SMSMSE is reporting email attachments are unscannable. An event ID 218 is logged to the Windows Application Event log similar to the following:
The message "First Test" located in SMTP has violated the following policy settings:
Rule: UFR - Malformed Files
The following actions were taken on it:
The message "First Test" was marked for Quarantine for the following reason(s):
Scan Engine Error. CSAPI DEC result: 0xA. A malformed container is detected. Engine Name: PDF. at location image1.emf within media within word
In addition SMSMSE may be quarantining these email attachments.
The remainder of this article describes how to configure SMSMSE to allow these items to pass through without changing the "Unscannable file rule".
First determine the file type SMSMSE considers the file then configure the registry to prevent those file types from being decomposed.
Determine the file type
Allow those types of files to pass through SMSMSE
32 bit systems: HKEY_LOCAL_MACHINE\Software\Symantec\SMSMSE\<version>\Server\AllowMalformedContainerTypes
64 bit systems: HKEY_LOCAL_MACHINE\Software\Wow6432Node\Symantec\SMSMSE\<version>\Server\AllowMalformedContainerTypes
Note: This entry is case sensitive.
Note: You can add more than one value to this key. If you'd like to add additional values separate them from the existing value with a space.
Note: MIME should always be included in addition to other defined Engine Name values
Effects of setting this registry key
Normally, SMSMSE scans all files at the top level container first, and then breaks those files down into their component parts for scanning using an engine called 'decomposer'. In order to break a file down, the decomposer engine must first identify the files type, and then apply the appropriate decomposition algorithm for that file type. If the contents of the file do not match the expected content based on the file type, or if the decomposer misidentifies the file type, this will result in a Malformed Container detection. After implementing this key, SMSMSE will still scan the top level container, and will still attempt to decompose the file, but if the file triggers a malformed container detection, and the engine name matches one listed in this key, the file will be allowed to pass rather than being blocked.