Notice: This website is an unofficial Microsoft Knowledge Base (hereinafter KB) archive and is intended to provide a reliable access to deleted content from Microsoft KB. All KB articles are owned by Microsoft Corporation. Read full disclaimer for more details.

When you receive e-mail messages from a computer that is running Forefront Security for Exchange Server 2007, the content of the e-mail messages may be replaced


View products that this article applies to.

Symptoms

When you receive e-mail messages from a Microsoft Exchange server that is running Microsoft Forefront Security for Exchange Server 2007, the content of the e-mail messages may be replaced. No files are attached to the e-mail messages. Instead, the e-mail messages contain the following deletion text:
FILE QUARANTINED
Microsoft Forefront Security for Exchange Server removed a file since it was found to match a filter.
File name: "winmail.dat"
Filter name: "FILE FILTER= unnamed: *.exe; Container Removed"
Additionally, text that resembles the following is logged in the Programlog.txt file on the Forefront Security for Exchange Server 2007 computer:
Mon Jul 23 09:12:47 2007 ( 4708- 1116), "INFORMATION: Internet scan found virus: Folder: SMTP Messages\Internal
Message: RE: Good morning
Message ID: <AD22F5G91546DD49BCDF0BED38BFED3E17BCCED28F@contoso.com> File: winmail.dat Incident: FILE FILTER= *.exe; Container Removed
Scanner: 0
State: Removed"

↑ Back to the top


Cause

This issue may occur if one of the following conditions is true:
  • Forefront Security detects virus-infected data in the Winmail.dat file.
  • Forefront Security matches a condition that is set in a filter setting.
At first, Forefront Security converts a part of the original message into a Winmail.dat file. Then, as part of the transport scanning, Forefront Security scans the Winmail.dat file as a container file. If the original message in the Winmail.dat file contains a virus match or a filter match, Forefront Security replaces the infected component by using the deletion text. However, if the Max Container File Infections option in the General Options pane is set to zero (0) on the Forefront Server Security Administrator client, the whole container file (Winmail.dat) is deleted.

↑ Back to the top


Resolution

To resolve this issue, you can configure Forefront Security to replace infected content in the Winmail.dat files without removing the whole Winmail.dat file. To do this, follow these steps:
  1. Click Start, point to Programs, point to Microsoft Forefront Server Security, point to Exchange Server, and then click Forefront Server Security Administrator.
  2. In the What server you want to connect to box, click the appropriate Exchange server. Or, click Browse, and then locate the server that you want.
  3. Click OK.
  4. In Shuttle Navigator, click Settings, and then click General Options.
  5. In the Scanning area, type a suitable value in the Max Container File Infections box. For example, to allow up to five detections within a container file, set the value to 5.
  6. Click Save.
  7. Close Forefront Server Security Administrator.
  8. Click Start, click Run, type Services.msc, and then click OK.
  9. In the Services snap-in, restart the FSCController service.

↑ Back to the top


More information

For more information about Forefront Security, visit the following Microsoft Web site: For more information about the Winmail.dat file, click the following article number to view the article in the Microsoft Knowledge Base:
290809 How e-mail message formats affect Internet e-mail messages in Outlook

↑ Back to the top


Keywords: KB940471, kbexpertiseinter, kbtshoot

↑ Back to the top

Article Info
Article ID : 940471
Revision : 2
Created on : 9/5/2007
Published on : 9/5/2007
Exists online : False
Views : 440