantined,

then the original message is kept in the quarantine.

Quarantine operations

Once an email is in quarantine, the following operations can be executed on it:

  1. Download

  2. Release

  3. Forward

  4. Pin

  5. Delete

  6. View details

Bulk operations

Use the checkbox in front of each row to select elements (or use the checkbox in the header row to select all visible items).

Only visible elements can be selected. Elements that are not visible (due to pagination, search or filtering) are not selected even by the select all checkbox.

Download

Download the selected original emails from the quarantine to the local hard drive.

The format of the downloaded emails is zipped MIME (.eml).

File naming

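Component       | File name                                                              | Extension
----------------|------------------------------------------------------------------------|----------
Archive package | EmailSecurity-Quarantine-<year>-<month>-<day>-<hour>-<minute>-<second> | .zip
Email file      | <subject>_<unique ID>                                                  | .eml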
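
As an added example (not part of the product documentation or the vendor's code), the following Python code inventories a downloaded quarantine archive entirely in memory, so headers, attachment Content-Type, filename and SHA-256 can be reviewed without extracting or opening the contents. The function names, the size limit and the sample archive are assumptions constructed for illustration.

```python
import email, hashlib, io, re, zipfile
from email import policy
from email.message import EmailMessage

# Archive name pattern from the File naming table (six numeric fields assumed).
ARCHIVE_RE = re.compile(r"^EmailSecurity-Quarantine-\d+(-\d+){5}\.zip$")
MAX_EML_BYTES = 50 * 1024 * 1024  # assumed limit; refuse oversized entries

def inventory(archive_name, archive_bytes):
    """List headers and attachment metadata per .eml without writing to disk."""
    if not ARCHIVE_RE.match(archive_name):
        raise ValueError("unexpected archive name: " + archive_name)
    report = []
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            if not info.filename.lower().endswith(".eml"):
                continue  # only email files are expected in the package
            if info.file_size > MAX_EML_BYTES:
                raise ValueError("entry too large: " + info.filename)
            msg = email.message_from_bytes(zf.read(info), policy=policy.default)
            attachments = []
            for part in msg.iter_attachments():
                payload = part.get_payload(decode=True) or b""
                attachments.append({
                    "filename": part.get_filename(),
                    "content_type": part.get_content_type(),
                    "sha256": hashlib.sha256(payload).hexdigest(),  # hash only
                })
            report.append({"eml": info.filename, "from": msg["From"],
                           "subject": msg["Subject"], "attachments": attachments})
    return report

def build_sample():
    """Constructed sample: one email with a harmless attachment, zipped."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "sender@example.com", "user@example.com", "Invoice"
    m.set_content("See attached.")
    m.add_attachment(b"constructed sample bytes", maintype="application",
                     subtype="octet-stream", filename="invoice.bin")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Invoice_0001.eml", m.as_bytes())
    return "EmailSecurity-Quarantine-2019-05-22-13-44-51.zip", buf.getvalue()

if __name__ == "__main__":
    for entry in inventory(*build_sample()):
        print(entry)
```

The attachment hashes can be compared against existing scan results or threat intelligence without the attachment ever being written to the analyst's disk.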

Release

Release the selected original emails from the quarantine and send them to the original recipients. The original emails are removed from the quarantine.

The recipients will receive the (potentially) malicious contents.

For this function to work correctly SMTP SERVER must be set under Notification and report settings on the Settings > Global settings tab. For details see 3.4 General settings.

Quarantining puts the original email into the quarantine and sends a notification or a disinfected/sanitized copy to the original recipient. As a result, releasing from the quarantine virtually duplicates the history entry for the quarantined email.

These duplicates are marked with a paper plane icon in front of the RECIPIENT(S) in Audit > Email history.

Forward

Send the selected original emails to additional recipient(s) (for investigation purposes, for example). The original emails remain in the quarantine.

The recipient(s) will receive the (potentially) malicious contents.

For this function to work correctly SMTP SERVER must be set under Notification and report settings on the Settings > Global settings tab. For details see 3.4 General settings.

Quarantining puts the original email into the quarantine and sends a notification or a disinfected/sanitized copy to the original recipient. As a result, forwarding from the quarantine virtually duplicates the history entry for the quarantined email.

These duplicates are marked with a forward icon in front of the RECIPIENT(S) in Audit > Email history.

Pin

Pinning prevents an email from being removed from the quarantine by the manual or automatic clean-up mechanism. For details about automatic clean-up see the Data retention section in 3.4 General settings.

You can pin multiple emails simultaneously; however, unpinning is possible only one email at a time. To unpin, click on the email and uncheck the checkbox next to Pinned.

Delete

Delete the original email from the quarantine.

Deleted emails cannot be recovered.

Rescan

MetaDefender Email Gateway Security provides the capability to rescan emails that were previously blocked and ended up in the quarantine. After a rescan the email may be allowed and delivered normally. Some of the reasons why emails may be rescanned:

  • To process the email with updated scan engines that may not block the contents,

  • To process the email with an alternative rule that may give different results,

    • To sanitize a blocked email before releasing

  • To provide a password for encrypted attachments and process the decrypted contents.

Select alternative rule for the rescan

Provide password for encrypted attachments

For further details see 4.7 Support for password protected attachments.

View details

Display:

  1. The same details about the email as in Audit > Email history / Email details (see 4.4 Email history),

  2. The raw email contents:

    1. Email headers

    2. Attachments

      1. Content-Type

      2. Filename

    3. Raw email body

Quarantine reports

MetaDefender Email Gateway Security can be configured to periodically send report emails about the quarantine status.

To set up quarantine reports see 3.6 Quarantine configuration.

For this function to work correctly SMTP SERVER must be set under Notification and report settings on the Settings > Global settings tab. For details see 3.4 General settings.

A quarantine report email looks like the one below.

[Image: example quarantine report email]