Allow admin to approve items quarantined by VSAPI
Running the VSAPI background check seems like a nice idea at first, until it quarantines items it shouldn't, and there is no option for an admin to un-quarantine them.
We ran the background check and it quarantined important historical legal emails because they had attachments containing b2b macros that we expected to find, but which the macro checker on one of the AV engines apparently objected to.
We had previously run the background checker without an issue, but on this pass computer said NO to these items.
Now, having quarantined them via the VSAPI background checker, ME provides no option for an admin to "un-quarantine" them, with GFI support saying it's "as designed". If you try it, you get the message - Error: 'Email with id xx cannot be approved since it was blocked by VSAPI'
It is quite unacceptable that GFI denies a customer access to their own data, regardless of what risk-level an algorithm might determine.
There needs to be a way to undo this action, and allow for either unintended settings or errant scanning of mail items.
Unfortunately, because of how VSAPI works, there is no method to undo an action.
The item is deleted and the attachment is available in the quarantine, so that there is a copy of the deleted item.
Robert Affleck commented
This is pretty bad. My org just "lost" 1200 or so messages due to "Failed [VSE]" via Information Store Protection and they are now in a useless quarantine as I cannot approve or have them rescanned. Uncool GFI.
Roland Desort commented
Having the same problem for a few weeks now. And it's July 2017 now. Is there anyone home at GFI? We are quite near deinstalling GFI.
Mike Bundy commented
I just posted a comment and have no idea if it was successful - I'm not going to waste my time trying to rewrite the entire message.
The bottom line here is that "potentially malicious" doesn't cut it.
These items were quarantined because of a false positive, but because they were detected (incorrectly) via the VSAPI there is apparently no way to release them from quarantine, and resorting to an Exchange Backup to restore items is not a practical solution. If the items are in the quarantine database, there MUST be a way to recover/release them.
GFI does not have the right to remove access to company information, without providing a means to restore that information.
This is a limitation of the VSAPI itself.
Currently we can only remove items; however, when removing items we are always removing potentially malicious items.