As far as I know, this is normal behavior. Forefront Security converts a part of the original message into a Winmail.dat file. Then, as part of the transport scanning, Forefront Security scans the Winmail.dat file as a container
file. If the original message in the Winmail.dat file contains a virus match or a filter match, Forefront Security replaces the infected component by using the deletion text.
Microsoft is conducting an online survey to understand your opinion of the Technet Web site. If you choose to participate, the online survey will be presented to you when you leave the Technet Web site.