Potentially malicious content not removed from email attachments; Disarm not working


Article ID: 171119


Updated On:


Messaging Gateway


Email with potentially malicious content (PMC) is delivered to the downstream mail server, even after Symantec Messaging Gateway (SMG) scans the attachments. SMG does not disarm all files of potentially malicious content, such as macros, JavaScript, or Flash, and malicious files get through.


  • The attached file(s) may be a file type that is not scanned for potentially malicious content.
  • Disarm may not be enabled for the file type or type of potentially malicious content.
  • The Disarm policy may not be applied to the policy group of the recipient.


  1. Configure Disarm to scan the file types being allowed through. See Using Disarm to remove potentially malicious content​
  2. Apply the Disarm policy to the user's policy group in the Message Audit Log (MAL).
    1. In the SMG Control Center, navigate to Status > Message Audit Logs.
    2. Search for the recipient's email address and locate the message that's not being removed of potentially malicious content.
    3. Click on the recipient's email address to open the log.
    4. In Recipient Data, verify the Policy Group.
    5. Navigate to Administration > Policy Groups.
    6. Click the name of the policy group.
    7. Under Malware, verify that the Inbound Disarm policy is set correctly.