5.3. Quarantine

Overview

Quarantine is the safe storage for emails which were blocked or sanitized by MetaDefender Email Gateway Security.

For details about quarantine configuration, including which emails are quarantined, see 4.10. Quarantine configuration.

Infection risk level

The machine hosting the quarantine is safe from infections as long as items in the quarantine are not opened or executed.

Quarantine access risks

Care must be taken when granting access to the quarantine as releasing or forwarding the items from the quarantine might cause harm.

Filtering

For details see 5.2. Email History.

Email details

For details see 5.2. Email History.

Cleanup

Scheduled

For details see 4.10. Quarantine configuration.

On-demand

To clean up the quarantine on demand, click the broom icon and select the time window of the cleanup.


Pin emails

Emails that are pinned won’t be removed from the quarantine by the scheduled or the on-demand cleanup.

Operations

Bulk operations

Use the checkbox in front of each row to select entries (or use the checkbox in the header row to select all visible items).

Only visible selected

Only visible elements are selected. Elements that are not visible (due to pagination, search or filtering) are not selected even by the select all checkbox.


Single email operations

Click the ⋮ in Email details to open the single email menu.


Rescan email

MetaDefender Email Gateway Security provides the capability to rescan emails that were previously blocked and ended up in the quarantine. After a rescan the email may be allowed and delivered normally. Some of the reasons why emails may be rescanned:

  • To process the email with updated scan engines that may not block the contents,

  • To process the email with an alternative rule that may give different results,

    • To sanitize a blocked email before releasing (see the section Disarm, reconstruct and release)

  • To provide a password for encrypted attachments and process the decrypted contents.

Select alternative rule


Provide password

For details see 5.5. Password protected attachments.


Release email

This function will release the selected original emails from the quarantine and send them to the original recipients. The original emails are removed from the quarantine.

Risk of outbreak

The recipients will receive the (potentially) malicious contents.

SMTP server profile required

For this function to work correctly, an SMTP server profile must be configured under Settings > Alerts & Reports / SMTP server profile. For details see 4.8. Alert, notification and quarantine report emails.

Duplicate history entries

Quarantining puts the original email into the quarantine and sends a notification or a disinfected/sanitized copy to the original recipient. As a result, releasing from the quarantine virtually duplicates the history entry for the quarantined email.

These duplicates are marked with a paper plane icon in Audit > Email history. For details see 5.2. Email History.


Disarm, reconstruct and release

A possible use case is to sanitize emails before releasing them. This is not supported by the regular Release email function, but can be achieved using Rescan email.

Preparations

  1. On MetaDefender Core servers create a rule that does not scan, but applies the desired sanitization.

    1. It is necessary to allow the not scanned results for the Core rule (in Core under Policy > Workflow rules / Add/Modify Rule / ADVANCED / OVERRIDE SCAN RESULTS CLASSIFIED AS ALLOWED / NOT SCANNED)

      To allow password protected archives to be processed, the encrypted archive results must be disabled (in Core under Policy > Workflow rules / Add/Modify Rule / ADVANCED / OVERRIDE SCAN RESULTS CLASSIFIED AS ALLOWED / ENCRYPTED ARCHIVE)

  2. On Email Gateway Security create a MetaDefender Core type server profile having the Core servers and rules created in the previous step. For details see 4.6. Server profiles.

  3. On Email Gateway Security, under Security Rules create a rule using the server profile created in the previous step.

    1. Optionally set 0.0.0.0 as SENDER IP ADDRESS for this rule so that it does not match any regular incoming emails, or

    2. Set the priority of this rule accordingly if it is expected to process regular incoming emails.

Release

  1. Instead of using the Release function, use the Rescan function.

  2. In the confirmation dialog, select the rule created in the previous section.

  3. The email will be re-processed using the newly selected rule.

    1. If the new rule allows the email, then it gets delivered normally.