You are going through a lot of work needlessly.
The Email Security Service (ESS) is a pass-through service that keeps a history of the last 30 days of activity.
Mail that is DEFERRED is going to be retried by the sending server, which will show up in the log at a later time (depending on the sender's retry interval).
ESS does not accept messages, scan them and then deliver them.
ESS accepts a connection from the sender, connects to the recipient's server and monitors the traffic for spam and virus content.
If ESS sees something in the traffic that is spam or a virus, it stops the data transfer to the destination server but still continues to accept the entire message and shows it in the log as blocked or quarantined. ESS then sends a REJECT code to the sending server and closes the connection.
If ESS sees something in the traffic that is suspicious or that needs additional processing (virus scanning, for example), then again we stop the data transfer to the destination server but still accept the full message from the sender, and at the end of data return a DEFER code to the sender so they retry the message.
Incoming mail that shows as DEFERRED in the logs will be retried by legitimate senders and usually delivered the next time through the system.
For example, if you are using Advanced Threat Detection (ATD) and a message with a large attachment comes in, we may not be able to complete the scanning of the attachment in real time, so the message is deferred while the scanning continues in the background. The sender retries that message (again a new line in the logs) and the attachment that was previously scanned is instantly resolved and the mail either delivered or blocked depending on the results of the previous scan.
The same goes for suspicious mail. Someone who sends a mass mailing to thousands of our users across multiple domains is often seen as a potential spammer. We defer their mail as suspicious. If they retry the mail, we will allow it through that filter and continue with our normal scanning and either deliver or block the mail based on the scanning results.
If you access your message log and search for the subject of the deferred mail you are manually delivering, you should see it normally delivered later on.
Hope this helps explain the service.
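
The log check described in the post above, as an added example that is not part of the original post and not vendor code: it pairs each DEFERRED entry with the later retry for the same sender, recipient and subject, and reports how the retry ended. The CSV column names, action labels and sample rows are constructed for illustration and are an assumed layout, not the actual ESS export format.

```python
import csv
import io
from datetime import datetime

# Constructed sample rows; the columns are an assumed layout, not the real ESS export.
SAMPLE_LOG = """\
time,sender,recipient,subject,action
2024-05-01T09:00:00,news@example.org,amy@example.com,May newsletter,DEFERRED
2024-05-01T09:02:00,bob@example.net,amy@example.com,Q2 report,DEFERRED
2024-05-01T09:15:00,news@example.org,amy@example.com,May newsletter,DEFERRED
2024-05-01T09:20:00,bob@example.net,amy@example.com,Q2 report,DELIVERED
2024-05-01T09:45:00,news@example.org,amy@example.com,May newsletter,BLOCKED
2024-05-01T10:00:00,x@example.invalid,amy@example.com,Invoice,DEFERRED
"""


def resolve_deferrals(log_text):
    """Map each deferred message to the outcome of the sender's retries.

    Returns {(sender, recipient, subject): {"attempts", "first", "final",
    "waited"}}. "final" stays DEFERRED (and "waited" None) when the log
    holds no resolved retry yet, i.e. the sender has not come back.
    """
    rows = sorted(csv.DictReader(io.StringIO(log_text)), key=lambda r: r["time"])
    result = {}
    for row in rows:
        key = (row["sender"], row["recipient"], row["subject"])
        when = datetime.fromisoformat(row["time"])
        action = row["action"].upper()
        entry = result.get(key)
        if entry is None:
            if action != "DEFERRED":
                continue  # never deferred, nothing to track
            entry = result[key] = {"attempts": 0, "first": when,
                                   "final": "DEFERRED", "waited": None}
        if entry["final"] != "DEFERRED":
            continue  # already resolved; a later identical mail is a new message
        entry["attempts"] += 1  # each retry is a new line in the log
        if action != "DEFERRED":
            entry["final"] = action
            entry["waited"] = when - entry["first"]
    return result


if __name__ == "__main__":
    for key, info in resolve_deferrals(SAMPLE_LOG).items():
        print(key[2], info["final"], info["attempts"], info["waited"])
```

Entries that remain DEFERRED with a single attempt are the ones where the sender never retried; those are the only candidates worth looking at by hand.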