
Question regarding Unscannable File rule in SMSME 6.5.5

Created: 27 Mar 2012 • Updated: 27 Mar 2012 | 1 comment
This issue has been solved. See solution.

I am running Mail Security for Exchange 6.5.5 on Exchange Server 2007 SP3 Enterprise x64, which runs on Windows 2003 SP2 Standard x64.

I've been having a problem with PDF files being quarantined as unscannable. I read this article http://www.symantec.com/business/support/index?page=content&id=HOWTO59051 and implemented the changes. I reconfigured the Unscannable File Rule in SMSE from Log Only to Quarantine and began getting these emails (2 examples below) in my Admin mailbox. This only happens when I implement the regedit described in the article.

 

From: Email.Administrator@MYDOMAIN.com
To: Email Administrator
Subject: Administrator Alert: Symantec Mail Security detected a message with an unscannable attachment or body

Location of the message:  SMTP
Sender of the message: MicrosoftExchange329e71ec88ae4615bbc36ab6ce41109e@lendlease.com
Subject of the message:  Relayed: BP2

The attachment(s) "ATT00002" and/or the message was Logged Only.

This was done due to the following Symantec Mail Security settings:
Scan: Auto-Protect
Rule: Unscannable File Rule

Server Name: MYSERVER.MYDOMAIN.com

 

 

From: Email.Administrator@MYDOMAIN.com
To: Email Administrator
Subject: Administrator Alert: Symantec Mail Security detected a message with an unscannable attachment or body

Location of the message:  SMTP
Sender of the message: MicrosoftExchange329e71ec88ae4615bbc36ab6ce41109e@lendlease.com
Subject of the message:  Relayed: CO2 sensors

The attachment(s) "ATT00002" and/or the message was Logged Only.

This was done due to the following Symantec Mail Security settings:
Scan: Auto-Protect
Rule: Unscannable File Rule

Server Name: USATL01MW202.amer.lendlease.com

 


nathan_bergstrom

Greetings,

 

The ATT0002 attachment is usually partial headers from a message. When an NDR is generated by Exchange 2007 or 2010, it takes the header information that can be used by the Exchange admin to help determine why the message may have failed or at what hop the message is failing. This is included as an attachment or in the body of the message as an attachment.

The downside is that sometimes the headers include MIME boundaries. MIME has an opening statement and a closing statement. Most likely Exchange is not including the closing statement, and when the attachment is presented to SMSMSE for scanning, SMSMSE looks at the content and determines that it should be an email. The boundaries are broken, causing SMSMSE to call it unscannable, which it really is.

You can use the same document for the PDF unscannable verdict exclusion to include MIME. This does not mean that PDFs and MIMEs will not be scanned, just that the unscannable verdict will be ignored.

I am not sure why setting the rule to quarantine would cause NDRs.  If you can, double check the content of the quarantined file.  I do suspect that it is header information. You may be able to use Exchange message tracking to find out what really happened to the message.

SOLUTION
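
The broken-boundary condition described in the reply above, as an added example that is not part of the original thread and not Symantec's code: a Python check that reports whether a saved attachment or quarantined file declares a multipart boundary but lacks its opening or closing delimiter. The function name, status strings and sample messages are constructed for illustration.

```python
from email.parser import HeaderParser


def boundary_status(raw: str) -> str:
    """Classify a raw message by whether its declared MIME boundary is intact."""
    # HeaderParser parses only the header block; the body stays one raw string.
    msg = HeaderParser().parsestr(raw)
    if msg.get_content_maintype() != "multipart":
        return "not_multipart"
    boundary = msg.get_boundary()
    if not boundary:
        return "no_boundary_param"
    opener = "--" + boundary          # delimiter that starts each part
    closer = "--" + boundary + "--"   # delimiter that ends the multipart body
    seen_open = seen_close = False
    for line in msg.get_payload().splitlines():
        line = line.rstrip()  # delimiters may carry trailing whitespace
        if line == opener:
            seen_open = True
        elif line == closer:
            seen_close = True
            break
    if not seen_open:
        return "missing_open"   # e.g. headers copied without any body
    return "well_formed" if seen_close else "missing_close"


# Constructed sample data (not taken from the thread).
HEADERS = [
    "From: postmaster@example.test",
    "Subject: Undeliverable: constructed sample",
    "MIME-Version: 1.0",
    'Content-Type: multipart/mixed; boundary="b1_constructed"',
    "",
]
PART = ["--b1_constructed", "Content-Type: text/plain", "", "body text"]

COMPLETE = "\n".join(HEADERS + PART + ["--b1_constructed--", ""])
TRUNCATED = "\n".join(HEADERS + PART)   # closing delimiter never arrives
HEADERS_ONLY = "\n".join(HEADERS)       # partial headers, as in an NDR attachment
PLAIN = "Subject: constructed\nContent-Type: text/plain\n\nhello\n"

if __name__ == "__main__":
    for name in ("COMPLETE", "TRUNCATED", "HEADERS_ONLY", "PLAIN"):
        print(name, "->", boundary_status(globals()[name]))
```

A result of `missing_open` or `missing_close` on the quarantined file's content is consistent with the header-fragment explanation given in the reply.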