How to determine why Symantec Mail Security for SMTP or a Symantec Brightmail product determined that a message with an attachment is UNSCANNABLE

Article:TECH90411  |  Created: 2008-01-01  |  Updated: 2011-01-28  |  Article URL http://www.symantec.com/docs/TECH90411
Article Type
Technical Solution


Issue



You send an otherwise acceptable file as an email attachment through Symantec Mail Security for SMTP 5.0.x or another Symantec Brightmail product. SMTP5 detects the attachment as UNSCANNABLE. You seek additional information on why the product determined that the attachment was UNSCANNABLE.

 


Solution



  1. Trace through the behavior.
  2. Filter the resulting logs.



To trace through the behavior

  1. In the Control Center interface, raise the logging level of the Filter-Hub to 'INFO' or 'DEBUG'.
  2. Send the message back through the Scanner again to reproduce the behavior.
  3. Lower the logging level of the Filter-Hub from 'INFO' or 'DEBUG' to its previous logging level, or the default level, 'WARNING'.
  4. Collect the file filter-hub_log.txt.



To filter the resulting logs

  1. Locate the UNSCANNABLE verdict using the email address presented during the SMTP command MAIL FROM: or the email address present in the FROM: header of the message.
  2. Filter the logs based upon the thread number and timestamp to the second.


To locate the UNSCANNABLE verdict using an email address on a Windows system

  1. In a cmd prompt, navigate to the location containing the filter hub log file using the cd command.
  2. At the cmd prompt, type:
    find "username@domain.tld" filter-hub_log.txt | find "unscannable" >possiblethreads.txt
     
  3. Open the file possiblethreads.txt in Wordpad.
  4. Notice that each log entry contains a block similar to the following: (NOTICE:8060.5028) ...where NOTICE is the logging level of the event, 8060 is the Process ID of the filter-hub daemon, and 5028 is the thread number.
  5. Make a note of the Process ID, thread number, and time of the event to the second for the most recent event in the log.

    NOTE: You may want to investigate previous occurrences of UNSCANNABLE files, but unless the log levels were already set to INFO or DEBUG when that incident occurred, you will be unable to determine the cause of that individual UNSCANNABLE occurrence.



To locate the UNSCANNABLE verdict using an email address on a Linux or Solaris system

  1. In a shell prompt, navigate to the location containing the filter-hub log file using the cd command.
  2. At the shell prompt, type:
    grep "username@domain.tld" filter-hub_log.txt | grep "unscannable" >possiblethreads.txt
     
  3. Open the file possiblethreads.txt in a text editor, such as Kate or gedit.
  4. Notice that each log entry contains a block similar to the following: (NOTICE:8060.5028) ...where NOTICE is the logging level of the event, 8060 is the Process ID of the filter-hub daemon, and 5028 is the thread number.
  5. Make a note of the Process ID, thread number, and time of the event to the second for the most recent event in the log.

    NOTE: You may want to investigate previous occurrences of UNSCANNABLE files, but unless the log levels were already set to INFO or DEBUG when that incident occurred, you will be unable to determine the cause of that individual UNSCANNABLE occurrence.



To filter logs for Process ID, thread number and timestamp on a Windows system

  1. In a cmd prompt, type:
    find "12:00:00" filter-hub_log.txt | find "8060.5028" >debugtrace.txt

    ...where 12:00:00 is the actual timestamp to the second, and 8060.5028 is the Process ID and thread number as it appears in the log entry for the UNSCANNABLE entry.
     
  2. Open the file debugtrace.txt in Wordpad.
  3. On the keyboard, press <CTRL>+F
  4. Type: unscannable
  5. Click Find Next.
  6. Repeat step 5 until you arrive at a line which contains text similar to "message disposition unscannable taking the lead for username@domain.tld from none"
  7. Scroll up from this event and look at the closest NOTICE entry to determine the cause for this UNSCANNABLE verdict.
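
The same procedure scripted for a Linux or Solaris shell, as an added example that is not part of the original article or of the product's tooling: it finds the most recent UNSCANNABLE entry for an address, filters the log to that Process ID, thread and second, and prints the closest NOTICE entry above the "taking the lead" line. The function names, the assumed line layout (an HH:MM:SS timestamp on every entry) and the sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: scripts the manual steps above for filter-hub_log.txt.
# Assumption: every entry has an HH:MM:SS timestamp and a (LEVEL:PID.THREAD) block.

# Print "HH:MM:SS PID.THREAD" for the most recent unscannable entry for an address.
latest_unscannable() {   # usage: latest_unscannable LOGFILE ADDRESS
    grep -F -- "$2" "$1" | grep "unscannable" | tail -n 1 | awk '
        match($0, /[0-9][0-9]:[0-9][0-9]:[0-9][0-9]/) { ts = substr($0, RSTART, RLENGTH) }
        match($0, /\([A-Z]+:[0-9]+\.[0-9]+\)/) {
            id = substr($0, RSTART + 1, RLENGTH - 2)   # LEVEL:PID.THREAD
            sub(/^[A-Z]+:/, "", id)                    # PID.THREAD
        }
        END { if (ts == "" || id == "") exit 1; print ts, id }'
}

# Print every entry logged by that thread in that second (debugtrace.txt equivalent).
thread_trace() {         # usage: thread_trace LOGFILE HH:MM:SS PID.THREAD
    grep -F -- "$2" "$1" | grep -F -- ":$3)"
}

# Print the closest NOTICE entry above the "taking the lead" line for the address.
unscannable_cause() {    # usage: unscannable_cause LOGFILE ADDRESS
    found=$(latest_unscannable "$1" "$2") || return 1
    thread_trace "$1" "${found% *}" "${found#* }" | awk -v addr="$2" '
        /message disposition unscannable taking the lead/ && index($0, addr) { hit = 1; exit }
        /\(NOTICE:/ { last = $0 }
        END { if (!hit || last == "") exit 1; print last }'
}

# Constructed sample log (not real product output); its line layout is assumed.
write_sample_log() {     # usage: write_sample_log FILE
    cat > "$1" <<'EOF'
2011-01-28 11:59:58 (NOTICE:8060.5028) constructed: earlier cause for other@domain.tld
2011-01-28 11:59:58 (NOTICE:8060.5028) message disposition unscannable taking the lead for other@domain.tld from none
2011-01-28 12:00:00 (DEBUG:8060.5028) constructed: begin scan for username@domain.tld
2011-01-28 12:00:00 (NOTICE:8060.4111) constructed: unrelated thread
2011-01-28 12:00:00 (NOTICE:8060.5028) constructed: sample cause line
2011-01-28 12:00:00 (DEBUG:8060.5028) constructed: verdict computed
2011-01-28 12:00:00 (NOTICE:8060.5028) message disposition unscannable taking the lead for username@domain.tld from none
EOF
}

# Run against a real log when called as: script LOGFILE ADDRESS
if [ $# -eq 2 ]; then unscannable_cause "$1" "$2"; fi
```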





 



Legacy ID



2008100111152654

