PRB: Symantec Scan Engine reports "Malformed Container violation" for most messages
This article applies to:
- Trustwave SEG/MailMarshal SMTP
- Trustwave ECM/MailMarshal Exchange
- Symantec Antivirus Scan Engine
- Symantec Protection Engine
- Symantec Scan Engine detects the virus "Malformed Container violation" in most messages.
- Symantec Scan Engine virus scanner reports the virus "Malformed container violation" found when scanning a message header.
- When MailMarshal processes a message, it unpacks the message into its constituent components (header, body and attachments).
- MailMarshal sends the entire message, and also each individual component, to each configured virus scanner for scanning.
- The Symantec Scan Engine expects to receive an entire email message, which it then unpacks. When an email header component is sent to the Symantec Scan Engine, it sees this file as a corrupt email message. By default it returns the 'Malformed Container' result.
When using the Symantec Scan Engine or Protection Engine with MailMarshal, disable Malformed Container detection. Configure the Symantec Scan Engine filtering policy to allow processing of Malformed Container files.
- In the Symantec Scan Engine Console, navigate to Select Policies -> Filtering -> Container Handling -> Malformed Container File Processing.
- Deselect the 'Block malformed containers' option, or choose "log only" (depending on Symantec version).
- After correcting this configuration setting, to determine any actual virus content, reprocess affected messages that were quarantined by MailMarshal.
- Please note that changing this configuration setting does not reduce the quality of virus detection with MailMarshal. MailMarshal scans a message both as a whole and as its individual components.
- This information is confirmed in a Symantec Knowledge Base article.