Quarantine Parent topic

TippingPoint Advanced Threat Protection for Email quarantines that suspicious email messages that meet certain policy criteria. View details about the email message before deciding whether to delete the email message or release it to the intended recipients.
Before deciding which action to perform, query the email messages that TippingPoint Advanced Threat Protection for Email quarantined.
Perform any of the following actions:
  • Search for quarantined messages based on a variety of criteria
  • Learn more about malicious file attachments and URLs
  • Release or delete quarantined messages

Viewing Quarantined Messages Parent topic

Procedure

  1. Go to DetectionsQuarantine.
  2. Specify the search criteria.
    See Quarantine Search Filters.
  3. Click Search.
    All email messages matching the search criteria appear.
  4. View the results.
    Header
    Description
    investigate_icon.jpg
    Investigate the email message to learn more about potential threats.
    For details, see Investigating a Quarantined Email Message.
    Received
    View the date and time that the suspicious email message first passes TippingPoint Advanced Threat Protection for Email.
    Note
    Note
    There is a short delay between when TippingPoint Advanced Threat Protection for Email receives an email message and when the email message appears in the Detected Messages tab.
    Risk Level
    View the level of potential danger exhibited in a suspicious email message. For details, see Detected Risk.
    Recipients
    View the detected message recipient email addresses.
    Sender
    View the sending email address of the detected message.
    Email Subject
    View the email subject of the suspicious email message.
    links_icon.jpg
    View the number of email messages with embedded malicious links.
    attachments_icon.jpg
    View the number of email messages with malicious file attachments.
    Threat
    View the name and classification of the discovered threat. For details, see Threat Type Classifications.
    Password-protected attachment
    Select to only show quarantined messages that have password-protected attachments.
Related information

Quarantine Search Filters Parent topic

The following table explains the search filters for querying the quarantine. To view the quarantine, go to DetectionsQuarantine.
Note
Note
Search filters do not accept wildcards. TippingPoint Advanced Threat Protection for Email uses fuzzy logic to match search criteria to email message data.
Filter
Description
Risk level
Select the email message risk level. For details about risk levels, see Email Message Risk Levels.
Recipients
Specify recipient email addresses. Use a semicolon to separate multiple recipients.
Period
Select a predefined time range or specify a custom range.
Sender
Specify the sender email address. Only one address is allowed.
Links
Specify a URL.
Threat type
Select a threat type from the list. For details, see Threat Type Classifications.
Message ID
Specify the unique message ID.
Example: 950124.162336@example.com
Source IP
Specify the MTA IP address nearest to the email sender. The source IP is the IP address of the attack source, compromised MTA, or a botnet with mail relay capabilities.
A compromised MTA is usually a third-party open mail relay used by attackers to send malicious email messages or spam without detection.
Note
Note
Source IP is the only search filter that requires an exact-string match. TippingPoint Advanced Threat Protection for Email does not use fuzzy logic to match search results for the source IP address.
Threat name
Specify the threat name provided by Trend Micro. The dashboard widgets and the Detections tab provide information about threat names.
Subject
Specify the email message subject.
Attachment
Specify attachment file names. Use a semicolon to separate multiple file names.
Password-protected attachment
Check if the attachement is password-protected.

Investigating a Quarantined Email Message Parent topic

Procedure

  1. Search for the email message.
    See Viewing Quarantined Messages.
  2. Click the arrow next to the email message in the table.
    The table row expands with more information.
  3. Discover the email message details.
    See Quarantined Message Details.
  4. Take action upon the quarantined message.
    • Leave the message in the quarantine.
      Note
      Note
      Quarantined messages purge based on the settings configured on the Storage Maintenance screen.
      For details, see Configuring Storage Maintenance.
    • Click delete_icon.jpg Delete to purge the email message from the quarantine.
    • Click release_icon.jpg Release to deliver the email message.
Related information

Quarantined Message Details Parent topic

The following table explains the email message details viewable after expanding the search results.
Field
Description
Overview
View the message ID, recipients, and source IP address of the email message to understand where the message came from and other tracking information.
Attachments
Get information about any files attached to the email message, including the file name, password, file type, risk level, the scan engine that identified the threat, and the name of detected threats.
Links
Get information about any embedded suspicious URLs that appeared in the email message, including the URL, site category, risk level, the scan engine that identified the threat, and the name of detected threats.
Message characteristics
Get information about any social engineering attack related characteristics that were detected in the email message, including the mail server reputation, gaps between transits, inconsistent recipient accounts, and forged sender addresses or unexpected relay servers.
Analysis Reports
View and in-depth PDF or HTML analysis report about this email message, including suspicious attachments or links, notable characteristics, callback destinations, and dropped or downloaded files.
Forensics
Get more information about this email message for further analysis. Download the email message or safely download the email message as an image.
Message Source
View the email message header content.