Using divide and conquer methods with container files that cause scan errors

Article:TECH89221  |  Created: 2008-01-24  |  Updated: 2013-10-25  |  Article URL http://www.symantec.com/docs/TECH89221
Article Type
Technical Solution

Product(s)

Issue



You seek to use divide and conquer methodology to diagnose a scan error for one or more types of container files.

Symptoms

Conditions
You have one of the following types of container files:

  • Classic archive container files: .zip, .rar, .tar, .gz
  • Application container files: .doc, .xls, .docx, .xlsx, .ppt



Solution





For all of the example divide and conquer methodologies below, perform all operations on a COPY of the container file, and not the original.


For classic archive container files
  1. Copy the container archive.
  2. Open the copy of the container archive with the type of packager which created the archive.
  3. Delete 50% of the files from the archive.
  4. Re-scan the archive using the same security product and method that yielded the initial scan error.
  5. If the copy of the container archive continues to cause scan errors, return to Step 1 and use the current copy as the new original archive.
  6. If the copy of the container archive no longer causes scan errors, return to Step 1 and use the previous copy as the new original archive, but delete the other 50% of the files when you arrive at step 3.

If you arrive at a point where removing each half of the file results in a successful scan, then the archive itself may be damaged. Try re-creating the archive from scratch using the same individual files with a different archive tool or on a different computer. If the archive is less than 10MB in size at this point, submit it to Symantec via Security Response.
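The halving procedure above can be scripted for .zip archives. The following is an added example, not Symantec code: the function names are hypothetical, and scan_fails is an assumed wrapper around whatever scanner and scan method produced the original error (here replaced by a stand-in that runs against a constructed sample archive).

```python
import io
import zipfile

def subset_copy(src_bytes, keep):
    """Build a new in-memory ZIP copy holding only the members in `keep`."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(src_bytes)) as src, zipfile.ZipFile(out, "w") as dst:
        for name in keep:
            dst.writestr(name, src.read(name))
    return out.getvalue()

def bisect_archive(src_bytes, scan_fails):
    """Return (member, rescans) for the member that triggers the scan error.

    scan_fails(zip_bytes) -> bool is a hypothetical wrapper around the real
    scanner; it returns True when the scan reports the error.
    member is None when neither half reproduces the error, i.e. the
    "archive itself may be damaged" outcome. src_bytes is never modified:
    every re-scan runs against a freshly built copy.
    """
    with zipfile.ZipFile(io.BytesIO(src_bytes)) as zf:
        names = zf.namelist()
    rescans = 0
    while len(names) > 1:
        mid = len(names) // 2
        for half in (names[:mid], names[mid:]):   # steps 3 and 6
            rescans += 1
            if scan_fails(subset_copy(src_bytes, half)):
                names = half                      # error follows this half
                break
        else:
            return None, rescans                  # both halves scan clean
    return (names[0] if names else None), rescans

def make_sample():
    """Constructed sample archive: 8 members, one carrying a marker string."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for i in range(8):
            zf.writestr(f"file{i}.txt", b"TRIGGER" if i == 5 else b"benign")
    return buf.getvalue()

def fake_scan_fails(zip_bytes):
    """Stand-in scanner: reports an error if any member contains TRIGGER."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return any(b"TRIGGER" in zf.read(n) for n in zf.namelist())

if __name__ == "__main__":
    print(bisect_archive(make_sample(), fake_scan_fails))
```

To use it against a real scanner, replace fake_scan_fails with a function that writes the bytes to a temporary file, runs the same scan that failed originally, and returns True when the error recurs.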


For PowerPoint (.ppt) files
  • Follow the steps above for classic archive containers. Wherever instructions say 'file', substitute the word 'slide'.


For spreadsheets which permit embedded objects, such as Microsoft Excel (.xls)
  • Follow the steps above for classic archive containers. Whenever instructions say 'file', substitute the word 'row'. Once issues are isolated to a row, you may also need to repeat the steps, substituting 'column' for 'file', to isolate a problematic cell.


For word processor documents which permit embedded objects, such as Microsoft Word (.doc)
  • Follow the steps above for classic archive containers. Whenever the instructions say 'file', substitute the word 'line'.





Technical Information

Divide and conquer methodologies may not lend themselves to the following types of containers:

  • Relational database container files: .nsf, .fmt, .myd, .myi, .mdf, .ldf
  • Container files which constitute an entire filesystem or virtual filesystem: .vxd, .vmdk, .vhd, .iso




Legacy ID



2008032414394354

