Antigen or Microsoft Forefront server security products may detect a file as being infected with the UnwritableCompressedFile virus

Article translations Article translations
Article ID: 943625 - View products that this article applies to.
Expand all | Collapse all

SYMPTOMS

When you use one of the following programs, the program may detect a file as being infected with the UnwritableCompressedFile virus:
  • Microsoft Antigen 9.0 for Exchange
  • Sybari Antigen 8.0 for Microsoft Exchange
  • Sybari Antigen 8.0 for Microsoft SharePoint Portal Server
  • Microsoft Forefront Security for Exchange Server
  • Microsoft Forefront Security for SharePoint
2007 Office files (DocX, PptX, XlsX, and so on) are detected as “UnwritableCompressedFile virus” files, and they are removed. This behavior occurs when an embedded file is removed from a 2007 Office system. Microsoft Antigen and Microsoft Forefront server products cannot subsequently write to the 2007 Office file.

CAUSE

This issue occurs if the following conditions are true:
  • Antigen or Microsoft Forefront server security products can parse the file successfully to read the contents of the file.
  • Antigen or Microsoft Forefront server security products cannot perform a write operation to the compressed file or to one or more of the files that are contained in the archive package.
For example, this issue occurs if the following conditions are true:
  • A file filter is configured to delete a particular file type or to remove a particular file type.
  • A compressed file contains one or more files that match the file filter that is configured.
  • Antigen or Microsoft Forefront server security products cannot delete the file or the files from inside the compressed file.
For 2007 Office files, this issue occurs because of the current navigator for Antigen 9 and Forefront 10. Neither Antigen nor Forefront can update 2007 Office files after an embedded file has been removed.

WORKAROUND

To work around this issue, create a "Skip: detect only" file filter for OPENXML files (2007 Office files). If you have XML file filters set, make sure that the OPENXML entries appear before the XML file filters in the list of filters that you configure. For example, set the following filter to prevent 2007 Office files from being filtered.
Filter name Filter type Action 
----------- ----------- ---------- 
* OPENXML Skip: detect only 


When you apply this file filter configuration to either Forefront or Antigen 9.0, the contents of Office 2007 files are not checked against file filtering. If a file matches a "Skip: detect only" filter, Forefront does not compare the file with any other file filters for the particular scan job.

Note The "Skip: detect only" action applies only to file filtering. Other kinds of filtering and virus scanning are still applied.

Properties

Article ID: 943625 - Last Review: March 9, 2009 - Revision: 2.1
APPLIES TO
  • Microsoft Antigen 9.0 for Exchange
  • Sybari Antigen 8.0 for Microsoft Exchange
  • Sybari Antigen 8.0 for Microsoft SharePoint Portal Server
  • Microsoft Forefront Security for Exchange Server
  • Microsoft Forefront Security for SharePoint
Keywords: 
kbspam kbtshoot kbprb KB943625

Give Feedback

 

Contact us for more help

Contact us for more help
Connect with Answer Desk for expert help.
Get more support from smallbusiness.support.microsoft.com