For the purposes of this, I’m assuming you have set up a single (safe!) postfix instance, with messages going to the HOLD queue, before being processed by MailScanner and sent to the INCOMING queue. You also need to be saving whole messages as queue files.
In MailScanner.conf ensure that you have
# When you quarantine an entire message, do you want to store it as # raw mail queue files (so you can easily send them onto users) or # as human-readable files (header then body in 1 file)? Quarantine Whole Messages As Queue Files = yes
Quarantined emails are by default kept in /var/spool/MailScanner/quarantine and sorted into subdirectories by date. With any luck it will be dead easy to find, as MailScanner will have sent a message including text along the lines of either:
A: If it’s a quarantined virus, or other dangerous content.