How to restore files quarantined by Endpoint Protection to an alternative location

Article ID: 2834037

Summary

A file quarantined by Forefront Endpoint Protection 2010 (FEP 2010) or System Center 2012 Endpoint Protection (SCEP 2012) can be restored to an alternative location by using the MpCmdRun command-line tool. The syntax is as follows:

-Restore

      -ListAll
      Lists all items that were quarantined.

      -Name <name>
      Restores the most recently quarantined item based on threat name. One threat can map to more than one file.

      -All
      Restores all the quarantined items based on name.

      -Path
      Specifies the path where the quarantined items will be restored. If not specified, the item is restored to the original path.
 
Sample syntax: 
 
MpCmdRun.exe -Restore -Name <name> -Path <path>

where the -Name value is the threat name, not the name of the file to restore.

Things to remember:

1. You can restore a file only by “threat name”, not by file name.

2. A restore brings back all files in the quarantine that have the same threat name.

3. There is no method to restore only a single file.

4. The “threat name” is case-sensitive.

For example:

Threatname = RemoteAccess:Win32/RealVNC

This syntax is correct: MpCmdRun.exe -Restore -Name RemoteAccess:Win32/RealVNC

This syntax is not correct and will not work: MpCmdRun.exe -Restore -Name RemoteAccess:Win32/realvnc

NOTE: To know the exact spelling of a threat name, use the following syntax to generate the list of threat names currently in the quarantine folder:

MpCmdRun.exe -Restore -ListAll

Sample Output:
 
C:\Program Files\Microsoft Security Client>mpcmdrun -restore -listall
The following items are quarantined:
 
ThreatName = Backdoor:Win32/Qakbot
      file:C:\Cases\Qakbot1\bjlgoma.exe quarantined at 2/21/2013 10:39:07 PM (UTC)
      file:C:\Cases\Qakbot1\bsfsvesx.exe quarantined at 2/21/2013 10:39:07 PM (UTC)
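
The following PowerShell sketch is an added example, not part of the original article: it parses the -ListAll output shown above, checks a threat name case-sensitively, and reports every file that one -Name restore would bring back. The function names and the D:\Restored target path are hypothetical.

```powershell
function ConvertFrom-QuarantineList {
    # Turns "-Restore -ListAll" output into one object per quarantined file.
    param([string[]]$Lines)
    $threat = $null
    foreach ($line in $Lines) {
        if ($line -match '^\s*ThreatName\s*=\s*(.+?)\s*$') {
            $threat = $Matches[1]
        }
        elseif ($threat -and $line -match '^\s*file:(.+?)\s+quarantined at\s+(.+?)\s*$') {
            [pscustomobject]@{ ThreatName = $threat; File = $Matches[1]; QuarantinedAt = $Matches[2] }
        }
    }
}

function Get-RestoreArguments {
    # Validates the threat name with -ceq (case-sensitive) and lists every file it maps to.
    param([object[]]$Quarantine, [string]$Name, [string]$Path)
    $hits = @($Quarantine | Where-Object { $_.ThreatName -ceq $Name })
    if ($hits.Count -eq 0) {
        $near = @($Quarantine | Where-Object { $_.ThreatName -ieq $Name } |
                  ForEach-Object { $_.ThreatName } | Select-Object -Unique)
        if ($near.Count -gt 0) { throw "Case mismatch for '$Name'; quarantine lists: $($near -join ', ')" }
        throw "Threat name '$Name' is not in the quarantine list."
    }
    [pscustomobject]@{
        Files     = @($hits | ForEach-Object { $_.File })
        Arguments = @('-Restore', '-Name', $Name, '-Path', $Path)
    }
}

# Sample output copied from this article. On a live system, capture it instead with:
#   $lines = & 'C:\Program Files\Microsoft Security Client\MpCmdRun.exe' -Restore -ListAll
$lines = @'
The following items are quarantined:

ThreatName = Backdoor:Win32/Qakbot
      file:C:\Cases\Qakbot1\bjlgoma.exe quarantined at 2/21/2013 10:39:07 PM (UTC)
      file:C:\Cases\Qakbot1\bsfsvesx.exe quarantined at 2/21/2013 10:39:07 PM (UTC)
'@ -split '\r?\n'

$quarantine = ConvertFrom-QuarantineList -Lines $lines
$plan = Get-RestoreArguments -Quarantine $quarantine -Name 'Backdoor:Win32/Qakbot' -Path 'D:\Restored'
"Files this restore affects:"; $plan.Files
"MpCmdRun.exe arguments: $($plan.Arguments -join ' ')"

# A wrongly cased name is rejected before MpCmdRun.exe is ever called.
try { Get-RestoreArguments -Quarantine $quarantine -Name 'backdoor:win32/qakbot' -Path 'D:\Restored' }
catch { "Rejected: $($_.Exception.Message)" }
```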

Note: This is a "FAST PUBLISH" article created directly from within the Microsoft support organization. The information contained herein is provided as-is in response to emerging issues. As a result of the speed in making it available, the materials may include typographical errors and may be revised at any time without notice. See Terms of Use for other considerations.

Properties

Article ID: 2834037 - Last Review: April 10, 2013 - Revision: 2.0
Applies to
  • Microsoft Forefront Endpoint Protection 2010
  • Microsoft System Center 2012 Endpoint Protection
  • Microsoft System Center 2012 Endpoint Protection Service Pack 1
Keywords: KB2834037
