Email with PDF quarantined even with Exclusion
-
This is MD 19.5.9 x64
An email came in, had a PDF attachment. For some reason, it could not be scanned and the email was quarantined. The PDF is not password protected, so the reason it could not be scanned is unclear.
In any case, I added an exclusion of Sender *@peabody...com for *.pdf files and released the quarantined email.
The recipient is patrick@sdg...com
The recipient then tried to forward it to another account (pat@sdg...com) and that email got quarantined also, even though there was a pre-configured exclusion (for password protected files).
I had to manually release that email also.
I have log files and a screen shot showing the settings and exclusion.
Maybe the PDF couldn't be scanned for some other reason, but how do I exclude those?
-
Arron Staff
What does the \MDaemon\SecurityPlus\Ikarus\scan.server\log\scan\scanserver.log file show happened? The log has a size limit so it may no longer have the information. If it does not, can you process the message and then check the scanserver.log file? If you are unable to reprocess the message, can you send me a copy of the PDF?
The exclusion you configured is specifically for password protected files. Since the PDF is not password protected, the exclusion will not be applied.
-
Hi Arron,
I tried to re-queue the message from archive, but it passes through with this message:
Restricted attachment processing skipped because message was manually released from quarantine queue
I'll email you directly with a link to download the email and attachment, etc.
-
Arron Staff
I've logged a bug about the message not being reprocessed when it is requeued.
I was able to reproduce the issue with the PDF being reported as a nonscan. The IKARUS engine is flagging it as a mail bomb. This occurs when the AV engine detects that the file will expand to be significantly larger. IKARUS is intending to improve upon this functionality for the next version.
There are a couple ways you can work around this.
1. Add a password to the PDF. Since you've already added the exclusions for password protected files, this should allow it to pass through the system.
2. Add an AV exclusion to exclude the message from scanning. Unfortunately you would have to exclude all messages from or to an address.
-
Okay, thanks very much.
If it continues to be an issue from that sender, I'll think about the AV Exclusion.
-
Yep, it happened again, had to AV Exclude the sender.