Release email quarantined by Email Security.cloud

Article ID: 178544

Products

Email Security.cloud

Issue/Introduction

 

Resolution

When Symantec Email Security.cloud intercepts an infected email, the service stores the email in quarantine rather than delivering it to the intended recipients.

You can release email from quarantine so that the email is delivered to the recipient.

Note: Before proceeding, ensure that the address [email protected] is whitelisted within your organization's on-premises mail servers.


Release email from quarantine

  1. Log in to the Symantec.cloud console.
  2. Navigate to Services > Email Services > Anti-Malware.
  3. Click the Malware Release tab.
  4. Enter the Pen number of the virus. The Pen number is found in the malware administrator alert.
  5. Click Search.
    A pop-up appears with details of the quarantined email.
  6. Locate the required entry, and then click Release on the right.
  7. Read the disclaimer that appears, and then click Release.
    A confirmation message appears, and the quarantined email is delivered to the intended recipient(s).

Request that Symantec release otherwise unreleasable email

If you cannot release email from a virus pen, you can ask Symantec to release the otherwise unreleasable messages.

Note: Before making your request, ensure that you have read and understand the entirety of this article.

Symantec does not approve and perform every release request. For the safety of others, Symantec is unlikely to release the quarantined message from the virus pen if the message was originally for a domain other than one associated with your organization's account, or if the message has confirmed malware attached.

There are two options:

Symantec can investigate and release the email if it is clean

  1. Create a support case to report an "Anti-Malware False Positive".
  2. Include the following details, which can be found on the Malware notification:
    • PenID
    • Tell us if you want the email released if it is a false positive, along with which email address(es) the email should be released to.

Symantec can release the email without investigation or confirming it is not malicious

  1. Create a support case to report an "Anti-Malware False Positive".
  2. Under Download Files within this article, download the file Virus_Release_Form.cloud.doc to your local computer.
  3. Open the downloaded file, and fill out the following fields:
    • Case Reference Number (case number of the case you created in step 1)
    • Date of Email
    • Virus Name (available in Email Track and Trace or the alert notification)
    • Virus Pen ID (available in the alert notification)
    • Tower/Mail Server (available in the alert notification)
    • Original Intended Recipient
    • Release Virus to Email Address (if not the same as the Original Intended Recipient)
    • Contact Name
    • Email Address (of the contact signing the release paperwork)
    • Contact Signature
  4. Save your changes, and then attach the file to your support case.

Frequently asked questions (FAQs)

Q: How does Email Security.cloud behave when it detects a threat within a message?

  • When Email Security.cloud intercepts a threat in an email, it places the infected email into a holding pen.
  • Within Email Track and Trace, the Delivered column remains "Not Delivered" and the Service column displays "Anti-Malware".
  • Within Email Track and Trace, the name of the virus is logged as "Reason" in the Summary of the message.
  • Email Security.cloud sends a notification from [email protected] to the original recipient and the administrator of the domain protected by Email Security.cloud.
    This notification has the Subject "Subject: WARNING: Someone tried to send you a potential virus or unauthorized code", and contains the following:
    • Sender
    • Sending server IP address:
    • Recipient:
    • Subject:
    • Date:
    • Message ID:
    • Virus/Unauthorized code:
    • A line similar to the following, which explains where the email message was quarantined:

      Email quarantined on mail server server-x.tower-xxx.messagelabs.com (Pen ID xxxxxx_xxxxxxxxxx)
       
  • The infected email is stored for up to 30 days before it is deleted. This quarantine period ensures that the virus is isolated and cannot infect the intended recipient's computer.
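
The following is an added example, not Symantec code: it pulls the Pen ID, mail server and other release-form details out of an alert body and checks the recipient domain and the 30-day pen retention before a release is requested. The alert layout (one "Label: value" per line), the RFC 2822 date format, the function names and all sample values are assumptions constructed for illustration.

```python
import re
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

# Field labels as the article lists them for the notification.
LABELS = {"Sender", "Sending server IP address", "Recipient", "Subject",
          "Date", "Message ID", "Virus/Unauthorized code"}
QUARANTINE_RE = re.compile(
    r"Email quarantined on mail server (\S+) \(Pen ID ([^)\s]+)\)")
RETENTION = timedelta(days=30)  # pen retention stated in the article

# Constructed sample; layout, addresses, server and Pen ID are assumptions.
SAMPLE_ALERT = """\
Sender: billing@example.net
Sending server IP address: 192.0.2.10
Recipient: alice@example.com
Subject: Invoice
Date: Mon, 03 Mar 2025 09:15:00 +0000
Message ID: <constructed-1@example.net>
Virus/Unauthorized code: Constructed.Sample.Name
Email quarantined on mail server server-1.tower-100.messagelabs.com (Pen ID 123456_1234567890)
"""

def parse_alert(body):
    """Return the alert's labelled fields plus 'Mail server' and 'Pen ID'."""
    fields = {}
    for line in body.splitlines():
        label, sep, value = line.strip().partition(":")
        if sep and label in LABELS and label not in fields:
            fields[label] = value.strip()
    match = QUARANTINE_RE.search(body)
    if match is None:
        raise ValueError("no quarantine line with a Pen ID found")
    fields["Mail server"], fields["Pen ID"] = match.groups()
    return fields

def triage(fields, org_domains, now):
    """Return (pen expiry, notes); assumes Date is an RFC 2822 mail date."""
    notes = []
    domain = fields.get("Recipient", "").rsplit("@", 1)[-1].lower()
    if domain not in org_domains:
        notes.append("recipient domain is not one of ours: release unlikely")
    expires = parsedate_to_datetime(fields["Date"]) + RETENTION
    if now > expires:
        notes.append("older than 30 days: item is no longer in the pen")
    return expires, notes

if __name__ == "__main__":
    f = parse_alert(SAMPLE_ALERT)
    print(f["Pen ID"], triage(f, {"example.com"}, datetime.now(timezone.utc)))
```
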

Q: How many days do items stay in virus pens?

Items stay in virus pens for 30 days.

Q: What conditions cause an item in a virus pen to be unreleasable?

  • The item contains confirmed malware, such as a mass-mailing virus.
  • Recipients were BCCs, and not the original recipient address.
  • The email is an outbound email.
  • The user doesn't have the correct permissions to be able to release items from quarantine.

Q: In instances where Symantec agrees to manually release a message from a virus pen, what form does the release take?

Once Symantec manually releases a message from a virus pen, the message has the following email characteristics:

  • Sender: [email protected]
  • Recipient: (an email address at a domain protected by Email Security.cloud which your organization controls)
  • Subject: *WARNING: INFECTED MESSAGE RELEASED FROM MESSAGELABS*

Attachments

Virus_Release_Form.cloud.doc