Release email quarantined by Anti-Malware service in Email
search cancel

Release email quarantined by Anti-Malware service in Email


Article ID: 178544


Updated On:




 When Symantec Email intercepts a malicious email, the service stores the email in quarantine rather than delivering it to the intended recipients.


Symantec Email Security.Cloud


You can release email from quarantine so that the email is delivered to the recipient.

Note: Before proceeding, ensure that the address [email protected] is whitelisted within your organization's on-premises mail servers.

Release email from quarantine:

1. Log in to the console.

2. Navigate to Services > Email Services > Email Quarantine for Administrators.

3. Enter the Pen ID of the virus, or any of the information that are shown in this screenshot.  Note: The Pen number is found in the malware administrator alert.

4. Click Search in order to view the quarantined emails.
5. Locate the required entry, and then click Release on the right.

A confirmation message appears, and the quarantined email is delivered to the intended recipient(s).

Request that Symantec release unreleasable emails

If you cannot release email from the Email Quarantine for Administrators page, you can ask Symantec to release the unreleasable messages.

Note: Symantec does not approve and perform every release request. For the safety of others, Symantec is unlikely to release the quarantined message if the message was originally for a domain other than one associated with your organization's account, or if the message has confirmed malware attached.

There are two options:

Symantec can investigate and release the email if it is clean

  1. Create a support case to report an "Anti-Malware False Positive".
  2. Include the following details, which can be found on the Malware notification:
    • PenID or the sender, recipient, and time stamp of the quarantined email.
    • Tell us if you want the email released if it is a false positive, along with which email address(es) the email should be released to.

Symantec can release the email without investigation or confirming it is not malicious

  1. Create a support case to report an "Anti-Malware False Positive".
  2. Under Download Files within this article, download the file to your local computer.
  3. Open the downloaded file, and fill out the following fields:
    • Case Reference Number (case number of the case you created in step 1)
    • Date of Email
    • Virus Name (available in Email Track and Trace or the alert notification)
    • Virus Pen ID (available in the alert notification)
    • Tower/Mail Server (available in the alert notification)
    • Original Intended Recipient
    • Release Virus to Email Address (if not the same as the Original Intended Recipient)
    • Contact Name
    • Email Address ( of the contact signing the release paperwork )
    • Contact Signature
  4. Save your changes, and then attach the file to your support case.

Symantec can investigate, don't release the email, provide a reason for the block and adjust detections if possible

  1. Create a support case to report an "Anti-Malware False Positive".
  2. Include the following details, which can be found on the Malware notification:
    • PenID or the sender, recipient, and time stamp of the quarantined email.

Additional Information

Frequently asked questions (FAQ's)

Q: How does Email behave when it detects a threat within a message?

  • When Email intercepts a threat in an email, it places the infected email into a holding pen.
  • Within Email Track and Trace, the Delivered column remains "Not Delivered" and the Service column displays "Anti-Malware".
  • Within Email Track and Trace, the name of the virus is logged as "Reason" in the Summary of the message.
  • Email sends a notification from [email protected] to the original recipient and the administrator of the domain protected by Email
    This notification has the Subject "Subject: WARNING: Someone tried to send you a potential virus or unauthorized code", and contains the following:
    • Sender
    • Sending server IP address:
    • Recipient:
    • Subject:
    • Date:
    • Message ID:
    • Virus/Unauthorized code:
    • A line similar to the following, which explains where the email message was quarantined:

      Email quarantined on mail server (Pen ID xxxxxx_xxxxxxxxxx)
  • The infected email is stored for up to 30 days before it is deleted. This quarantine period ensures that the virus is isolated and cannot infect the intended recipient's computer.

Q: How many days do items stay in virus pens?

Items stay in virus pens for 30 days.

Q: What conditions cause an item in a virus pen to be unreleasable?

  • The item contains confirmed malware, such as a mass-mailing virus.
  • Recipients were BCCs, and not the original recipient address.
  • The email is an outbound email.
  • The user doesn't have the correct permissions to be able to release items from quarantine.

Q: In instances where Symantec agrees to manually release a message from a virus pen, what form does the release take?

Once Symantec manually releases a message from a virus pen, the message has the following email characteristics:

  • Sender: [email protected] or  [email protected] 
  • Recipient: (an email address at a domain protected by Email which your organization controls)

Attachments get_app