How to restore files quarantined by Endpoint Protection to an alternative location

A file quarantined by Forefront Endpoint Protection 2010 (FEP 2010) or System Center 2012 Endpoint Protection (SCEP 2012) may be restored to an alternative location by using the MPCMDRUN command-line tool. The syntax is explained below:
      List all items that were quarantined
      -Name <name>
      Restores the most recently quarantined item based on threat name. One threat can map to more than one file
      Restores all the quarantined items based on name
      Specify the path where the quarantined items will be restored. If not specified, the item will be restored to the original path.
Sample syntax: 
Mpcmdrun –restore -name -path
where -name is the threat name, not the name of the file to restore.

Things to remember:

1.  When attempting to restore a file you can only restore by “threat name”, not by file name!

2.   Your restore results will be that all files in the quarantine that have the same threat name get restored. 

3.  There is no method to restore only a single file. 

4. The “threat name” is case-sensitive.

For example:

Threatname = RemoteAccess:Win32/RealVNC

This syntax is correct: MpCmdRun.exe -Restore -Name RemoteAccess:Win32/RealVNC

This syntax is not correct and will not work: MpCmdRun.exe -Restore -Name RemoteAccess:Win32/reallvnc

NOTE: To know the exact spelling of a threat name, use the following syntax to generate the list of threat names currently in the quarantine folder:

Mpcmdrun –Restore –ListAll

Sample Output:
C:\Program Files\Microsoft Security Client>mpcmdrun -restore -listall
The following items are quarantined:
ThreatName = Backdoor:Win32/Qakbot
      file:C:\Cases\Qakbot1\bjlgoma.exe quarantined at 2/21/2013 10:39:07 PM (UTC)
      file:C:\Cases\Qakbot1\bsfsvesx.exe quarantined at 2/21/2013 10:39:07 PM (UTC)
Note This is a "FAST PUBLISH" article created directly from within the Microsoft support organization. The information contained herein is provided as-is in response to emerging issues. As a result of the speed in making it available, the materials may include typographical errors and may be revised at any time without notice. See Terms of Use for other considerations.

Article ID: 2834037 - Last Review: 04/10/2013 15:15:00 - Revision: 2.0

Microsoft Forefront Endpoint Protection 2010, Microsoft System Center 2012 Endpoint Protection, Microsoft System Center 2012 Endpoint Protection Service Pack 1

  • KB2834037