Querying the Quarantine

Use the Query screen to view a list of quarantined messages for your managed domains. You can review the messages, delete them, or release them for further scanning.

  1. In the Period field, specify the time range for your query.
    Note:

    Queries include data for up to 30 continuous days in one calendar month. Use more than one query to search across calendar months.

  2. In the Direction field, select a mail traffic direction.
  3. Type your search criteria into one or more of the following fields:
    • Recipient

    • Sender

    • Subject

    A recipient or sender can be a specific email address or all addresses from a specific domain.

    • Query a specific email address by typing that email address.

    • Query all addresses from a domain by using an asterisk (*) to the left of the at sign (@) in the email address. For example, *@example.com will search for all email addresses in the example.com domain.

    The following table displays format examples that are valid or not valid:

    Table 1. Format Examples for Mail Tracking and Quarantine Query

    Valid                    Not Valid
    name@info.example.com    name@*.example.com
    *@example.com            *@*.com
    *@server.example.com     *@*
    *@*.example.com

  4. In the Visibility field, specify whether to query quarantined messages that end users have access to.
    • All: Query all quarantined messages.

    • Invisible to End Users: Query the quarantined messages that end users do not have access to.

    • Visible to End Users: Query the quarantined messages that end users have access to.

    Which quarantined incoming messages end users have access to depends on the settings you configured for each quarantine reason on the End User Quarantine Settings screen. Quarantined outgoing messages are always invisible to end users.

  5. In the Reason field, select the reason why the message was quarantined.
    • Sender IP Match: The message failed the Sender IP Match check.

    • SPF: The message failed the SPF check.

    • DKIM: The message failed DKIM verification.

    • Ransomware: The message was identified as ransomware.

    • Advanced Persistent Threat: The message triggered the advanced threat policy.

      • Analyzed Advanced Threats (Files): The message was identified as an advanced file threat according to Virtual Analyzer and the policy configuration.

      • Analyzed Advanced Threats (URLs): The message was identified as an advanced URL threat according to Virtual Analyzer and the policy configuration.

      • Probable Advanced Threats: The message was treated as suspicious according to the policy configuration, or the message was not sent to Virtual Analyzer due to exceptions that occurred during analysis.

    • Malware: The message triggered the malware criteria. The malware may be detected by Predictive Machine Learning or traditional pattern-based scanning.

    • Suspicious Objects: The message contains suspicious files or suspicious URLs.

    • Scanning Exception: The message triggered scan exceptions.

    • Spam: The message was identified as spam.

    • BEC: The message triggered the Business Email Compromise (BEC) criteria.

    • Phishing: The message triggered the phishing criteria.

    • Graymail: The message triggered the graymail criteria.

    • Web Reputation: The message triggered the Web Reputation criteria.

    • Content Filtering - No Criteria: The message triggered the No Criteria scanning criteria in the Content Filtering policy.

    • Content: The message triggered the message content criteria. For example, a message's header, body or attachment matches the specified keywords or expressions.

    • Attachment: The message triggered the message attachment criteria.

    • Data Loss Prevention: The message triggered the Data Loss Prevention policy.

  6. In the Rule field, specify the rule that was triggered by the quarantined message.

    The Rule field supports the following:

    • When you click in this text box, a maximum of 20 rules in use are listed for you to choose from.

    • Select from the rules listed or type keywords for a fuzzy match.

  7. Click Search.
  8. Select one or multiple messages to manage.
  9. Click one of the following buttons to manage the selected messages:
    • Delete: Cancel delivery and permanently delete the message.

    • Deliver: Release the message from quarantine.

      Note:

      Released messages are no longer marked as spam, but they will continue to be processed by Trend Micro Email Security. The following conditions apply to delivery:

      • If a message triggers a content-based policy rule with an Intercept action of Quarantine, it will once again appear in the quarantined message list.

      • If a message triggers a content-based policy rule with an Intercept action of Delete entire message or Change recipient, it will not arrive at its intended destination.

  10. Optionally click on the Date value to view the Quarantine Query Details screen for a given message.
    1. Check the summary and message view information about the message.
    2. Click Delete, Deliver, or Download to manage the message.
      Note:

      Download: Download the message to your local host.

      This button is available only on the Quarantine Query Details screen.