FCS: Retrieve Quarantined Files Remotely

There are times you may need to retrieve files quarantined by the FCS antimalware engine from a remote computer. FCS locally quarantines the files on the computer where the infection happened.

Note: This procedure requires Robocopy. Robocopy is included with Windows 7 and Windows Vista, but must be added to older operating systems. For Windows Server 2003 and Windows XP, see the Windows Server 2003 Resource Kit Tools download for Robocopy. Alternatively, you can use XCopy.

To retrieve the quarantined files remotely, use the following steps:

  1. On the computer to which you want to transfer the quarantined files, open an elevated command prompt.

  2. In the command prompt window, type the following command if your target computer is running Windows Vista or higher:

    robocopy "\\target-machine\c$\ProgramData\Application Data\Microsoft\Microsoft Forefront\Client Security\Client\Antimalware\Quarantine" "C:\ProgramData\Application Data\Microsoft\Microsoft Forefront\Client Security\Client\Antimalware\Quarantine" /MIR

    If your target computer is running an operating system that predates Windows Vista, use the following command instead:

    robocopy "\\target-machine\c$\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Forefront\Client Security\Client\Antimalware\Quarantine" "C:\ProgramData\Application Data\Microsoft\Microsoft Forefront\Client Security\Client\Antimalware\Quarantine" /MIR

  3. Open the FCS client UI on your local computer (the destination), click Tools, and then click Quarantined items. You should now see the items that were quarantined on the remote machine.

  4. To view the contents of the files, you must Restore the files using the Restore button.

Note: The drive/volume letter and the folder structure of the original path of the quarantined files on the source computer must already exist on the destination computer.
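
The copy in steps 1 and 2, wrapped in a PowerShell script as an added example (not Microsoft's code): it picks whichever of the two source paths exists on the target and, unless -Apply is given, runs robocopy with /L so you can see what /MIR would copy and what it would purge from the local quarantine folder before anything changes. The parameter names, retry options and log location are assumptions.

```powershell
# Added example, not Microsoft's code. Run elevated on the destination computer.
param(
    [Parameter(Mandatory = $true)][string]$Target,  # remote computer name (assumed parameter)
    [switch]$Apply                                  # without -Apply, robocopy only lists (/L)
)

$rel  = 'Microsoft\Microsoft Forefront\Client Security\Client\Antimalware\Quarantine'
$dest = "C:\ProgramData\Application Data\$rel"

# The two source locations from step 2: Windows Vista or later first, then older systems.
$candidates = @(
    ('\\{0}\c$\ProgramData\Application Data\{1}' -f $Target, $rel),
    ('\\{0}\c$\Documents and Settings\All Users\Application Data\{1}' -f $Target, $rel)
)
$source = $candidates | Where-Object { Test-Path -LiteralPath $_ } | Select-Object -First 1
if (-not $source) {
    throw "No FCS quarantine folder reachable on $Target through the administrative share."
}

# Log location is an assumption; each run gets its own file.
$log  = Join-Path $env:TEMP ('fcs-quarantine-{0}-{1:yyyyMMdd-HHmmss}.log' -f $Target, (Get-Date))
$opts = @('/MIR', '/R:2', '/W:5', '/NP', "/LOG:$log")
if (-not $Apply) { $opts += '/L' }   # list only: nothing is copied or deleted

& robocopy.exe $source $dest @opts | Out-Null
$code = $LASTEXITCODE

# Robocopy exit codes are a bitmask; 8 or higher means at least one copy failed.
if ($code -ge 8) { throw "robocopy failed with exit code $code; see $log" }

# /MIR purges destination entries that are absent from the source. Robocopy logs
# them as *EXTRA, so a non-zero count means local quarantine items would be removed.
$extra = @(Select-String -Path $log -Pattern '\*EXTRA\s+(File|Dir)').Count

New-Object PSObject -Property @{
    Source       = $source
    Destination  = $dest
    Mode         = $(if ($Apply) { 'copied' } else { 'preview (/L)' })
    ExitCode     = $code
    ExtraEntries = $extra
    Log          = $log
}
```

If ExtraEntries is greater than zero in the preview, the destination already holds quarantine items of its own; copy them elsewhere before rerunning with -Apply.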

For more information about retrieving quarantined files from a remote computer, see http://support.microsoft.com/kb/953524.