Use the Query screen to view a list of quarantined messages for your managed domains. You can review the messages, delete them, or release them for further scanning.
Queries include data for up to 30 continuous days in one calendar month. Use more than one query to search across calendar months.
You can specify up to 10 recipients or senders. Separate multiple recipients or senders by pressing the ENTER or TAB key, or using a semicolon (;).
A recipient or sender can be a specific email address or all addresses from a specific domain.
Query a specific email address by typing that email address.
Query all addresses from a domain by using an asterisk (*) to the left of the at sign (@) in the email address. For example, *@example.com will search for all email addresses in the example.com domain.
The following table displays format examples that are valid or not valid:
All: Query all quarantined messages.
Invisible to End Users: Query the quarantined messages that end users do not have access to.
Visible to End Users: Query the quarantined messages that end users have access to.
Quarantined incoming messages that end users have access to depend on your setting based on quarantine reasons on the End User Quarantine Settings screen. Quarantined outgoing messages are always invisible to end users.
Sender IP Match: The message failed Sender IP Match check.
SPF: The message failed SPF check.
DKIM: The message failed DKIM verification.
Ransomware: The message was identified as ransomware.
Advanced Persistent Threat: The message triggered the advanced threat policy.
Analyzed Advanced Threats (Files): The message was identified as advanced file threats according to Virtual Analyzer and the policy configuration.
Analyzed Advanced Threats (URLs): The message was identified as advanced URL threats according to Virtual Analyzer and the policy configuration.
Probable Advanced Threats: The message was treated as suspicious according to policy configuration or the message was not sent to Virtual Analyzer due to exceptions that occurred during analysis.
Malware: The message triggered the malware criteria. The malware may be detected by Predictive Machine Learning or traditional pattern-based scanning.
Suspicious Objects: The message contains suspicious files or suspicious URLs.
Scanning Exception: The message triggered scan exceptions.
Spam: The message was identified as spam.
BEC: The message triggered the Business Email Compromise (BEC) criteria.
Phishing: The message triggered the phishing criteria.
Graymail: The message triggered the graymail criteria.
Web Reputation: The message triggered the Web Reputation criteria.
Content Filtering - No Criteria: The message triggered the No Criteria scanning criteria in the Content Filtering policy.
Content: The message triggered the message content criteria. For example, a message's header, body or attachment matches the specified keywords or expressions.
Attachment: The message triggered the message attachment criteria.
Data Loss Prevention: The message triggered the Data Loss Prevention policy.
The Rule field supports the following:
A maximum of 20 rules in use will be listed for you to choose when you click in this text box.
Select from the rules listed or type keywords for a fuzzy match.
Delete: Cancel delivery and permanently delete the message
Deliver: Release from quarantine
Released messages will no longer trigger the exact policy rule that caused the messages to be quarantined, but they will continue to be processed by Trend Micro Email Security. The following conditions apply to delivery:
If a message triggers a content-based policy rule with an Intercept action of Quarantine, it will once again appear in the quarantined message list.
If a message triggers a content-based policy rule with an Intercept action of Delete entire message or Change recipient, it will not arrive at its intended destination.
The content-based policy rule mentioned above refers to any policy rule that evaluates email messages based on message contents. Typical content-based policy rules include virus policies, spam policies, content filtering policies, and DLP policies.
When you click Download, choose whether to download the original email file or password-protected ZIP file to your local host.When you download the ZIP file, Trend Micro Email Security generates a password for decompressing the ZIP file. You can find the password on the Quarantine Query Details screen or at the end of the ZIP file name.
The Download button is available only on the Quarantine Query Details screen.