Policy, Virus, and Outbreak Quarantines

Overview of Policy, Virus, and Outbreak Quarantines

“Policy, virus and outbreak quarantines” includes all non-spam quarantines, including the File Analysis quarantine.

When an appliance detects possible malware or content that is not allowed by your organization in incoming or outgoing messages, it can send those messages to a quarantine instead of deleting them immediately. A quarantine holds these messages safely on the appliance or on a Cisco Content Security Management appliance for a period of time, to allow a human being to review them, or to await an update that will better evaluate the safety of the message.

Examples of how non-spam quarantines can be used in your organization:

  • Policy enforcement. Let Human Resources personnel or the Legal department review messages that may contain offensive, confidential, or otherwise disallowed information.
  • Virus quarantine. Store messages that are marked as infected, encrypted, or not scannable by the anti-virus scanning engine to prevent the spread of viruses to your users.
  • Outbreak prevention. Hold messages that are flagged by the Outbreak Filters as possibly being part of a viral outbreak or small-scale malware attack until an anti-virus or anti-spam update is released.
  • File Analysis quarantine. Store messages that have attachments that may contain malware, and that have been sent for analysis, until a verdict is reached.

Quarantine Types

| Quarantine Type | Quarantine Name | Created by the System by Default? | Description | More Information |
| --- | --- | --- | --- | --- |
| Advanced Malware Protection | File Analysis | Yes | Holds messages that are sent for file analysis, until a verdict is returned. | |
| Virus | Virus | Yes | Holds messages that may be transmitting malware, as determined by the anti-virus engine. | |
| Outbreak | Outbreak | Yes | Holds messages caught by Outbreak Filters as potentially being spam or malware. | |
| Policy | Policy | Yes | Holds messages caught by message filters, content filters, and DLP message actions. A default Policy quarantine has been created for you. | |
| | Unclassified | Yes | Holds messages only if a quarantine that is specified in a message filter, content filter, or DLP message action has been deleted. You cannot assign this quarantine to any filter or message action. | |
| | (Policy quarantines that you create) | No | Policy quarantines that you create for use in message filters, content filters, and DLP message actions. | |
| Spam | Spam | Yes | Holds spam or suspected spam messages for the message’s recipient or an administrator to review. The spam quarantine is not included in the group of policy, virus, and outbreak quarantines and is managed separately from all other quarantines. | Spam Quarantine |

Managing Policy, Virus, and Outbreak Quarantines

Disk Space Allocation for Policy, Virus, and Outbreak Quarantines

For disk space information for policy, virus, and outbreak quarantines, see Managing Disk Space.

Policy, virus, and outbreak quarantines consume some disk space on the appliance even if the quarantines are centralized.

Messages in multiple quarantines consume the same amount of disk space as a message in a single quarantine.

If Outbreak Filters and Centralized Quarantines are both enabled:

  • All disk space on the appliance that would have been allocated to local policy, virus, and outbreak quarantines is used instead to hold copies of messages in the Outbreak quarantine, in order to scan those messages each time outbreak rules are updated.

  • The disk space on the Security Management appliance for messages in the Outbreak quarantine from a particular managed

Retention Time for Messages in Quarantines

Messages are automatically removed from the quarantine under the following circumstances:

  • Normal Expiration—the configured retention time is met for a message in the quarantine. You specify a retention time for messages in each quarantine. Each message has its own specific expiration time, displayed in the quarantine listing. Messages are stored for the amount of time specified unless another circumstance described in this topic occurs.


    Note

    The normal retention time for messages in the Outbreak Filters quarantine is configured in the Outbreak Filters section of each mail policy, not in the outbreak quarantine.
  • Early Expiration—messages are forced from quarantines before the configured retention time is reached. This can happen when:
    • The size limit for all quarantines, as defined in Disk Space Allocation for Policy, Virus, and Outbreak Quarantines, is reached.

      If the size limit is reached, the oldest messages, regardless of quarantine, are processed and the default action is performed for each message, until the size of all quarantines is again less than the size limit. The policy is First In First Out (FIFO). Messages in multiple quarantines will be expired based on their latest expiration time.

      (Optional) You can configure individual quarantines to be exempt from release or deletion because of insufficient disk space. If you configure all quarantines to be exempt and the disk space reaches capacity, messages in the quarantine will be delivered to make room for new messages.

      You will receive alerts at disk-space milestones. See Alerts About Quarantine Disk-Space Usage.

  • You delete a quarantine that still holds messages.

When a message is automatically removed from a quarantine, the default action is performed on that message. See Default Actions for Automatically Processed Quarantined Messages.


Note

In addition to the above scenarios, messages can be automatically removed from quarantine based on the result of scanning operations (outbreak filters or file analysis).

Effects of Time Adjustments on Retention Time

  • Daylight saving time and appliance time zone changes do not affect the retention period.
  • If you change the retention time of a quarantine, only new messages will have the new expiration time.
  • If the system clock is changed, messages that should have expired in the past will expire at the next most appropriate time.
  • System clock changes do not apply to messages that are in the process of being expired.

Default Actions for Automatically Processed Quarantined Messages

The default action is performed on messages in a policy, virus, or outbreak quarantine when any situation described in Retention Time for Messages in Quarantines occurs.

There are two primary default actions:

  • Delete—The message is deleted.
  • Release—The message is released for delivery.

Upon release, messages may be rescanned for threats. For more information, see About Rescanning of Quarantined Messages.

In addition, messages released before their expected retention time has passed can have additional operations performed on them, such as adding an X-Header. For more information, see Configuring Policy, Virus, and Outbreak Quarantines.

Configuring Policy, Virus, and Outbreak Quarantines

Procedure


Step 1

You can configure Policy, Virus, and Outbreak Quarantines in any one of the following ways:

  • [New Web Interface Only] Choose Quarantine > Other Quarantine > View > +.

  • Choose Monitor > Policy, Virus, and Outbreak Quarantines and do one of the following.

    • Click Add Policy Quarantine.

    • Click a quarantine to edit.

Step 2

Enter the following information:

Keep the following in mind:

  • Changing the retention time of the File Analysis quarantine from the default of one hour is not recommended.

  • If you do not want messages in this quarantine to be processed before the end of the Retention Period you specify, even when quarantine disk space is full, deselect Free up space by applying default action on messages upon space overflow.

    Do not select this option for all quarantines. The system must be able to make space by deleting messages from at least one quarantine.

  • If you select Release as the default action, you can specify additional actions to apply to messages that are released before their retention period has passed:

| Option | Information |
| --- | --- |
| Modify Subject | Type the text to add and specify whether to add it to the beginning or the end of the original message subject. For example, you might want to warn the recipient that the message may contain inappropriate content. Note: In order for a subject with non-ASCII characters to display correctly, it must be represented according to RFC 2047. |
| Add X-Header | An X-Header can provide a record of actions taken on a message. This can be helpful, for example, when handling inquiries about why a particular message was delivered. Enter a name and value. Example: Name = Inappropriate-release-early, Value = True |
| Strip Attachments | Stripping attachments protects against viruses that may be in such files. |

Step 3

Specify the users who can access this quarantine:

| User | Information |
| --- | --- |
| Local Users | The list of local users includes only users with roles that can access quarantines. The list excludes users with Administrator privileges, because all Administrators have full access to quarantines. |
| Externally Authenticated Users | You must have configured external authentication. |
| Custom User Roles | You see this option only if you have created at least one custom user role with quarantine access. |

Step 4

Submit and commit your changes.


What to do next

Create message and content filters and DLP message actions that will move messages to the quarantine.

About Editing Policy, Virus, and Outbreak Quarantine Settings


Note


To change quarantine settings, choose Monitor > Policy, Virus, and Outbreak Quarantines, and then click the name of a quarantine.

To change quarantine settings on the new web interface, navigate to Quarantine > Other Quarantine > View and click on the required quarantine or

Determining the Filters and Message Actions to Which a Policy Quarantine Is Assigned

You can view the message filters, content filters, Data Loss Prevention (DLP) message actions, and DMARC verification profiles that are associated with a policy quarantine.

Procedure


Step 1

[New Web Interface Only] On the appliance, click Quarantine > Other Quarantine > View.

Step 2

[New Web Interface Only] Select the required quarantine and click on the button.

Step 3

Choose Monitor > Policy, Virus, and Outbreak Quarantines.

Step 4

Click the name of the policy quarantine to check.

Step 5

Scroll to the bottom of the page and view the Associated Message Filters/Content Filters/DLP Message Actions.


About Deleting Policy Quarantines

  • Before you delete a policy quarantine, see if it is associated with any active filters or message actions. See Determining the Filters and Message Actions to Which a Policy Quarantine Is Assigned.
  • You can delete a policy quarantine even if it is assigned to a filter or message action.
  • If you delete a quarantine that is not empty, the default action defined in the quarantine will be applied to all messages, even if you have selected the option not to delete messages if the disk is full. See Default Actions for Automatically Processed Quarantined Messages.
  • After you delete the quarantine associated with a filter or message action, any messages subsequently quarantined by that filter or message action will be sent to the Unclassified quarantine. You should customize the default settings of the Unclassified quarantine before you delete quarantines.
  • You cannot delete the Unclassified quarantine.

Monitoring Quarantine Status, Capacity, and Activity

| To View | Do This |
| --- | --- |
| Total space allocated for all non-spam quarantines | [New Web Interface Only] On the appliance, click to load the legacy web interface. Choose Monitor > Policy, Virus, and Outbreak Quarantines and look in the first section on the page. To change allocations, see Managing Disk Space. |
| Currently available space for all non-spam quarantines | [New Web Interface Only] Choose Quarantine > Other Quarantine. Choose Monitor > Policy, Virus, and Outbreak Quarantines and look just below the table. |
| Total amount of space currently used by all quarantines | [New Web Interface Only] On the appliance, click to load the legacy web interface. Choose Monitor > System Status and look for Queue Space Used by Quarantine. |
| Amount of space currently used by each quarantine | [New Web Interface Only] Choose Quarantine > Other Quarantine > View. Choose Monitor > Policy, Virus, and Outbreak Quarantines, click the quarantine name, and look for this information in the table row directly below the quarantine name. |
| Total number of messages currently in all quarantines | [New Web Interface Only] On the appliance, click to load the legacy web interface. Choose Monitor > System Status and look for Active Messages in Quarantine. |
| Number of messages currently in each quarantine | [New Web Interface Only] Choose Quarantine > Other Quarantine > View. Choose Monitor > Policy, Virus, and Outbreak Quarantines and look at the table row for the quarantine. |
| Total CPU usage by all quarantines | [New Web Interface Only] On the appliance, click to load the legacy web interface. Choose Monitor > System Status and look in the CPU Utilization section. |
| Date and time when the last message entered each quarantine (excluding moves between policy quarantines) | [New Web Interface Only] Choose Quarantine > Other Quarantine > View. Choose Monitor > Policy, Virus, and Outbreak Quarantines and look at the table row for the quarantine. |
| Date a policy quarantine was created; name of policy quarantine creator | [New Web Interface Only] On the appliance, click to load the legacy web interface. Choose Monitor > Policy, Virus, and Outbreak Quarantines, click the quarantine name, and look for this information in the table row directly below the quarantine name. Creation date and creator name are not available for system-created quarantines. |
| Filters and message actions associated with a policy quarantine | See Determining the Filters and Message Actions to Which a Policy Quarantine Is Assigned. |

Policy Quarantine Performance

Messages stored in policy quarantines use system memory in addition to hard-drive space. Storing hundreds of thousands of messages in policy quarantines on a single appliance may cause a decrease in the appliance's performance due to excessive memory usage. The appliance takes more time to quarantine, delete, and release messages, which causes message processing to slow down and the email pipeline to back up.

Cisco recommends storing an average of less than 20,000 messages in your policy quarantines to ensure that the appliance processes email at a normal rate.

To check the number of messages in quarantines, see Monitoring Quarantine Status, Capacity, and Activity.

Alerts About Quarantine Disk-Space Usage

An alert is sent whenever the total size of the policy, virus, and outbreak quarantine reaches or passes 75 percent, 85 percent, and 95 percent of its capacity. The check is performed when a message is placed in the quarantine. For example, if adding a message to a quarantine increases the size to or past 75 percent of the total capacity, an alert is sent.

Policy Quarantines and Logging

AsyncOS individually logs all messages that are quarantined:

Info: MID 482 quarantined to "Policy" (message filter:policy_violation)

The message filter or Outbreak Filters feature rule that caused the message to be quarantined is placed in parentheses. A separate log entry is generated for each quarantine in which the message is placed.

AsyncOS also individually logs messages that are removed from quarantine:

Info: MID 483 released from quarantine "Policy" (queue full)

Info: MID 484 deleted from quarantine "Anti-Virus" (expired)

The system individually logs messages after they are removed from all quarantines and either permanently deleted or scheduled for delivery, for example:

Info: MID 483 released from all quarantines

Info: MID 484 deleted from all quarantines

When a message is re-injected, the system creates a new Message object with a new Message ID (MID). This is logged using an existing log message with a new MID “byline”, for example:

Info: MID 483 rewritten to 513 by Policy Quarantine
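
The log formats above can be correlated per MID to show which quarantined messages were delivered by the default action rather than by a reviewer, and under which new MID they continued. The following Python sketch is an added example, not Cisco code: the function names are hypothetical, the sample lines are constructed from the formats quoted above, and treating "queue full" and "expired" as the automatic removal reasons is an assumption based on those samples.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Patterns mirror the log formats quoted above. search() is used so that any
# prefix in front of "Info:" (for example a timestamp) is ignored.
RE_ENTER = re.compile(r'MID (\d+) quarantined to "([^"]+)" \(([^)]*)\)')
RE_LEAVE = re.compile(
    r'MID (\d+) (released|deleted) from quarantine "([^"]+)" \(([^)]*)\)')
RE_FINAL = re.compile(r'MID (\d+) (released|deleted) from all quarantines')
RE_REWRITE = re.compile(r'MID (\d+) rewritten to (\d+) by ')

# Removal reasons that appear in the samples on this page. Treating exactly
# these two as "automatic" is an assumption of this example.
AUTO_REASONS = {"queue full", "expired"}


@dataclass
class Record:
    mid: int
    entered: Dict[str, str] = field(default_factory=dict)  # quarantine -> rule
    left: Dict[str, Tuple[str, str]] = field(default_factory=dict)  # quarantine -> (action, reason)
    final: Optional[str] = None         # "released" or "deleted"
    rewritten_to: Optional[int] = None  # new MID after re-injection


def parse(lines) -> Dict[int, Record]:
    """Build one Record per MID from quarantine-related log lines."""
    records: Dict[int, Record] = {}

    def rec(mid: str) -> Record:
        return records.setdefault(int(mid), Record(int(mid)))

    for line in lines:
        if m := RE_ENTER.search(line):
            rec(m[1]).entered[m[2]] = m[3]
        elif m := RE_LEAVE.search(line):
            rec(m[1]).left[m[3]] = (m[2], m[4])
        elif m := RE_FINAL.search(line):
            rec(m[1]).final = m[2]
        elif m := RE_REWRITE.search(line):
            rec(m[1]).rewritten_to = int(m[2])
    return records


def auto_released(records):
    """Messages released by the default action, with the rule that caught them.

    Returns (mid, quarantine, reason, rule, new_mid) tuples; new_mid is the
    MID to follow in later log entries, or None if no rewrite was logged.
    """
    hits = []
    for r in records.values():
        for quarantine, (action, reason) in r.left.items():
            if action == "released" and reason in AUTO_REASONS:
                rule = r.entered.get(quarantine, "unknown")
                hits.append((r.mid, quarantine, reason, rule, r.rewritten_to))
    return sorted(hits, key=lambda h: h[:2])


def still_held(records):
    """MIDs that entered a quarantine and have no final disposition logged."""
    return sorted(r.mid for r in records.values()
                  if r.entered and r.final is None)


# Constructed sample: the formats are the ones shown on this page; the entry
# line for MID 483 is added so the release can be tied back to its rule.
SAMPLE_LOG = [
    'Info: MID 482 quarantined to "Policy" (message filter:policy_violation)',
    'Info: MID 483 quarantined to "Policy" (message filter:policy_violation)',
    'Info: MID 483 released from quarantine "Policy" (queue full)',
    'Info: MID 484 deleted from quarantine "Anti-Virus" (expired)',
    'Info: MID 483 released from all quarantines',
    'Info: MID 484 deleted from all quarantines',
    'Info: MID 483 rewritten to 513 by Policy Quarantine',
]

if __name__ == "__main__":
    recs = parse(SAMPLE_LOG)
    for mid, quarantine, reason, rule, new_mid in auto_released(recs):
        print(f"MID {mid} left {quarantine!r} unreviewed ({reason}); "
              f"caught by {rule}; continues as MID {new_mid}")
    print("still held:", still_held(recs))
```

A release with the reason "queue full" means the message left quarantine because of disk pressure, so the rule that caught it and the rewritten MID are the starting points for a follow-up review.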

About Distributing Message Processing Tasks to Other Users

You can distribute message review and processing tasks to other administrative users. For example:

  • The Human Resources team can review and manage the Policy Quarantine.
  • The Legal team can manage the Confidential Material Quarantine.

You assign access privileges to these users when you specify settings for a quarantine. In order to add users to quarantines, the users must already exist.

Each user may have access to all, some, or none of the quarantines. A user who is not authorized to view a quarantine will not see any indication of its existence anywhere in the GUI or CLI listings of quarantines.

Which User Groups Can Access Policy, Virus, and Outbreak Quarantines

When you allow administrative users to access a quarantine, the actions that they can perform depend on their user group:

  • Users in the Administrators groups can create, configure, delete, and centralize quarantines and can manage quarantined messages.
  • Users in the Operators, Guests, Read-Only Operators, and Help Desk Users groups, as well as custom user roles with quarantine management privileges, can search for, view, and process messages in a quarantine, but cannot change the quarantine’s settings, create, delete, or centralize quarantines. You specify in each quarantine which of these users have access to that quarantine.
  • Users in the Technicians group cannot access quarantines.

Access privileges for related features, such as Message Tracking and Data Loss Prevention, also affect the options and information that an administrative user sees on Quarantine pages. For example, if a user does not have access to Message Tracking, that user will not see message tracking links and information for quarantined messages.

End users do not see or have access to policy, virus, and outbreak quarantines.

About Policy, Virus, and Outbreak Quarantines in Cluster Configurations

Policy, virus, and outbreak quarantines are configurable only at machine level in deployments with centralized management.

Working with Messages in Policy, Virus, or Outbreak Quarantines

Viewing Messages in Quarantines

| To | Do This |
| --- | --- |
| View all messages in a quarantine | [New Web Interface Only] Choose Quarantine > Other Quarantine > View. Choose Monitor > Policy, Virus, and Outbreak Quarantines. In the row for the relevant quarantine, click the blue number in the Messages column of the table. |
| View messages in the Outbreak quarantine | [New Web Interface] Choose Quarantine > Other Quarantine > View. Choose Monitor > Policy, Virus, and Outbreak Quarantines. In the row for the relevant quarantine, click the blue number in the Messages column of the table. See Manage by Rule Summary Link. |
| Navigate through the list of messages in a quarantine | Click Previous, Next, a page number, or double-arrow link. The double arrows take you to the first (<<) or last (>>) page in the listing. |
| Sort the list of messages in a quarantine | Click a column heading (except columns that could include multiple items or the “In other quarantines” column). |
| Resize table columns | Drag the divider between column headings. |
| View the content that caused the message to be quarantined | See Viewing Matched Content. |

Quarantined Messages and International Character Sets

For messages with subjects that contain characters from international character sets (double-byte, variable length, and non-ASCII encoded), the Policy Quarantine pages display subject lines in non-ASCII characters in their decoded form.

Finding Messages in Policy, Virus, and Outbreak Quarantines


Note

  • Users can find and see only the messages in quarantines to which they have access.

  • Searches in Policy, Virus, and Outbreak quarantines do not find messages in the spam quarantine.


Procedure


Step 1

[New Web Interface Only] Click the blue number link of the corresponding quarantine.

Tip 

[New Web Interface Only] For the Outbreak Quarantine, you can also find all messages quarantined by each outbreak rule: Click the Rule Summary tab in the Outbreak quarantine, and then click the relevant rule.

Step 2

[New Web Interface Only] Choose Quarantine > Other Quarantine > Search.

Step 3

[New Web Interface Only] Click the blue number link of the corresponding quarantine.

Tip 

[New Web Interface Only] For the Outbreak Quarantine, you can also find all messages quarantined by each outbreak rule: Click the Rule Summary tab in the Outbreak quarantine, and then click the relevant rule.

Step 4

Choose Monitor > Policy, Virus, and Outbreak Quarantines.

Step 5

Click the Search Across Quarantines button.

Tip 

For the Outbreak Quarantine, you can also find all messages quarantined by each outbreak rule: Click the Manage by Rule Summary link in the Outbreak table row, and then click the relevant rule.

Step 6

(Optional) Enter other search criteria.

  • For Envelope Sender and Envelope Recipient: You can enter any character(s). No validation of your entry is performed.

  • Search results include only messages that match all of the criteria you specify. For example, if you specify an Envelope Recipient and a Subject, only messages that match the terms specified in both the Envelope Recipient and the Subject are returned.


What to do next

You can use the search results in the same way that you use the quarantine listings. For more information, see Manually Processing Messages in a Quarantine.

Manually Processing Messages in a Quarantine

Manually processing messages means to manually select a Message Action for the message from the Message Actions page.

You can perform the following actions on messages:

  • Delete

  • Release

  • Delay Scheduled Exit from quarantine

  • Send a Copy of messages to email addresses that you specify

  • Move a message from one quarantine to another

Generally, you can perform actions on messages in the lists that are displayed when you do the following. However, not all actions are available in all situations.

  • From the list of quarantines on the Monitor > Policy, Virus, and Outbreak Quarantines or [New Web Interface Only] Quarantine > Other Quarantine > View page, click the number of messages in a quarantine.

  • Click Search Across Quarantines.

  • Click a quarantine name and search within a quarantine.

You can perform these actions on multiple messages at one time by:

  • Choosing an option from the pick list at the top of the list of messages.

  • Selecting the check box beside each message listed on a page.

  • Selecting the check box in the table heading at the top of a list of messages. This applies the action to all messages visible on the screen. Messages on other pages are not affected.

Additional options are available for messages in the outbreak quarantine. See

Sending a Copy of the Message

Only users who belong to the Administrators group may send copies of a message.

To send a copy of the message, enter an email address in the Send Copy To: field and click Submit. Sending a copy of a message does not cause any other action to be performed on the message.

About Moving Messages Between Policy Quarantines

You can manually move messages from one policy quarantine to another on a single appliance.

When you move a message to a different quarantine:

  • The expiration time is unchanged. The message keeps the retention time of the original quarantine.
  • The reason the message was quarantined, including the matched content and other relevant details, does not change.
  • If a message is in multiple quarantines and you move the message to a destination that already holds a copy of that message, the expiration time and reason for quarantine of the moved copy of the message overwrite those of the copy of the message that was originally in the destination quarantine.

Messages in Multiple Quarantines

If a message is present in one or more other quarantines, the “In other quarantines” column in the quarantine message list will show “Yes,” regardless of whether you have permissions to access those other quarantines.

A message in multiple quarantines:

  • Is not delivered unless it has been released from all of the quarantines in which it resides. If it is deleted from any quarantine, it will never be delivered.
  • Is not deleted from any quarantine until it has been deleted or released from all quarantines in which it resides.

Because a user wanting to release a message may not have access to all of the quarantines in which it resides, the following rules apply:

  • A message is not released from any quarantine until it has been released from all of the quarantines in which it resides.
  • If a message is marked as Deleted in any quarantine, it cannot be delivered from any other quarantine in which it resides. (It can still be released.)

If a message is queued in multiple quarantines and a user does not have access to one or more of the other quarantines:

  • The user will be informed whether the message is present in each of the quarantines to which the user has access.
  • The GUI shows only the scheduled exit time from the quarantines to which the user has access. (For a given message, there is a separate exit time for each quarantine.)
  • The user will not be told the names of the other quarantine(s) holding the message.
  • The user will not see matched content that caused the message to be placed into quarantines that the user does not have access to.
  • Releasing a message affects only the queues to which the user has access.
  • If the message is also queued in other quarantines not accessible to the user, the message will remain in quarantine, unchanged, until acted upon by users who have the required access to the remaining quarantines (or until the message is released “normally” via early or normal expiration).
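
The rules above explain why a reviewer can release a message and still find it held. The following Python model is an added illustration, not AsyncOS code: the class and function names are hypothetical, the two reviewers and their quarantine access are constructed, and expiration is not modelled.

```python
from enum import Enum


class Mark(Enum):
    HELD = "held"
    RELEASED = "released"
    DELETED = "deleted"


class QuarantinedMessage:
    """Toy model of one message that sits in several quarantines at once."""

    def __init__(self, mid, quarantines):
        self.mid = mid
        self.marks = {q: Mark.HELD for q in quarantines}

    def act(self, user_access, action):
        """Apply RELEASED or DELETED, but only where the user has access.

        Returns the quarantines that were actually affected.
        """
        touched = sorted(q for q, m in self.marks.items()
                         if q in user_access and m is Mark.HELD)
        for q in touched:
            self.marks[q] = action
        return touched

    def disposition(self):
        """Overall fate of the message under the rules listed above."""
        marks = set(self.marks.values())
        if Mark.HELD in marks:
            return "quarantined"   # some quarantine has not let go yet
        if Mark.DELETED in marks:
            return "deleted"       # deleted anywhere: never delivered
        return "delivered"         # released from every quarantine

    def listing(self, quarantine, user_access):
        """What a reviewer sees for this message in one quarantine's list."""
        if quarantine not in user_access or quarantine not in self.marks:
            return None            # no indication the quarantine exists
        others = [q for q in self.marks if q != quarantine]
        return {
            # Shown regardless of the reviewer's access to the others.
            "in_other_quarantines": bool(others),
            # Names are disclosed only for quarantines the reviewer may see.
            "named_others": sorted(q for q in others if q in user_access),
        }


def scenario():
    """Constructed case: HR can see Policy, Legal can see Confidential Material."""
    hr = {"Policy"}
    legal = {"Confidential Material"}
    msg = QuarantinedMessage(483, ["Policy", "Confidential Material"])

    view = msg.listing("Policy", hr)
    steps = []
    msg.act(hr, Mark.RELEASED)
    steps.append(msg.disposition())   # still held by the other quarantine
    msg.act(legal, Mark.DELETED)
    steps.append(msg.disposition())   # deleted once, so never delivered
    return view, steps


if __name__ == "__main__":
    print(scenario())
```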

Message Details and Viewing Message Content

Click on the subject line of a message to view that message’s content and to access the Quarantined Message page.

The Quarantined Message page has two sections: Quarantine Details and Message Details.

From the Quarantined Message page, you can read the message, select a Message Action, send a copy of the message, or test for viruses. You can also see if a message will be encrypted upon release from the quarantine due to the Encrypt on Delivery filter action.

The Message Details section displays the message body, message headers, and attachments. Only the first 100 K of the message body is displayed. If the message is longer, the first 100 K is shown, followed by an ellipsis (...). The actual message is not truncated. This is for display purposes only. You can download the message body by clicking [message body] in the Message Parts section at the bottom of Message Details. You can also download any of the message’s attachments by clicking the attachment’s filename.

If you view a message that contains a virus and you have desktop anti-virus software installed on your computer, your anti-virus software may complain that it has found a virus. This is not a threat to your computer and can be safely ignored.

To view additional details about the message, click the Message Tracking link.


Note

For the special Outbreak quarantine, additional functionality is available. See The Outbreak Quarantine.

Viewing Matched Content

When you configure a quarantine action for messages that match Attachment Content conditions, Message Body or Attachment conditions, Message body conditions, or the Attachment content conditions, you can view the matched content in the quarantined message. When you display the message body, the matched content is highlighted in yellow, except for DLP policy violation matches. You can also use the $MatchedContent action variable to include the matched content from message or content filter matches in the message subject.

If the attachment contains the matched content, the attachment’s contents are displayed, as well as the reason it was quarantined, whether it was due to a DLP policy violation, content filter condition, message filter condition, or Image Analysis verdict.

When you view messages in the local quarantine that have triggered message or content filter rules, the GUI may display content that did not actually trigger the filter action (along with content that triggered the filter action). The GUI display should be used as a guideline for locating content matches, but does not necessarily reflect an exact list of content matches. This occurs because the GUI uses less strict content matching logic than is used in the filters. This issue applies only to the highlighting in the message body. The table that lists the matched strings in each part of the message, along with the associated filter rule, is correct.

Figure 1. Matched Content Viewed in the Policy Quarantine


Downloading Attachments

You can download a message attachment by clicking the attachment’s file name in the Message Parts or Matched Content section. AsyncOS displays a warning that attachments from unknown sources may contain viruses and asks you if you want to continue. Download attachments that may contain viruses at your own risk. You can also download the message body by clicking [message body] in the Message Parts section.

Testing for Viruses

To test the message for viruses, click Start Test. Use a quarantine to hold messages until you are sure that your anti-virus signatures have been updated.

Testing for viruses sends a copy of the message to the anti-virus engine, not the message itself. The verdict from the anti-virus engine is returned and displayed above the Quarantines area.

About Rescanning of Quarantined Messages

When a message is released from all queues in which it has been quarantined, the following rescanning occurs, depending on the features enabled for the appliance and for the mail policy that originally quarantined the message:

  • Messages released from Policy and Virus quarantines are rescanned by the anti-virus, advanced malware protection, and graymail engines.
  • Messages released from the Outbreak quarantine are rescanned by the anti-spam, AMP, and anti-virus engines. (For information about rescanning of messages while in the Outbreak quarantine, see )
  • Messages released from the File Analysis quarantine are rescanned for threats.
  • Messages with attachments are rescanned by the file reputation service upon release from Policy, Virus, and Outbreak quarantines.

Upon rescanning, if the verdict produced matches the verdict produced the previous time the message was processed, the message is not re-quarantined. Conversely, if the verdict is different, the message could be sent to another quarantine.

The rationale is to prevent messages from looping back to the quarantine indefinitely. For example, suppose a message is encrypted and therefore sent to the Virus quarantine. If an administrator releases the message, the anti-virus engine will still not be able to decrypt it; however, the message should not be re-quarantined or a loop will be created and the message will never be released from the quarantine. Since the two verdicts are the same, the system bypasses the Virus quarantine the second time.

The Outbreak Quarantine

The Outbreak quarantine is present when a valid Outbreak Filters feature license key has been entered. The Outbreak Filters feature sends messages to the Outbreak quarantine, depending on the threshold set. For more information, see

The Outbreak quarantine functions just like other quarantines—you can search for messages, release or delete messages, and so on.

  • Standard

  • Rule Summary

The Outbreak quarantine has some additional features not available in other quarantines: the Manage by Rule Summary link, the Send to Cisco feature when viewing message details, and the option to sort messages in search results by the Scheduled Exit time.

If the license for the Outbreak Filters feature expires, you will be unable to add more messages to the Outbreak quarantine. Once the messages currently in the quarantine have expired and the Outbreak quarantine becomes empty, it is no longer shown in the Quarantines listing in the GUI.

Rescanning Messages in an Outbreak Quarantine

Messages placed in the Outbreak quarantine are automatically released if newly published rules deem the quarantined message no longer a threat.

If anti-spam and anti-virus are enabled on the appliance, the scanning engines scan every message released from the Outbreak quarantine based on the mail flow policy that applies to the message.

Manage by Rule Summary Link

Click the Manage by Rule Summary link next to the Outbreak quarantine in the quarantine listing to view the Manage by Rule Summary page. You can perform message actions (Release, Delete, Delay Exit) on all of the messages in the quarantine based on which outbreak rule caused the message to be quarantined. This is ideal for clearing out large numbers of messages from the Outbreak quarantine. For more information, see the topics under Outbreak Quarantine and the Manage by Rule Summary View.

Reporting False Positives or Suspicious Messages to Cisco Systems

When viewing message details for a message in the Outbreak quarantine, you can send the message to Cisco to report false positives or suspicious messages.

Procedure

Step 1

Navigate to a message in the Outbreak quarantine.

Step 2

In the Message Details section, select the Send a Copy to Cisco Systems check box.

Step 3

In the new web interface, click the blue number in the Message column of the outbreak filters entry in the table and select the check box of the message(s) and select Send a Copy.

Step 4

Enter the recipient address and click Send.