Intermittent Errors 2213 and 4010

    Question

  • Hey guys. I have been noticing for some time that occasionally I get error 4010:

    Transport engine failed to evaluate condition due to Filtering Service error. The rule is configured to ignore errors. Details: 'Organization: '' Message ID '<ID@SERVER@DOMAIN.COM>' Rule ID '52b1774b-4a4c-4aba-ac8c-a3cb14f231ac' Predicate '' Action ''. FilteringServiceFailureException Error: Microsoft.Exchange.MessagingPolicies.Rules.FilteringServiceFailureException: FIPS text extraction failed with error: 'Scan request timed out: STREAMS

    id: 0, parent: -1
    name: "<e428b1cd53f64e3c88884d5354c4bbe1@SERVER@DOMAIN.COM>"
    types: 
    text: not available
    properties:
     - Parsing::ParsingKeys::DepthLevel: 0
     - Parsing::ParsingKeys::StreamSize: 1864
     - ScanningPipeline::ElapsedTimeKeys::Parsing: 0

    id: 1, parent: 0
    name: "Message Body"
    types: Html, Text
    text: not available
    properties:
     - Parsing::ConfigKeys::BypassTextTruncation: 01 00 00 00 00 00 00 00
     - Parsing::ParsingKeys::CharSet: 75 00 73 00 2D 00 61 00 73 00 63 00 69 00 69 00
     - Parsing::ParsingKeys::ContentType: text/html
     - Parsing::ParsingKeys::DepthLevel: 1
     - Parsing::ParsingKeys::MessageBody: True
     - Parsing::ParsingKeys::PreferredBody: True
     - Parsing::ParsingKeys::StreamSize: 8631
     - Parsing::ParsingKeys::Subject: FW: SUBJECT
     - ScanningPipeline::ElapsedTimeKeys::Parsing: 2
     - ScanningPipeline::ElapsedTimeKeys::TextExtraction: 2
     - ScanningPipeline::TextExtractionKeys::TextExtractionAdditionalInformation: 
     - ScanningPipeline::TextExtractionKeys::TextExtractionMethod: OutsideInModule
     - ScanningPipeline::TextExtractionKeys::TextExtractionResult: 2
     - UnifiedContent::PropertyKeys::ExtractedContentOffset: 00 00 00 00 00 00 00 00
     - UnifiedContent::PropertyKeys::RawDataOffset: 08 00 00 00 00 00 00 00

    id: 2, parent: 0
    name: "image001.png"
    types: Png
    text: not available
    properties:
     - Parsing::ParsingKeys::ContentType: image/png
     - Parsing::ParsingKeys::DepthLevel: 1
     - Parsing::ParsingKeys::StreamSize: 1182
     - Parsing::ParsingKeys::Subject: FW: SUBJECT
     - ScanningPipeline::ElapsedTimeKeys::Parsing: 1
     - ScanningPipeline::ElapsedTimeKeys::TextExtraction: 0
     - ScanningPipeline::TextExtractionKeys::TextExtractionAdditionalInformation: 
     - ScanningPipeline::TextExtractionKeys::TextExtractionResult: 1
     - UnifiedContent::PropertyKeys::ExtractedContentOffset: 00 00 00 00 00 00 00 00
     - UnifiedContent::PropertyKeys::RawDataOffset: DB 21 00 00 00 00 00 00

    id: 3, parent: 0
    name: "image002.png"
    types: Png
    text: not available
    properties:
     - Parsing::ParsingKeys::ContentType: image/png
     - Parsing::ParsingKeys::DepthLevel: 1
     - Parsing::ParsingKeys::StreamSize: 1129
     - Parsing::ParsingKeys::Subject: SUBJECT
     - ScanningPipeline::ElapsedTimeKeys::Parsing: 1
     - ScanningPipeline::ElapsedTimeKeys::TextExtraction: 0
     - ScanningPipeline::TextExtractionKeys::TextExtractionAdditionalInformation: 
     - ScanningPipeline::TextExtractionKeys::TextExtractionResult: 1
     - UnifiedContent::PropertyKeys::ExtractedContentOffset: 00 00 00 00 00 00 00 00
     - UnifiedContent::PropertyKeys::RawDataOffset: 95 26 00 00 00 00 00 00

    id: 4, parent: 0
    name: "image003.png"
    types: Png
    text: not available
    properties:
     - Parsing::ParsingKeys::ContentType: image/png
     - Parsing::ParsingKeys::DepthLevel: 1
     - Parsing::ParsingKeys::StreamSize: 4104
     - Parsing::ParsingKeys::Subject: FW: SUJECT
     - ScanningPipeline::ElapsedTimeKeys::Parsing: 1
     - ScanningPipeline::ElapsedTimeKeys::TextExtraction: 0
     - ScanningPipeline::TextExtractionKeys::TextExtractionAdditionalInformation: 
     - ScanningPipeline::TextExtractionKeys::TextExtractionResult: 1
     - UnifiedContent::PropertyKeys::ExtractedContentOffset: 00 00 00 00 00 00 00 00
     - UnifiedContent::PropertyKeys::RawDataOffset: 1A 2B 00 00 00 00 00 00

    id: 5, parent: 0
    name: "image004.png"
    types: Png
    text: not available
    properties:
     - Parsing::ParsingKeys::ContentType: image/png
     - Parsing::ParsingKeys::DepthLevel: 1
     - Parsing::ParsingKeys::StreamSize: 4449
     - Parsing::ParsingKeys::Subject: SUBJECT
     - ScanningPipeline::ElapsedTimeKeys::Parsing: 1
     - ScanningPipeline::ElapsedTimeKeys::TextExtraction: 0
     - ScanningPipeline::TextExtractionKeys::TextExtractionAdditionalInformation: 
     - ScanningPipeline::TextExtractionKeys::TextExtractionResult: 1
     - UnifiedContent::PropertyKeys::ExtractedContentOffset: 00 00 00 00 00 00 00 00
     - UnifiedContent::PropertyKeys::RawDataOffset: 3E 3B 00 00 00 00 00 00

    id: 6, parent: 0
    name: "SPREADSHEET.xlsx"
    types: XlsxOfficePackage, Zip
    text: not available
    properties:
     - Parsing::ParsingKeys::ContentType: application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
     - Parsing::ParsingKeys::DepthLevel: 1
     - Parsing::ParsingKeys::StreamSize: 635727
     - Parsing::ParsingKeys::Subject: SUBJECT
     - ScanningPipeline::ElapsedTimeKeys::Parsing: 2
     - ScanningPipeline::TextExtractionKeys::TextExtractionFailedModules: AdeModule
     - ScanningPipeline::TextExtractionKeys::TextExtractionMethod: OutsideInModule
     - UnifiedContent::PropertyKeys::ExtractedContentOffset: 00 00 00 00 00 00 00 00
     - UnifiedContent::PropertyKeys::RawDataOffset: BB 4C 00 00 00 00 00 00

    '. See inner exception for details ---> Microsoft.Filtering.ScanTimeoutException: Scan request timed out: STREAMS

    id: 0, parent: -1
    name: "<e428b1cd53f64e3c88884d5354c4bbe1@SERVER@DOMAIN.COM>"
    types: 
    text: not available
    properties:
     - Parsing::ParsingKeys::DepthLevel: 0
     - Parsing::ParsingKeys::StreamSize: 1864
     - ScanningPipeline::ElapsedTimeKeys::Parsing: 0

    id: 1, parent: 0
    name: "Message Body"
    types: Html, Text
    text: not available
    properties:
     - Parsing::ConfigKeys::BypassTextTruncation: 01 00 00 00 00 00 00 00
     - Parsing::ParsingKeys::CharSet: 75 00 73 00 2D 00 61 00 73 00 63 00 69 00 69 00
     - Parsing::ParsingKeys::ContentType: text/html
     - Parsing::ParsingKeys::DepthLevel: 1
     - Parsing::ParsingKeys::MessageBody: True
     - Parsing::ParsingKeys::PreferredBody: True
     - Parsing::ParsingKeys::StreamSize: 8631
     - Parsing::ParsingKeys::Subject: SUBJECT
     - ScanningPipeline::ElapsedTimeKeys::Parsing: 2
     - ScanningPipeline::ElapsedTimeKeys::TextExtraction: 2
     - ScanningPipeline::TextExtractionKeys::TextExtractionAdditionalInformation: 
     - ScanningPipeline::TextExtractionKeys::TextExtractionMethod: OutsideInModule
     - ScanningPipeline::TextExtractionKeys::TextExtractionResult: 2
     - UnifiedContent::PropertyKeys::ExtractedContentOffset: 00 00 00 00 00 00 00 00
     - UnifiedContent::PropertyKeys::RawDataOffset: 08 00 00 00 00 00 00 00

    id: 2, parent: 0
    name: "image001.png"
    types: Png
    text: not available
    properties:
     - Parsing::ParsingKeys::ContentType: image/png
     - Parsing::ParsingKeys::DepthLevel: 1
     - Parsing::ParsingKeys::StreamSize: 1182
     - Parsing::ParsingKeys::SUBJECT
     - ScanningPipeline::ElapsedTimeKeys::Parsing: 1
     - ScanningPipeline::ElapsedTimeKeys::TextExtraction: 0
     - ScanningPipeline::TextExtractionKeys::TextExtractionAdditionalInformation: 
     - ScanningPipeline::TextExtractionKeys::TextExtractionResult: 1
     - UnifiedContent::PropertyKeys::ExtractedContentOffset: 00 00 00 00 00 00 00 00
     - UnifiedContent::PropertyKeys::RawDataOffset: DB 21 00 00 00 00 00 00

    id: 3, parent: 0
    name: "image002.png"
    types: Png
    text: not available
    properties:
     - Parsing::ParsingKeys::ContentType: image/png
     - Parsing::ParsingKeys::DepthLevel: 1
     - Parsing::ParsingKeys::StreamSize: 1129
     - Parsing::ParsingKeys::Subject:SUBJECT
     - ScanningPipeline::ElapsedTimeKeys::Parsing: 1
     - ScanningPipeline::ElapsedTimeKeys::TextExtraction: 0
     - ScanningPipeline::TextExtractionKeys::TextExtractionAdditionalInformation: 
     - ScanningPipeline::TextExtractionKeys::TextExtractionResult: 1
     - UnifiedContent::PropertyKeys::ExtractedContentOffset: 00 00 00 00 00 00 00 00
     - UnifiedContent::PropertyKeys::RawDataOffset: 95 26 00 00 00 00 00 00

    id: 4, parent: 0
    name: "image003.png"
    types: Png
    text: not available
    properties:
     - Parsing::ParsingKeys::ContentType: image/png
     - Parsing::ParsingKeys::DepthLevel: 1
     - Parsing::ParsingKeys::StreamSize: 4104
     - Parsing::ParsingKeys::Subject: SUBJECT
     - ScanningPipeline::ElapsedTimeKeys::Parsing: 1
     - ScanningPipeline::ElapsedTimeKeys::TextExtraction: 0
     - ScanningPipeline::TextExtractionKeys::TextExtractionAdditionalInformation: 
     - ScanningPipeline::TextExtractionKeys::TextExtractionResult: 1
     - UnifiedContent::PropertyKeys::ExtractedContentOffset: 00 00 00 00 00 00 00 00
     - UnifiedContent::PropertyKeys::RawDataOffset: 1A 2B 00 00 00 00 00 00

    id: 5, parent: 0
    name: "image004.png"
    types: Png
    text: not available
    properties:
     - Parsing::ParsingKeys::ContentType: image/png
     - Parsing::ParsingKeys::DepthLevel: 1
     - Parsing::ParsingKeys::StreamSize: 4449
     - Parsing::ParsingKeys::SUBJECT
     - ScanningPipeline::ElapsedTimeKeys::Parsing: 1
     - ScanningPipeline::ElapsedTimeKeys::TextExtraction: 0
     - ScanningPipeline::TextExtractionKeys::TextExtractionAdditionalInformation: 
     - ScanningPipeline::TextExtractionKeys::TextExtractionResult: 1
     - UnifiedContent::PropertyKeys::ExtractedContentOffset: 00 00 00 00 00 00 00 00
     - UnifiedContent::PropertyKeys::RawDataOffset: 3E 3B 00 00 00 00 00 00

    id: 6, parent: 0
    name: "SPREADSHEET.xlsx"
    types: XlsxOfficePackage, Zip
    text: not available
    properties:
     - Parsing::ParsingKeys::ContentType: application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
     - Parsing::ParsingKeys::DepthLevel: 1
     - Parsing::ParsingKeys::StreamSize: 635727
     - Parsing::ParsingKeys::Subject: FW: SUBJECT
     - ScanningPipeline::ElapsedTimeKeys::Parsing: 2
     - ScanningPipeline::TextExtractionKeys::TextExtractionFailedModules: AdeModule
     - ScanningPipeline::TextExtractionKeys::TextExtractionMethod: OutsideInModule
     - UnifiedContent::PropertyKeys::ExtractedContentOffset: 00 00 00 00 00 00 00 00
     - UnifiedContent::PropertyKeys::RawDataOffset: BB 4C 00 00 00 00 00 00


       at Microsoft.Filtering.InteropUtils.ThrowPostScanErrorAsFilteringException(WSM_ReturnCode code, String message)
       at Microsoft.Filtering.FilteringService.EndScan(IAsyncResult ar)
       at Microsoft.Filtering.FipsDataStreamFilteringService.EndScan(IAsyncResult ar)
       at Microsoft.Exchange.MessagingPolicies.Rules.UnifiedContentServiceInvoker.TextExtractionComplete(IFipsDataStreamFilteringService textExtractionService, TextExtractionCompleteCallback textExtractionCompleteCallback, IAsyncResult asyncResult)
       --- End of inner exception stack trace ---
       at Microsoft.Exchange.MessagingPolicies.Rules.UnifiedContentServiceInvoker.GetUnifiedContentResults(FilteringServiceInvokerRequest filteringServiceInvokerRequest)
       at Microsoft.Exchange.MessagingPolicies.Rules.MailMessage.GetUnifiedContentResults()
       at Microsoft.Exchange.MessagingPolicies.Rules.MailMessage.GetAttachmentStreamIdentities()
       at Microsoft.Exchange.MessagingPolicies.Rules.MailMessage.GetAttachmentInfos()
       at Microsoft.Exchange.MessagingPolicies.Rules.MailMessage.get_AttachmentTypes()
       at Microsoft.Exchange.MessagingPolicies.Rules.MessageProperty.OnGetValue(RulesEvaluationContext baseContext)
       at Microsoft.Exchange.MessagingPolicies.Rules.Property.GetValue(RulesEvaluationContext context)
       at Microsoft.Exchange.MessagingPolicies.Rules.IsPredicate.Evaluate(RulesEvaluationContext context)
       at Microsoft.Exchange.MessagingPolicies.Rules.AndCondition.Evaluate(RulesEvaluationContext context)
       at Microsoft.Exchange.MessagingPolicies.Rules.RulesEvaluator.EvaluateCondition(Condition condition, RulesEvaluationContext evaluationContext)
       at Microsoft.Exchange.MessagingPolicies.Rules.TransportRulesEvaluator.EvaluateCondition(Condition condition, RulesEvaluationContext evaluationContext). Message-Id:<e428b1cd53f64e3c88884d5354c4bbe1@SERVER.DOMAIN.NET>'

    This is always immediately followed by FIPS ERROR 2213:

    A scan request timed out.  ID={9a44e9c5-c363-4d63-a1f1-529980224acb}, WorkloadID=<e428b1cd53f64e3c88884d5354c4bbe1@SERVER@DOMAIN.COM>, PID=31296

    I have googled this and found one thread that was similar but was not exactly the same issue. Has anyone seen this before and does anyone know how I can resolve this?

    Thanks!

    Wednesday, August 24, 2016 8:50 PM
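
Added example (not part of the original thread and not Microsoft code): a small parser for the STREAMS dump embedded in the 4010 event text. It reports the rule ID, whether the rule ignored the error, and which streams began text extraction or list a failed module without recording a result. The sample event is constructed and abbreviated from the text posted above; the function names and the "unfinished" heuristic are assumptions of this example.

```python
import re

# Line shapes seen in the STREAMS dump of the 4010 event text.
HEADER = re.compile(r"^\s*id:\s*(-?\d+),\s*parent:\s*(-?\d+)\s*$")
FIELD = re.compile(r"^\s*(name|types):\s*(.*?)\s*$")
# Keys contain '::', so the key/value separator is a ':' not followed by ':'.
PROP = re.compile(r"^\s*-\s*((?:\w+::)*\w+):(?!:)\s*(.*?)\s*$")
RULE_ID = re.compile(r"Rule ID '([0-9a-fA-F-]{36})'")

K_SIZE = "Parsing::ParsingKeys::StreamSize"
K_METHOD = "ScanningPipeline::TextExtractionKeys::TextExtractionMethod"
K_RESULT = "ScanningPipeline::TextExtractionKeys::TextExtractionResult"
K_FAILED = "ScanningPipeline::TextExtractionKeys::TextExtractionFailedModules"

# Constructed sample, abbreviated from the event text posted in this thread.
SAMPLE_EVENT = """\
Transport engine failed to evaluate condition due to Filtering Service error. \
The rule is configured to ignore errors. Details: 'Organization: '' \
Message ID '<ID@SERVER@DOMAIN.COM>' Rule ID '52b1774b-4a4c-4aba-ac8c-a3cb14f231ac' \
Predicate '' Action ''. FIPS text extraction failed with error: 'Scan request timed out: STREAMS

id: 0, parent: -1
name: "<ID@SERVER@DOMAIN.COM>"
properties:
 - Parsing::ParsingKeys::StreamSize: 1864

id: 1, parent: 0
name: "Message Body"
types: Html, Text
properties:
 - Parsing::ParsingKeys::StreamSize: 8631
 - Parsing::ParsingKeys::Subject: FW: SUBJECT
 - ScanningPipeline::TextExtractionKeys::TextExtractionMethod: OutsideInModule
 - ScanningPipeline::TextExtractionKeys::TextExtractionResult: 2

id: 2, parent: 0
name: "image001.png"
types: Png
properties:
 - Parsing::ParsingKeys::StreamSize: 1182
 - ScanningPipeline::TextExtractionKeys::TextExtractionResult: 1

id: 6, parent: 0
name: "SPREADSHEET.xlsx"
types: XlsxOfficePackage, Zip
properties:
 - Parsing::ParsingKeys::StreamSize: 635727
 - ScanningPipeline::TextExtractionKeys::TextExtractionFailedModules: AdeModule
 - ScanningPipeline::TextExtractionKeys::TextExtractionMethod: OutsideInModule

'. See inner exception for details ---> Microsoft.Filtering.ScanTimeoutException: Scan request timed out: STREAMS

id: 0, parent: -1
name: "<ID@SERVER@DOMAIN.COM>"
properties:
 - Parsing::ParsingKeys::StreamSize: 1864
"""


def parse_streams(event_text):
    """Return one dict per stream id; the inner-exception repeat is skipped."""
    streams, current = {}, None
    for line in event_text.splitlines():
        m = HEADER.match(line)
        if m:
            sid = int(m.group(1))
            if sid in streams:          # dump repeated for the inner exception
                current = None
            else:
                current = {"id": sid, "parent": int(m.group(2)),
                           "name": "", "types": [], "props": {}}
                streams[sid] = current
            continue
        if current is None:
            continue
        m = FIELD.match(line)
        if m and m.group(1) == "name":
            current["name"] = m.group(2).strip('"')
        elif m:
            current["types"] = [t.strip() for t in m.group(2).split(",") if t.strip()]
        else:
            m = PROP.match(line)
            if m:
                current["props"][m.group(1)] = m.group(2)
    return [streams[k] for k in sorted(streams)]


def unfinished_streams(streams):
    """Heuristic (assumption): a module failed, or a method ran with no result."""
    flagged = []
    for s in streams:
        p = s["props"]
        failed = [x.strip() for x in p.get(K_FAILED, "").split(",") if x.strip()]
        if failed or (K_METHOD in p and K_RESULT not in p):
            size = p.get(K_SIZE, "")
            flagged.append({"name": s["name"], "types": s["types"],
                            "size": int(size) if size.isdigit() else None,
                            "failed_modules": failed})
    return flagged


def summarize(event_text):
    m = RULE_ID.search(event_text)
    return {
        "rule_id": m.group(1) if m else None,
        # With errors ignored, the message continues although the rule's
        # condition was never evaluated for it.
        "rule_ignored_error": "configured to ignore errors" in event_text,
        "unfinished": unfinished_streams(parse_streams(event_text)),
    }


if __name__ == "__main__":
    print(summarize(SAMPLE_EVENT))
```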

Answers

  • Hi,

    I notice that there's no value related to attachments, for example AttachmentNameMatchesPatterns or AttachmentContainsWords. Is there any value populated in those attributes?

    If so, please post the actual values related to attachments by running the command below:

    Get-Transportrule "Attachment Filtering" | FL Identity,Description,Attachment*

    If not, please add some value for those parameters or recreate this rule for testing.


    Allen Wang
    TechNet Community Support


    Please remember to mark the replies as answers if they help and unmark them if they provide no help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Tuesday, August 30, 2016 1:05 PM
    Moderator

All replies

  • Hi,

    For your question, I want to confirm:
    1. Do you have other Exchange servers in your environment?
    2. Does this issue only occur on this special server or transport rule?

    I found a similar thread about your issue, for your reference:
    https://social.technet.microsoft.com/Forums/office/en-US/b13d5297-c3cf-47c1-9633-c259fb4aeeb4/rule-for-searching-the-contents-of-mail-is-not-working?forum=exchangesvradmin

    Please check the file under C:\Program Files\Microsoft\Exchange Server\V15\FIP-FS\Data\Engines\amd64. Also, check the permissions for the FIP-FS folder, and verify the permission setting for NETWORK SERVICE. You can compare the settings with another Exchange server, as in the figure below:


    Allen Wang
    TechNet Community Support


    Thursday, August 25, 2016 3:03 AM
    Moderator
  • Hello. I had actually read that thread earlier this day and when I checked those permissions they were already configured properly. I have three Exchange servers in my environment, 2 CAS+Mailbox servers as part of a DAG and then a standalone Archiving server. I have not looked at my archiving server but this is occurring on both of my CAS+Mailbox servers in my DAG.

    I hadn't noticed before, but this does seem to only be occurring on one rule - one I use for attachment filtering as a basic block for potentially dangerous files. I will paste its configuration:




    RunspaceId                                   : 371653f4-6517-442a-a353-0a140f773093
    Priority                                     : 0
    DlpPolicy                                    :
    DlpPolicyId                                  : 00000000-0000-0000-0000-000000000000
    Comments                                     :
                                                  
    ManuallyModified                             : False
    ActivationDate                               :
    ExpiryDate                                   :
    Description                                  : If the message:
                                                       includes an attachment with executable content
                                                   Take the following actions:
                                                       Set audit severity level to 'Medium'
                                                       and reject the message and include the explanation 'This message
                                                   contains an attachment that is potentially unsafe' with the status
                                                   code: '5.7.1'
                                                  
    RuleVersion                                  : 15.0.1.1
    Conditions                                   : {AttachmentHasExecutableContent}
    Exceptions                                   :
    Actions                                      : {SetAuditSeverity, RejectMessage}
    State                                        : Enabled
    Mode                                         : Enforce
    RuleErrorAction                              : Ignore
    SenderAddressLocation                        : Header
    RuleSubType                                  : None
    UseLegacyRegex                               : False
    From                                         :
    FromMemberOf                                 :
    FromScope                                    :
    SentTo                                       :
    SentToMemberOf                               :
    SentToScope                                  :
    BetweenMemberOf1                             :
    BetweenMemberOf2                             :
    ManagerAddresses                             :
    ManagerForEvaluatedUser                      :
    SenderManagementRelationship                 :
    ADComparisonAttribute                        :
    ADComparisonOperator                         :
    SenderADAttributeContainsWords               :
    SenderADAttributeMatchesPatterns             :
    RecipientADAttributeContainsWords            :
    RecipientADAttributeMatchesPatterns          :
    AnyOfToHeader                                :
    AnyOfToHeaderMemberOf                        :
    AnyOfCcHeader                                :
    AnyOfCcHeaderMemberOf                        :
    AnyOfToCcHeader                              :
    AnyOfToCcHeaderMemberOf                      :
    HasClassification                            :
    HasNoClassification                          : False
    SubjectContainsWords                         :
    SubjectOrBodyContainsWords                   :
    HeaderContainsMessageHeader                  :
    HeaderContainsWords                          :
    FromAddressContainsWords                     :
    SenderDomainIs                               :
    RecipientDomainIs                            :
    SubjectMatchesPatterns                       :
    SubjectOrBodyMatchesPatterns                 :
    HeaderMatchesMessageHeader                   :
    HeaderMatchesPatterns                        :
    FromAddressMatchesPatterns                   :
    AttachmentNameMatchesPatterns                :
    AttachmentExtensionMatchesWords              :
    AttachmentPropertyContainsWords              :
    ContentCharacterSetContainsWords             :
    HasSenderOverride                            : False
    MessageContainsDataClassifications           :
    SenderIpRanges                               :
    SCLOver                                      :
    AttachmentSizeOver                           :
    MessageSizeOver                              :
    WithImportance                               :
    MessageTypeMatches                           :
    RecipientAddressContainsWords                :
    RecipientAddressMatchesPatterns              :
    SenderInRecipientList                        :
    RecipientInSenderList                        :
    AttachmentContainsWords                      :
    AttachmentMatchesPatterns                    :
    AttachmentIsUnsupported                      : False
    AttachmentProcessingLimitExceeded            : False
    AttachmentHasExecutableContent               : True
    AttachmentIsPasswordProtected                : False
    AnyOfRecipientAddressContainsWords           :
    AnyOfRecipientAddressMatchesPatterns         :
    ExceptIfFrom                                 :
    ExceptIfFromMemberOf                         :
    ExceptIfFromScope                            :
    ExceptIfSentTo                               :
    ExceptIfSentToMemberOf                       :
    ExceptIfSentToScope                          :
    ExceptIfBetweenMemberOf1                     :
    ExceptIfBetweenMemberOf2                     :
    ExceptIfManagerAddresses                     :
    ExceptIfManagerForEvaluatedUser              :
    ExceptIfSenderManagementRelationship         :
    ExceptIfADComparisonAttribute                :
    ExceptIfADComparisonOperator                 :
    ExceptIfSenderADAttributeContainsWords       :
    ExceptIfSenderADAttributeMatchesPatterns     :
    ExceptIfRecipientADAttributeContainsWords    :
    ExceptIfRecipientADAttributeMatchesPatterns  :
    ExceptIfAnyOfToHeader                        :
    ExceptIfAnyOfToHeaderMemberOf                :
    ExceptIfAnyOfCcHeader                        :
    ExceptIfAnyOfCcHeaderMemberOf                :
    ExceptIfAnyOfToCcHeader                      :
    ExceptIfAnyOfToCcHeaderMemberOf              :
    ExceptIfHasClassification                    :
    ExceptIfHasNoClassification                  : False
    ExceptIfSubjectContainsWords                 :
    ExceptIfSubjectOrBodyContainsWords           :
    ExceptIfHeaderContainsMessageHeader          :
    ExceptIfHeaderContainsWords                  :
    ExceptIfFromAddressContainsWords             :
    ExceptIfSenderDomainIs                       :
    ExceptIfRecipientDomainIs                    :
    ExceptIfSubjectMatchesPatterns               :
    ExceptIfSubjectOrBodyMatchesPatterns         :
    ExceptIfHeaderMatchesMessageHeader           :
    ExceptIfHeaderMatchesPatterns                :
    ExceptIfFromAddressMatchesPatterns           :
    ExceptIfAttachmentNameMatchesPatterns        :
    ExceptIfAttachmentExtensionMatchesWords      :
    ExceptIfAttachmentPropertyContainsWords      :
    ExceptIfContentCharacterSetContainsWords     :
    ExceptIfSCLOver                              :
    ExceptIfAttachmentSizeOver                   :
    ExceptIfMessageSizeOver                      :
    ExceptIfWithImportance                       :
    ExceptIfMessageTypeMatches                   :
    ExceptIfRecipientAddressContainsWords        :
    ExceptIfRecipientAddressMatchesPatterns      :
    ExceptIfSenderInRecipientList                :
    ExceptIfRecipientInSenderList                :
    ExceptIfAttachmentContainsWords              :
    ExceptIfAttachmentMatchesPatterns            :
    ExceptIfAttachmentIsUnsupported              : False
    ExceptIfAttachmentProcessingLimitExceeded    : False
    ExceptIfAttachmentHasExecutableContent       : False
    ExceptIfAttachmentIsPasswordProtected        : False
    ExceptIfAnyOfRecipientAddressContainsWords   :
    ExceptIfAnyOfRecipientAddressMatchesPatterns :
    ExceptIfHasSenderOverride                    : False
    ExceptIfMessageContainsDataClassifications   :
    ExceptIfSenderIpRanges                       :
    PrependSubject                               :
    SetAuditSeverity                             : Medium
    ApplyClassification                          :
    ApplyHtmlDisclaimerLocation                  :
    ApplyHtmlDisclaimerText                      :
    ApplyHtmlDisclaimerFallbackAction            :
    ApplyRightsProtectionTemplate                :
    SetSCL                                       :
    SetHeaderName                                :
    SetHeaderValue                               :
    RemoveHeader                                 :
    AddToRecipients                              :
    CopyTo                                       :
    BlindCopyTo                                  :
    AddManagerAsRecipientType                    :
    ModerateMessageByUser                        :
    ModerateMessageByManager                     : False
    RedirectMessageTo                            :
    RejectMessageEnhancedStatusCode              : 5.7.1
    RejectMessageReasonText                      : This message contains an attachment that is potentially unsafe
    DeleteMessage                                : False
    Disconnect                                   : False
    Quarantine                                   : False
    SmtpRejectMessageRejectText                  :
    SmtpRejectMessageRejectStatusCode            :
    LogEventText                                 :
    StopRuleProcessing                           : False
    SenderNotificationType                       :
    GenerateIncidentReport                       :
    IncidentReportOriginalMail                   :
    IncidentReportContent                        :
    RouteMessageOutboundConnector                :
    RouteMessageOutboundRequireTls               : False
    ApplyOME                                     : False
    RemoveOME                                    : False
    GenerateNotification                         :
    Identity                                     : Attachment Filtering
    DistinguishedName                            : CN=Attachment Filtering,CN=TransportVersioned,CN=Rules,CN=Transport
                                                   Settings,CN=First DOMAIN,CN=Microsoft
                                                   Exchange,CN=Services,CN=Configuration,DC=DOMAIN,DC=com
    Guid                                         : 52b1774b-4a4c-4aba-ac8c-a3cb14f231ac
    ImmutableId                                  : 52b1774b-4a4c-4aba-ac8c-a3cb14f231ac
    OrganizationId                               :
    Name                                         : Attachment Filtering
    IsValid                                      : True
    WhenChanged                                  : 3/7/2016 4:41:31 PM
    ExchangeVersion                              : 0.1 (8.0.535.0)
    ObjectState                                  : Unchanged

    Any thoughts on where to go from here? Thanks!

    Thursday, August 25, 2016 4:20 AM
  • Hello. This is a 3 server environment. 2 MBX+CAS servers in a DAG and a standalone mailbox server used for archiving. The issue is occurring on both servers. I had actually read that thread earlier and when I checked those permissions everything was in order. I actually just noticed that this is only occurring on one rule, a basic attachment filtering rule used to prevent common file types that have executable content. Please see below for the rule configuration:



    RunspaceId                                   : 371653f4-6517-442a-a353-0a140f773093
    Priority                                     : 0
    DlpPolicy                                    :
    DlpPolicyId                                  : 00000000-0000-0000-0000-000000000000
    Comments                                     :
                                                  
    ManuallyModified                             : False
    ActivationDate                               :
    ExpiryDate                                   :
    Description                                  : If the message:
                                                       includes an attachment with executable content
                                                   Take the following actions:
                                                       Set audit severity level to 'Medium'
                                                       and reject the message and include the explanation 'This message
                                                   contains an attachment that is potentially unsafe' with the status
                                                   code: '5.7.1'
                                                  
    RuleVersion                                  : 15.0.1.1
    Conditions                                   : {AttachmentHasExecutableContent}
    Exceptions                                   :
    Actions                                      : {SetAuditSeverity, RejectMessage}
    State                                        : Enabled
    Mode                                         : Enforce
    RuleErrorAction                              : Ignore
    SenderAddressLocation                        : Header
    RuleSubType                                  : None
    UseLegacyRegex                               : False
    From                                         :
    FromMemberOf                                 :
    FromScope                                    :
    SentTo                                       :
    SentToMemberOf                               :
    SentToScope                                  :
    BetweenMemberOf1                             :
    BetweenMemberOf2                             :
    ManagerAddresses                             :
    ManagerForEvaluatedUser                      :
    SenderManagementRelationship                 :
    ADComparisonAttribute                        :
    ADComparisonOperator                         :
    SenderADAttributeContainsWords               :
    SenderADAttributeMatchesPatterns             :
    RecipientADAttributeContainsWords            :
    RecipientADAttributeMatchesPatterns          :
    AnyOfToHeader                                :
    AnyOfToHeaderMemberOf                        :
    AnyOfCcHeader                                :
    AnyOfCcHeaderMemberOf                        :
    AnyOfToCcHeader                              :
    AnyOfToCcHeaderMemberOf                      :
    HasClassification                            :
    HasNoClassification                          : False
    SubjectContainsWords                         :
    SubjectOrBodyContainsWords                   :
    HeaderContainsMessageHeader                  :
    HeaderContainsWords                          :
    FromAddressContainsWords                     :
    SenderDomainIs                               :
    RecipientDomainIs                            :
    SubjectMatchesPatterns                       :
    SubjectOrBodyMatchesPatterns                 :
    HeaderMatchesMessageHeader                   :
    HeaderMatchesPatterns                        :
    FromAddressMatchesPatterns                   :
    AttachmentNameMatchesPatterns                :
    AttachmentExtensionMatchesWords              :
    AttachmentPropertyContainsWords              :
    ContentCharacterSetContainsWords             :
    HasSenderOverride                            : False
    MessageContainsDataClassifications           :
    SenderIpRanges                               :
    SCLOver                                      :
    AttachmentSizeOver                           :
    MessageSizeOver                              :
    WithImportance                               :
    MessageTypeMatches                           :
    RecipientAddressContainsWords                :
    RecipientAddressMatchesPatterns              :
    SenderInRecipientList                        :
    RecipientInSenderList                        :
    AttachmentContainsWords                      :
    AttachmentMatchesPatterns                    :
    AttachmentIsUnsupported                      : False
    AttachmentProcessingLimitExceeded            : False
    AttachmentHasExecutableContent               : True
    AttachmentIsPasswordProtected                : False
    AnyOfRecipientAddressContainsWords           :
    AnyOfRecipientAddressMatchesPatterns         :
    ExceptIfFrom                                 :
    ExceptIfFromMemberOf                         :
    ExceptIfFromScope                            :
    ExceptIfSentTo                               :
    ExceptIfSentToMemberOf                       :
    ExceptIfSentToScope                          :
    ExceptIfBetweenMemberOf1                     :
    ExceptIfBetweenMemberOf2                     :
    ExceptIfManagerAddresses                     :
    ExceptIfManagerForEvaluatedUser              :
    ExceptIfSenderManagementRelationship         :
    ExceptIfADComparisonAttribute                :
    ExceptIfADComparisonOperator                 :
    ExceptIfSenderADAttributeContainsWords       :
    ExceptIfSenderADAttributeMatchesPatterns     :
    ExceptIfRecipientADAttributeContainsWords    :
    ExceptIfRecipientADAttributeMatchesPatterns  :
    ExceptIfAnyOfToHeader                        :
    ExceptIfAnyOfToHeaderMemberOf                :
    ExceptIfAnyOfCcHeader                        :
    ExceptIfAnyOfCcHeaderMemberOf                :
    ExceptIfAnyOfToCcHeader                      :
    ExceptIfAnyOfToCcHeaderMemberOf              :
    ExceptIfHasClassification                    :
    ExceptIfHasNoClassification                  : False
    ExceptIfSubjectContainsWords                 :
    ExceptIfSubjectOrBodyContainsWords           :
    ExceptIfHeaderContainsMessageHeader          :
    ExceptIfHeaderContainsWords                  :
    ExceptIfFromAddressContainsWords             :
    ExceptIfSenderDomainIs                       :
    ExceptIfRecipientDomainIs                    :
    ExceptIfSubjectMatchesPatterns               :
    ExceptIfSubjectOrBodyMatchesPatterns         :
    ExceptIfHeaderMatchesMessageHeader           :
    ExceptIfHeaderMatchesPatterns                :
    ExceptIfFromAddressMatchesPatterns           :
    ExceptIfAttachmentNameMatchesPatterns        :
    ExceptIfAttachmentExtensionMatchesWords      :
    ExceptIfAttachmentPropertyContainsWords      :
    ExceptIfContentCharacterSetContainsWords     :
    ExceptIfSCLOver                              :
    ExceptIfAttachmentSizeOver                   :
    ExceptIfMessageSizeOver                      :
    ExceptIfWithImportance                       :
    ExceptIfMessageTypeMatches                   :
    ExceptIfRecipientAddressContainsWords        :
    ExceptIfRecipientAddressMatchesPatterns      :
    ExceptIfSenderInRecipientList                :
    ExceptIfRecipientInSenderList                :
    ExceptIfAttachmentContainsWords              :
    ExceptIfAttachmentMatchesPatterns            :
    ExceptIfAttachmentIsUnsupported              : False
    ExceptIfAttachmentProcessingLimitExceeded    : False
    ExceptIfAttachmentHasExecutableContent       : False
    ExceptIfAttachmentIsPasswordProtected        : False
    ExceptIfAnyOfRecipientAddressContainsWords   :
    ExceptIfAnyOfRecipientAddressMatchesPatterns :
    ExceptIfHasSenderOverride                    : False
    ExceptIfMessageContainsDataClassifications   :
    ExceptIfSenderIpRanges                       :
    PrependSubject                               :
    SetAuditSeverity                             : Medium
    ApplyClassification                          :
    ApplyHtmlDisclaimerLocation                  :
    ApplyHtmlDisclaimerText                      :
    ApplyHtmlDisclaimerFallbackAction            :
    ApplyRightsProtectionTemplate                :
    SetSCL                                       :
    SetHeaderName                                :
    SetHeaderValue                               :
    RemoveHeader                                 :
    AddToRecipients                              :
    CopyTo                                       :
    BlindCopyTo                                  :
    AddManagerAsRecipientType                    :
    ModerateMessageByUser                        :
    ModerateMessageByManager                     : False
    RedirectMessageTo                            :
    RejectMessageEnhancedStatusCode              : 5.7.1
    RejectMessageReasonText                      : This message contains an attachment that is potentially unsafe
    DeleteMessage                                : False
    Disconnect                                   : False
    Quarantine                                   : False
    SmtpRejectMessageRejectText                  :
    SmtpRejectMessageRejectStatusCode            :
    LogEventText                                 :
    StopRuleProcessing                           : False
    SenderNotificationType                       :
    GenerateIncidentReport                       :
    IncidentReportOriginalMail                   :
    IncidentReportContent                        :
    RouteMessageOutboundConnector                :
    RouteMessageOutboundRequireTls               : False
    ApplyOME                                     : False
    RemoveOME                                    : False
    GenerateNotification                         :
    Identity                                     : Attachment Filtering
    DistinguishedName                            : CN=Attachment Filtering,CN=TransportVersioned,CN=Rules,CN=Transport
                                                   Settings,CN=First Domain,CN=Microsoft
                                                   Exchange,CN=Services,CN=Configuration,DC=Domain,DC=com
    Guid                                         : 52b1774b-4a4c-4aba-ac8c-a3cb14f231ac
    ImmutableId                                  : 52b1774b-4a4c-4aba-ac8c-a3cb14f231ac
    OrganizationId                               :
    Name                                         : Attachment Filtering
    IsValid                                      : True
    WhenChanged                                  : 3/7/2016 4:41:31 PM
    ExchangeVersion                              : 0.1 (8.0.535.0)
    ObjectState                                  : Unchanged


    Any thoughts on where to go from here? Thanks!

    Thursday, August 25, 2016 4:25 AM
  • Any more ideas on this anyone?
    Friday, August 26, 2016 2:44 PM
  • Hi,

    Thank you for your reporting back.

    To test and narrow down your issue, would you please provide the version of your Exchange servers?

    I'll test and update.


    Allen Wang
    TechNet Community Support


    Please remember to mark the replies as answers if they help and unmark them if they provide no help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Sunday, August 28, 2016 8:49 AM
    Moderator
  • Hello. They are Exchange 2013 Enterprise, CU12. Thank you!
    Sunday, August 28, 2016 9:19 PM
  • Hi,

    I notice that there's no value related to attachments, for example AttachmentNameMatchesPatterns or AttachmentContainsWords. Is there any value populated in those attributes?

    If so, please post the actual values related to attachments by running the command below:

    Get-Transportrule "Attachment Filtering" | FL Identity,Description,Attachment*

    If not, please add some value for those parameters or recreate this rule for testing.


    Allen Wang
    TechNet Community Support



    Tuesday, August 30, 2016 1:05 PM
    Moderator
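
The check requested above can be extended to show only the predicates that actually carry a value, Boolean ones included. This is an added example, not part of any post in this thread: the function name `Get-PopulatedRulePredicate` is hypothetical, the sample object is constructed from values in the property dump above, and `RuleErrorAction = 'Ignore'` is an assumption taken from the event text "The rule is configured to ignore errors".

```powershell
# Added example: list the populated attachment predicates of a transport rule.
function Get-PopulatedRulePredicate {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$Rule,
        # Property-name wildcards to inspect: the Attachment* filter from the
        # post above plus the matching ExceptIf* exceptions.
        [string[]]$Pattern = @('Attachment*', 'ExceptIfAttachment*')
    )
    process {
        foreach ($prop in $Rule.PSObject.Properties) {
            $nameMatches = $false
            foreach ($p in $Pattern) {
                if ($prop.Name -like $p) { $nameMatches = $true }
            }
            if (-not $nameMatches) { continue }

            $value = $prop.Value
            # An unset predicate is $null, $false, or an empty string/collection.
            if ($null -eq $value) { continue }
            if ($value -is [bool]) { if (-not $value) { continue } }
            elseif (@($value).Count -eq 0 -or "$value" -eq '') { continue }

            [pscustomobject]@{
                Rule        = $Rule.Name
                Predicate   = $prop.Name
                Value       = $value
                ErrorAction = $Rule.RuleErrorAction
            }
        }
    }
}

# Constructed sample (values copied from the dump; RuleErrorAction assumed).
$sample = [pscustomobject]@{
    Name                                   = 'Attachment Filtering'
    AttachmentNameMatchesPatterns          = $null
    AttachmentContainsWords                = $null
    AttachmentIsUnsupported                = $false
    AttachmentHasExecutableContent         = $true
    AttachmentIsPasswordProtected          = $false
    ExceptIfAttachmentHasExecutableContent = $false
    RuleErrorAction                        = 'Ignore'
}
$sample | Get-PopulatedRulePredicate | Format-List
# On an Exchange server:
#   Get-TransportRule "Attachment Filtering" | Get-PopulatedRulePredicate
```

With `RuleErrorAction` set to `Ignore`, a message is sent on without the rule being evaluated when the filtering service fails, which is the situation event 4010 reports; the other value the setting accepts is `Defer`.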
  • Hello. I just recreated the rule several minutes ago. There are no values for AttachmentNameMatchesPatterns or AttachmentContainsWords in the new rule. Based off of my understanding I do not believe these attributes need values, but maybe I am wrong. Can you tell me what these should be?
    Saturday, September 3, 2016 4:39 PM
  • Hi,

    It should contain words if you add a rule to detect attachments.

    Normally, you can create a transport rule in the EAC and select "Any attachment's content includes", "Any attachment's content matches" or other attachment conditions; we need a value so that the transport agent can filter messages.

    More details about Transport Rule Conditions, for your reference: https://technet.microsoft.com/en-us/library/dd638183(v=exchg.150).aspx


    Allen Wang
    TechNet Community Support



    Sunday, September 4, 2016 6:10 AM
    Moderator