Querying the Quarantine

Use the Query screen to view a list of quarantined messages for your managed domains. You can review the messages, delete them, or release them for further scanning.

  1. In the Period field, specify the time range for your query.

    Queries include data for up to 30 continuous days in one calendar month. Use more than one query to search across calendar months.

  2. In the Direction field, select a mail traffic direction.
  3. Type your search criteria into one or more of the following fields:
    • Recipient(s)

    • Sender(s)

    • Subject

    You can specify up to 10 recipients or senders. Separate multiple recipients or senders by pressing the ENTER or TAB key, or using a semicolon (;).

    A recipient or sender can be a specific email address or all addresses from a specific domain.

    • Query a specific email address by typing that email address.

    • Query all addresses from a domain by using an asterisk (*) to the left of the at sign (@) in the email address. For example, *@example.com will search for all email addresses in the example.com domain.

    The following table displays format examples that are valid or not valid:

    Table 1. Format Examples for Mail Tracking and Quarantine Query


    Not Valid








  4. In the Visibility field, specify whether to query quarantined messages that end users have access to.
    • All: Query all quarantined messages.

    • Invisible to End Users: Query the quarantined messages that end users do not have access to.

    • Visible to End Users: Query the quarantined messages that end users have access to.

    Which quarantined incoming messages end users can access depends on your quarantine-reason settings on the End User Quarantine Settings screen. Quarantined outgoing messages are always invisible to end users.

  5. In the Reason field, select one or multiple reasons why the message was quarantined.
    • Sender IP Match: The message failed Sender IP Match check.

    • SPF: The message failed SPF check.

    • DKIM: The message failed DKIM verification.

    • Ransomware: The message was identified as ransomware.

    • Advanced Persistent Threat: The message triggered the advanced threat policy.

      • Analyzed Advanced Threats (Files): The message was identified as an advanced file threat according to Virtual Analyzer and the policy configuration.

      • Analyzed Advanced Threats (URLs): The message was identified as an advanced URL threat according to Virtual Analyzer and the policy configuration.

      • Probable Advanced Threats: The message was treated as suspicious according to policy configuration or the message was not sent to Virtual Analyzer due to exceptions that occurred during analysis.

    • Malware: The message triggered the malware criteria. The malware may be detected by Predictive Machine Learning or traditional pattern-based scanning.

    • Suspicious Objects: The message contains suspicious files or suspicious URLs.

    • Scanning Exception: The message triggered scan exceptions.

    • Spam: The message was identified as spam.

    • BEC: The message triggered the Business Email Compromise (BEC) criteria.

    • Phishing: The message triggered the phishing criteria.

    • Graymail: The message triggered the graymail criteria.

    • Web Reputation: The message triggered the Web Reputation criteria.

    • Content Filtering - No Criteria: The message triggered the No Criteria scanning criteria in the Content Filtering policy.

    • Content: The message triggered the message content criteria. For example, a message's header, body or attachment matches the specified keywords or expressions.

    • Attachment: The message triggered the message attachment criteria.

    • Data Loss Prevention: The message triggered the Data Loss Prevention policy.

  6. In the Rule field, specify the rule that was triggered by the quarantined message.

    The Rule field supports the following:

    • When you click in this text box, a maximum of 20 rules in use are listed for you to choose from.

    • Select from the rules listed or type keywords for a fuzzy match.

  7. Click Search.
  8. Select one or multiple messages to manage.
  9. Click one of the following buttons to manage the selected messages:
    • Delete: Cancel delivery and permanently delete the message.

    • Deliver: Release from quarantine.


      Released messages will no longer trigger the exact policy rule that caused the messages to be quarantined, but they will continue to be processed by Trend Micro Email Security. The following conditions apply to delivery:

      • If a message triggers a content-based policy rule with an Intercept action of Quarantine, it will once again appear in the quarantined message list.

      • If a message triggers a content-based policy rule with an Intercept action of Delete entire message or Change recipient, it will not arrive at its intended destination.

      The content-based policy rule mentioned above refers to any policy rule that evaluates email messages based on message contents. Typical content-based policy rules include virus policies, spam policies, content filtering policies, and DLP policies.

  10. Configure the password settings for downloading quarantined messages.
    1. Click Set Download Password.
    2. On the Password Settings for Message Download screen, select whether to use a random password or your own custom password for protecting the downloaded messages.

      If you use a custom password, specify a password consisting of 4 to 32 characters in the range "A-Z", "a-z", and "0-9".

    3. Select Apply password settings to all admin accounts if you want all administrators to use the same password settings for message download.

      This option is available only to the Business Account and superadmin accounts.

  11. Optionally click on the Date value to view the Quarantine Query Details screen for a given message.
    1. Check the summary and detailed information about the message.
    2. Click Delete, Deliver, or Download to manage the message.

      When you click Download, choose whether to download the original email file or a password-protected ZIP file to your local host.

      When you download the ZIP file, Trend Micro Email Security generates a password for decompressing the ZIP file. You can find the password on the Quarantine Query Details screen or at the end of the ZIP file name.

      The Download button is available only on the Quarantine Query Details screen.
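
The Period and Recipient(s)/Sender(s) limits in steps 1 and 3 can be checked before an investigation that spans several months. The following is an added example, not Trend Micro code: the function names are hypothetical, the address pattern is a simplified assumption (the console's own validity rules may differ), and the 30-day limit is read as a cap on each single query.

```python
import re
from datetime import date, timedelta

MAX_ADDRESSES = 10   # page: up to 10 recipients or senders
MAX_DAYS = 30        # page: up to 30 continuous days per query (our reading)

# Simplified check (assumption): "local@domain" or "*@domain" only.
_ADDR = re.compile(r"^(\*|[A-Za-z0-9._%+-]+)@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$")


def parse_addresses(raw):
    """Split on ';', TAB or newline (ENTER) and validate each entry."""
    entries = [e.strip() for e in re.split(r"[;\t\r\n]+", raw) if e.strip()]
    if len(entries) > MAX_ADDRESSES:
        raise ValueError(f"{len(entries)} entries; at most {MAX_ADDRESSES} allowed")
    bad = [e for e in entries if not _ADDR.match(e)]
    if bad:
        raise ValueError(f"not an address or *@domain pattern: {bad}")
    return entries


def split_period(start, end):
    """Split inclusive [start, end] into ranges that stay inside one
    calendar month and cover no more than MAX_DAYS days each."""
    if end < start:
        raise ValueError("end date precedes start date")
    ranges, cur = [], start
    while cur <= end:
        # First day of the following month (December rolls into next year).
        nxt = date(cur.year + (cur.month == 12), cur.month % 12 + 1, 1)
        last = min(end, nxt - timedelta(days=1),
                   cur + timedelta(days=MAX_DAYS - 1))
        ranges.append((cur, last))
        cur = last + timedelta(days=1)
    return ranges


def plan_queries(start, end, senders="", recipients=""):
    """Return one criteria dict per console query needed for the period."""
    s, r = parse_addresses(senders), parse_addresses(recipients)
    return [{"from": a, "to": b, "senders": s, "recipients": r}
            for a, b in split_period(start, end)]
```

Each returned dict corresponds to one run of steps 1 through 7 in the console.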