Quarantine

About quarantine

You can configure Perception Point to quarantine potentially malicious emails and files:

Emails

  • When an email is quarantined, it is blocked by Perception Point, and is not sent to its original intended recipient.

  • When an email is released from quarantine, the email is moved to the Inbox of the original recipient.

Files

  • When a file is quarantined in a cloud storage integration, the file is transferred to a designated location in the cloud storage system.

  • When a file is released from quarantine, the file is moved from the quarantine location to the original recipient location in the cloud storage system.

Items are quarantined by Perception Point X‑Ray based on the assigned scan-verdicts of the items. For details about scan verdicts, see Verdicts.

Data retention: Quarantined emails are retained for 180 days. After 180 days, the associated .eml file is deleted. The 180-day period can't be changed. After 180 days, details of the associated scan still appear in the Scans page in Perception Point X‑Ray, but full details of the email are no longer available.

Which verdicts cause quarantine

Quarantine is triggered by the verdict that is assigned to a scan. The verdicts that you can select to cause quarantine are malicious, spam, and restricted. When an organization is added to Perception Point X‑Ray, the scan verdicts that will cause quarantine are selected. You can also modify this list of verdicts after the organization has been added, by modifying the organization details [as described below].

Note:

  • If at least one verdict has been selected to cause quarantine, Perception Point X‑Ray will be operating in blocking mode. For details, see Quarantine mode below.

  • Quarantine does not apply to outbound emails. See Onboarding Microsoft 365 - Outbound.

To specify which scan-verdicts cause quarantine:

  1. In Perception Point X‑Ray, in the left navigation menu, select Account > Bundles and Channels.

  2. On the right of the Enabled Channels header, click Default Channels Settings.

    The Default Channel Settings pane opens.

  3. On the right of the Default Channel Settings header, click the Edit icon.

  4. In the Detection section, under Verdicts to quarantine, select which of the scan verdicts will cause quarantine. The options are:

    • Malicious: Applies to all channels

    • Restricted: Applies to email scans only. [See Restricted file types]

    • Spam: Applies to email scans only

  5. Click Save.

    Note: When you select verdicts to be quarantined, Perception Point X‑Ray will quarantine all future emails that have the selected verdicts. Emails that were received previously will not be quarantined.

Quarantine mode

With respect to quarantine, Perception Point X‑Ray can operate in either of two modes:

  • Blocking mode: At least one verdict type [malicious, spam, or restricted] has been selected to cause quarantine.

  • Monitoring mode: [Also known as passive mode] No verdict types have been selected to cause quarantine. Monitoring mode is typically used while Perception Point X‑Ray is being evaluated in a new organization, so that the customer's business operations are not affected.

For details on how to configure your organization for blocking mode or monitoring mode, see Which verdicts cause quarantine above.

Note: Even when an organization is in monitoring mode, there may be certain emails that are quarantined. These are emails that have been assigned a malicious verdict with 100% confidence - typically due to the detection of high-severity BEC malware.

Alerts and reports for quarantined items

You can define alerts and reports that will be sent when an item is quarantined:

  • Alerts: You can set up an alert that will send an email each time an email or a file is quarantined. The alert email can be sent to specified admin users and/or the target end-users. For details, see Alerts.

  • Reports: You can configure Perception Point X‑Ray to send reports of all items that have been quarantined during the reporting period. These are called Digest reports. Digest reports can be sent 1, 2, 4, or 6 times per day. For details, see Digest reports.

If an item has been quarantined, and you think that this quarantine action may not be correct, you can request that the Perception Point IR Team analyze the scan. For details, see Requesting an investigation.

See also Releasing a quarantined email below.

Releasing a quarantined email

After an email is quarantined, you can release the email if you believe that it should not be quarantined. When you release an email, the email will proceed to the recipient's Inbox.

  • You can release an email only from the detailed view in the Scans page.

  • You can release an email only if it does not yet have the status Completed.

Note:

  • Only an admin user in Perception Point X‑Ray can release quarantined emails that have a malicious verdict. An end-user who is not an admin user cannot release these quarantined malicious emails.

  • For details about end-users releasing quarantined emails that have a spam verdict, see Configuring Digest reports.

To release a quarantined email:

  1. Open the quarantined scan in the Scans-details page.

  2. Click Release.

  3. Select if you want to add any of the sender's details to an allow list.

    Note: Adding entries to an allow list will help to ensure that similar emails are not quarantined in the future. For details about allow lists, see Allowlists.

  4. Click Release email.

Note:

  • After an email is released, the released email should appear in the user's Inbox almost immediately - within a few seconds.

  • It is possible to select multiple quarantined scans, and then perform a bulk release of all of them. For details, see Performing bulk actions.

Sending Digest reports

You can configure Perception Point to send Digest reports. Each Digest report includes a list of the incidents that were detected in your organization during the reporting period. You define which scan verdicts to include in the reports: malicious, restricted, and/or spam. You can also specify whether the Digest reports should include only incidents that were quarantined, or all incidents, even if they were not quarantined. For details, see Digest reports.

Note: For details about end-users releasing quarantined emails that have a spam verdict, see Configuring Digest reports.

Where do quarantined emails go

The location where a quarantined email is stored depends on the integration method:

  • Inline integrations: [Microsoft 365 Inline; Google Workspace; Microsoft Exchange] The email is located in the Perception Point servers.

  • Microsoft 365 API: The email is located in a hidden [not visible] folder in the user's mailbox. The content and subject of the email have been changed. For details, see A bit more about the Microsoft 365 API integration.

Listing quarantined items

You can display a list of all the emails and files that are currently quarantined in your organization.

To display a list of quarantined emails and files:

  1. In Perception Point X‑Ray, in the left navigation menu, select Security Operations > Scans.

  2. Click the Advanced Filter icon, located on the right of the Search box.

  3. In the list of available filters, under Action, select Quarantined.

  4. Click "Apply Filters" to display a list of all the emails that are currently quarantined.