Managing quarantine

 

Applies to: Forefront Protection 2010 for SharePoint

There are several management tasks that you can perform with quarantine in Microsoft Forefront Protection 2010 for SharePoint (FPSP). You can do the following:

  • Save quarantined files to disk

  • Restore quarantined items

  • Delete quarantined items

  • Configure automatic deletion of quarantined items

  • Export a list of quarantined items to a file

  • Quarantine corrupted compressed files

  • Quarantine on timeout

Saving quarantined files to disk

You can decode and save quarantined items to disk. Be aware that a file saved this way is a potentially live virus, so it is recommended that you perform this activity only for files that you believe are false positives. The files are saved with their original names; if there is a conflict, an ID is appended to the end of the file name to denote that there are multiple files with the same name, for example, filename_ID1.doc, filename_ID2.doc, and so on.

To save quarantined items to disk

  1. In the Forefront Protection 2010 for SharePoint Administrator Console, click Monitoring, and in Server Security Views, click Quarantine.

  2. In the Server Security Views - Quarantine pane, select one or more items and then in the Actions section, click Save Selected Items.

  3. In the Save Selected Items dialog box, in the Output Path box, type or browse (by clicking Change) to the location where you want to save the items, and then click Save.

    If you receive a message that the file was saved successfully, you can click the Open Folder button that appears on the Save Selected Items dialog box in order to easily access the saved items.
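Because a saved item may be live, false-positive triage is safer when it works from hashes rather than from opened files. The following PowerShell script is an added example, not part of FPSP or the original documentation; it inventories the output folder by SHA-256 and flags saved copies that share a name but differ in content. The two paths and the `_ID<number>` suffix pattern (taken from the filename_ID1.doc example above) are assumptions, and `Get-FileHash` requires Windows PowerShell 4.0 or later.

```powershell
# Added example: inventory files saved from FPSP quarantine without opening them.
param(
    # Assumed paths: the Output Path chosen in Save Selected Items, and a
    # manifest location outside that folder.
    [string]$OutputPath   = 'D:\QuarantineExport',
    [string]$ManifestPath = 'D:\QuarantineExport-manifest.csv'
)

$rows = @(foreach ($file in Get-ChildItem -LiteralPath $OutputPath -File) {
    # Hash only; the content is read as bytes and never executed or rendered.
    $hash = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256).Hash

    # Assumption: the conflict ID looks like _ID<number>, as in the
    # documentation's filename_ID1.doc example. Stripping it recovers the
    # name the colliding items shared.
    $sharedName = ($file.BaseName -replace '_ID\d+$', '') + $file.Extension

    [pscustomobject]@{
        SavedName  = $file.Name
        SharedName = $sharedName
        SizeBytes  = $file.Length
        SHA256     = $hash
    }
})

# The manifest is what gets passed to analysts or looked up by hash.
$rows | Export-Csv -LiteralPath $ManifestPath -NoTypeInformation

# Copies with the same name but different hashes are different content and
# need separate review; identical hashes are the same file quarantined twice.
$rows | Group-Object SharedName | Where-Object { $_.Count -gt 1 } | ForEach-Object {
    $distinct = @($_.Group.SHA256 | Sort-Object -Unique).Count
    '{0}: {1} saved copies, {2} distinct SHA-256 value(s)' -f $_.Name, $_.Count, $distinct
}
```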

Restoring quarantined items

SharePoint Server 2010 quarantined items can be restored to their original locations. SharePoint Server 2007 quarantined items that were detected by the on-demand and scheduled scans can also be restored to their original locations. However, you cannot restore SharePoint Server 2007 quarantined items that were detected by the realtime scan.

Note

You cannot restore a file detected within a container file.

Warning

When a file is restored, it is rescanned for malware and filter matches. If a file is still detected by the scan engines as containing malware or matching a filter, it will fail to be restored. Additionally, if any of the items being restored are currently checked out, the checkout will be discarded so that the restore can proceed.

To restore quarantined items

  1. Click Monitoring, and under Server Security Views, click Quarantine.

  2. On the Server Security Views - Quarantine pane, select one or more items. Right-click and then click Restore in order to restore the quarantined items.

  3. On the Restore Quarantine dialog box, view the list of files that you want to restore, and then click Restore to begin restoring the files.

Deleting quarantined items

Over time, you might find that you have accumulated a large number of quarantined items. If you find that quarantine is becoming difficult to manage or you are running low on disk space, you may want to delete selected quarantined items. If many items are selected, be aware that the deletion process can take a long time.

To delete selected quarantined items

  1. Click Monitoring, and in Server Security Views, click Quarantine.

  2. In the Server Security Views - Quarantine pane, select one or more items and then, in the Actions section, click Delete Selected Items. When you are asked to confirm your decision, click Yes. This deletes the selected items listed on the Server Security Views - Quarantine pane, as well as the files stored on disk.

You can also elect to delete all quarantined items; this is faster than deleting selected quarantined items.

To delete all quarantined items

  1. Click Monitoring, and in Server Security Views, click Quarantine.

  2. In the Server Security Views - Quarantine pane, in the Actions section, click Delete All Quarantine Data. When you are asked to confirm your decision, click Yes. This deletes all the items listed on the Server Security Views - Quarantine pane, as well as the files stored on disk.

Configuring automatic deletion of quarantined items

You can configure FPSP to automatically purge quarantined items after they are a certain number of days old. If the purge function is enabled, all quarantined items (both the displayed records and the actual files stored on disk) that are older than the specified number of days are deleted.

To purge quarantined files after a certain number of days

  1. Click Monitoring, and in Configuration, click Quarantine Options.

    If you are currently on the Server Security Views - Quarantine pane, in Actions, click Configure Quarantine Options.

  2. In the Configuration - Quarantine Options pane, select the Automatically purge quarantined items check box. This causes the Purge after (days) field to become available.

  3. In the Purge after (days) field, indicate the number of days after which items will be purged. All items older than the specified number of days will be deleted. The default is 30 days.

  4. Click Save. Setting or changing the purge value takes effect only after being saved.

To suspend purging

  • In the Configuration - Quarantine Options pane, clear the Automatically purge quarantined items check box, and then click Save. The value in the Purge after (days) field remains, but no purging takes place until the Automatically purge quarantined items check box is selected again.

Exporting a list of quarantined items to a file

You can export a list of filtered quarantined items, or all quarantined items, to a file. This may be useful when using an external program (for example, Microsoft Office Excel) to perform data analysis.

To export a list of quarantined items to a file

  1. Click Monitoring, and in Server Security Views, click Quarantine.

  2. If you want to export a list of filtered quarantined items, select your filter criteria (for details, see "Customizing the Quarantine view" in Viewing quarantined items). Otherwise, FPSP exports a list of all quarantined items.

  3. In the Server Security Views - Quarantine pane, in the Actions section, click Export Filtered Data.

  4. In the Export Filtered Data dialog box, in the Output File box, type or browse (by clicking Change) to the location where you want to export the file.

  5. Click Export to export the file.

    You should receive a message informing you that the export is in progress, followed by a message that the export was successful.

Quarantining corrupted compressed files

You can configure FPSP to quarantine corrupted compressed files.

Note

For more information about corrupted compressed files, see Deleting corrupted compressed files.

To quarantine corrupted compressed files

  1. Click Policy Management, and in Global Settings, click Advanced Options.

  2. In the Global Settings - Advanced Options pane, in the Scan Options section, ensure that the Quarantine corrupted compressed files check box is checked (it is checked by default). This specifies that corrupted compressed files are quarantined. You can disable this option by clearing the check box and then clicking Save.

Quarantining on timeout

You can configure FPSP to quarantine a file or message when a scan job time-out occurs while the file or message is being scanned.

To quarantine on timeout

  1. Click Policy Management, and in Global Settings, click Advanced Options.

  2. In the Global Settings - Advanced Options pane, in the Scan Options section, ensure that the Quarantine on timeout check box is checked (it is checked by default). This specifies that when a scan job time-out occurs while a file or message is being scanned, the file or message is quarantined. You can disable this option by clearing the check box and then clicking Save.

See Also

Concepts

Viewing quarantined items