Messaging gateway and Content Analysis Server integration logic and Zip attachments.
Messaging Gateway 10.7.x
SMG breaks every email down to its component parts. An email message is, itself, an archive, made up of, at a minimum, the message as a whole (including the headers) and the message body.
Most times, there is both a plain text message body, and an HTML message body. If there are embedded images, each image is a separate part, possibly there may be another email message attached to the first, and, of course, attached files. If these parts are, themselves, archives (such as attached email messages, or zip files, or some types of Microsoft documents) then those archives are broken down into their component parts, and potentially those parts are archives, and so on. This is why the Messaging Gateway (SMG) has a configurable limitation of how deeply nested SMG is allowed to go before considering a message to be unscannable (default is 20 nested layers).
Each one of these parts is scanned by all of our different technologies. For Threat Defense, before the file is passed to Content Analysis server (CAS), it is first compared to two lists of file types that are automatically excluded from being sent to CAS. The first of these is defined by Broadcom, and is not editable - it contains the file types of: text files, email messages, and XML files.
The second list is available for the customer to add files to - it is, by default, empty.
When originally designed, it was deemed best to be certain, and pass all possible files to CAS.
In circumstances where the CAS appliance was already (for example) sent a ZIP file, and then the files within that ZIP are sent to the same CAS appliance, the CAS appliance would recognize this fact, and return the cached result of the previous scan.