Microsoft Office Documents are blocked as Binary Unknown files


This article applies to:

  • Trustwave MailMarshal (SEG)
  • Trustwave ECM/MailMarshal Exchange

Symptoms:

  • Microsoft Office Documents are blocked as Binary Unknown files.
  • Microsoft Office Documents are quarantined by the Block Unknown Attachments rule.

Causes:

MailMarshal sometimes fails to recognize certain objects embedded in Microsoft Office documents. These embedded objects are usually components such as Clip-Art. For example, a Microsoft Excel spreadsheet may be blocked because it contains an embedded enhanced metafile (EMF) that MailMarshal classifies as Binary Unknown.

Reply:

One way of dealing with these embedded but unrecognized files is to alter your rule so that unknown attachments are allowed through only if the attachment parent is a Microsoft Office document. This lets you continue to run your Unknown Attachments rule for all other unknown attachments.

Alter your rule as follows:

Standard Rule: Block Unknown Attachments
When a message arrives
Where the message is incoming
Where message attachment is of type 'BIN'
    And where attachment parent is not of type: 'DOCUMENT'
Send a 'Administrator Generic (With message attached)' and a 'Unrecognized Attachment In' notification message
    And move the message to 'Unknown Attachments'

Note: The rule uses the condition "is not of type: 'DOCUMENT'" (not the condition "is of type: 'DOCUMENT'").

Initially, you may think this rule opens up your system to great risk. However, to pass through the rule, a file must be embedded in a Microsoft Office document and MailMarshal must fail to recognize its file type. Thus, your system is not susceptible to standard items such as MP3s, MPEGs, etc., even if these files are embedded in Microsoft Office documents.

This article was previously published as:
NETIQKB45343

Last Modified 5/1/2020.
https://support.trustwave.com/kb/KnowledgebaseArticle10642.aspx