search cancel

"Macro code was removed by Symantec Disarm" string is found on a document that supports macros

book

Article ID: 163372

calendar_today

Updated On:

Products

Messaging Gateway

Issue/Introduction

A document that supports macros has been found to have the following string instead of the macro code:

"Macro code was removed by Symantec Disarm"

Cause

The file has been scanned by Symantec Messaging Gateway with Disarm Technology enabled.

Resolution

This is an expected behaviour, the Symantec Messaging Gateway is working as designed. The string is added as a disclaimer which explains that an attachment has been deconstructed, potential malicious content (PMC) has been removed by the Symantec product and the attachment has been reconstructed without its original macro code.

If there is a need to receive a file with macro content and the Disarm feature is enabled on the SMG, the following workarounds can be taken into consideration:

  • Disarm feature should be temporarily disabled from Malware tab > Disarm: Disarm attachment
  • The action for the Disarm policy should be temporarily changed to Hold the message in Spam Quarantine

Alternatively, other channels (i.e. FTP or secure file hosting) should be used for exchange files that are containing attachments containing macros or other PMC supported by Disarm. Exceptions such as identify the local users that are allowed to receive those files and create a Policy Group for which the policy will not apply may be also considered.

Note: Policy Groups only apply for local users, therefore a non-local domain cannot be added as a member of a policy group.