Adding extension exclusions without compromising security.
Article: TECH154120 | Created: 2011-02-24 | Updated: 2011-07-15 | Article URL: http://www.symantec.com/docs/TECH154120
A customer receives Result ID = 6 errors regarding tmp files and wants to stop these errors.
The errors have no adverse effect; the customer would simply like to prevent the error messages from building up in the Event Viewer.
Error 6 can also be accompanied by error 24.
Error 6, whether or not it is seen with error 24, can be caused by a file not being scanned due to expected conditions:
1. When a file is decomposed
2. When a file is too large to be scanned in memory (the in-memory file system settings)
3. When the file path is not fully supported by the scan engine (the file is requested via the 8.3 file path, saved to the temp location and scanned).
However, on this occasion it is simply .tmp files that are triggering the error (without any fallout).
You should exclude .tmp files from being scanned. The .tmp files are usually a byproduct of the parent file being scanned; they disappear very quickly and can, on that basis, generate error 6.
There is no security compromise here, as Scan Engine will scan files based on their true type even if these files have been renamed to .tmp.
For example, if an executable is renamed from .exe to .tmp, it will still be scanned, as its true type is Executable.
Symantec Scan Engine performs true file typing before it applies exclusions by either file extension or MIME type. To do so, it must receive the entirety of the file before it attempts to determine the file's true type.
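The ordering described above (true typing first, extension exclusion second) can be modeled as follows. This is an added example, not Symantec code: the signature table, the type names and the functions `detect_true_type` and `should_scan` are assumptions made for illustration, and the table is not Scan Engine's true-type list.

```python
# Simplified model of "true type first, extension exclusion second".
# Signature table and function names are illustrative assumptions,
# not Symantec Scan Engine's actual type list or API.
import os

# Leading magic bytes for a few well-known formats.
MAGIC_SIGNATURES = [
    (b"MZ", "executable"),            # DOS/PE executables
    (b"\x7fELF", "executable"),       # ELF binaries
    (b"PK\x03\x04", "archive"),       # ZIP-based containers
    (b"%PDF-", "document"),           # PDF
]

# True types that are always scanned, whatever the file is named.
ALWAYS_SCAN_TYPES = {"executable", "archive", "document"}


def detect_true_type(data: bytes) -> str:
    """Classify content by its leading bytes; the file name is ignored."""
    for magic, type_name in MAGIC_SIGNATURES:
        if data.startswith(magic):
            return type_name
    return "unknown"


def should_scan(filename: str, data: bytes, excluded_exts: set) -> bool:
    """Return True if the file must be scanned.

    True typing runs on the content first; the extension exclusion is
    consulted only for content whose true type is not always scanned.
    """
    if detect_true_type(data) in ALWAYS_SCAN_TYPES:
        return True
    ext = os.path.splitext(filename)[1].lower()
    return ext not in excluded_exts


if __name__ == "__main__":
    exclusions = {".tmp"}
    # Constructed sample inputs: (file name, first bytes of content).
    samples = [
        ("setup.tmp", b"MZ\x90\x00\x03\x00"),       # renamed executable
        ("~df3a1.tmp", b"\x00\x00scratch data"),    # genuine temp file
        ("notes.txt", b"plain text"),
    ]
    for name, content in samples:
        print(f"{name}: true type={detect_true_type(content)}, "
              f"scan={should_scan(name, content, exclusions)}")
```

In this model the `.tmp` exclusion suppresses only content with no recognized true type, which is why a renamed executable is still scanned.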
All the true types that will be scanned by the latest release of Scan Engine are as follows.