Microsoft KB Archive/940471

= When you receive e-mail messages from a computer that is running Forefront Security for Exchange Server 2007, the content of the e-mail messages may be replaced =

Article ID: 940471

Article Last Modified on 9/5/2007


APPLIES TO

 * Microsoft Forefront Security for Exchange Server, when used with:
 ** Microsoft Exchange Server 2007 Enterprise Edition
 ** Microsoft Exchange Server 2007 Standard Edition




SYMPTOMS
When you receive e-mail messages from a Microsoft Exchange server that is running Microsoft Forefront Security for Exchange Server 2007, the content of the e-mail messages may be replaced. No files are attached to the e-mail messages. Instead, the e-mail messages contain the following deletion text:

FILE QUARANTINED

Microsoft Forefront Security for Exchange Server removed a file since it was found to match a filter.

File name: "winmail.dat"

Filter name: "FILE FILTER= unnamed: *.exe; Container Removed"

Additionally, text that resembles the following is logged in the Programlog.txt file on the Forefront Security for Exchange Server 2007 computer:

Mon Jul 23 09:12:47 2007 ( 4708- 1116), "INFORMATION: Internet scan found virus: Folder: SMTP Messages\Internal

Message: RE: Good morning

Message ID:  File: winmail.dat Incident: FILE FILTER= *.exe; Container Removed

Scanner: 0

State: Removed"



CAUSE
This issue may occur if one of the following conditions is true:
 * Forefront Security detects virus-infected data in the Winmail.dat file.
 * Forefront Security matches a condition that is set in a filter setting.

Forefront Security first converts part of the original message into a Winmail.dat file. Then, as part of transport scanning, Forefront Security scans the Winmail.dat file as a container file. If the original message in the Winmail.dat file contains a virus match or a filter match, Forefront Security replaces the infected component with the deletion text. However, if the Max Container File Infections option in the General Options pane of the Forefront Server Security Administrator client is set to zero (0), the whole container file (Winmail.dat) is deleted.
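To identify which messages lost their whole Winmail.dat container, the Programlog.txt entries quoted under SYMPTOMS can be searched for winmail.dat incidents that end in "Container Removed". The following Python sketch is an added example, not Microsoft's code; it assumes log entries follow the layout quoted in this article, and the sample log and function names are constructed for illustration.

```python
import re
from datetime import datetime

# Constructed sample: the first entry copies the layout quoted in this article,
# the second is an invented non-container incident for contrast.
SAMPLE_LOG = r'''Mon Jul 23 09:12:47 2007 ( 4708- 1116), "INFORMATION: Internet scan found virus: Folder: SMTP Messages\Internal
Message: RE: Good morning
Message ID:  File: winmail.dat Incident: FILE FILTER= *.exe; Container Removed
Scanner: 0
State: Removed"
Mon Jul 23 09:15:02 2007 ( 4708- 1116), "INFORMATION: Internet scan found virus: Folder: SMTP Messages\Internal
Message: Quarterly report
Message ID:  File: setup.exe Incident: FILE FILTER= *.exe
Scanner: 0
State: Removed"
'''

# An entry starts with a ctime-style timestamp followed by "(pid- tid)".
ENTRY_START = re.compile(r'^(\w{3} \w{3} [ \d]\d \d\d:\d\d:\d\d \d{4}) \(', re.M)
# Fields may be separated by spaces, newlines or blank lines; Message ID may be empty.
FIELDS = re.compile(
    r'Message: (?P<subject>.*?)\s+Message ID:\s*(?P<msgid>.*?)\s*File: (?P<file>\S+)'
    r'\s+Incident: (?P<incident>.*?)\s+Scanner:.*?State: (?P<state>\w+)', re.S)

def parse_entries(text):
    """Yield one dict per scan incident found in Programlog.txt text."""
    starts = [m.start() for m in ENTRY_START.finditer(text)]
    for begin, end in zip(starts, starts[1:] + [len(text)]):
        chunk = text[begin:end]
        fields = FIELDS.search(chunk)
        if not fields:
            continue  # some other kind of log entry
        rec = fields.groupdict()
        stamp = ENTRY_START.match(chunk).group(1)
        rec['time'] = datetime.strptime(stamp, '%a %b %d %H:%M:%S %Y')
        yield rec

def tnef_container_removals(text):
    """Return incidents where the whole winmail.dat container was removed."""
    return [e for e in parse_entries(text)
            if e['file'].lower() == 'winmail.dat'
            and e['incident'].rstrip().endswith('Container Removed')]

if __name__ == '__main__':
    for hit in tnef_container_removals(SAMPLE_LOG):
        print(hit['time'].isoformat(), hit['subject'], '|', hit['incident'])
```
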



RESOLUTION
To resolve this issue, you can configure Forefront Security to replace infected content in the Winmail.dat files without removing the whole Winmail.dat file. To do this, follow these steps:
 * 1) Click Start, point to Programs, point to Microsoft Forefront Server Security, point to Exchange Server, and then click Forefront Server Security Administrator.
 * 2) In the What server you want to connect to box, click the appropriate Exchange server. Or, click Browse, and then locate the server that you want.
 * 3) Click OK.
 * 4) In Shuttle Navigator, click Settings, and then click General Options.
 * 5) In the Scanning area, type a suitable value in the Max Container File Infections box. For example, to allow up to five detections within a container file, set the value to 5.
 * 6) Click Save.
 * 7) Close Forefront Server Security Administrator.
 * 8) Click Start, click Run, type Services.msc, and then click OK.
 * 9) In the Services snap-in, restart the FSCController service.


MORE INFORMATION
For more information about Forefront Security, visit the following Microsoft Web site:

http://www.microsoft.com/technet/antigen/2006/gettingstarted/exchange-userguide/default.mspx?mfr=true

For more information about the Winmail.dat file, click the following article number to view the article in the Microsoft Knowledge Base:

290809 How e-mail message formats affect Internet e-mail messages in Outlook

Keywords: kbtshoot kbexpertiseinter KB940471


© Microsoft Corporation. All rights reserved.