
Quarantine

In document Proofpoint Administration Guide (Page 145-169)

About the Quarantine

The Quarantine is an area where copies of messages that triggered rules can be stored for further review. The messages are stored in a database on the Proofpoint Protection Server and are accessible through the management interface. Administrators can create Quarantine Folders to further organize messages in the Quarantine. For example, you can create separate folders for messages sent to the Quarantine that contain adult content, are infected with a virus, or trigger an Email Firewall rule.

Use the links under Quarantine in the navigation pane to configure the Quarantine and manage the messages in the Quarantine. For information about the management tasks for the Quarantine, see Viewing and Managing Messages.

The Quarantine interface is optimized for quickly finding specific messages through a powerful search mechanism and finding predefined groups of messages using queries you can create and save (for example, messages with a virus in the last 24 hours).

To ensure that the server always has enough space to quarantine messages:

• Allocate plenty of disk space for the Quarantine.

• Take disk space limits into consideration when creating rules that send copies of messages to the Quarantine.

• Be aware of the expiration period for messages in the Quarantine. When messages expire, they are removed from the Quarantine, freeing up space.

The System > Summary > Server Status page displays how much disk space is available on the Proofpoint Protection Server. Be sure to check it frequently.

When several Proofpoint Protection Servers are deployed in a cluster, each agent system maintains a local Quarantine Queue and a Quarantine Consolidator. The Quarantine Consolidator is a program that transfers the messages from each Quarantine Queue to the master Proofpoint Protection Server Quarantine or, if you have designated an agent as a Quarantine Node, to the Quarantine Node.

When you view and manage the messages in the Quarantine, you are managing a consolidated repository of all of the messages from all of the systems in the cluster. If for any reason the master Proofpoint Protection Server is temporarily off-line, the agent systems continue to populate their local Quarantine Queues until the master Proofpoint Protection Server is back on-line. At that point the messages are transferred from the agents to the master Proofpoint Protection Server Quarantine.

Related Topics:

See Introduction to Quarantine Folders for an overview of how to use folders to organize messages in the Quarantine.

About Message Reporting

Once a message is reported to the Proofpoint Protection Server, either from an end user or an administrator, the message follows the same path:

• The Proofpoint Protection Server looks up the message in the Quarantine.

• The Proofpoint Protection Server forwards the message using SOAP/HTTPS to Proofpoint. (If an administrator reports a message from the Quarantine, the message also includes meta information provided by the administrator in the Report Message pop-up window.)

• Proofpoint processes and analyzes the message. The data the engineers gather from reported messages is used to train the MLX engine, which is included with each spam update.

Related Topics

See Administrators Reporting False Negatives and Positives for information about message reporting from the Quarantine.

See Users Reporting False Negatives and Positives for information about message reporting from end user Digests.

Quarantine General Settings

Use the Quarantine > Settings > General page to set preferences for releasing, deleting, searching for messages in the Quarantine, and for setting timestamp preferences.

To configure general Quarantine settings, make selections or enter data for the following parameters, and then save your changes.

Release Subject Prefix – this is the text that appears by default in the subject header of the message when the user or administrator releases a message from the Quarantine. Enter the text you want to display in this field.

Confirm Delete – On is selected by default. A message box prompts the administrator before deleting messages. When you delete a message from any folder, you can save a copy of the message in the Deleted Folder.

Confirm Release – On is selected by default. A message box prompts the administrator before releasing messages from the Quarantine.

Enable Fast Query By Default – On is selected by default, which significantly increases the speed of the query. Fast Query is a global setting and can be temporarily disabled. When Fast Query is enabled, the message count is not available (for example, Messages 41 - 60), and the Last Page / Last Message button is not available. To temporarily disable the Fast Query feature, clear the Fast Query check box in the Messages form on the Quarantine Messages page. If you clear the Fast Query check box, you will see a message warning you that the query will slow down considerably.

Enable Resubmit Messages – if you select On, the Quarantine displays a Resubmit button. This feature allows the administrator to re-submit selected messages to the Proofpoint Protection Server for filtering. It is useful if, for example, you have messages in the Quarantine that are probablespam and you have since updated the Spam MLX Definitions and Spam MLX Engine: you may want to re-submit the messages for filtering with the updated Spam Detection Module. The reinject SMTP profile is used for re-submitting or re-injecting messages back into the filtering process.

Keep Messages Selected – when you select a message in the Quarantine and apply an action, such as Redirect, the selection check box is cleared for that message. If you want to maintain the selection for a message, click the On radio button for the Keep Messages Selected parameter.

Show Date/Time in Desktop Time – when viewing the messages in the Quarantine, the timestamp for each message displays in the Date column. This is the date and time that a copy of the message was placed in the Quarantine. By default, the timestamp reflects the time on the Proofpoint Protection Server to which the management interface is connected. For example, if you start a browser on your local system and connect the management interface to a Proofpoint Protection Server in another time zone, the timestamp reflects the time in that zone, not your local time zone. By default, if the timestamp for the message reflects the current day, only the time displays and not the current date (month, day, and year).

Always Show Time With Date – click the On radio button for this parameter if you want the timestamps to always display the day, month, and year along with the time.

Enabling and Disabling Message Reporting

Enable message reporting on the Quarantine > Settings > Spam Reporting page. When enabled, a Report choice is added to the Options menu on the Quarantine Message list. Administrators can then select messages in the Quarantine to report as false positives or false negatives to the Proofpoint anti-spam laboratory for analysis.

The Enable Message Reporting parameter sends the message header and telemetry information to Proofpoint.

The Include Message By Default parameter sends the entire message, including the message header and telemetry information to Proofpoint.

The telemetry information includes which rules were triggered and what caused the trigger. Each reported message is tracked with an ID number. You can view the ID numbers by selecting the Reference ID field when you configure the Quarantine layout.

Important: You must activate the Proofpoint Protection Server before you can use this feature.

See Enabling and Providing Commands to the End Users in "End User Services" for information about allowing end users to report false negatives and false positives from their Digests.

Handling Quarantine and User Repository Errors

If you have temporarily disabled the Quarantine, you need to determine how to handle messages that have been filtered and are destined for the folders in the Quarantine. Since the Quarantine repository cannot accept messages when it is down, you can configure a rule to apply a disposition to messages that would otherwise go into the Quarantine. Configure these settings on the Quarantine > Settings > Error page.

The Quarantine Repository Error rule is configured to Reject messages that cannot be placed in the Quarantine.

You can edit the rule by clicking the Edit Rule button and changing the delivery method and delivery options.

The User Repository Error rule is configured to Reject messages when the User Repository is temporarily disabled.

You can edit the rule by clicking the Edit Rule button and changing the delivery methods and delivery options.

Important: If you change the Delivery Method to Continue for the Quarantine Repository Error rule, be aware that you may be passing messages to your email infrastructure that contain a virus, spam, or inappropriate content. These messages would typically be quarantined.

Queue Consolidation

When you have a cluster of a master server and agents, the agents use a program called the Quarantine Consolidator to transfer the messages stored locally in their Quarantine Queue to the master Proofpoint Protection Server. The Quarantine Consolidator program uses the SOAP protocol to maximize transfer rates between the master and the agents.

Change Quarantine Queue Consolidator settings on the Quarantine > Settings > Consolidation page.

To change the default SOAP protocol settings:

1. The Quarantine Consolidator is enabled by default. If you need to temporarily disable it, click the Off radio button for the Enable parameter. For example, you might disable the Quarantine Consolidator if you need to troubleshoot or repair the database on the master Proofpoint Protection Server.

2. The Hostname field displays the name of the master Proofpoint Protection Server. By default, the agents transfer their messages to the master.

3. If applicable, enter new values into the Timeout, Maximum Messages, Block Size, and Maximum Block Length fields.

4. Click Save Changes.

Click the Default button to restore the default values.

Creating Message Templates

You can create message templates on the Quarantine > Settings > Templates page to use when you redirect messages in a Quarantine folder to another recipient. The templates save you time by automatically replacing pre-defined variables with the appropriate information. When you redirect a quarantined message, you can select a template from the list instead of entering text into the Redirect Message pop-up window.

To create a message template:

1. Click the New link to create a message template.

2. Enter a name for the template into the Quarantine Templates field. For example, VirusMessage.

3. Click in the text field, and type the message. You can insert variables from the Template Variables list by clicking the variable. For example: This message from ${OriginalSender} went into quarantine on ${InsertionDate} because it contained ${VirusName}.

Note: If you are using Chrome or Firefox browsers, you cannot insert variables by clicking them. You must copy and paste them or enter them manually into the text box.

4. Click the Save link to save the new template.

Note: When you point to a variable, a tool tip displays. See Using Variables in Rules in "Rules and Delivery Dispositions" for a description of each variable.

When you redirect a message in the Quarantine, your template appears on the Comments drop-down list of the Redirect Message pop-up window.
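Because variables sometimes have to be typed or pasted by hand, a local check of the template text before saving catches misspelled or malformed placeholders. The following is an added example, not Proofpoint code: the function names and sample values are constructed, and the known-variable set holds only the three variables shown in this section.

```python
import re

# Variables that appear in this section's sample template. The full list is in
# the guide's "Using Variables in Rules"; extend this set from that reference.
KNOWN_VARIABLES = {"OriginalSender", "InsertionDate", "VirusName"}

_PLACEHOLDER = re.compile(r"\$\{([^{}]*)\}")
# A "$" that does not start a well-formed ${...} placeholder.
_STRAY_DOLLAR = re.compile(r"\$(?!\{[^{}]*\})")


def lint_template(text, known=KNOWN_VARIABLES):
    """Return (kind, offset, snippet) tuples for problems in a hand-typed template."""
    problems = []
    for match in _PLACEHOLDER.finditer(text):
        if match.group(1) not in known:
            problems.append(("unknown", match.start(), match.group(0)))
    for match in _STRAY_DOLLAR.finditer(text):
        snippet = text[match.start():match.start() + 16]
        problems.append(("malformed", match.start(), snippet))
    return sorted(problems, key=lambda p: p[1])


def preview(text, values):
    """Fill placeholders from `values`; anything unresolved stays visible."""
    return _PLACEHOLDER.sub(
        lambda m: str(values.get(m.group(1), m.group(0))), text)


# Constructed inputs: the guide's sample template, and a variant with a missing
# closing brace, a misspelled name and a placeholder without braces.
GOOD = ("This message from ${OriginalSender} went into quarantine on "
        "${InsertionDate} because it contained ${VirusName}.")
TYPO = "Quarantined on ${InsertionDate ; sender ${OrginalSender}; virus $VirusName"
SAMPLE_VALUES = {
    "OriginalSender": "sender@example.com",
    "InsertionDate": "2024-05-01 09:30",
    "VirusName": "EICAR-Test-File",
}

if __name__ == "__main__":
    print(lint_template(GOOD))
    for problem in lint_template(TYPO):
        print(problem)
    print(preview(GOOD, SAMPLE_VALUES))
```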

Setting Layout Defaults

Use the Quarantine > Settings > Layout page to control the number of messages and which columns and fields to display in the Message List on the Quarantine > Messages page. These are default parameters, and can be overridden during a search query.

Each time you click Reset and Search when searching for messages, the number of messages displayed in the list and the fields displayed will default to the settings you make on the Quarantine > Settings > Layout page.

To configure the default layout and which columns to display:

1. Select a number from the Results Per Page drop-down list.

2. For Wrap Recipient Column, click the On button if you want the entire recipient address to display (wrap) on the Message List.

Note: The Wrap Recipient Column parameter is designed to wrap multiple recipient addresses, not to wrap one long recipient address.

3. Using the right-arrow (>>) button, select the fields you want to display from the Available Fields list and move them into the Show These Fields In This Order list.

4. Using the up and down arrow buttons, arrange the order of the fields in the Show These Fields In This Order list.

Note: If you are changing the status and adding comments to messages in the Quarantine, be sure to select Comments, Status, and Status (Icon) to display on the Message list. See Changing Status and Adding Comments to Messages for more information.

5. Click Save Changes.

To restore the fields to their default settings, click Default.

Note: Any fields that you use in a query are automatically added to the Message List display whether you specify them or not.

Introduction to Quarantine Folders

The Quarantine Folders feature allows administrators to organize the messages in the Quarantine into specific folders. Each folder has its own properties: a name, folder disposition settings, message expiration mode, whether or not to expose the messages in the folder in the End User Digests, and whether or not to allow Smart Send. System folders cannot be deleted - you can only delete folders that you create. Copies of messages will automatically be placed in the Quarantine folder if you do not select a specific folder for those messages.

Important: If your organization is enforcing Folder Access Control, you may not be able to view or manage all of the folders in the Quarantine. See About Administration Privileges and Folder Access Control in Adding and Deleting Administrators for more information.

Administrators have the ability to encrypt the contents of a Quarantine folder for PCI security compliance. An encrypted folder displays a lock icon in the management interface. See Encrypting Folder Content for more information.

You can complete the following tasks from the Quarantine > Folders page:

• Create a folder.

• Change folder settings.

• View the messages in a folder.

When you delete messages manually, you have the option of keeping a copy in the Deleted folder or permanently deleting them from the currently-selected folder.

The Audit folder stores copies of messages when administrators select Include in Audit folder as a delivery option for messages that trigger a rule. Administrators can select the Include in Audit folder as a delivery option for any rule in any module. One example for using the Audit folder is for storing copies of messages that are classified as notspam by the Spam Detection Module. Administrators can configure the Proofpoint Protection Server to include the contents of the Audit folder in end user digests, and allow end users to report false negatives to Proofpoint.

When administrators create rules to send messages to the Quarantine, they specify a unique folder in which to place copies of the messages. For example, an administrator can create a spam policy for users who are on vacation. All messages containing spam for those users can be stored in a folder named Vacation that has a three-month expiration period. Users going on vacation can request or select the Vacation spam policy to handle their spam messages until they return.

Administrators can create message filtering policies and rules that send copies of messages to specific folders in the Quarantine. For example, you can create a rule in the Email Firewall Module that sends copies of messages containing words from a dictionary that you create to a Quarantine folder first, allowing the administrator an opportunity to review the messages as a precaution before releasing them to the recipients.

Note: Administrators can send copies of messages to any folder when creating a rule in any module. For example, you can create a rule in the Email Firewall Module that stores copies of messages in the Zerohour folder (which does not make sense). It is good practice to select folders that correspond to the particular filtering module when you create rules that store copies of messages in a Quarantine folder.

Related Topics:

See About the Quarantine for an introduction to Quarantine concepts.

See Users Reporting False Negatives and Positives in "End User Services" for information on allowing end users to report false negatives and positives from their Digests.

Folders and Message Expiration

Every message that is sent to the Quarantine receives a timestamp. This timestamp is used for search queries and, more importantly, to manage expiration criteria. The Proofpoint Protection Server periodically runs an expiration process (internally named qexpire) that acts upon messages in a Quarantine folder according to the folder configuration and the age of the message.

Administrators can use any of these methods to manage messages in a Quarantine folder:

• Delete messages manually in a folder by selecting them in the Message List on the Quarantine > Messages page and clicking Delete. When you delete messages by this method, you are prompted to make one of the following choices:

- Save a copy of the deleted messages in the Deleted folder.

- Permanently delete the messages from the current folder.

• Act upon messages in a Quarantine folder (apply a disposition) once messages in the folder reach a certain age. You have these choices for the action to take when a message in the folder reaches a certain age:

- Delete the message from the folder.

- Store the message in the folder for a period of time, and then resubmit it to all the filtering engines or resubmit it only to the Virus Protection Module. Your organization must be licensed for the Virus Protection Module to filter messages for virus.

- If you have the optional Zero-Hour Anti-Virus Module, you can store the message in the folder and wait for new anti-virus signature files in a specific time period, or wait for a maximum time period. Messages with this disposition are resubmitted to the filtering engines at the next process time or are delayed by hours, days, or months before being resubmitted to the filtering engines.

- Store the message in the folder for a period of time and wait for new MLX spam definitions to be distributed. Re-submit the message to the Spam Detection Module for scanning.
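How an age-based pass over folders behaves, as an added illustration that is not Proofpoint's qexpire code: it models only the delete and resubmit choices listed above and reports how long a reviewer has before a held message is acted upon. The class, action and folder names and the sample messages are constructed; the Vacation folder and its three-month expiration (taken here as 90 days) come from the guide's own example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Hypothetical action names modelling the choices listed above.
KEEP = "keep"
DELETE = "delete"
RESUBMIT_ALL = "resubmit to all filtering engines"
RESUBMIT_AV = "resubmit to Virus Protection Module only"


@dataclass(frozen=True)
class Folder:
    name: str
    max_age: timedelta  # age at which the folder's disposition applies
    on_expiry: str      # DELETE, RESUBMIT_ALL or RESUBMIT_AV


@dataclass(frozen=True)
class Message:
    msg_id: str
    folder: str
    quarantined_at: datetime  # timestamp assigned on entry to the Quarantine


def sweep(messages, folders, now):
    """One expiration pass: map each message id to (action, time_left)."""
    by_name = {f.name: f for f in folders}
    result = {}
    for m in messages:
        folder = by_name.get(m.folder)
        if folder is None:
            # No configuration for this folder: never guess a destructive action.
            result[m.msg_id] = (KEEP, None)
            continue
        time_left = folder.max_age - (now - m.quarantined_at)
        if time_left <= timedelta(0):
            result[m.msg_id] = (folder.on_expiry, timedelta(0))
        else:
            result[m.msg_id] = (KEEP, time_left)
    return result


# Constructed sample data; "HoldForAV" and "Unlisted" are made-up folder names.
UTC = timezone.utc
NOW = datetime(2024, 5, 1, 12, 0, tzinfo=UTC)
FOLDERS = [
    Folder("Vacation", timedelta(days=90), DELETE),
    Folder("HoldForAV", timedelta(hours=6), RESUBMIT_AV),
]
MESSAGES = [
    Message("m1", "Vacation", datetime(2024, 1, 15, 8, 0, tzinfo=UTC)),
    Message("m2", "Vacation", datetime(2024, 4, 20, 8, 0, tzinfo=UTC)),
    Message("m3", "HoldForAV", datetime(2024, 5, 1, 5, 0, tzinfo=UTC)),
    Message("m4", "HoldForAV", datetime(2024, 5, 1, 9, 0, tzinfo=UTC)),
    Message("m5", "Unlisted", datetime(2024, 4, 1, 0, 0, tzinfo=UTC)),
]

if __name__ == "__main__":
    for msg_id, (action, left) in sweep(MESSAGES, FOLDERS, NOW).items():
        print(msg_id, action, left)
```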

Folder Disposition Parameters

A folder disposition defines the action to take when messages in the folder reach a certain age:

Store Messages – messages are stored in the folder for a specific period of time, and then permanently deleted from the Quarantine. If you select this choice, enter a value into the field and select a period for the Messages expired after drop-down list. If you choose the Store Messages disposition, messages will automatically be deleted from the folder when they reach the age of the expiration period.

Delay Delivery – messages are stored in the folder for a specific period of time, and then they are either resubmitted to all of the filtering modules for filtering (Resubmit), or resubmitted only to the Virus Protection Module for filtering before releasing (Release With AV Scan). If no rules are triggered, the message is
