Forefront Security - Deliver from Quarantine

    Question

  • Hello Everyone - 

    I have run into an issue and I'm a little stuck. An email came into our Exchange 2007 SP3 environment and was blocked by FF. Our security team would like to look at the files that were deleted. I see the files/email listed under "Report>Quarantine". When I try to select the delivery option and send it to a different mailbox, FF scans and deletes the message again. I have tried to use the "extractfiles" command, but I'm not sure if I'm doing it correctly because it doesn't extract the virus name or the zip file containing the virus. Can anyone please help?

    P.S. 

    Transport and Realtime Scan Jobs are set to "Delete: remove contents" and not "Purge: eliminate message". 

    Under SETTINGS, General Options I have:

    Transport Quarantine Messages: Quarantine as Single EML file

    Deliver from Quarantine Security: Compatibility Mode

    Friday, August 03, 2012 6:27 PM

Answers

  • Hi,

    Thank you for the post.

    Look at this article: http://technet.microsoft.com/en-us/library/bb795089.aspx. It mentions the extractfiles.exe tool, which I suppose can do this for you.

    The ExtractFiles tool

    Forefront Security for Exchange Server includes a console tool, ExtractFiles, that enables you to extract all, or a subset, of the quarantined files to a specified directory.

    This is the syntax of ExtractFiles:

    extractfiles <path> <type>

    Path: The absolute path of the folder in which to save the extracted quarantined files.

    Type: The type of quarantined files to extract. This can be the specific name of a virus, a specific extension, or all quarantined files. For example:

    Jerusalem.Standard   Extracts files that were infected with the virus named Jerusalem.Standard.

    *.doc   Extracts quarantined files having a .doc extension.

    *.*   Extracts all quarantined files

    Examples:

    extractfiles C:\temp\quarantine Jerusalem.Standard

    extractfiles C:\extract\ *.doc

    Regards,


    Nick Gu - MSFT

    Tuesday, August 07, 2012 2:45 AM
    Moderator
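
One way to run the ExtractFiles syntax quoted above and prepare the result for hand-off to a security team, as an added example that is not part of the thread or of Microsoft's documentation. The tool folder is a placeholder, and the output folder, manifest file name and PowerShell 2.0 or later are assumptions:

```powershell
# Added example: run ExtractFiles, confirm something was written, and hash it.
# Assumptions (not from the thread): $ToolDir is the folder on your server that
# holds extractfiles.exe, and $OutDir is a folder reserved for the samples.
param(
    [string]$ToolDir = 'C:\Path\To\Forefront',   # placeholder: set to your install folder
    [string]$OutDir  = 'C:\extract',             # absolute path, as the tool requires
    [string]$Type    = '*.*'                     # virus name, extension pattern, or *.*
)

$tool = Join-Path $ToolDir 'extractfiles.exe'
if (-not (Test-Path -LiteralPath $tool)) { throw "extractfiles.exe not found in $ToolDir" }
if (-not [System.IO.Path]::IsPathRooted($OutDir)) { throw 'OutDir must be an absolute path' }
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# Syntax from the documentation quoted above: extractfiles <path> <type>
& $tool $OutDir $Type
Write-Host "extractfiles exit code: $LASTEXITCODE"

# Collect what was actually written (ignore a manifest left by an earlier run).
$files = @(Get-ChildItem -LiteralPath $OutDir -Recurse |
           Where-Object { -not $_.PSIsContainer -and $_.Name -ne 'manifest.csv' })
if ($files.Count -eq 0) {
    Write-Warning "Nothing was written to $OutDir for type '$Type'. Compare the type with the entry shown under Report > Quarantine."
    return
}

# Record name, size and SHA-256 of each extracted file so the recipient can
# confirm they received exactly what came out of quarantine.
$sha = [System.Security.Cryptography.SHA256]::Create()
$manifest = foreach ($f in $files) {
    $stream = [System.IO.File]::OpenRead($f.FullName)
    try     { $hash = [BitConverter]::ToString($sha.ComputeHash($stream)) -replace '-', '' }
    finally { $stream.Dispose() }
    New-Object PSObject -Property @{ Name = $f.Name; Bytes = $f.Length; SHA256 = $hash }
}
$manifest | Export-Csv -Path (Join-Path $OutDir 'manifest.csv') -NoTypeInformation
$manifest | Format-Table Name, Bytes, SHA256 -AutoSize
```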

All replies

  • Hello and thanks, Nick, for the response. I tried doing this and the file I wanted to export doesn't export out correctly. It's a zip file with an .exe file within it. When I tried to run it, nothing is exported to the folder I specified. Am I doing something wrong? What am I missing?
    Monday, August 13, 2012 8:42 PM