A file quarantined by Forefront Endpoint Protection 2010 (FEP 2010) or System Center 2012 Endpoint Protection (SCEP 2012) may be restored to an alternative location by using the MPCMDRUN command-line tool. The syntax is explained below:
- -Restore
- -ListAll
- List all items that were quarantined
- -Name <name>
- Restores the most recently quarantined item based on threat name. One threat can map to more than one file
- -All
- Restores all the quarantined items based on name
- -Path
- Specify the path where the quarantined items will be restored. If not specified, the item will be restored to the original path.
- Sample syntax:
- Mpcmdrun –restore -name -path
- where -name is the threat name, not the name of the file to restore.
Things to remember:
1. When attempting to restore a file you can only restore by “threat name”, not by file name!
2. Your restore results will be that all files in the quarantine that have the same threat name get restored.
3. There is no method to restore only a single file.
4. The “threat name” is case-sensitive.
For example:
Threatname = RemoteAccess:Win32/RealVNC
This syntax is correct: MpCmdRun.exe -Restore -Name RemoteAccess:Win32/RealVNC
This syntax is not correct and will not work: MpCmdRun.exe -Restore -Name RemoteAccess:Win32/reallvnc
NOTE: To know the exact spelling of a threat name, use the following syntax to generate the list of threat names currently in the quarantine folder:
Mpcmdrun –Restore –ListAll
- Sample Output:
- C:\Program Files\Microsoft Security Client>mpcmdrun -restore -listall
- The following items are quarantined:
- ThreatName = Backdoor:Win32/Qakbot
- file:C:\Cases\Qakbot1\bjlgoma.exe quarantined at 2/21/2013 10:39:07 PM (UTC)
- file:C:\Cases\Qakbot1\bsfsvesx.exe quarantined at 2/21/2013 10:39:07 PM (UTC)