Eser Mail Security rules and PDF as container

[katbert 3]

I have Eset Mail Secuirity for MS Exchange, аnd rule to send to quarantine messages with danger extensions (*.js, *.vbs etc).

This rule works fine for many days, but one message was quarantined unexpectedly. This message contain only two pdf attachments. But *.pdf  don't block by my rule.

Maybe Eset analyze pdf files as containers - and name of one of parts was blocked by rule? Some other antivirus check pdf like this:

mypdf.pdf/data0001
mypdf.pdf/data0002
mypdf.pdf/data0003
mypdf.pdf/data0004

How Eset "see" parts of PDF container?

[Marcos 4,187]

Do you have that pdf so that we could use it for testing? I'd suggest contacting customer care and creating a regular support ticket for this as more iterations will be needed. You can also provide the pdf file along with ELC logs to me too via a pm.

[filips 43]

Rules analyze files inside containers as well (e.g. zip/docx..). You should check your pdf files - they may contain blocked files.

[katbert 3]

Unexpectedly quarantined message contains embedded jpg image with .com in the file name, but Outlook don't show this image as attachment.

Thanks for answers!

[Juan50 0]

Good afternoon, I commented that I have seen several spam emails with attachments that pretend to be pdf, but Eset Mail Security blocks them because it is certainly malware