Overview of scan error messages reported by Symantec Mail Security products
|Article:TECH82877|||||Created: 2004-01-08|||||Updated: 2011-02-08|||||Article URL http://www.symantec.com/docs/TECH82877|
During message or database scan activities, a Symantec Mail Security product may report certain 'scan errors', resulting in log events or quarantined items.
This article describes the most common scan errors that can be observed in a Mail Security product.
“Scan Error” messages usually contain additional details, which can be useful to determine the proper action to take. The following sections are the common scan error messages. Each section provides a brief description of the cause and corrections. Begin with the next section.
Unable to Extract Content
This scan error message can occur when an email message containing a malformed or corrupted attachment is received and scanned by Symantec Mail Security.
If you receive a large number of these error messages, please contact your local Symantec Technical Support.
Content Too Deep
A common source for this problem is an archive (zip) inside an archive, inside an archive, and so on
When nesting exceeds the configured limit for your product, an error is generated. Archives with many nested levels can be used to perform attacks such as Denial of Service (DoS).
All Symantec Messaging Security products contain settings to avoid this type of attack and ensure scan performance is not impacted by messages’ structure. The settings aforementioned specify the number of levels (nested containers, nested levels or archive scan depth) to scan. When the maximum scan depth is exceeded, Mail Security will generate a scan error, and take the appropriate action as configured.
The Symantec antivirus engine handles MIME (such as HTML messages) and plain text containing links, as a series of nested level objects. If the message exceeds the specified number of levels, a scan error will be generated.
This error occurs when Mail Security encounters an error and is unable to categorize it among the other categories; therefore the error is classified as Unknown error.
Some common reasons for this error are as follows:
-Mail Security engine not initializing properly
-A problem faced during the re-composition of file or message.
-Real time scan exclusions not properly configured. For example, when a local antivirus product is installed on the same computer as Mail Security, it must be configured to not scan the working directories used by Mail Security or the email server. For more information please refer to the documents in the "Related Articles" section below.
Scan Error on message body
The antivirus product generates an error message scanning a MIME message. It can be either a corrupted message or a malformed one. Nonstandard MIME messages often generate this error.
This error can also be due to a message with an unusually long thread. An example is an email with multiple replies. To resolve this cause for the scan errors increase the number for nested containers. For steps on changing the nested container limit read the Implementation Guide for the installed Symantec product.
Unable to split content
This error message indicates that the attachment is corrupted or fragmented and cannot be parsed into two or more parts. The archive types may be RAR, Zip, or others. Since the file is not complete, the antivirus engine cannot process the file. Do not open the fragmented file without scanning, even if it comes from a known or trusted source.
Unable to open container
This error message indicates that the container (file attachment, archive) may be damaged, split (see ‘unable to split content’ error), or causing I/O related issues when the file is processed by Mail Security.
This error occurs when Mail Security encounters a MIME partial message. These messages arrive in multiple parts (not compliant with email specifications) and will generate scan errors when processed by Mail Security.
Unable to decrypt content
This error occurs when Mail Security encounters a container that is encrypted (generally) using a password. Since it is password protected and encrypted, Mail Security cannot extract the contents of such containers. Mail Security administrators can configure a disposition to handle containers that are encrypted.
Examples of encrypted containers are: Password-protected ZIP files; Password-protected Office documents;
Unknown container algorithm
This message indicates that the attachment’s type of compression is not recognized by Mail Security.
For more information please refer to the documents in the "Related Articles" section below.
Exceeded the size limit for any one extracted file
This error message indicates that the uncompressed size of an extracted file exceeds the limit of maximum number of bytes configured in Mail Security. To avoid similar errors in the future, you may need to review your container limit settings in Mail Security. For more information please refer to the documents in the "Related Articles" section below.
Exceeded the limit for cumulative size of all extracted files
This error message indicates that the uncompressed size of all extracted files exceeds the limit of maximum number of bytes configured in Mail Security. To avoid similar errors in the future, you may need to review your container limit settings in Mail Security. For more information please refer to the documents in the "Related Articles" section below.
Exceeded the limit for number of files extracted
This error message indicates that the total number of extracted files from a top-level container exceeds the limit of maximum number of bytes configured in Mail Security. To avoid similar errors in the future, you may need to review your container limit settings in Mail Security. For more information please refer to the documents in the "Related Articles" section below.
Malformed container – missed identification / extension mismatch
This error message indicates that Mail Security is processing a container which can't be processed correctly or if its malformed content prevents some of the objects from being identified.
- This document contains only information for your better understanding of Gateway products, and scan error messages.
- Any time a Scan Error happens, it requires your attention as Network Administrator. In case of need, please contact your local Technical Support.
- Treat all scan errors carefully. Quarantine or delete any email generating a scan error, especially when the problem is labeled Unknown Error, or Unable to Extract Content. You can submit these items to Symantec Security Response for detailed analysis.
- Administrators should check quarantined items on a regular basis and ensure quarantine database size is always within acceptable values for the Operating Systems. As a general rule, it’s recommended the Quarantine databases should never grow any larger than 32GB.
- Symantec antivirus products can have other parameters that you configure to protect your server. These parameters include Scan Time Limit, Extract Time Limit, ant others. All these parameters are configurable to help protect your network by allowing the proper delivery of messages that do not contain malicious content.
Article URL http://www.symantec.com/docs/TECH82877