PDF (and other types of attachments) are Quarantined for Violating File Name Rule Configured in Symantec Mail Security for Exchange (SMSMSE)

Article:TECH155013  |  Created: 2011-03-08  |  Updated: 2014-02-20  |  Article URL http://www.symantec.com/docs/TECH155013
Article Type
Technical Solution


Issue



An email with a PDF attachment (or other type of attachment) is Quarantined due to the File Name Rule (see Error section).

If prior versions of SMSMSE were used this behavior is not seen. See this article for details of this change: See Symantec Mail Security for Microsoft Exchange (SMSMSE) Does not Decompose PDF, ACE, BZIP2 Attachments for Viruses

 


Error



The Windows Application Event log contains the 291 event similar to this:

Log Name:      Application
Source:        Symantec Mail Security for Microsoft Exchange
Date:          3/18/2011 10:16:32 AM
Event ID:      291
Task Category: Content Enforcement Rules
Level:         Warning
Keywords:      Classic
User:          N/A
Computer:      W2K8-EX2K10-65.ex2k10lab.test
Description:
The attachment "test.pdf" located in message with subject "testing with pdf", located in SMTP has violated the following policy settings:
    Scan: Auto-Protect
    Rule: File Name Rule
The following actions were taken on it:
    The attachment "test.pdf" was Quarantined for the following reason(s):
        UNAUTHORIZED FILE was found in javaScriptFile.js.

 

 

Conditions

  • Opening the PDF (or other file) does not show any attachments of the type listed in the Windows Application Event Log message.
  • File name rule is enabled.

1. Open the SMSMSE Administration Console.
2. Click on the Policies tab.
3. Click on Views|Content Filtering|File Filtering Rules.
4. The rule with the name File Name Rule has the Status Enabled.

 

 

 


Cause



SMSMSE has the ability to "decompose" and open many file types.  Typical examples are ZIP files.  However SMSMSE has the ability to open PDF and DOCX files as well.  It is not obvious by opening the PDF file there are embedded files.  When SMSMSE opens the PDF file and finds an embedded file the File Name Rule is applied to the embedded file.  This is by design.

 


Solution



Choose one of the following approaches:

  • Remove the file extension causing the quarantine from the File Name Rule.

1. Open the SMSMSE Administration Console.
2. Click on the Policies tab.
3. Click on Views|Content Filtering|File Filtering Rules.
4. Click on the rule File Name Rule.
5. Click the Select... button for Match list for prohibited file names.
6. Highlight the match list to use.
7. Click the Edit match list... button.
8. Remove the appropriate file extension.
9. Click the OK button to close the match list terms.
10. Click the Close button to close the Select a match list dialog window.
11. Click the Deploy Changes button to save the changes.

  • Configure SMSMSE to not open container attachments for File Name Rule processing.

1. Open the SMSMSE Administration Console.
2. Click on the Policies tab.
3. Click on Views|Content Filtering|File Filtering Rules.
4. Click on the rule File Name Rule.
5. Click the checkbox Bypass scanning of container files(s).
6. Click the Deploy Changes button to save the changes.

NOTE: This option skips the opening of all containers include ZIP files.
NOTE:  This option has no affect on virus scanning.  Any virus scanning options still apply to containers.

 

 


Supplemental Materials

SourceETrack
Value2325077

SourceEvent ID
Value291
Description

The attachment "<filename>" located in message with subject "<subject>", located in SMTP has violated the following policy settings:




Article URL http://www.symantec.com/docs/TECH155013


Terms of use for this information are found in Legal Notices