After upgrading to Symantec Mail Security for Microsoft Exchange (SMSMSE) 7.5.5 or 7.5.6, PDF files that previously passed without error are reported as unscannable, and the action configured for UFR - Malformed Files is taken against the message.
Log Name: Application
Source: Symantec Mail Security for Microsoft Exchange
Date: <Date Time>
Event ID: 218
Task Category: Unscannable
Computer: <server name>
The message "<subject line>" located in <scan location> has violated the following policy settings:
Rule: UFR - Malformed Files
The following actions were taken on it:
The message "<subject line>" was marked for Quarantine for the following reason(s):
Scan Engine Error. CSAPI DEC result: 0xA. A malformed container is detected. Engine Name: PDF.
For more information, visit https://entced.symantec.com/entt?product=SMSMSE&build=symantec_ent&version=188.8.131.52&language=english&module=event_logging&error=218 .
The decomposer engine, which breaks container files (PDF is a container file type) down into their component parts for scanning, was upgraded with the 7.5.5 release. Previously, the decomposer engine would fix minor malformity in container files before breaking them down into their component parts. This behavior has changed: the decomposer no longer fixes minor malformity and instead processes the file exactly as it was received.
Many PDF files contain invalid xref content, and because the repair code is no longer run against these files, the invalid xref content causes them to be legitimately deemed malformed. For details on PDF xref tables, see PDF Reference page 93, section 3.4.3 Cross-Reference Table.
In many cases a PDF file with invalid xref content can still be opened by a PDF reader, so it may appear that the file has no malformity. Because SMSMSE is security software, however, it must be able to follow all links in all content in order to verify that the content is clean. If one of these xref links cannot be followed, the engine cannot verify that the file is clean, so the file is deemed malformed and the action configured for UFR - Malformed Files is taken.
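The kind of xref check described above can be reproduced outside the product to triage quarantined attachments. This is an added example, not Symantec code and not the decomposer's actual logic; the names check_xref and build_pdf and the sample PDF are constructed for illustration, and only the last classic cross-reference table is examined.

```python
import re

def check_xref(data: bytes) -> list:
    """List problems in the last classic xref table (xref streams and /Prev chains not followed)."""
    m = re.search(rb"startxref\s+(\d+)\s+%%EOF\s*$", data)
    if not m:
        return ["no startxref/%%EOF trailer at end of file"]
    pos = int(m.group(1))
    if data[pos:pos + 4] != b"xref":
        return [f"startxref offset {pos} is not an 'xref' keyword (or an xref stream is used)"]
    problems, lines, i = [], data[pos:].splitlines()[1:], 0
    while i < len(lines) and lines[i].strip() != b"trailer":
        head = re.fullmatch(rb"(\d+) (\d+)\s*", lines[i])
        if not head:  # subsection header must be "<first object> <count>"
            problems.append(f"bad subsection header {lines[i]!r}")
            break
        first, count = int(head.group(1)), int(head.group(2))
        for n, entry in enumerate(lines[i + 1:i + 1 + count], start=first):
            e = re.fullmatch(rb"(\d{10}) (\d{5}) ([nf])\s*", entry)
            if not e:
                problems.append(f"object {n}: malformed entry {entry!r}")
                continue
            off, gen = int(e.group(1)), int(e.group(2))
            # An in-use ("n") entry must point at the "<num> <gen> obj" header.
            target = re.match(rb"%d\s+%d\s+obj\b" % (n, gen), data[off:off + 32])
            if e.group(3) == b"n" and not target:
                problems.append(f"object {n}: offset {off} is not '{n} {gen} obj'")
        i += 1 + count
    return problems

def build_pdf(shift: int = 0) -> bytes:
    """Constructed sample: minimal two-object PDF; shift skews the recorded offsets."""
    body, offsets = b"%PDF-1.4\n", []
    objs = [b"<< /Type /Catalog /Pages 2 0 R >>", b"<< /Type /Pages /Kids [] /Count 0 >>"]
    for n, obj in enumerate(objs, start=1):
        offsets.append(len(body))
        body += b"%d 0 obj\n%s\nendobj\n" % (n, obj)
    xref_pos = len(body)
    body += b"xref\n0 3\n0000000000 65535 f \n"
    for off in offsets:
        body += b"%010d 00000 n \n" % (off + shift)
    return body + b"trailer\n<< /Size 3 /Root 1 0 R >>\nstartxref\n%d\n%%%%EOF\n" % xref_pos

if __name__ == "__main__":
    print("valid sample: ", check_xref(build_pdf()))
    print("skewed sample:", check_xref(build_pdf(shift=3)))
```

A clean result here does not mean SMSMSE will pass the file, since the product's engine checks more than this table.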
This issue has been resolved in SMSMSE 7.9.0. Upgrade to 7.9.0 to fully resolve this issue.
Workaround
A hotfix has been created to resolve this issue. To implement the hotfix you must be running Symantec Mail Security for Microsoft Exchange (SMSMSE) 7.5.5 or 7.5.6.
Instructions to implement Hotfix:
Download hotfix Hotfix_4123255.zip from this article.
Extract the contents of the Hotfix to a temporary location on the server with SMSMSE installed.
To automatically deploy:
Right-click ApplyHF.ps1 and choose "Run with PowerShell".
This will automatically stop the SMSMSE services, deploy the new binaries and start the SMSMSE services.
For manual deployment:
Stop "Symantec Mail Security for Microsoft Exchange" service.
Stop "Symantec Mail Security Utility Service" service.
Copy all files from Extracted folder ...\SMSMSE_7.5_4123255_Hotfix\definitions\Decomposer to folder "C:\Program Files (x86)\Common Files\Symantec Shared\definitions\Decomposer"
Copy Dec2.dll, DecSDK.dll from Extracted folder ...\SMSMSE_7.5_4123255_Hotfix to folder <Install Dir>\SMSMSE\7.5\Server
Copy all files from Extracted folder "\SMSMSE_7.5_4123255_Hotfix\BEIK" to folder <Install Dir>\SMSMSE\7.5\Server\bin
Start "Symantec Mail Security for Microsoft Exchange" service.
Start "Symantec Mail Security Utility Service" service.
Workaround (Other malformed instances)
Applying this hotfix resolves the issue for a specific subset of files that are mistakenly identified as malformed. Some files are legitimately malformed, and your organization may want these malformed files successfully delivered.