Deep Discovery Email Inspector quarantines suspicious email messages that meet certain policy criteria. View details about an email message before deciding whether to delete the email message, release it to the intended recipients, or resume processing.
Before deciding which action to perform, query the email messages that Deep Discovery Email Inspector quarantined.
The following list describes the actions you can perform on the Quarantine screen.
  • Search for quarantined messages: Configure the search filters to search for quarantined messages. For more information on the available filters, see Quarantine Search Filters.
  • View message details: Click the right-arrow (Investigate) icon to view detailed information. For more information, see Quarantined Message Details.
  • Release to all recipients directly without reprocessing: Click Release to All to deliver the email message to all recipients.
  • Release to selected recipients directly without reprocessing: Select a quarantined message and click Release to Selected Users; then, on the dialog box that appears, select one or more recipients from the list and click Release.
    Note: You can only release one quarantined message to selected recipients at a time. After releasing the message, the system automatically removes the selected recipients from the message.
  • Resume processing quarantined messages: Click Resume Process to set Deep Discovery Email Inspector to continue message scanning from the last scan checkpoint.
  • Unlock password-protected files for processing: Click Unlock and Reprocess to open password-protected files in unscannable messages using the specified password and the settings on the File Passwords screen, and then perform threat scans on the messages.
  • Delete messages: Click Delete to purge the email message from the quarantine.
On the Quarantine screen, you can:
  • Search for quarantined messages based on a variety of criteria
  • Learn more about malicious file attachments and URLs
  • Release quarantined messages
  • Delete quarantined messages
  • Resume processing of messages that are quarantined due to spam detection, content violation, or DLP incidents
  • Unlock password-protected files in messages to perform a threat scan

Viewing Quarantined Messages

Procedure

  1. Go to Detections > Quarantine.
  2. Specify the search criteria.
  3. Press ENTER.
    All email messages matching the search criteria appear.
  4. View the results.
    • Investigate icon: Investigate the email message to learn more about potential threats.
    • Detected: View the date and time that the suspicious email message was first detected and quarantined in Deep Discovery Email Inspector.
      Note: There is a short delay between when Deep Discovery Email Inspector receives an email message and when the email message appears on the Quarantine screen.
    • Risk Level: View the level of potential danger exhibited in a suspicious email message.
    • Recipients: View the detected message recipient email addresses.
    • Email Header (To): View the primary recipient email address in the email header.
    • Sender: View the sending email address of the detected message.
    • Email Header (From): View the author email address in the email header.
    • Email Subject: View the email subject of the suspicious email message.
    • Links icon: View the number of email messages with embedded malicious links.
    • Attachments icon: View the number of file attachments that are detected by policy rules.
    • Threat: View the name and classification of the discovered threat.
    • Quarantine Reason: View the reason why an email message is quarantined. For more information, see Quarantine Reasons.

Quarantine Search Filters

The following list explains the basic search filters for querying the quarantined email messages. To apply advanced filters, see Applying Advanced Filters.
To view the quarantine, go to Detections > Quarantine.
Note: Search filters do not accept wildcards. Deep Discovery Email Inspector uses fuzzy logic to match search criteria to email message data.
  • Threat type: Select All or a threat type from the list. For details, see Threat Type Classifications.
  • Risk level: Select All or the email message risk level.
  • Quarantine reason: Select All or a quarantine reason.
  • Period: Select a predefined time range or specify a custom range.

Applying Advanced Filters

In addition to basic filters, you can apply advanced filters to query suspicious messages.

Procedure

  1. Click Show advanced filters.
  2. Specify the information to filter.
    • Sender: Specify the sender email address.
    • Email header (To): Specify a primary recipient email address in the email header.
    • Message ID: Specify the unique message ID. Example: 20160603021433.F0304120A7A@example.com
    • Subject: Specify the email message subject.
    • Direction: Specify the message direction.
    • Rule: Specify a rule name.
    • Email header (From): Specify the author email address in the email header.
    • URL: Specify a URL.
    • Source IP: Specify the IP address of the MTA nearest to the email sender. The source IP is the IP address of the attack source, a compromised MTA, or a botnet with mail relay capabilities. A compromised MTA is usually a third-party open mail relay used by attackers to send malicious email messages or spam without detection.
      Note: The Source IP search filter requires an exact-string match. Deep Discovery Email Inspector does not use fuzzy logic to match search results for the source IP address.
    • File name: Specify an attachment file name.
    • Data identifier: Specify a data identifier name.
    • YARA rule name: Specify the name of a YARA rule.
    • Recipient: Specify a recipient email address. Only one address is allowed.
    • Threat name: Specify the threat name provided by Trend Micro. The dashboard widgets and the Detections tab provide information about threat names. For information about threat discovery capabilities, see Scanning / Analysis.
    • Sender IP: Specify the sender IP address. If you deploy Deep Discovery Email Inspector as an edge MTA in your network, the sender IP address is the public IP address of the external MTA nearest to your network. If you deploy Deep Discovery Email Inspector as a non-edge MTA in your network, the sender IP address is the IP address of the MTA nearest to the edge MTA relay server.
      Note: The Sender IP search filter requires an exact-string match. Deep Discovery Email Inspector does not use fuzzy logic to match search results for the sender IP address.
    • Policy: Specify a policy name.
    • DLP template: Specify a DLP template name.
    • YARA rule file name: Specify the name of a YARA rule file.
    • Password-protected attachment: Select email messages that contain a password-protected file.
    • Manual email submissions: Select email messages that were manually submitted to Deep Discovery Email Inspector for analysis by the administrator. For more information, see Email Submissions.
  3. Click Search.
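To make the difference between the Source IP and Sender IP filters concrete, here is an added Python illustration (not the product's own logic and not part of the original documentation) that walks the Received headers of a constructed message: the sender IP is the first hop outside an assumed set of internal relay networks, which is why the edge and non-edge deployment cases both resolve to the same external MTA once the edge MTA is treated as internal, while the source IP is the earliest hop in the chain. All host names, addresses and network ranges are constructed.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample: Received headers in message order (newest hop first).
# Path: origin client 198.51.100.7 -> external relay 203.0.113.5 ->
# our edge MTA 192.0.2.10 -> the inspector (non-edge deployment).
SAMPLE_NON_EDGE = [
    "from edge.example.test ([192.0.2.10]) by inspector.example.test with ESMTP",
    "from relay.partner.test ([203.0.113.5]) by edge.example.test with ESMTP",
    "from client.isp.test ([198.51.100.7]) by relay.partner.test with ESMTP",
]
# Edge deployment: the inspector itself is the first MTA in our network,
# so the hop written by our edge MTA is absent.
SAMPLE_EDGE = SAMPLE_NON_EDGE[1:]

# Assumed internal ranges: our edge MTA and the inspector's own network.
INTERNAL_NETS = [ip_network("192.0.2.0/24"), ip_network("10.0.0.0/8")]

_IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def hop_ips(received):
    """Return the bracketed 'from' IPv4 of each Received header, newest first.
    Hops without a parsable IPv4 literal are skipped."""
    ips = []
    for line in received:
        m = _IP_RE.search(line)
        if m:
            try:
                ips.append(str(ip_address(m.group(1))))
            except ValueError:  # e.g. 999.1.1.1 matches the regex but is invalid
                pass
    return ips


def is_internal(ip, internal_nets):
    return any(ip_address(ip) in net for net in internal_nets)


def sender_ip(received, internal_nets):
    """First hop outside our own relays: the external MTA nearest our network."""
    for ip in hop_ips(received):
        if not is_internal(ip, internal_nets):
            return ip
    return None


def source_ip(received):
    """Earliest hop in the chain: the MTA nearest the original sender."""
    ips = hop_ips(received)
    return ips[-1] if ips else None
```

Both filters need an exact-string match in the product, so the values these functions return are the form you would paste into the search field.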

Quarantine Reasons

The following list describes the quarantine reasons that display on the Quarantine screen.

  • Content violation: Messages with content that matches a content filtering rule.
  • DLP incident: Messages with one or more data loss prevention (DLP) policy violations.
  • Malformed: Messages that cannot be opened for processing.
  • Spam detection: Messages that are detected as spam/graymail.
  • Threat detection: Messages that are detected to contain malware.
  • Unscannable: Messages that are not scannable.
  • Unsuccessful encryption: Messages that cannot be encrypted.
  • Unsuccessful decryption: Messages that cannot be decrypted.
  • Virtual Analyzer error: Messages that are not analyzed because of an unexpected error in Virtual Analyzer (for example, processing time-out).
  • Virtual Analyzer time-out: Messages that are not analyzed because of processing time-out in Virtual Analyzer.

Investigating a Quarantined Email Message

Procedure

  1. Search for the email message.
  2. Click the arrow next to the email message in the table.
    The table row expands with more information.
  3. Discover the email message details.
  4. Take action upon the quarantined message.
    • Leave the message in the quarantine.
      Note: You can configure settings to purge quarantined messages on the Storage Maintenance screen.
    • Click Delete to purge the email message from the quarantine.
    • Click Release to All to deliver the email message to all recipients.
    • Click Release to Selected Users to deliver the email message to selected recipients only.
      Note: You can only release one quarantined message to selected recipients at a time. After releasing the message, the system automatically removes the selected recipients from the message.
    • Click Resume Process to set Deep Discovery Email Inspector to continue message scanning from the last scan checkpoint.
      Note: Deep Discovery Email Inspector can only continue processing of messages that were quarantined due to spam detection, content violation, or DLP incidents.
    • Click Unlock and Reprocess to open password-protected files in unscannable messages using the specified password and the settings on the File Passwords screen, and then perform threat scans on the messages.

Quarantined Message Details

The following list explains the email message details viewable after expanding the search results. The display fields vary depending on the type of detected threats.
  • View in Threat Connect: Click View in Threat Connect to get correlated information about suspicious objects detected in your environment and threat data from the Trend Micro Smart Protection Network, which provides relevant and actionable intelligence.
  • View Virtual Analyzer Report: Click View Virtual Analyzer Report to view the analysis report in HTML or PDF format.
  • View Screenshot: Click View Screenshot to safely display the email message as an image.
  • Download: Select an option from the drop-down list to download the information for further investigation.
  • Overview: View the message ID, recipients, last detection time, sender and source IP addresses, and direction of the email message to understand where the message came from and other tracking information.
    Note: For sender and source IP addresses, Unknown indicates that the detected message is from an unknown origin (neither the location nor the IP address information is available), and No data indicates that the location information is not available.
  • Get information about the policy rules that the email message violates.
  • Messages: View the name of the scanning engine and the category for detected email messages that are considered spam or graymail.
  • Attachments: Get information about any files attached to the email message, including the file name, password, file type, risk level, SHA-1 and SHA-256 hash values, the scan engine that identified the threat, and the name of the detected threats.
  • YARA Detection: Get information about the detected files based on matched YARA rules in the associated YARA rule files.
  • Links: Get information about any embedded suspicious URLs that appeared in the email message, including the URL, site category, risk level, extraction source, the scan engine that identified the threat, and the name of the detected threats.
  • Message Characteristics: Get information about any social engineering attack related characteristics that were detected in the email message, including the mail server reputation, gaps between transits, inconsistent recipient accounts, forged sender addresses, and unexpected relay servers.
  • Content Keyword/Expression Match: Get information about the content keywords or expressions that are matched in the email message.
  • DLP Incident: Get information about the data identifiers and DLP templates that are matched in the email message, the message location, and forensic data.
  • Email Header: View the email message header content.