CorruptedCompressed uuencodeFile
-
Thursday, January 24, 2013 2:51 PM
I have an Exchange 2010 shop running ForeFront Protection 2010 for Exchange
with 20k mailboxes. I have roughly 1 e-mail a day get its content removed with
the incident name CorruptedCompressedUuencodeFile.
1. I would like to be able to release the e-mail to the intended recipient
unchanged, is this possible with ForeFront? As is I can deliver the message to
the recipient from the quarantine but it is a stripped apart e-mail, now sent to
him from the ForeFront address.
2. I see where I can disable this type of scanning in Policy Management >
Global Settings > Deletion Criteria, is this my only action on this? I'm
guessing this is protecting the environment from something with it being on by
default, rather than weaken the scanning of ForeFront for the entire environment
can I whitelist a sender, or a recipient?
Any input or thoughts would be appreciated, thanks.
Jason
Jason Meyer
All Replies
-
Friday, January 25, 2013 8:15 AM
Hi,
first of all make sure you are running the latest build of FPE which is Rollup 4 (http://support.microsoft.com/kb/2619883).
The problem is that FPE can't inspect the file against malware so it is blocked. If you create a whitelist the email would also be inspected and get blocked. The only way to allow those messages is to uncheck the option Delete corrupted UUEncoded files.
More details here:
http://technet.microsoft.com/en-us/library/cc561156.aspx
Greetings
Christian
Christian Groebner MVP Forefront
- Marked As Answer by Nick Gu - MSFT (Microsoft Contingent Staff, Moderator) Thursday, February 07, 2013 4:24 AM
-
Friday, January 25, 2013 3:03 PM
Really appreciate the feedback.
1. Any reason that rollup isn't released to all servers via Windows Update yet? This doesn't make me feel any better:
WARNING This hotfix has not undergone full testing. Therefore, it is intended only for systems or computers that are experiencing the exact problem that is described in the one or more Microsoft Knowledge Base articles that are listed in "KB Article Numbers" field in the table at the end of this e-mail message. If you are not sure whether any special compatibility or installation issues are associated with this hotfix, we encourage you to wait for the next service pack release. The service pack will include a fully tested version of this fix. We understand that it can be difficult to determine whether any compatibility or installation issues are associated with a hotfix. If you want confirmation that this hotfix addresses your specific problem, or if you want to confirm whether any special compatibility or installation issues are associated with this hotfix, support professionals in Customer Support Services can help you with that. For information about how to contact support, copy the following link and then paste it into your Web browser:
2. By no longer deleting corrupted UUEncoded files what vulnerabilities am I opening my environment up to? I assume that it is on by default for some reason.
Jason
Jason Meyer
-
Monday, January 28, 2013 8:07 AM
Hi,
I don't see a risk in installing RU4 because it has been out for several months now.
The reason why corrupted UUEncoded files are blocked is that the antimalware engine can't inspect them. And the risk is that the file contains a virus that FPE can't filter out. There I personally don't see a risk either because you have an antimalware tool running on your clients that should recognize the malware when you try to open the file.
Greetings
Christian
Christian Groebner MVP Forefront
- Proposed As Answer by Nick Gu - MSFT (Microsoft Contingent Staff, Moderator) Wednesday, January 30, 2013 5:55 AM
- Marked As Answer by Nick Gu - MSFT (Microsoft Contingent Staff, Moderator) Sunday, February 03, 2013 3:08 PM
-
Wednesday, March 27, 2013 3:28 PM
OK, installed RU4, issue remains, question remains:
1. I would like to be able to release the e-mail to the intended recipient
unchanged, is this possible with ForeFront? As is I can deliver the message to
the recipient from the quarantine but it is a stripped apart e-mail, now sent to
him from the ForeFront address and is the body of the e-mail only.
2. The information that is getting stripped out by ForeFront with Incident Name CorruptedCompressedUuencodeFile. Is there anything that I can look for in the e-mail to tell the person generating it to change? The attachment that ForeFront sends me is just 3KB of plain text that looks fine to me. I can cut/paste this information into another e-mail and it comes through fine.
3. Still no ability to just 'whitelist' this particular e-mail sender from the CorruptedCompressedUuencodeFile filter? Currently my best option is to completely turn off this filter. What is the value of ForeFront if I am just disabling the filters for all senders/recipients?
I appreciate the feedback,
Jason
Jason Meyer
-
Wednesday, March 27, 2013 4:08 PM
Hi,
1. FPE does an AV check when you try to deliver an email out of quarantine. That's why the email is stripped because FPE can't inspect it.
2. I don't know why FPE detects your file as corrupted. Maybe the generator of the file can change something?
3. The only way to fix this is to disable checking of CorruptedCompressedUuencoded files. There is no whitelist possible because FPE can't inspect it.
Greetings
Christian
Christian Groebner MVP Forefront
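Added example, not part of the thread and not FPE's own detection logic (which the thread does not describe): a Python check of the standard uuencode framing rules, which a sender could run over a plain-text body to find text that opens like a uuencoded block but does not parse as one. It assumes that body text resembling a uuencode header is what the scanner reacts to, which the thread does not confirm; the function names and sample bodies are constructed for illustration.

```python
import re

# A uuencoded block opens with "begin <octal mode> <filename>".
HEADER = re.compile(r"^begin [0-7]{3,4} \S")

def check_uu_line(line):
    """Return None for a well-formed uuencode data line, else the reason."""
    if not line:
        return "empty line inside block"
    if any(not 32 <= ord(c) <= 96 for c in line):
        return "character outside the uuencode alphabet (0x20-0x60)"
    n = (ord(line[0]) - 32) & 63       # decoded byte count declared by the line
    if n > 45:
        return "length character declares more than 45 bytes"
    if len(line) - 1 < 4 * ((n + 2) // 3):
        return f"line declares {n} bytes but is too short"
    return None

def scan_body(text):
    """Return (header_line, bad_line, reason) for each malformed block."""
    lines, findings, i = text.splitlines(), [], 0
    while i < len(lines):
        if not HEADER.match(lines[i]):
            i += 1
            continue
        header_no = bad_no = i + 1     # 1-based line numbers
        reason = "no 'end' line before the message finished"
        i += 1
        while i < len(lines):
            line, i = lines[i], i + 1
            if line == "end":
                reason = None          # block closed cleanly
                break
            line_reason = check_uu_line(line)
            if line_reason:
                reason, bad_no = line_reason, i
                break
        if reason:
            findings.append((header_no, bad_no, reason))
    return findings

# Constructed samples, not taken from the quarantined message in the thread.
GOOD = "See attachment.\nbegin 644 cat.txt\n#0V%T\n`\nend\n"
PROSE = "Hi team,\nbegin 644 review of the plan\nPlease read it by Friday.\nend\n"

if __name__ == "__main__":
    for name, body in (("GOOD", GOOD), ("PROSE", PROSE)):
        print(name, scan_body(body))
```

An empty result means every `begin` line found is followed by a block that parses; a finding gives the header line, the line that failed, and why.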
-
Wednesday, March 27, 2013 4:36 PM
1. When I release the e-mail out of quarantine an e-mail notification from ForeFront is delivered with a 'Body of Message' named file, no extension. If we open that with Notepad or IE or Word it is just text. There is a URL address but other than that it is just text. I don't believe anything is getting stripped out when I release the e-mail from the quarantine or if I save it from the quarantine the data is the same.
2. If I knew what to tell them to change I'd be happy to do so.
Again, thanks for the input.
Jason Meyer
-
Tuesday, April 16, 2013 4:59 PM
I did end up disabling CorruptedCompressedUuencoded files on my HUB servers which did stop the false positives from occurring.
I still see this as an unresolved problem, any thoughts or progress from Microsoft?
Jason
Jason Meyer

