07-15-2013 07:40 AM
I have the following messages in my ironport mail log file:
Wed Jun 26 09:04:33 2013 Info: MID 706715 attachment 'doc_129975.zip'
Wed Jun 26 09:04:33 2013 Warning: MID 706715: scanning error (name='doc_129975.exe', type=executable/exe): viewer bailed out
Wed Jun 26 09:04:33 2013 Info: MID 706715 queued for delivery
Unfortunately, this mail got delivered - but it shouldn't.
How can I configure IronPort so that mails with the error "viewer bailed out" are not delivered?
I have a C160 running 7.6.2-014
Thanks for your help.
07-15-2013 01:23 PM
Hi Joerg,
Under the mail policies what do you have set for unscannable messages?
Do you have Outbreak Filters enabled?
Thanks,
Luis Silva
"If you need PDI (Planning, Design, Implement) assistance feel free to reach"
http://www.cisco.com/web/partners/tools/pdihd.html
07-15-2013 11:50 PM
Hi Luis,
Outbreak filter is enabled.
Unscannable messages are set to deliver, prepending the message with [WARNING: A/V UNSCANNABLE]. But it was delivered without the modified subject, which probably means that it wasn't recognized as an unscannable message.
07-16-2013 09:43 AM
Hi Joerg,
Thanks for your response. In general, "Viewer bailed out" means that the content scanner has problems opening an attachment, because the file is corrupt or incomplete in some way. Throwing this error is in fact working as intended, as it gives us insight into why an attachment could not be scanned completely. Setting the mail logs to Debug level also gives us more details.
HTH,
Luis Silva
07-17-2013 12:02 AM
Hi Luis
I've set the log level of mail_logs to debug. Here is the result:
--- --- ---
Wed Jul 17 08:37:38 2013 Info: Start MID 721558 ICID 1396828
Wed Jul 17 08:37:38 2013 Info: MID 721558 ICID 1396828 From: <sender@sender.com>
Wed Jul 17 08:37:38 2013 Info: MID 721558 ICID 1396828 RID 0 To: <recipient@recipient.com>
Wed Jul 17 08:37:38 2013 Info: MID 721558 Message-ID '<WC20130717063703.77001C@sender.com>'
Wed Jul 17 08:37:38 2013 Info: MID 721558 Subject 'Fwd: Exe in Zip'
Wed Jul 17 08:37:38 2013 Info: MID 721558 ready 531240 bytes from <sender@sender.com>
Wed Jul 17 08:37:38 2013 Info: MID 721558 matched all recipients for per-recipient policy DEFAULT in the inbound table
Wed Jul 17 08:37:39 2013 Debug: MID 721558 using engine: CASE definitely negative
Wed Jul 17 08:37:39 2013 Info: MID 721558 using engine: CASE spam negative
Wed Jul 17 08:37:39 2013 Info: MID 721558 interim AV verdict using Sophos CLEAN
Wed Jul 17 08:37:39 2013 Info: MID 721558 antivirus negative
Wed Jul 17 08:37:39 2013 Info: MID 721558 attachment 'calc.zip'
Wed Jul 17 08:37:39 2013 Debug: scanning: MID 721558 'zip' file id 1802 (d), actually not ooxml
Wed Jul 17 08:37:39 2013 Warning: MID 721558: scanning error (name='calc.exe', type=executable/exe): viewer bailed out
Wed Jul 17 08:37:39 2013 Debug: scanning: MID 721558 id 1800: ("'_stellent _stellent.check_error 113'", "
Wed Jul 17 08:37:39 2013 Info: MID 721558 Outbreak Filters: verdict positive
Wed Jul 17 08:37:39 2013 Info: MID 721558 Threat Level=3 Category=Virus Type=Viral Attachment
Wed Jul 17 08:37:39 2013 Info: MID 721558 Virus Threat Level=3
Wed Jul 17 08:37:39 2013 Info: MID 721558 attachment types zip
Wed Jul 17 08:37:40 2013 Info: MID 721558 quarantined to "Outbreak" (Outbreak rule:OUTBREAK_0006381)
--- --- --- ---
The mail was put into the outbreak quarantine, but after a while, it will be delivered without any further checking. But the policy defines that exe files must be deleted in any case, or copied to the policy quarantine.
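For anyone auditing their own mail_logs for the behaviour reported in the posts above, here is an added example (not part of the original thread and not Cisco code) that flags every MID which logged a content-scanning error and reports what happened to it afterwards. The regular expressions are assumptions derived only from the log lines quoted in this thread, and the function name and sample MID 900001 are constructed.

```python
import re
from collections import defaultdict

# Lines for MID 706715 and 721558 are copied from the thread above;
# the MID 900001 lines are constructed to show a message that is not flagged.
SAMPLE_LOG = """\
Wed Jun 26 09:04:33 2013 Info: MID 706715 attachment 'doc_129975.zip'
Wed Jun 26 09:04:33 2013 Warning: MID 706715: scanning error (name='doc_129975.exe', type=executable/exe): viewer bailed out
Wed Jun 26 09:04:33 2013 Info: MID 706715 queued for delivery
Wed Jul 17 08:37:39 2013 Info: MID 721558 attachment 'calc.zip'
Wed Jul 17 08:37:39 2013 Warning: MID 721558: scanning error (name='calc.exe', type=executable/exe): viewer bailed out
Wed Jul 17 08:37:40 2013 Info: MID 721558 quarantined to "Outbreak" (Outbreak rule:OUTBREAK_0006381)
Wed Jul 17 08:40:01 2013 Info: MID 900001 attachment 'report.pdf'
Wed Jul 17 08:40:01 2013 Info: MID 900001 queued for delivery
"""

# Patterns assumed from the log format shown in the thread.
SCAN_ERROR = re.compile(
    r"Warning: MID (\d+): scanning error \(name='([^']*)', type=([^)]*)\): (.+)$")
QUEUED = re.compile(r"Info: MID (\d+) queued for delivery")
QUARANTINED = re.compile(r'Info: MID (\d+) quarantined to "([^"]+)"')


def find_unscanned_messages(log_text):
    """Return {MID: {"errors": [(name, type, reason)], "disposition": str}}
    for every message that logged a content-scanning error."""
    errors = defaultdict(list)
    disposition = {}
    for line in log_text.splitlines():
        if m := SCAN_ERROR.search(line):
            errors[m.group(1)].append(
                (m.group(2), m.group(3), m.group(4).strip()))
        elif m := QUEUED.search(line):
            disposition[m.group(1)] = "queued for delivery"
        elif m := QUARANTINED.search(line):
            disposition[m.group(1)] = f"quarantined:{m.group(2)}"
    return {mid: {"errors": errs,
                  "disposition": disposition.get(mid, "unknown")}
            for mid, errs in errors.items()}


if __name__ == "__main__":
    for mid, info in find_unscanned_messages(SAMPLE_LOG).items():
        for name, ftype, reason in info["errors"]:
            print(f"MID {mid}: {name} ({ftype}) not scanned "
                  f"[{reason}] -> {info['disposition']}")
```

A MID reported as "queued for delivery" bypassed the content filter outright; one reported as quarantined to "Outbreak" is worth tracking too, since the post above reports that such messages are later delivered without further checking.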
07-17-2013 09:56 AM
Hi Joerg,
I found this bug CSCzv79270 but it might be fixed on the version you are running.
At this point I suggest you raise a TAC case.
Thanks,
Luis Silva
07-18-2013 12:10 AM
Hi Luis
Thank you very much for your explanations and your advice. I'll raise a TAC case and let you know.
Regards
Joerg
08-28-2013 07:56 AM
Hi Luis
Just to let you know.
I'm now on AsyncOS 7.6.3-019. Unfortunately no success. Cisco has accepted this as a bug. The Bug ID is 26487. So I'll wait for an indefinite time.
Thank you once more for your advice.
Regards
Jörg
08-28-2013 08:07 AM
Thanks for sharing your experience. At some point you can contact your Account Team to expedite the resolution of the bug since it is in the "Release Pending" state.
I hope it won't take that long.
Luis Silva