Release email quarantined by Anti-Malware service in Email Security.cloud
Article ID: 178544

Products

Email Security.cloud

Issue/Introduction

When Symantec Email Security.cloud intercepts a malicious email, the service stores the email in quarantine rather than delivering it to the intended recipients.

Environment

Email Security.cloud

Resolution

You can release email from quarantine so that the email is delivered to the recipient.

Note: Before proceeding, ensure that the address [email protected] is whitelisted within your organization's on-premises mail servers.


Release email from quarantine:

1. Log in to the Symantec.cloud console.

2. Navigate to Services > Email Services > Email Quarantine for Administrators.

3. Enter the Pen ID of the virus, or any of the other message details that the search page accepts. Note: The Pen ID is found in the malware administrator alert.

4. Click Search to view the quarantined emails.

5. Locate the required entry, and click Release on the right.

A confirmation message appears, and the quarantined email is delivered to the intended recipient(s).

Released email from Email Quarantine:

Malware emails released from the Email Quarantine will have the sender address "[email protected]". The original malware email will be attached to the released email with the filename "infected.eml".

Please note that Track and Trace does not log malware-released emails sent from "[email protected]"; however, you should be able to track these emails through your own mail server's logs. The released email will follow this format.

 

Request that Symantec release unreleasable emails:

If you cannot release email from the Email Quarantine for Administrators page, you can ask Symantec to release the messages that cannot be released.

Note: Symantec does not approve every release request. For the safety of others, Symantec is unlikely to release the quarantined message if the message was originally addressed to a domain other than one associated with your organization's account, or if the message has confirmed malware attached.

The following options are available:

Symantec can investigate and release the email if it is clean

  1. Create a support case to report an "Anti-Malware False Positive".
  2. Include the following details, which can be found on the Malware notification:
    • PenID or the sender, recipient, and time stamp of the quarantined email.
    • Whether you want the email released if it is a false positive, and which email address(es) the email should be released to.

Symantec can release the email without investigating it or confirming that it is not malicious

  1. Create a support case to report an "Anti-Malware False Positive".
  2. Under Attachments at the end of this article, download the file Virus_Release_Form.cloud.doc to your local computer.
  3. Open the downloaded file, and fill out the following fields:
    • Case Reference Number (case number of the case you created in step 1)
    • Date of Email
    • Virus Name (available in Email Track and Trace or the alert notification)
    • Virus Pen ID (available in the alert notification)
    • Tower/Mail Server (available in the alert notification)
    • Original Intended Recipient
    • Release Virus to Email Address (if not the same as the Original Intended Recipient)
    • Contact Name
    • Email Address (of the contact signing the release paperwork)
    • Contact Signature
  4. Save your changes, and then attach the file to your support case.

Symantec can investigate without releasing the email, provide a reason for the block, and adjust detections if possible

  1. Create a support case to report an "Anti-Malware False Positive".
  2. Include the following details, which can be found on the Malware notification:
    • Pen ID or the sender, recipient, and time stamp of the quarantined email.

Additional Information

Frequently asked questions (FAQ)

Q: How does Email Security.cloud behave when it detects a threat within a message?

  • When Email Security.cloud intercepts a threat in an email, it places the infected email into a holding pen.
  • Within Email Track and Trace, the Delivered column remains "Not Delivered" and the Service column displays "Anti-Malware".
  • Within Email Track and Trace, the name of the virus is logged as "Reason" in the Summary of the message.
  • Email Security.cloud sends a notification from [email protected] to the original recipient and the administrator of the domain protected by Email Security.cloud.
    This notification has the subject "WARNING: Someone tried to send you a potential virus or unauthorized code", and contains the following fields:
    • Sender:
    • Sending server IP address:
    • Recipient:
    • Subject:
    • Date:
    • Message ID:
    • Virus/Unauthorized code:
    • A line similar to the following, which states where the email message was quarantined:

      Email quarantined on mail server server-x.tower-xxx.messagelabs.com (Pen ID xxxxxx_xxxxxxxxxx)

  • The infected email is stored for up to 30 days before it is deleted. This quarantine period ensures that the virus is isolated and cannot infect the intended recipient's computer.
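The Pen ID, tower/mail server, virus name and message ID in the notification above are exactly the details the release form and support case ask for, so an administrator who receives many alerts may want to pull them out automatically. The following Python is an added example (not Symantec's code): it parses the "Label: value" lines and the "Email quarantined on mail server ... (Pen ID ...)" line from a constructed sample notification whose addresses, server name and Pen ID are placeholders.

```python
"""Extract support-case fields from an Email Security.cloud Anti-Malware alert.

Example code added here, not Symantec's. The sample notification below is
CONSTRUCTED from the field labels listed in the FAQ; the sender address,
server name, Pen ID and virus name are placeholders, not real values.
"""
import re
from email import message_from_string

# Constructed sample alert (placeholder values only).
SAMPLE_NOTIFICATION = """\
From: alert@example.invalid
To: admin@example.com
Subject: WARNING: Someone tried to send you a potential virus or unauthorized code

Sender: someone@example.net
Sending server IP address: 192.0.2.10
Recipient: user@example.com
Subject: Invoice attached
Date: Mon, 1 Jan 2024 10:00:00 +0000
Message ID: <abc123@example.net>
Virus/Unauthorized code: Trojan.Example.Placeholder

Email quarantined on mail server server-1.tower-123.messagelabs.com (Pen ID 123456_1234567890)
"""

# Field labels the FAQ says the notification contains, written "Label: value".
FIELD_LABELS = ("Sender", "Sending server IP address", "Recipient", "Subject",
                "Date", "Message ID", "Virus/Unauthorized code")

# The quarantine line, e.g.
# "Email quarantined on mail server server-x.tower-xxx.messagelabs.com (Pen ID xxxxxx_xxxxxxxxxx)"
PEN_LINE = re.compile(
    r"Email quarantined on mail server (?P<tower>\S+) \(Pen ID (?P<pen_id>\S+)\)")


def parse_alert(raw):
    """Return a dict of alert fields; raise ValueError if the Pen ID line is missing."""
    body = message_from_string(raw).get_payload()
    fields = {}
    for line in body.splitlines():
        # Split on the first colon only so values such as dates keep their colons.
        label, sep, value = line.partition(":")
        if sep and label.strip() in FIELD_LABELS:
            fields[label.strip()] = value.strip()
    match = PEN_LINE.search(body)
    if not match:
        raise ValueError("no Pen ID line found in notification body")
    fields["Tower/Mail Server"] = match.group("tower")
    fields["Pen ID"] = match.group("pen_id")
    return fields
```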

Q: How many days do items stay in virus pens?

Items stay in virus pens for 30 days.

Q: What conditions cause an item in a virus pen to be unreleasable?

  • The item contains confirmed malware, such as a mass-mailing virus.
  • Recipients were BCCs, and not the original recipient address.
  • The email is an outbound email.
  • The user doesn't have the correct permissions to be able to release items from quarantine.

Q: In instances where Symantec agrees to manually release a message from a virus pen, what form does the release take?

Once Symantec manually releases a message from a virus pen, the message has the following email characteristics:

  • Sender: [email protected] or [email protected]
  • Recipient: (an email address at a domain protected by Email Security.cloud which your organization controls)
  • Subject: *WARNING: INFECTED MESSAGE RELEASED FROM MESSAGELABS* or *WARNING POTENTIALLY INFECTED EMAIL RELEASED FROM SYMANTEC.CLOUD*

Attachments

Virus_Release_Form.cloud.doc