A file quarantined by Forefront Endpoint Protection 2010 (FEP 2010) or System Center 2012 Endpoint Protection (SCEP 2012) may be restored to an alternative location by using the MPCMDRUN command-line tool. The syntax is explained below:

-Restore

      -ListAll

      List all items that were quarantined

      -Name <name>

      Restores the most recently quarantined item based on threat name. One threat can map to more than one file

      -All

      Restores all the quarantined items based on name

      -Path

      Specify the path where the quarantined items will be restored. If not specified, the item will be restored to the original path.

Sample syntax: 

Mpcmdrun –restore -name -path

where -name is the threat name, not the name of the file to restore.

Things to remember:

  1. When attempting to restore a file you can only restore by “threat name”, not by file name!

  2. Your restore results will be that all files in the quarantine that have the same threat name get restored.

  3. There is no method to restore only a single file.

  4. The “threat name” is case-sensitive.

For example:

Threatname = RemoteAccess:Win32/RealVNC

This syntax is correct: MpCmdRun.exe -Restore -Name RemoteAccess:Win32/RealVNC

This syntax is not correct and will not work: MpCmdRun.exe -Restore -Name RemoteAccess:Win32/reallvnc

NOTE: To know the exact spelling of a threat name, use the following syntax to generate the list of threat names currently in the quarantine folder:

Mpcmdrun –Restore –ListAll

Sample Output:

C:\Program Files\Microsoft Security Client>mpcmdrun -restore -listall

The following items are quarantined:


ThreatName = Backdoor:Win32/Qakbot

      file:C:\Cases\Qakbot1\bjlgoma.exe quarantined at 2/21/2013 10:39:07 PM (UTC)

      file:C:\Cases\Qakbot1\bsfsvesx.exe quarantined at 2/21/2013 10:39:07 PM (UTC)

Need more help?

Want more options?

Explore subscription benefits, browse training courses, learn how to secure your device, and more.

Communities help you ask and answer questions, give feedback, and hear from experts with rich knowledge.