000033107 - How to release all quarantined emails at once in RSA Data Loss Prevention 9.6 and later versions

Document created by RSA Customer Support Employee on Jun 14, 2016Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 2Show Document
  • View in full screen mode

Article Content

Article Number000033107
Applies ToRSA Product Set: DLP
RSA Product/Service Type: Enterprise Manager / Network Interceptor 
RSA Version/Condition: 9.6
Platform: Windows 2008 Server R2 Enterprise (64 bit)
TasksHow to release all the quarantined emails in an automated manner instead of releasing them manually one by one via EM GUI.
Resolution
  1. SSH to Network Interceptor with tablus account:
    • Take a backup from the quarantine queue to any other location

    •  
      cp /var/spool/mqueue-quarantine/* /home/tablus/mqueue-quarantine-backup

       
    • move all the quarantine emails to the outgoing queue to be released and forwarded to your smarthost
       
      mv /var/spool/mqueue-quarantine/* /var/spool/mqueue-out

       
  2. Login to RSA_DLP_EM Database, and execute the below query:
    update E_ABSTRACT_EVENT_ACTION set action_type='release' where action_type='quarantine'


    The above query will change all the incidents that were quarantined action to "release" status in Enterprise Manager.

Attachments

    Outcomes