What can cause an "unscannable file" violation within Symantec Mail Security for Microsoft Exchange (SMSMSE) and how can it be prevented?

Article:TECH79940  |  Created: 2002-01-13  |  Updated: 2014-04-04  |  Article URL http://www.symantec.com/docs/TECH79940
Article Type
Technical Solution


Issue



What criteria can cause an "unscannable file" violation within Symantec Mail Security for Microsoft Exchange (SMSMSE)?

Conditions

  • Sending or receiving the email or attachment multiple times through Exchange and SMSMSE always results in an unscannable message.

If SMSMSE is not always reporting that the email or attachment is unscannable, then this article does not apply.

 


Error



  • The Windows Application Event Log shows an event similar to the following:

Event Type:     Warning
Event Source:   Symantec Mail Security for Microsoft Exchange
Event Category: Unscannable
Event ID:  218
Description:
The attachment "SYQc8099371_2010_December_2_GD_review_E2K_LMS.ppt" located in message with subject "test`", located in Administrator/Sent Items has violated the following policy settings:
     Scan: Auto-Protect
     Rule: Unscannable File Rule
The following actions were taken on it:
     The attachment "SYQc8099371_2010_December_2_GD_review_E2K_LMS.ppt" was Quarantined for the following reason(s):
Scan Engine Error.  CSAPI DEC result: 0xA. A malformed container is detected. at location Package within PowerPoint Document

NOTE: The exact error code and file name depend on the environment and will differ.

It is recommended to perform a search in the SMSMSE knowledge base with the specific error code.  The following are searches with specific error codes:

CSAPI DEC result: 0xA
CSAPI DEC result: 0x11
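
When many such events are logged, the result code and attachment name can be pulled out of each description to see which attachments are reported repeatedly and which search string applies. The following is an added example, not Symantec code; it assumes descriptions exported from the Application log in the layout shown above, and the sample events are constructed.

```python
import re
from collections import Counter

FIELDS = {
    "attachment": re.compile(r'The attachment "([^"]+)" located in'),
    "scan": re.compile(r"Scan:\s*(.+)"),
    "rule": re.compile(r"Rule:\s*(.+)"),
    "action": re.compile(r'" was (\w+) for the following reason'),
    "dec_result": re.compile(r"CSAPI DEC result:\s*(0x[0-9A-Fa-f]+)"),
}

def parse_event(description):
    """Return the fields of one Event ID 218 description, or None when the
    violated rule is not the Unscannable File Rule."""
    found = {}
    for name, rx in FIELDS.items():
        m = rx.search(description)
        found[name] = m.group(1).strip() if m else None
    if found["rule"] != "Unscannable File Rule":
        return None
    if found["dec_result"]:
        # Normalise 0xa / 0x0A / 0xA to one spelling so they group together.
        found["dec_result"] = "0x%X" % int(found["dec_result"], 16)
    return found

def search_terms(descriptions):
    """Count violations per (attachment, result code) and build the
    knowledge-base search string for every code seen."""
    counts = Counter()
    for text in descriptions:
        ev = parse_event(text)
        if ev:
            counts[(ev["attachment"], ev["dec_result"])] += 1
    terms = sorted({"CSAPI DEC result: " + code for _, code in counts if code})
    return counts, terms

# Constructed sample descriptions; names and reason text are placeholders.
TEMPLATE = (
    'The attachment "{a}" located in message with subject "test", located in '
    'Administrator/Sent Items has violated the following policy settings:\n'
    '     Scan: Auto-Protect\n     Rule: {r}\n'
    'The following actions were taken on it:\n'
    '     The attachment "{a}" was Quarantined for the following reason(s):\n'
    'Scan Engine Error.  CSAPI DEC result: {c}. <reason text>')
SAMPLE = [TEMPLATE.format(a="deck.ppt", r="Unscannable File Rule", c="0xA"),
          TEMPLATE.format(a="deck.ppt", r="Unscannable File Rule", c="0xa"),
          TEMPLATE.format(a="big.zip", r="Unscannable File Rule", c="0x11"),
          TEMPLATE.format(a="other.zip", r="Some Other Rule", c="0x11")]

if __name__ == "__main__":
    print(search_terms(SAMPLE))
```

An attachment that appears with the same code on every resend matches the condition this article covers.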


Solution



For a file to be considered unscannable by SMSMSE, the following criteria must be met:

  • SMSMSE must be able to identify the data as a known file type. When the file is identified, it is then passed to the virus scanner. If the file is compressed, the file is passed to the decomposer before going to the virus scanner.
  • An attempt to access or read the file is made, either by the virus scanner or the decomposer, that results in an error.


When the previous criteria are met, the unscannable file rule is applied.

Some common examples of situations leading to this violation
The following situations can lead to the unscannable file rule being applied. However, this list is only a sample and is not exhaustive.

  • Inability to access the file
    The file is correctly identified, but the software cannot gain access to the file to decompress or scan. This is commonly caused by another thread or process having access to the file. An example is when two different types of antivirus software (one a file system based version and one an email based version) attempt to scan the same file simultaneously.
  • Correct identification of a corrupt file
    The Symantec product for Microsoft Exchange correctly identifies the file, but the file cannot be opened or accessed due to corruption within the file. Typically, a file of this type will also fail to open, execute, or will be fully or partially unreadable to an end user if allowed to pass.
  • Incorrect identification of a file
    The message header leads the Symantec product for Microsoft Exchange to misidentify a file. The resulting actions performed on the file by either the decomposer or the virus scanner are incorrect and invalid for the file type. This can also occur due to problems with virus definitions or with a file containing invalid characters or values in the header. In this situation, the file may still be opened or executed by an end user if allowed to pass.
  • Correct identification of a file, but unexpected content is encountered
    The file can be correctly identified and access is granted. However, during this action, unexpected content is encountered. This results in an error by the decomposer or virus scan process. An example is file embedding, which is seen among different formats of the Microsoft Office family. A file created by Microsoft PowerPoint is correctly identified, but during the scan, an Excel table (which is embedded) is encountered. The scanner fails at this point as it is attempting to scan a PowerPoint file and not an Excel file.
  • Scanner or decomposer times out
    The antivirus scanner or decomposer times out while attempting to scan. This can occur when a file is deeply compressed, when a multilevel archive file exceeds the value set in the interface, or when the decomposer or virus scanner exceeds the scan time limit.
  • Temporary working directory is missing or path to the directory is incorrect
  • Large compressed attachment.
    Technical Support reports that customers have seen this error with large attachments (for example, 100 MB compressed to a 4 MB zip). This problem was resolved by setting the MaxScanSize registry value to zero (this setting means no limit on the size of attachment). However, this setting should be used with discretion, as it can impact performance.
  • Not setting exclusions in the installed Symantec Corporate Edition product
    If you do not set exclusions in the corporate edition product for the Symantec Mail Security folders, the unscannable rule is triggered.
  • File attachments are split into multiple files
    If you use a utility to split large files into smaller sections, the product cannot determine the file type. For more information see the following article: http://www.symantec.com/docs/TECH162801
     

Note: If the Encrypted file rule is enabled, encrypted files, including items such as password protected ZIP files, will not trigger an unscannable file rule. These files will trigger an encrypted file rule and will be identified as such when notifications and event messages are logged.
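
Several of the causes above (multilevel archives, large compressed attachments, malformed containers, encrypted members) can be checked on a copy of a quarantined ZIP before contacting support. The following is an added example, not part of SMSMSE; `inspect_zip`, its limits and the sample archives are assumptions of this example, and the reported depth and expanded size are meant to be compared with the limits configured in the product.

```python
import io
import zipfile

def inspect_zip(data, max_depth=10, max_member=64 << 20, _depth=1):
    """Report what a decomposer would face in a ZIP held in memory: nesting
    depth, expanded size taken from the ZIP headers, encrypted members and
    malformed inner archives. max_depth and max_member are safety limits of
    this example, not SMSMSE settings."""
    rep = {"depth": _depth, "compressed": len(data), "expanded": 0,
           "encrypted": False, "limit_hit": False, "malformed": False}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            encrypted = bool(info.flag_bits & 0x1)   # bit 0: encrypted member
            rep["encrypted"] |= encrypted
            inner = None
            if info.filename.lower().endswith(".zip") and not encrypted:
                if _depth >= max_depth or info.file_size > max_member:
                    rep["limit_hit"] = True           # not opened any further
                else:
                    try:
                        inner = inspect_zip(zf.read(info), max_depth,
                                            max_member, _depth + 1)
                    except zipfile.BadZipFile:
                        rep["malformed"] = True       # named .zip, not a ZIP
            if inner is None:
                rep["expanded"] += info.file_size
                continue
            rep["depth"] = max(rep["depth"], inner["depth"])
            rep["expanded"] += inner["expanded"]
            for key in ("encrypted", "limit_hit", "malformed"):
                rep[key] |= inner[key]
    rep["ratio"] = rep["expanded"] / max(rep["compressed"], 1)
    return rep

def make_zip(name, payload):
    """Build a one-member ZIP in memory (used only for the constructed samples)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, payload)
    return buf.getvalue()

def sample_nested(layers=3):
    """Constructed sample: 1 MiB of zeros wrapped in `layers` ZIP levels."""
    data = make_zip("report.bin", b"\0" * (1 << 20))
    for _ in range(layers - 1):
        data = make_zip("inner.zip", data)
    return data

if __name__ == "__main__":
    print(inspect_zip(sample_nested()))
```

A report with `encrypted` set corresponds to the encrypted file rule described in the note above rather than the unscannable file rule.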



If you believe your file does not match any of the above criteria and would like more information on why it was called unscannable, please contact Symantec Technical Support.  Be prepared to submit a copy of the affected file, as we will not be able to determine the root cause without the file in question.

 

Workaround

  • Allow certain file types to continue even if the file cannot be decomposed. See the following article:  How to Allow Malformed Containers with Symantec Mail Security for Microsoft Exchange (SMSMSE) 6.5.5 or later.
  • Set the Action that occurs for the unscannable file rule to 'Log Only':
        1. Open the SMSMSE console.
        2. Navigate to Policies -> Exceptions -> Unscannable File Rule.
        3. In the bottom-right portion of the screen next to 'Action to take:' click on the drop down menu to choose the action 'Log Only'.
        4. Once the changes have been made click the orange Deploy Changes button near the top of the screen.
  • Zip the affected file, and password protect the zip. This will cause SMSMSE to treat the file as Encrypted, rather than unscannable, and by default will allow the file to pass.

 

 


 



Legacy ID



2002051315535954

