A file quarantined by Forefront Endpoint Protection 2010 (FEP 2010) or System Center 2012 Endpoint Protection (SCEP 2012) may be restored to an alternative location by using the MPCMDRUN command-line tool. The syntax is explained below:
-Restore
    -ListAll
        List all items that were quarantined
    -Name <name>
        Restores the most recently quarantined item based on threat name. One threat can map to more than one file.
    -All
        Restores all the quarantined items based on name
    -Path <path>
        Specify the path where the quarantined items will be restored. If not specified, the item will be restored to the original path.
Sample syntax:
MpCmdRun.exe -Restore -Name <threatname> -Path <path>
where <threatname> is the threat name, not the name of the file to restore, and <path> is the folder the quarantined files are restored to.
Things to remember:
- When attempting to restore a file, you can only restore by “threat name”, not by file name.
- Every file in the quarantine that carries that threat name is restored together.
- There is no method to restore only a single file.
- The “threat name” is case-sensitive.
For example:
Threatname = RemoteAccess:Win32/RealVNC
This syntax is correct: MpCmdRun.exe -Restore -Name RemoteAccess:Win32/RealVNC
This syntax is not correct and will not work, because the threat name differs only in case: MpCmdRun.exe -Restore -Name RemoteAccess:Win32/realvnc
NOTE: To know the exact spelling of a threat name, use the following syntax to list the threat names currently in the quarantine folder:
MpCmdRun.exe -Restore -ListAll
Sample Output:
C:\Program Files\Microsoft Security Client>mpcmdrun -restore -listall
The following items are quarantined:
ThreatName = Backdoor:Win32/Qakbot
file:C:\Cases\Qakbot1\bjlgoma.exe quarantined at 2/21/2013 10:39:07 PM (UTC)
file:C:\Cases\Qakbot1\bsfsvesx.exe quarantined at 2/21/2013 10:39:07 PM (UTC)
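The procedure above (list the quarantine, copy the threat name exactly, restore it to a folder other than the original path) as an added PowerShell example; this is not code from the original article or from the Microsoft tools. It assumes the MpCmdRun.exe location shown below (the article only shows that folder as the working directory) and a hypothetical analysis folder D:\Quarantine-Review. The parser is checked offline against the sample output printed in the article; the live restore call is left commented out.

```powershell
# Added example (not code from the original KB article): list the quarantine with
# "MpCmdRun -Restore -ListAll", parse the output into threat name -> files, and
# restore one threat name to an analysis folder rather than the original path.
# Assumptions not stated on the page: the MpCmdRun.exe location below and the
# hypothetical folder D:\Quarantine-Review used as the restore target.

$MpCmdRun   = 'C:\Program Files\Microsoft Security Client\MpCmdRun.exe'
$RestoreDir = 'D:\Quarantine-Review'   # hypothetical; an isolated folder, never the original path

function ConvertFrom-ListAllOutput {
    # Turn the "-Restore -ListAll" text into a case-sensitive dictionary
    # (threat name -> list of quarantined files). A default PowerShell hashtable
    # compares keys case-insensitively, which would hide the case distinction
    # the restore command itself enforces, so an Ordinal comparer is used.
    param([Parameter(Mandatory)] [string[]] $Lines)
    $threats = New-Object 'System.Collections.Generic.Dictionary[string,object]' -ArgumentList ([System.StringComparer]::Ordinal)
    $current = $null
    foreach ($line in $Lines) {
        if ($line -match '^\s*ThreatName\s*=\s*(\S.*?)\s*$') {
            $current = $Matches[1]
            if (-not $threats.ContainsKey($current)) {
                $threats[$current] = New-Object System.Collections.ArrayList
            }
        }
        elseif ($current -and $line -match '^\s*file:(.+?)\s+quarantined at\s+(.+?)\s*$') {
            [void] $threats[$current].Add([pscustomobject]@{
                Path          = $Matches[1]
                QuarantinedAt = $Matches[2]
            })
        }
    }
    return $threats
}

function Get-QuarantinedThreats {
    # Live query of the local quarantine.
    $output = & $MpCmdRun -Restore -ListAll
    ConvertFrom-ListAllOutput -Lines $output
}

function Restore-QuarantinedThreat {
    param(
        [Parameter(Mandatory)] [string] $ThreatName,
        [string] $Destination = $RestoreDir
    )
    $threats = Get-QuarantinedThreats
    if (-not $threats.ContainsKey($ThreatName)) {
        # Exact (case-sensitive) lookup failed; check whether only the case differs,
        # because that is the mistake the article warns about.
        $near = @($threats.Keys | Where-Object { $_ -ieq $ThreatName })
        if ($near.Count -gt 0) {
            throw "No exact match for '$ThreatName'. The quarantine has '$($near[0])' (threat names are case-sensitive)."
        }
        throw "No quarantined item has the threat name '$ThreatName'."
    }
    $files = $threats[$ThreatName]
    # Every file under this threat name comes back; there is no single-file restore.
    Write-Host "Restoring all $($files.Count) file(s) quarantined as '$ThreatName' to $Destination"
    foreach ($f in $files) { Write-Host "  $($f.Path)  (quarantined $($f.QuarantinedAt))" }

    if (-not (Test-Path -LiteralPath $Destination)) {
        New-Item -ItemType Directory -Path $Destination | Out-Null
    }
    & $MpCmdRun -Restore -Name $ThreatName -Path $Destination
    if ($LASTEXITCODE -ne 0) { throw "MpCmdRun.exe exited with code $LASTEXITCODE" }
    Get-ChildItem -LiteralPath $Destination -File
}

# Offline check of the parser against the sample output shown in the article
# (constructed input; no MpCmdRun call is made here):
$sample = @(
    'The following items are quarantined:',
    'ThreatName = Backdoor:Win32/Qakbot',
    'file:C:\Cases\Qakbot1\bjlgoma.exe quarantined at 2/21/2013 10:39:07 PM (UTC)',
    'file:C:\Cases\Qakbot1\bsfsvesx.exe quarantined at 2/21/2013 10:39:07 PM (UTC)'
)
$parsed = ConvertFrom-ListAllOutput -Lines $sample
$parsed['Backdoor:Win32/Qakbot'] | Format-Table Path, QuarantinedAt -AutoSize

# Live use (uncomment on a host running FEP 2010 / SCEP 2012):
# Restore-QuarantinedThreat -ThreatName 'Backdoor:Win32/Qakbot'
```

Restoring to a separate folder keeps the samples away from the paths they originally ran from, which matters because the restored files are still the detected binaries; treat the analysis folder as untrusted and do not execute anything from it. The case-insensitive fallback only reports the spelling it found; it never silently substitutes it, so the command that actually runs is always the exact name the operator asked for.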