SMSMSE is reporting email attachments are unscannable. An event ID 218 is logged to the Windows Application Event log similar to the following:
The message "First Test" located in SMTP has violated the following policy settings: Scan: Auto-Protect Rule: UFR - Malformed Files The following actions were taken on it: The message "First Test" was marked for Quarantine for the following reason(s): Scan Engine Error. CSAPI DEC result: 0xA. A malformed container is detected. Engine Name: PDF. at location image1.emf within media within word
In addition SMSMSE may be quarantining these email attachments.
The remainder of this article describes how to configure SMSMSE to allow these items to pass through without changing the "Unscannable file rule".
First determine the file type SMSMSE considers the file then configure the registry to prevent those file types from being decomposed.
Determine the file type
Allow those types of files to pass through SMSMSE
32 bit systems: HKEY_LOCAL_MACHINE\Software\Symantec\SMSMSE\<version>\Server\AllowMalformedContainerTypes 64 bit systems: HKEY_LOCAL_MACHINE\Software\Wow6432Node\Symantec\SMSMSE\<version>\Server\AllowMalformedContainerTypes Note: This entry is case sensitive.
Note: You can add more than one value to this key. If you'd like to add additional values separate them from the existing value with a space.
Note: MIME should always be included in addition to other defined Engine Name values
Check the Application event log entry for the Event ID 218 associated with the file in question.
Make note of the letters after the entry Engine name:.
Create the following String registry key (if it does not already exist):
Double click the registry entry to display the Edit String dialog box. In the Value Data box enter the Engine Name value exactly as it appeared in the Application event log.
The following is an example for defining the PDF engine.
Restart the Symantec Mail Security for Microsoft Exchange service.
Effects of setting this registry key
Normally, SMSMSE scans all files at the top level container first, and then breaks those files down into their component parts for scanning using an engine called 'decomposer'. In order to break a file down, the decomposer engine must first identify the files type, and then apply the appropriate decomposition algorithm for that file type. If the contents of the file do not match the expected content based on the file type, or if the decomposer misidentifies the file type, this will result in a Malformed Container detection. After implementing this key, SMSMSE will still scan the top level container, and will still attempt to decompose the file, but if the file triggers a malformed container detection, and the engine name matches one listed in this key, the file will be allowed to pass rather than being blocked.
Imported Document ID: HOWTO59051
Subscribing will provide email updates when this Article is updated. Login is required.