NOTE: This article only applies to environments utilizing Microsoft VSAPI technology. This technology is not available in Exchange 2013 or later.
Symantec Mail Security for Microsoft Exchange (SMSMSE) detects executable content in email messages when no executable attachments have been added an email. This behavior occurs when either File Type Filtering or File Filtering has Executable File Rule enabled.
Virus Scan API (VSAPI) is a feature of the Microsoft Exchange Information Store in Exchange 2010 and earlier. It functions by initiating virus scans on access / create of new objects in the Information Store. When VSAPI determines a scan is required on an object it will check the Windows registry to determine the location of the Antivirus Scanner and pass the content to a listening thread.
As part of the creation process objects (such as emails), Exchange may package the objects into file formats that differ from the original source content. For example, it is common when using Rich Text Format (RTF) to create emails with embedded image files for Exchange to generate a Microsoft Installer (MSI) file object prior to delivery of the message to the Exchange Transport Service. This new object will be flagged to be scanned by VSAPI and passed to the listening Antivirus scanner.
Symantec Mail Security for Microsoft Exchange (SMSMSE) has the capability to listen for VSAPI requests. It can then perform Antivirus, Content filtering, and File filtering against the objects passed by VSAPI. If SMSMSE has File Filtering enabled it is possible to receive unexpected detections such as a detection of executable files in RTF formatted messages with embedded image objects.
There are multiple options to resolve the issue depending on the version of Symantec Mail Security for Microsoft Exchange deployed inside the environment.
7.5.5 & later:
Solution #1: Disable VSAPI scanning for Executable files.
The following process will disable VSAPI scanning for Executable files. The files will still be scanned when the messages are passed into the Exchange Transport Pipeline.
In the SMSMSE console navigate to: Policies > File Type Filtering Rules > Executable File Rule
Expand Application & Executables
Uncheck "Internal message (store)
Solution #2: Disable the specific executable type causing the detection.
The following process will disable the true-type scanning of specific types for both VSAPI and Transport.
In the SMSMSE console navigate to: Policies > File Filtering Rules > Executable File Rule
Expand Application & Executables
Uncheck the specific type in which not to scan (Example: Windows Installer Package (.msi))
7.5.4 & earlier:
Solution: - Enable/Disable Executable File Rule.
For earlier versions of the product the Executable File Rule is either Enabled or Disabled. There are no granular options to choose specific executable types or to limit detection to the direction of the message. When the Executable File Rule option is enabled all messages touched by the Information Store will have a determination made against them if they contain Executable content.
You can Enable or Disable the rule by navigating to Polices>File Filtering Rules>Executable File Rule within the SMSMSE console.
Subscribing will provide email updates when this Article is updated. Login is required.