Cannot release message, returns (goes back) to quarantine
Updated: 21 May 2010 | 9 comments
Hi,
Our client is having some problems releasing a single message out of the network. Whenever he tries to release the message, it just goes back to quarantine.
It contains a spreadsheet attachment most likely to contain numbers and such (I cannot see it due to constraints of the contract).
I checked the content compliance and it doesn't seem to violate anything. Besides, when an admin releases a message, shouldn't it be released/sent already?
The From, To and Original subject contain the exact same thing.



Note: Title is written so that searching for this would be easier. :D
Comments
Hello mon_raralio
Based on the screenshot, the message triggers some Content Compliance rule.
Search for the initial mail under the 'Message Audit Logs' (Status -> Message Audit Logs) and open the detailed view (click on the To address). You should see the compliance name under the 'Verdict' section.
As I presume the released mail is re-quarantined, try disabling the initially triggered Policy before releasing the mail from the Quarantine. Re-enable the rule after releasing the mail.
As you have mentioned that the mail has a spreadsheet attachment, you could also review the following Symantec document:
http://service1.symantec.com/SUPPORT/ent-gate.nsf/...
Cheers.
Thanks fsg, I'll try this come work day. :D
I'll keep you posted.
“Your most unhappy customers are your greatest source of learning.”
Update
Hi,
Our client did as suggested to compress the file in zip format before sending. It was still quarantined and one of the tested policies is for keywords (sexual, racial, forgot the last one) which I doubt were contained in the document. If the email was released, will it still proceed with the other untested policies which were also listed in the email as untested?
There is also an existing policy to allow all word documents in the server.
(Upgrading is out of the question)
“Your most unhappy customers are your greatest source of learning.”
Hi mon_raralio
The triggered policies put another spin on the situation, also raise a few questions.
- are the triggered content policies / dictionaries used custom or default ones ?
- do you have the client's permission to view the email and attachment ? (based on the entry above the mail and attachment was not reviewed)
- is the MS Word version used known ?
- is the quarantined mail (shown in the screen-shot) containing the same MS Word attachment (or there are various documents) ?
- are these emails from the same sender ?
Some testing could also eliminate possibilities:
- find out the MS Word version used in creating the attached files.
- create a 'clean' test word document and send it through the SBG, check the result in the Message Audit Logs
- narrow down the quarantined mail instances (if there are various)
If the information cannot be posted, I suggest providing sample emails to Symantec (via a support case) for testing.
Cheers
Answers to your questions:
The triggered policies put another spin on the situation, also raise a few questions.
- are the triggered content policies / dictionaries used custom or default ones ? We only used some of the default policies, and have a few words in the custom words list. And the person I talked to said that it doesn't have any 'bad' words.
- do you have the client's permission to view the email and attachment ? (based on the entry above the mail and attachment was not reviewed) No, I can't have access to that file. I also suggested that it could be a number violation, but that filter was disabled.
- is the MS Word version used known ? It is an Excel spreadsheet. Version 2k3
- is the quarantined mail (shown in the screen-shot) containing the same MS Word attachment (or there are various documents) ? Same Excel attachment. Tried zipping it too.
- are these emails from the same sender ? Yes, same sender - sort of. The email was from a user which was then forwarded by an admin just to test it out.
Some testing could also eliminate possibilities:
- find out the MS Word version used in creating the attached files.
- create a 'clean' test word document and send it through the SBG, check the result in the Message Audit Logs - I'll try and have them do this.
- narrow down the quarantined mail instances (if there are various) - Just this one.
If the information cannot be posted, I suggest providing sample emails to Symantec (via a support case) for testing. - The email attachment is of utmost confidentiality. :(
Cheers.
“Your most unhappy customers are your greatest source of learning.”
Update:
The client did a test with a blank xls file. It went through with no problems.
We'll try and review the enabled policies. Apparently, there is also a problem with the zip files.
“Your most unhappy customers are your greatest source of learning.”
2nd update
Finally got a chance to view the file. It did contain some "sexual" keywords.
Still don't understand why it returns to the quarantine despite the admin releasing the email.
Replaced those words with a more "friendly" synonym and it got through.
BTW, @fsg, the client does not want to disable the policy even for a short time so I can't do what your first post suggested.
“Your most unhappy customers are your greatest source of learning.”
Well mon_raralio, based on the last few posts, it seems that the SBG does just what it is supposed to (quarantines the mail, based on the 'sexual' keywords).
As for why the admin could not release the mail from quarantine, you should look at the Control Center configuration - is the downstream server used, or is it releasing the mail back into the mail-flow. It should not re-quarantine it though - if I remember correctly - will verify the theory once I have access to the SBG.
Cheers
fsg: I'm not sure, but I think once the mail has been released, it should be out of SBG and on its way. But as it is, it just returns to quarantine like there is a loop in the message flow. If only we can mark a message as released and have another rule for that.
“Your most unhappy customers are your greatest source of learning.”