This article applies to:
- Trustwave MailMarshal (SEG)
- McAfee for Marshal
Symptoms:
- MailMarshal is blocking all messages with zip attachments as virus infected.
- All messages with zipped attachments report a scanner error, which triggers the Block Virus rule.
- Error: 'Virus scanner ERROR ... unexpected error: File is locked or access denied.'
Causes:
The issue appears to be caused by double backslash (\\) characters in the path of the file being scanned by McAfee for Marshal. You will most likely see entries similar to the one below in the MailMarshal Engine logs:
MSMcAfee.dll: Scanning file 'C:\Program Files\Marshal\MailMarshal\\T3\U2\MsgHeader.txt'
The double backslash is usually present when there is no defined location for unpacking and virus scanning in the MailMarshal Server configuration.
Reply:
To address this issue, you will need to define a location for message unpacking and virus scanning:
- Stop all the MailMarshal services. (Note: If the problem exists on a node that also serves as an Array Manager, you will need to stop the Array Manager service as well.)
- On the problem MailMarshal node, run the MailMarshal Server Tool.
- Go to Folders | Location For Unpacking and Virus Scanning.
- Add a valid folder location for unpacking. The default location (version 8.0) is
C:\Program Files\Trustwave\Secure Email Gateway\Unpacking.
- For full details of the location for each version, see article Q10832.
- Click OK or Apply. Do NOT choose to move files when prompted.
- Restart the MailMarshal services
If the resolution above is not appropriate for your installation, please refer to the following alternative workaround:
It is possible to allow all these messages to be scanned properly by configuring the Block Virus rule not to quarantine messages in the event of these scanner errors. However, Trustwave recommends that you create separate rules to handle the anti-virus errors in a more appropriate fashion. The suggested rules for this workaround are listed below.
Create all three of these rules for correct handling of virus scanning results:
RULE 1 - should block messages if, and only if, the result is 'Contains Virus'. Uncheck all the other options in the Virus Scan Rule Condition.
Standard Rule: Block Virus
When a message arrives
Where message is incoming
Where the result of a virus scan, when scanning with all scanners, is 'Contains Virus'
Send a 'Virus In' notification message
And move the message to 'Virus'
RULE 2 - This is the rule that handles the error 'File is locked or access denied'. Note that these zip files are still scanned normally and truly infected files will still be detected as normal. This rule basically records that the error occurred and allows the message to continue processing.
Standard Rule: Virus - Unexpected error
When a message arrives
Where message is incoming
Where the result of a virus scan, when scanning with all scanners, is 'Unexpected Error'
Copy the message to 'Virus - Unexpected Error'
And pass message to the next rule for processing.
RULE 3 - handles the other problem files that your scanner may encounter. Note that with errors like 'Password Protected' and 'Corrupt File', normal virus scanning is not performed and for that reason, these message should not be allowed through. They should not, however, be labelled as viruses. Sending a notification to end users indicating these messages are infected may cause some confusion. Instead, use a notification that indicates the true nature of the problem, perhaps suggesting to resend without password protection.
Standard Rule: Virus - Unable to scan
When a message arrives
Where message is incoming
Where the result of a virus scan, when scanning with all scanners, is 'Password Protected' or 'Corrupt File' or 'Signatures Out Of Date' or 'Could Not Unpack Or Analyze'
Send a 'Virus - unable to scan' notification message
And move the message to 'Virus - Error'
- This article was previously published as:
- NETIQKB42907
