One of the more complex tasks that email administrators face is keeping the email coming in and out of their organizations compliant with regulations and internal policies.

 

In the McAfee Email Gateway (MEG), one of the primary tools used to achieve this is the content security engine, or CSE. The CSE's function is to extract textual content and filter it. The companies that develop content extraction and filtering engines have concentrated their resources on making these products world class, and McAfee licenses this capability. Generally speaking, the engines I have worked with, while quite good at what they do, are occasionally going to run into a problem extracting text from a given file, or sometimes even from a new type of file. This occurs because as application software evolves, it gains greater feature complexity and sometimes even undergoes fundamental file format changes. When these applications deploy, and the resulting files start being passed around via email, we sometimes find that an engine is not extracting and/or filtering that content properly.

 

In the MEG, the CSE is responsible for file filtering, compliance, and image filtering, so any email that is filtered by any of these types of policies is scanned by the CSE. Prior to version 7.6.0, a failure to properly scan was frequently accompanied by segmentation violations, sometimes also called SEGVs. Continual resubmission of the email by the sending server sometimes led to conditions where appliance memory and CPU became overutilized. To combat this problem, 7.6.0 implemented the "Unscannable Content" feature, which wraps the CSE with the capability to detect this condition, identifies the offending content, retries a user-configurable number of times, and quarantines it (by default) to a special queue for unscannable content if it continues to fail through the allowed number of iterations. This is the preferred behavior because a message containing content that fails to be completely filtered would not normally be allowed to be delivered by policy, but rather should be quarantined for administrator inspection. The problem is that in some cases an administrator either finds the number of such failures unacceptable or feels the engine should have been able to extract and filter the content without error. Note that there is not an absolute correlation between file type and success or failure; in other words, one .pptx file may process gracefully through the MEG appliance while another .pptx may not. It seems to depend more upon the component complexity of the individual files than on file type. It goes almost without saying, then (but I will say it), that yes, we might identify and fix one .xlsx issue for you today, and might find a different issue next month, or six months from now, because neither we nor the CSE vendors can predict with absolute certainty what new things might start to cause a problem with the engine without your help, and this is where you can assist.
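The wrap, retry and quarantine behaviour described above can be sketched as follows. This is an added example, not McAfee's code: `FAKE_ENGINE`, `scan_once` and `filter_message` are hypothetical names, the engine is a constructed stand-in that crashes on a marker string, the default of three attempts is an assumption, and a POSIX host is assumed.

```python
import signal
import subprocess
import sys

# Constructed stand-in for a content extraction engine: it terminates itself
# with SIGSEGV when the input contains a marker, otherwise echoes the text.
FAKE_ENGINE = (
    "import os, signal, sys\n"
    "data = sys.stdin.buffer.read()\n"
    "if b'CRASH' in data:\n"
    "    os.kill(os.getpid(), signal.SIGSEGV)\n"
    "sys.stdout.buffer.write(data)\n"
)


def scan_once(content, timeout=10):
    """Run the engine in a child process so a crash cannot take down the caller.

    Returns (extracted_text, None) on success or (None, reason) on failure.
    """
    try:
        proc = subprocess.run([sys.executable, "-c", FAKE_ENGINE],
                              input=content, capture_output=True,
                              timeout=timeout)
    except subprocess.TimeoutExpired:
        return None, "timeout"
    if proc.returncode < 0:
        # A negative return code means the child was killed by that signal.
        return None, signal.Signals(-proc.returncode).name
    if proc.returncode != 0:
        return None, f"exit {proc.returncode}"
    return proc.stdout, None


def filter_message(content, max_attempts=3):
    """Return (verdict, detail). Content is never passed on without a clean scan."""
    failures = []
    for _ in range(max_attempts):  # bounded retries instead of endless rescans
        text, error = scan_once(content)
        if error is None:
            return "scanned", text
        failures.append(error)
    # Every attempt failed: hold the message for administrator inspection.
    return "quarantine-unscannable", failures


if __name__ == "__main__":
    print(filter_message(b"quarterly report"))
    print(filter_message(b"CRASH in attachment"))
```

The bounded loop is what keeps a repeatedly resubmitted message from consuming memory and CPU indefinitely, and the recorded failure reasons give an administrator something concrete to attach to a support case.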

 

In these cases, there is little we can do without the offending email or attachment. If you suspect the CSE is not working correctly with a given file, or kind of file, you should open a case with support, and provide a sample that we and the vendor can work with if necessary. We will use the sample to replicate the problem, and to test any fix we may receive from the CSE vendor. We may, under some circumstances, also need to allow the vendor to use it to replicate, unit test and QA their fix. Please be patient; if the vendor has to provide a fix, we will have to incorporate it into our own release schedules.

 

As mentioned, versions 7.6.0 and above do provide some relief from the worst side effects of this, plus an easy way for an administrator to download a copy of the offending email from the user interface so it can be submitted. Applying the latest patch releases for your platform is always highly recommended, and will incorporate the latest and most effective content security engines.

 

Additional information is available in the October 16th post in this blog, entitled "New Unscannable Content Feature in MEG 7.6", and also in the following KnowledgeBase articles:

 

KB79035 Email Gateway 7.6: Unscannable content detection feature

KB79617 McAfee Email Gateway Unscannable Content and Segmentation Violations