5.3. Quarantine
Overview
Quarantine is the safe storage for emails which were blocked or sanitized by MetaDefender Email Gateway Security.
For details about quarantine configuration, including which emails are quarantined, see 4.10. Quarantine configuration.
Infection risk level
The machine hosting the quarantine is safe from infections as long as items in the quarantine are not opened or executed.
Quarantine access risks
Care must be taken when granting access to the quarantine as releasing or forwarding the items from the quarantine might cause harm.
Search
For details see 5.2. Email History.
Filtering
For details see 5.2. Email History.
Email details
For details see 5.2. Email History.
Cleanup
Scheduled
For details see 4.10. Quarantine configuration.
On-demand
To clean up the quarantine on demand, click the broom icon and select the time window of the cleanup.
Pin emails
Emails that are pinned won’t be removed from the quarantine by the scheduled or the on-demand cleanup.
Operations
Bulk operations
Use the checkbox in front of each row to select entries (or use the checkbox in the header row to select all visible items).
Only visible selected
Only visible elements are selected. Elements that are not visible (due to pagination, search or filtering) are not selected even by the select all checkbox.
Single email operations
Click the ⋮ in Email details to open the single email menu.
Rescan email
MetaDefender Email Gateway Security provides the capability to rescan emails that were previously blocked and ended up in the quarantine. After a rescan the email may be allowed and delivered normally. Some of the reasons why emails may be rescanned:
- To process the email with updated scan engines that may not block the contents,
- To process the email with an alternative rule that may give different results,
- To sanitize a blocked email before releasing (see the section Disarm, reconstruct and release),
- To provide password for encrypted attachments and process the decrypted contents.
Select alternative rule
Provide password
For details see 5.5. Password protected attachments.
Release email
This function will release the selected original emails from the quarantine and send them to the original recipients. The original emails are removed from the quarantine.
Risk of outbreak
The recipients will receive the (potentially) malicious contents.
SMTP server profile required
For this function to work correctly, an SMTP server profile must be set under Settings > Alerts & Reports / SMTP server profile. For details see 4.8. Alert, notification and quarantine report emails.
Duplicate history entries
Quarantining puts the original email into the quarantine and sends a notification or a disinfected/sanitized copy to the original recipient. As a result, releasing from the quarantine virtually duplicates the history entry for the quarantined email.
These duplicates are marked with a paper plane icon in Audit > Email history. For details see 5.2. Email History.
Disarm, reconstruct and release
A potential use case is to sanitize emails before releasing them. The regular Release email function does not support this, but it can be achieved using Rescan email.
Preparations
- On MetaDefender Core servers create a rule that does not scan, but applies the desired sanitization.
  - It is necessary to allow the not scanned results for the Core rule (in Core under Policy > Workflow rules / Add/Modify Rule / ADVANCED / OVERRIDE SCAN RESULTS CLASSIFIED AS ALLOWED / NOT SCANNED)
  - To allow password protected archives to be processed, the encrypted archive results must be disabled (in Core under Policy > Workflow rules / Add/Modify Rule / ADVANCED / OVERRIDE SCAN RESULTS CLASSIFIED AS ALLOWED / ENCRYPTED ARCHIVE)
- On Email Gateway Security create a MetaDefender Core type server profile having the Core servers and rules created in the previous step. For details see 4.6. Server profiles.
- On Email Gateway Security, under Security Rules create a rule using the server profile created in the previous step.
  - Optionally set 0.0.0.0 as SENDER IP ADDRESS for this rule to not match any regular incoming emails or
  - Set the priority of this rule accordingly if it is expected to process regular incoming emails.
Release
- Instead of using the Release function use the Rescan function.
- In the confirmation dialog select the rule created in the previous section.
- The email will be re-processed using the newly selected rule.
- If the new rule allows the email, then it gets delivered normally.