Managing Restore Requests

Quarantine Restore Requests

Under User Interaction > Restore Requests, you can find the requests from users to restore an item from quarantine.

You may review the items the users asked to restore by clicking on the subject line, sender and recipient links, as well as reviewing the restore request.


Requesting a Restore from Quarantine - End-User Experience

Using the link in the email, end-users can request to release the quarantined email or attachment if a false positive is suspected.

Note - This procedure is applicable only when the email is sent to individual recipients or distribution lists. For the procedure to request to restore a quarantined email sent to groups, see Restore Requests for Quarantined/Cleaned Emails Sent to Groups.

To request a restore from quarantine:

  1. Click on the link in the email you received.
  2. On the User Verification page that appears, do these:
    1. Enter your email address and click Submit.
      Avanan sends a verification code to your email address.
    2. Enter the verification code you received and click Submit.
      Note - Once authenticated, the user does not need to authenticate again in the same browser for the next 30 days.
  3. Enter the reason for the release of email from quarantine and click Submit.
    You will receive a notification that the request is sent to the administrator.
  4. If the request is approved by the administrator, the original message will be delivered to the end-user.

Restore Requests for Emails Sent to Groups - End-User Experience

This procedure is applicable when these conditions are met:

  • The threat detection policy that the email matched is in Protect (Inline) protection mode.
  • Email is sent to groups containing multiple users (not individual recipients or distribution lists).
  • Email is quarantined or its attachments are cleaned.

To request a restore of a quarantined/cleaned email:

  1. Click on the link in the email notification you received for the quarantined/cleaned email.
  2. On the User Verification page that appears, do these:
    1. Enter your email address and click Submit.
      Avanan sends a verification code to your email address.
    2. Enter the verification code you received and click Submit.
      Note - Once authenticated, the user does not need to authenticate again in the same browser for the next 30 days.
  3. Enter the reason for your request to restore the original email and click Submit.
    The system shows the request status and the email is delivered to the mailbox in a couple of minutes.
    Note - The email received time is the restore time of the email, and not the original email sent time.

Admin Quarantine Release Process

When the end-user requests to release an email, the administrator is notified via an email sent to the configured Restore requests approver email address. The email contains a direct link to the email profile in the Avanan Portal. The administrator can do a full security review of the malware from the Avanan Portal and can restore the email or decline the release request.



Restoring Quarantined Emails - End-User Experience

After the administrator approves an end-user request to restore an email from quarantine, Avanan performs these actions:

  • Removes the quarantine/clean email notifications received for the quarantined email from the end-user mailbox.
  • Adds the original email to the end-user mailbox, where the email received time is the restore time of the email from quarantine, and not the original email sent time.

This example shows the initial email received by the end-user.

[Screenshot: email before approval by the administrator]

This example shows the same email received by the end-user after the administrator approved the restore request.

Note - The initial email received by the end-user is removed, and the restored email is delivered as a new email to the end-user mailbox. The email received time is the time the administrator restored the email, and not the original email sent time.

[Screenshot: email after approval by the administrator]

Who Receives the Emails Restored from Quarantine

  • Emails quarantined by Avanan:
    • Depending on the configured workflow, Avanan delivers the email only to the requesting user or to all the original recipients.
      • If the user restores the email without administrator approval, Avanan delivers the email only to the requesting user.
      • If the administrator releases the email from quarantine, Avanan delivers the email to all the original recipients of the email.
  • Emails quarantined in Microsoft:
    • Avanan delivers the restored emails to all the original recipients regardless of whether it is restored by the user or the administrator.

Notifying End Users about Rejected Restore Requests

To notify end users when their quarantine restore requests are rejected:

  1. Go to Security Settings > User Interaction > Restore Requests.
  2. In the User-Reported Phishing Emails section, select the Notify users when their reports are approved/declined checkbox.
  3. To configure the sender email address for notifications:
    • Friendly-From name
      • To use a customized name, select Custom and enter the sender name.
      • If no friendly-from name is required, select None.
    • From address
      • To use the default email address, select Default. The default email address is no-reply@checkpoint.com.
      • To use a custom email address, select Custom and enter the email address.
    • Reply-to address
      • To use From address as the Reply-to address, select Same as From address.
      • To use a custom email address, select Custom and enter the email address.
        Note - If you use a custom email address:
        • The domain must be one of the domains included in your organization's Microsoft / Google account.
        • You must add the Avanan include statement to the domain's DNS. The custom address won't take effect until the include statement is available in your organization's DNS.

  4. Click Save and Apply.

    Note - This will also enable end-user notifications for approved and rejected phishing reports.
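
The two conditions in the note on custom addresses can be checked before saving. The following is an added example, not Avanan code; it assumes the "include statement" is an SPF include: mechanism, and the include target, domains and TXT strings are constructed placeholders.

```python
# Added example, not vendor code. ASSUMPTION: the "include statement" is an SPF
# include: mechanism; REQUIRED_INCLUDE is a placeholder for the vendor's value.
REQUIRED_INCLUDE = "spf.vendor-placeholder.example"

# Constructed sample data (not real DNS answers).
ORG_DOMAINS = ["example.com", "corp.example.com"]
TXT_OK = ["site-verification=constructed",
          "v=spf1 include:spf.vendor-placeholder.example ~all"]
TXT_MISSING = ["v=spf1 mx -all"]


def spf_policies(txt_records):
    """Return the TXT strings that are SPF policies (first term is v=spf1)."""
    return [t.strip() for t in txt_records
            if t.split() and t.split()[0].lower() == "v=spf1"]


def has_include(policy, target):
    """True if the policy authorises target through a pass-qualified include."""
    wanted = "include:" + target.lower().rstrip(".")
    for term in policy.lower().split()[1:]:
        # "+" is the default qualifier; "-", "~" and "?" includes do not
        # authorise the included senders, so they are rejected here.
        if term.startswith("+"):
            term = term[1:]
        if term.rstrip(".") == wanted:
            return True
    return False


def check_custom_address(address, org_domains, txt_records,
                         target=REQUIRED_INCLUDE):
    """txt_records: TXT answers for the address's domain. Returns problems."""
    local, sep, domain = address.rpartition("@")
    domain = domain.lower().rstrip(".")
    if not (local and sep and domain):
        return ["not a valid email address"]
    problems = []
    if domain not in {d.lower().rstrip(".") for d in org_domains}:
        problems.append("domain is not one of the organization's domains")
    policies = spf_policies(txt_records)
    if not policies:
        problems.append("no SPF record published")
    elif len(policies) > 1:
        problems.append("multiple SPF records (a permanent error per RFC 7208)")
    elif not has_include(policies[0], target):
        problems.append("SPF record lacks include:" + target)
    return problems
```

An empty list means both conditions in the note hold for the address; pass in the TXT answers your resolver returns for the address's domain.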

To configure the notification subject and body, go to Configuration > SaaS Applications > Office 365 Mail or Gmail > Advanced and edit these templates:

  • Decline message subject
  • Decline message body

Dedicated Quarantine Mailbox / Folder

If you would like to store quarantined emails/files locally, you can configure a dedicated quarantine repository for every protected application. This repository is used to store every email / attachment / file that is quarantined automatically according to the policy or manually by administrators.

Specifying such a mailbox/folder is not mandatory, as Avanan stores a copy of quarantined items in an S3 bucket associated with the Avanan portal.

Office 365 Mail

Note - The dedicated quarantine mailbox must be a fully licensed mailbox and it cannot be a shared mailbox.

To configure the dedicated Office 365 Mail quarantine mailbox, go to Security Settings > SaaS Applications and click Configure for Office 365 Mail.


Gmail

To configure the dedicated Gmail quarantine mailbox, go to Security Settings > SaaS Applications and click Configure for Gmail.


Restore Request Approver

When a user requests to release an email from quarantine, Avanan sends email notifications to the email accounts configured in the Send alerts on requests to restore emails from quarantine to field.

Note - This field does not determine the restore requests approver. To approve a request, the approver must have the Admin role.

Office 365 Email

To add email accounts to the Send alerts on requests to restore emails from quarantine to field:

  1. Go to Security Settings > SaaS Applications.
  2. Click Configure for Office 365 Mail.
  3. In the Send alerts on requests to restore emails from quarantine to field, enter the email addresses.
  4. Click Save.

Gmail

To add email accounts to the Send alerts on requests to restore emails from quarantine to field:

  1. Go to Security Settings > SaaS Applications.
  2. Click Configure for Gmail.
  3. In the Send alerts on requests to restore emails from quarantine to field, enter the email addresses.
  4. Click Save.