Microsoft KB Archive/939413

= Forefront Security deletes all 2007 Office files =

Article ID: 939413

Article Last Modified on 9/21/2007

-

APPLIES TO


 * Microsoft Forefront Security for Exchange Server
 * Microsoft Forefront Security for SharePoint

-



SYMPTOMS
Microsoft Forefront Security for Exchange Server and Microsoft Forefront Security for SharePoint delete all 2007 Microsoft Office files.



CAUSE
This issue occurs if the following conditions are true:
 * You have an *.xml file filter enabled in Forefront Security.
 * The Max Container File Infections option is set to 5.

Note Five is the default value for the Max Container File Infections option.

Forefront Security parses a .docx file as it does with any other compressed file. Forefront Security scans all XML files that are contained in a .docx file. Then, Forefront Security matches each XML file together with the .xml file filter that is enabled.

In this situation, after Forefront Security scans the first five XML files and then deletes the first five XML files, Forefront Security detects the sixth XML file as infected. Then, Forefront Security deletes the .docx file. Additionally, Forefront Security reports this sixth incident as ExceedingInfected. This behavior is an expected behavior.



WORKAROUND
To work around this issue, create a &quot;Skip: detect only&quot; file filter for OPENXML files (2007 Office files). Make sure that these file filters appear above XML file filters in the list of filters that you configure.

For example, you can create a list of file filters that resembles the following.

When you apply this file filter configuration, Forefront Security applies the regular file filters first. Next, Forefront Security applies the 2007 Office &quot;Skip: detect only&quot; file filters. Then, Forefront Security applies the XML filters.

If a file matches a &quot;Skip: detect only&quot; filter, Forefront Security does not compare the file with any other file filters for the particular scan job. Therefore, the XML filters are not applied to the 2007 Office files.

Note The &quot;Skip: detect only&quot; action applies only to file filtering. Other types of filtering are still applied.



MORE INFORMATION
For more information about how to create &quot;Skip: detect only&quot; file filters, see the Forefront Security for Exchange Server User Guide and the Forefront Security for SharePoint User Guide.

For more information about the Office Open XML File Formats, visit the following Microsoft Web site:

http://msdn2.microsoft.com/en-us/library/aa338205.aspx

Keywords: kbtshoot kbexpertiseadvanced kbprb KB939413

-

[mailto:TECHNET@MICROSOFT.COM Send feedback to Microsoft]

© Microsoft Corporation. All rights reserved.