How to allow malformed containers with Symantec Mail Security for Microsoft Exchange (SMSMSE) 6.5.5 or later
Article: HOWTO59051 | Created: 2011-08-25 | Updated: 2012-07-31 | Article URL: http://www.symantec.com/docs/HOWTO59051
SMSMSE is reporting that email attachments are unscannable. Event ID 218 is logged to the Windows Application Event log, similar to the following:
Source: Symantec Mail Security for Microsoft Exchange
The attachment "Pack.QPACK" located in message with subject "Sample File", located in SMTP has violated the following policy settings:
Rule: Unscannable File Rule
The following actions were taken on it:
The attachment "Pack.QPACK" was Quarantined for the following reason(s):
Scan Engine Error. CSAPI DEC result: 0xA. A malformed container is detected at location Pack.QPACK
In addition, SMSMSE may be quarantining these email attachments.
The remainder of this article describes how to configure SMSMSE to allow these items to pass through without changing the "Unscannable file rule".
First, determine which file type SMSMSE considers the file to be, then configure the registry to prevent those file types from being decomposed.
Determine the file type
- Enable debug log capture as described in "How to Obtain Debug Logs for Symantec Mail Security for Microsoft Exchange (SMSMSE)". Use the section "To enable logging for Service related issues".
- Reproduce the unscannable file detection by re-sending a copy of the file in question with DebugView running.
- Look for an entry in the DebugView log similar to the following:
SAVFMSESp(868) 2011-08-26 09:09:07 0265ms:
MALFORMED_CONTAINER_DETECTED. Engine name: PDF
- Make a note of the letters that follow "Engine name:" in the entry. In the example above, the engine name is PDF.
Allow those types of files to pass through SMSMSE
- Create the following String registry key (if it does not already exist):
32 bit systems: HKEY_LOCAL_MACHINE\Software\Symantec\SMSMSE\6.5\Server\AllowMalformedContainerTypes
64 bit systems: HKEY_LOCAL_MACHINE\Software\Wow6432Node\Symantec\SMSMSE\6.5\Server\AllowMalformedContainerTypes
Note: This entry is case sensitive.
- Double-click the registry entry to display the Edit String dialog box. In the Value Data box, enter the Engine Name value exactly as it appeared in the DebugView window.
Note: You can add more than one value to this key. To add additional values, separate them from the existing value with a space.
The following is an example with the value set to allow both PDF and MIME:
- Restart the Symantec Mail Security for Microsoft Exchange service.
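The two procedures above, reading the engine name from the DebugView log and adding it to AllowMalformedContainerTypes, as an added PowerShell example that is not Symantec's code. The sample log lines are constructed from the format shown above, the helper function names are hypothetical, and the script assumes the SMSMSE Server key already exists; the registry write is left commented out, so as written it only reports the proposed value.

```powershell
# Added example (not Symantec code). Sample lines are constructed from the
# DebugView format shown in this article.
$sampleLog = @(
    'SAVFMSESp(868) 2011-08-26 09:09:07 0265ms:',
    'MALFORMED_CONTAINER_DETECTED. Engine name: PDF',
    'SAVFMSESp(868) 2011-08-26 09:11:42 0310ms:',
    'MALFORMED_CONTAINER_DETECTED. Engine name: MIME',
    'MALFORMED_CONTAINER_DETECTED. Engine name: PDF'
)

function Get-MalformedEngineName {          # hypothetical helper name
    param([string[]]$LogLines)
    # Case-sensitive match: the value must be entered exactly as logged.
    $LogLines |
        Select-String -Pattern 'MALFORMED_CONTAINER_DETECTED\.\s*Engine name:\s*(\S+)' -CaseSensitive |
        ForEach-Object { $_.Matches[0].Groups[1].Value } |
        Select-Object -Unique
}

function Merge-AllowedType {                # hypothetical helper name
    param([string]$Current, [string[]]$Add)
    # Existing entries are space-separated; keep them and append only new names.
    $list = @($Current -split ' ' | Where-Object { $_ })
    foreach ($n in $Add) { if ($list -cnotcontains $n) { $list += $n } }
    $list -join ' '
}

# Use whichever of the two keys from the article exists (assumes SMSMSE is installed).
$key = @('HKLM:\Software\Wow6432Node\Symantec\SMSMSE\6.5\Server',
         'HKLM:\Software\Symantec\SMSMSE\6.5\Server') |
    Where-Object { Test-Path $_ } | Select-Object -First 1
$name = 'AllowMalformedContainerTypes'

# Replace $sampleLog with Get-Content on a saved DebugView log.
$engines = @(Get-MalformedEngineName -LogLines $sampleLog)
"Engine names seen in log: $($engines -join ' ')"

if ($key) {
    $current = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
    $new = Merge-AllowedType -Current $current -Add $engines
    "Current value:  '$current'"
    "Proposed value: '$new'"
    # Uncomment to write the String value, then restart the service as described above.
    # New-ItemProperty -Path $key -Name $name -Value $new -PropertyType String -Force | Out-Null
} else {
    'SMSMSE Server key not found on this machine; nothing to change.'
}
```

Comparing the current value with the engine names actually seen in the log also shows which allowed types no longer have a matching detection.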
Effects of setting this registry key
Normally, SMSMSE scans all files at the top level container first, and then breaks those files down into their component parts for scanning using an engine called 'decomposer'. In order to break a file down, the decomposer engine must first identify the file's type, and then apply the appropriate decomposition algorithm for that file type. If the contents of the file do not match the expected content based on the file type, or if the decomposer misidentifies the file type, the result is a Malformed Container detection. After this key is implemented, SMSMSE will still scan the top level container and will still attempt to decompose the file, but if the file triggers a malformed container detection and the engine name matches one listed in this key, the file will be allowed to pass rather than being blocked.