The Symantec Brightmail Gateway Appliance quarantines Microsoft Office 2007 documents under the Executable File rule

Article:TECH86094  |  Created: 2007-01-26  |  Updated: 2012-01-18  |  Article URL http://www.symantec.com/docs/TECH86094
Article Type
Technical Solution

Product(s)

Issue



Why do some Microsoft Office 2007 documents and spreadsheets trigger the Executable File rule?

Symptoms
Symantec Mail Security quarantines or otherwise acts upon one or more attachments.

  • Each attachment was a file created with Microsoft Office 2007.
  • Each attachment is in an OpenXML format, such as .xlsx, .pptx, or .docx.



 


Cause



When each attachment was edited, the Print settings were altered, causing Office to store a file called PrinterSettings1.bin within the Office document. The attachments are therefore detected by the Executable File rule, or by custom compliance rules that detect files based on a .bin extension.


Solution



This was resolved beginning with Symantec Brightmail Gateway version 7.7.0-17, but only when performing an OS Restore to this version or a later version. If the upgrade is not an option at the moment, please use the workaround described below.

To work around this behavior, please do one of the following:

    • Disable the relevant rule,
    • Remove the "extension is bin" condition from each relevant policy, or
    • Add the file to a password-protected zip file before sending it.



If a previous version was upgraded to 7.7.0-17 or later, and the issue still exists, please use the following steps:

Create another compliance rule to allow Office 2007 documents.
However, make sure that this rule is above the rule blocking executable files.

To create a rule to allow Office 2007 documents:

  1. Create a new attachment list "Office 2007 files" with the file extensions to be allowed: docx, xlsx, pptx
  2. Create a new compliance rule with a condition: 'If file is on the attachment list deliver message normally.'
  3. Move this new rule above the Executable File rule.



If version 8.0.2 or higher is already in use, it is recommended to remove the "extension is bin" condition from the policy and rely instead on true file typing to protect against UNIX or Windows executable bin files. This is recommended because the methodology used for processing policy rules changed after version 7.5: all rules are now processed. This means that even if there is a rule for delivering Office documents normally, the rule for deleting .bin attachments will still be activated.
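The difference between an "extension is bin" condition and true file typing can be shown on an OpenXML container, as an added example that is not Symantec's code or detection logic. The magic-byte check is a simplified stand-in for true file typing, and the member paths and sample contents are constructed for illustration.

```python
import io
import zipfile

# Leading bytes of the two executable families the article names.
# Simplified stand-in for true file typing, not the product's logic.
MAGIC = {b"MZ": "windows-executable", b"\x7fELF": "unix-executable"}


def classify_bin_members(attachment: bytes) -> dict:
    """Map each *.bin member of a zip-based attachment to a content-based type."""
    results = {}
    with zipfile.ZipFile(io.BytesIO(attachment)) as zf:
        for info in zf.infolist():
            if not info.filename.lower().endswith(".bin"):
                continue
            with zf.open(info) as member:
                head = member.read(4)
            kind = [label for magic, label in MAGIC.items() if head.startswith(magic)]
            results[info.filename] = kind[0] if kind else "data"
    return results


def extension_rule_hits(attachment: bytes) -> bool:
    """What an 'extension is bin' condition sees: any member named *.bin."""
    return bool(classify_bin_members(attachment))


def true_type_rule_hits(attachment: bytes) -> bool:
    """Content-based verdict: only members that really look like executables."""
    return any(k != "data" for k in classify_bin_members(attachment).values())


def build_zip(members: dict) -> bytes:
    """Build a constructed sample container in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples: a .docx-like container holding printer settings,
# and a container whose .bin member starts with a Windows executable header.
OFFICE_DOC = build_zip({
    "[Content_Types].xml": b"<Types/>",
    "word/printerSettings/printerSettings1.bin": b"\x00\x01constructed-settings",
})
EXE_IN_BIN = build_zip({"attachments/tool.bin": b"MZ\x90\x00constructed"})
```

The Office sample triggers the extension condition but not the content-based check, while the second sample triggers both.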




Technical Information
The "Extension is bin" condition is part of the "Executable Files" list that comes with Symantec Mail Security by default.



 


Supplemental Materials

Source: ETrack
Value: 31185, 32421


Legacy ID



2007122613225354

