Email Virus Scanner Quarantines Office 2007 Documents

When a user receives an Office 2007 document saved in the Office OpenXML format (e.g. .docx, .xlsx, .pptx) as an email attachment, the file may occasionally be quarantined or otherwise flagged as infected by an email antivirus program. This happens because the virus scanner flags the file for containing a binary file (.bin).

The Office OpenXML format files are actually zip files which contain multiple files within them. Antivirus software may recognize them as such, unzip them, and analyze the contents individually. Among the files which an Office OpenXML document can contain are files such as oleObject1.bin (containing embedded OLE objects) or PrinterSettings1.bin (containing printer settings). These .bin files may cause the attachment to trigger a policy in the virus scanner which blocks executables or filters common executable extensions (.exe, .bin, .com, .bat, .pif, etc.).

Potential workarounds include turning off quarantining of executable attachments, allowing attachments with the .bin extension, or not scanning zips, but all of these are potentially too dangerous to seriously consider. Until the Office OpenXML format becomes more prevalent and/or the antivirus vendors find an intelligent solution to this issue, it may be easier to individually release these files from quarantine.
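When reviewing a quarantined attachment before releasing it, it helps to see which .bin parts the package actually contains and what their leading bytes look like. The following Python script is an added example, not part of the original TechByte or any antivirus product: it opens an OpenXML package as a zip, lists every .bin part, and labels it by header. The function names, the labels, and the sample package (including the part named unexpected.bin) are constructed for illustration.

```python
import io
import zipfile

OLE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")  # OLE compound file header
PE_MAGIC = b"MZ"                                # DOS/PE executable header


def classify_bin_parts(package_bytes):
    """Return {part_name: label} for every .bin part in an OpenXML package."""
    results = {}
    with zipfile.ZipFile(io.BytesIO(package_bytes)) as pkg:
        for info in pkg.infolist():
            if not info.filename.lower().endswith(".bin"):
                continue
            # Only the first bytes are needed to recognise the header.
            with pkg.open(info) as part:
                head = part.read(8)
            if head.startswith(OLE_MAGIC):
                label = "ole-compound-file"   # expected for oleObjectN.bin
            elif head.startswith(PE_MAGIC):
                label = "pe-executable"       # not expected in a document
            else:
                label = "other-data"          # e.g. printer settings
            results[info.filename] = label
    return results


def build_sample_package():
    """Constructed sample: a minimal zip using OpenXML-style part names."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<document/>")
        z.writestr("word/embeddings/oleObject1.bin", OLE_MAGIC + b"\x00" * 504)
        z.writestr("word/printerSettings/printerSettings1.bin",
                   "Printer".encode("utf-16-le") + b"\x00" * 50)
        z.writestr("word/embeddings/unexpected.bin", b"MZ\x90\x00" + b"\x00" * 60)
    return buf.getvalue()


if __name__ == "__main__":
    for name, label in classify_bin_parts(build_sample_package()).items():
        print(f"{label:18} {name}")
```

The check reads only the header of each part. A part labelled ole-compound-file is the expected container type, but whatever is embedded inside it is not inspected here, so the scanner's own verdict on the contents still applies.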

See this Wikipedia entry for more information on Office OpenXML.

This document describes an example of this issue with Symantec Antivirus.


Author: ASAK
Created: Feb 15 2008
Categories: Antivirus
TechByte #161
