After upgrading to Symantec Mail Security for Microsoft Exchange (SMSMSE) 7.5.5 or 7.5.6, PDF files that previously passed without error are called unscannable, and the action for UFR-Malformed Files is taken against the message.
Log Name: Application
Source: Symantec Mail Security for Microsoft Exchange
Date: <Date Time>
Event ID: 218
Task Category: Unscannable
Computer: <server name>
The message "<subject line>" located in <scan location> has violated the following policy settings:
Rule: UFR - Malformed Files
The following actions were taken on it:
The message "<subject line>" was marked for Quarantine for the following reason(s):
Scan Engine Error. CSAPI DEC result: 0xA. A malformed container is detected. Engine Name: PDF.
For more information, visit https://entced.symantec.com/entt?product=SMSMSE&build=symantec_ent&version=220.127.116.11&language=english&module=event_logging&error=218 .
The engine that breaks container files (PDF is a container file type) down to their component parts for scanning, called the decomposer engine, was upgraded with the 7.5.5 release. Previously, the decomposer engine would fix minor malformity in container files prior to breaking them down to their component parts. This behavior has changed, the decomposer will no longer fix minor malformity, and instead will process the file exactly as it was received.
Many PDF files contain invalid xref content, and because the repair code is not being run against these files, the invalid xref content causes these files to be legitimately deemed malformed. For details on PDF xref tables, see PDF Reference page 93, section 3.4.3 Cross-Reference Table
A PDF file with invalid xref content can still be opened by a PDF reader in many cases, it may appear the file has no malformity, but because SMSMSE is security software, it must be able to follow all links in all content in order to be able to verify the content is clean. If one of these xref links cannot be followed, the engine cannot verify the file is clean, and thus it will be deemed malformed, and the action configured for the UFR - Malformed files will be taken.
This issue has been resolved in SMSMSE 7.9.0, please upgrade to 7.9.0 to fully resolve this issue.
A Hotfix has been created to resolve this issue. To implement the hotfix you must be running Symantec Mail Security for Microsoft Exchange (SMSMSE) 7.5.5 or 7.5.6.
Instructions to implement Hotfix:
To automatically deploy:
This will automatically stop the SMSMSE services, deploy the new binaries and start the SMSMSE services.
For manual deployment:
Workaround (Other malformed instances)
Applying this hotfix resolves a specific subset of files that are mistakenly identified as malformed. Some files are legitamately malformed and your organization may want these malformed files successfully delivered.
There are several methods available to allow malformed files if an organization requires that these files be received. See Unscannable file handling options available with Symantec Mail Security for Microsoft Exchange 7.5 and later for further details on all the options available. For most organizations, the solution in How to allow malformed containers with Symantec Mail Security for Microsoft Exchange (SMSMSE) 6.5.5 or later strikes the best balance between security and availability of email information.