Mails are receiving a "malformed container" verdict when using Symantec Scan Engine 5.x and Mail Marshal 5.x/6.x

book

Article ID: 177684

calendar_today

Updated On:

Products

Scan Engine

Issue/Introduction

You're using Scan Engine 5.x with MailMarshal (Native mode), and you noticed that most of the inbound emails are receiving a "Malformed Container" verdict from Scan Engine.

Cause

Symantec Scan Engine expects the entire MIME message. It extracts the contents out of it and scans for viruses. Then, any infection/violation is reported accordingly.

When MailMarshal SMTP processes a message against anti-virus rules, it unpacks the message into its constituent components, and sends the individual components to each configured virus scanner for scanning.
In case of components like message headers, Scan Engine can not assume that the rest section(s) is on its way for scanning. Hence, as MailMarshal sends the header part of mail for scanning, SSE looks for other sections of it and reports "malformed container" violation.”
When an individual email component is sent to the Symantec Scan Engine, it attempts to unpack the partial message, and falsely triggers a 'malformed container' error, believing the message to be incomplete.

Resolution

Please follow and apply the MailMarshal's KB article below in order to allow Scan Engine not to report "malformed container" errors on MailMarshal's unpacked emails:
MailMarshal Knowledge Base, Article:Q11345 - http://www.marshal8e6.com/kb/article.aspx?id=11345

Also, please note that there are no risks in configuring Symantec Scan Engine not to report "malformed containers" to MailMarshal, which will handle malformations according to its configuration.