How to allow malformed containers with Symantec Mail Security for Microsoft Exchange (SMSMSE) 6.5.5 or later

book

Article ID: 180651

calendar_today

Updated On:

Products

Mail Security for Microsoft Exchange

Issue/Introduction

 

Resolution

SMSMSE is reporting email attachments are unscannable.  An event ID 218 is logged to the Windows Application Event log similar to the following:

The message "First Test" located in SMTP has violated the following policy settings:
    Scan: Auto-Protect
    Rule: UFR - Malformed Files
The following actions were taken on it:
    The message "First Test" was marked for Quarantine for the following reason(s):
Scan Engine Error.  CSAPI DEC result: 0xA. A malformed container is detected. Engine Name: PDF. at location image1.emf within media within word

In addition SMSMSE may be quarantining these email attachments.

The remainder of this article describes how to configure SMSMSE to allow these items to pass through without changing the "Unscannable file rule".

First determine the file type SMSMSE considers the file then configure the registry to prevent those file types from being decomposed.

Determine the file type

Allow those types of files to pass through SMSMSE

32 bit systems: HKEY_LOCAL_MACHINE\Software\Symantec\SMSMSE\<version>\Server\AllowMalformedContainerTypes
64 bit systems: HKEY_LOCAL_MACHINE\Software\Wow6432Node\Symantec\SMSMSE\<version>\Server\AllowMalformedContainerTypes
Note: This entry is case sensitive.

           Note: You can add more than one value to this key. If you'd like to add additional values separate them from the existing value with a space.

           Note: MIME should always be included in addition to other defined Engine Name values

 

  1. Check the Application event log entry for the Event ID 218 associated with the file in question.
  2. Make note of the letters after the entry Engine name:.
  3. Create the following String registry key (if it does not already exist):
  4. Double click the registry entry to display the Edit String dialog box. In the Value Data box enter the Engine Name value exactly as it appeared in the Application event log.
  5. The following is an example for defining the PDF engine.
  6. Restart the Symantec Mail Security for Microsoft Exchange service.

 

Effects of setting this registry key

Normally, SMSMSE scans all files at the top level container first, and then breaks those files down into their component parts for scanning using an engine called 'decomposer'. In order to break a file down, the decomposer engine must first identify the files type, and then apply the appropriate decomposition algorithm for that file type. If the contents of the file do not match the expected content based on the file type, or if the decomposer misidentifies the file type, this will result in a Malformed Container detection.  After implementing this key, SMSMSE will still scan the top level container, and will still attempt to decompose the file, but if the file triggers a malformed container detection, and the engine name matches one listed in this key, the file will be allowed to pass rather than being blocked.

 

 

Attachments