The compressed file under archived files contains items that should be excluded. However, IMSS missed the scanning of the contents.
The following logs are shown in the log.imss.<date>.<count> file:
[NORMAL]scan content error:0xffffffff
[NORMAL]emanager filter getFilterNo error:-1
By default, IMSS scans the archived files. The issue occurs because the following keys in the imss.ini file disable the scanning function:
MaxDeComposeDepth=0
AllowDecompressDepthZero=yes
Both keys are supposedly added only to bypass scanning the archived files.
To solve the issue, do the following:
- Open C:\Program Files\Trend Micro\IMSS\config\imss.ini using a text editor such as Notepad.
- Comment the following keys under the general section:
[general]
MaxDeComposeDepth=0
AllowDecompressDepthZero=yesThe result should be similar to the following:
[general]
#MaxDeComposeDepth=0
#AllowDecompressDepthZero=yes - Save the changes.
- Restart the Trend Micro IMSS Scan Service.
- Verify the new settings by sending an email with a compressed file with no password protection. The file type should be included in the block attachment policy.
The contents of the compressed file that IMSS needs to block should now be excluded.