To view information about stored quarantined items by using the Forefront Protection 2010 for Exchange Server Administrator Console, click Monitoring, and under Server Security Views, click Quarantine. In the Server Security Views - Quarantine pane, by default, the following information is reported for each quarantined item. You can also customize the information that appears on the Server Security Views - Quarantine pane; for more information, see Customizing the Quarantine view.
| Information | Description | |
|---|---|---|
|
Detection Time |
Date and time that the quarantined item was detected. |
|
|
Sender Name |
E-mail address of the person who sent the quarantined item. |
|
|
Recipient Names |
E-mail addresses of the people to whom the quarantined item was sent. |
|
|
Subject |
Subject line of the quarantined item. |
|
|
Incident Category |
Reason for detection, for example Virus. A value of 7 - Incident means a miscellaneous incident, such as a timeout or an exceedingly nested file. |
|
|
Incident Name |
Name of the malware, name of the filter list that was matched, or name of other incident reported (for details, see Incidents reported). |
|
|
Delivered Time |
Date and time that the quarantined item was last delivered. |
|
 Note: |
|---|
| To ensure that you are viewing the most current data, under the Actions section, you can click Refresh. |
Viewing quarantined item details
You can view additional details about each quarantined item by accessing the Quarantined Item pane, where you can view detection details, message details, and engine details.
| Note: |
|---|
| You can only view information in the Quarantined Item pane for one quarantined item at a time. If you select multiple quarantined items, no details are displayed. |
About detection details
When you select a quarantined item and then click the Detection Details tab, the following detection information is reported about the quarantined item.
| Information | Description | |
|---|---|---|
|
ID |
Unique ID assigned to the quarantined item, for example {700D944A-6D75-410D-A7CD-70E563134E4F}. |
|
|
Detection Time |
Date and time that the quarantined item was detected. |
|
|
State |
Action taken on the quarantined item. |
|
|
Incident Category |
Reason for detection, for example Virus. A value of 7 - Incident means a miscellaneous incident, such as a timeout or an exceedingly nested file. |
|
|
Incident Name |
Name of the malware, name of the filter list that was matched, or name of other incident reported (for details, see Incidents reported). |
|
|
File |
Name of the file that was quarantined. |
|
|
Folder |
Name of the folder where the file was found. |
|
|
Scan Job Name |
Type of scan job (transport, realtime, scheduled, or on-demand) that quarantined the item. |
|
About message details
When you select a quarantined item and then click the Message Details tab, the following information about the infected or filtered e-mail message is reported.
| Information | Description | |
|---|---|---|
|
File Size |
File size (in bytes) of the quarantined item. |
|
|
Delivered Time |
Date and time that the quarantined item was last delivered. |
|
|
Sent Time |
Date and time that the quarantined item was sent. |
|
|
Subject |
Subject line of the quarantined item. |
|
|
Sender Name |
Name of the person who sent the quarantined item. |
|
|
Sender Address |
E-mail address of the person who sent the quarantined item. |
|
|
Sender IP |
IP address of the computer from which the quarantined item was sent. |
|
|
Sender Host |
Host name of the computer from which the quarantined item was sent. |
|
|
Sender Location |
Denotes whether the sender is internal or external to your organization. Realtime, scheduled, and on-demand scans only. |
|
|
Direction |
Direction the message was heading when caught by the transport scanner. Messages that are being relayed by the Edge Transport or Hub Transport server are reported as "inbound and outbound" to distinguish them from standard "inbound" and "outbound" messages. |
|
|
Recipient Names |
Names of the people to whom the quarantined item was sent. |
|
|
Recipient Addresses |
E-mail addresses of the people to whom the quarantined item was sent. |
|
|
Cc Names |
Names of the Cc recipients to whom the quarantined item was sent. |
|
|
Cc Addresses |
E-mail addresses of the Cc recipients to whom the quarantined item was sent. |
|
|
Bcc Names |
Names of the Bcc recipients to whom the quarantined item was sent. |
|
|
Bcc Addresses |
E-mail addresses of the Bcc recipients to whom the quarantined item was sent. |
|
|
Message ID |
Unique ID assigned to each message by the Exchange server. |
|
About engine details
When you select an incident and then click the Engine Details tab, you see the following engine information for each engine that detected the incident.
| Note: |
|---|
| This information applies only to malware detections, not filter matches. |
| Information | Description | |
|---|---|---|
|
Engine name |
Name of the engine that scanned the message. |
|
|
Detection type |
Type of detection, as reported by the engine. |
|
|
Detection name |
Name of the malware, as reported by the engine. |
|
|
Engine version |
The version of the engine. |
|
|
Definition version |
The version of the malware definition files currently in use by the engine. (This data is not available with every engine.) |
|
|
Was cleaned |
Denotes whether the quarantined item was cleaned, as reported by the engine. |
|
Customizing the Quarantine view
You can customize the FPE quarantine view by performing the following tasks on the Server Security Views - Quarantine pane:
- Choosing which columns appear.
- Specifying filter criteria in order to only
display certain quarantine items.
- Sorting quarantine items by clicking any of
the columns (for example, Incident Category). This causes
the quarantine items to be sorted by the values in that column.
These actions have no effect on the database itself, just on which records are displayed.
To customize which columns appear for quarantine-
On the Server Security Views - Quarantine pane, in the Actions section, click Choose Columns.
-
In the Choose Columns dialog box, select which columns you want to appear on the Server Security Views - Quarantine pane, and then click Apply and Close.
-
On the Server Security Views - Quarantine pane, select the field on which you want to filter by using the Filter By option. Each choice in Filter By corresponds to one of the fields in the Server Security Views - Quarantine pane.
-
Specify your filter criteria as follows:
If you selected a date and time field, for example Detection Time, enter the starting date and time in the Start date and Start time fields, and the ending date and time in the End date and End time fields.
If you selected a field for which you can type a string value, for example Sender Name, Subject, or Incident Name, enter a string in the Filter Value field.
Note:You can use prefix matches in order to broaden your filter search. For example, type th in order to include all values that begin with the letters "th". If you selected a field that has a fixed value, for example Incident Category, select a value (for example, Virus) from the Filter Value drop-down list.
-
To run the filter, click the search icon (represented by a magnifying glass).
You can click the red X icon to cancel the filter and return to your original view.