Retention Time for Messages in Quarantines

Messages are automatically removed from the quarantine under the following circumstances:

  • Normal Expiration—the configured retention time is met for a message in the quarantine. You specify a retention time for messages in each quarantine. Each message has its own specific expiration time, displayed in the quarantine listing. Messages are stored for the amount of time specified unless another circumstance described in this topic occurs.

    Note
    The normal retention time for messages in the Outbreak Filters quarantine is configured in the Outbreak Filters section of each mail policy, not in the outbreak quarantine.
  • Early Expiration—messages are forced from quarantines before the configured retention time is reached. This can happen when:

    • The size limit for all quarantines, as defined in Disk Space Allocation for Policy, Virus, and Outbreak Quarantines, is reached.

      If the size limit is reached, the oldest messages, regardless of quarantine, are processed and the default action is performed for each message, until the size of all quarantines is again less than the size limit. The policy is First In First Out (FIFO). Messages in multiple quarantines will be expired based on their latest expiration time.

      (Optional) You can configure individual quarantines to be exempt from release or deletion because of insufficient disk space. If you configure all quarantines to be exempt and the disk space reaches capacity messages will be held on the Email Security appliance until space is available on the Security Management appliance.

      Because the Security Management appliance does not scan messages, a copy of each message in the centralized outbreak quarantine is stored on the Email Security appliance that originally processed the message. This allows the Email Security appliance to rescan quarantined messages each time outbreak filter rules are updated, and tell the Security Management appliance to release messages that are no longer deemed a threat. Both copies of the outbreak quarantine should hold the same set of messages at all times. Therefore, in the rare situation when disk space on the Email Security appliance becomes full, then the copies of messages in the Outbreak quarantine on both appliances will expire early, even if the centralized quarantine still has space.

      You will receive alerts at disk-space milestones. See Alerts About Quarantine Disk-Space Usage.

  • You delete a quarantine that still holds messages.

When a message is automatically removed from a quarantine, the default action is performed on that message. See Default Actions for Automatically Processed Quarantined Messages.

Note
In addition to the above scenarios, messages can be automatically removed from quarantine based on the result of scanning operations (outbreak filters or file analysis.)

Effects of Time Adjustments on Retention Time

  • Daylight savings time and appliance time zone changes do not affect the retention period.
  • If you change the retention time of a quarantine, only new messages will have the new expiration time.
  • If the system clock is changed, messages that should have expired in the past will expire at the next most appropriate time.
  • System clock changes do not apply to messages that are in the process of being expired.