Scan Engine 5.x detects a container file as "Container file size limit exceeded"

Article:TECH92895  |  Created: 2009-01-16  |  Updated: 2012-03-16  |  Article URL http://www.symantec.com/docs/TECH92895
Article Type
Technical Solution


Issue



The Symantec Scan Engine logs show that a container file, such as a .ppt (PowerPoint presentation) or .zip archive, triggered "Container file size limit exceeded" and that access to the file was prevented. Access to the file is necessary, and future occurrences of the related log entries should be avoided.

Sample of the Warning from the SSE log:

A container violation has been found
Event Severity Level = Warning
URL = no_path
File name =<file name>
File status = BLOCKED
Component name = <Component name>
Component disposition = NOT REPAIRED
Container Violation = Container file size limit exceeded
Client IP =<scan client's IP address>
Scan Duration (sec) = <sec>
Connect Duration (sec) = <sec>
Scan Engine IP address =<SSE's host IP address> 
Scan Engine Port number = <SSE's listen port>
Uptime (in seconds) = <SSE's uptime>


Environment



Windows, Linux, Solaris


Solution



  1. Within Scan Engine, set the container limit policy to permit access. Note that setting the container limit policy to permit access allows clients access to any file that hits one of the three container limit values.
  2. If appropriate for the environment, raise the number of megabytes in "Maximum extract size of file meets or exceeds" to accommodate the size of the file.

To permit access in the Scan Engine web interface:

  1. Access the Symantec Scan Engine GUI (https://<hostname>:8004), click Policies.
  2. In the sidebar under Views, click Filtering.
  3. In the content area on the Container Handling tab, under Container File Processing Limits, under “When processor limit is met (or exceeded)”, click "Allow access to the file and generate a log entry".
  4. Click the Save icon on the navigation bar at the top of the Scan Engine web interface.

To set the "Maximum extract size of file meets or exceeds" value in the Scan Engine web interface:

  1. In the console on the primary navigation bar, click Policies.
  2. In the sidebar under Views, click Filtering.
  3. In the content area on the Container Handling tab, under Container File Processing Limits, in the “Maximum extract size of file meets or exceeds” box, type the maximum size in MB (after extraction) that Symantec Scan Engine will permit for an individual file or subcontainer within a container file. The default setting is 100 MB.
  4. Click the Save icon on the navigation bar at the top of the Scan Engine interface.

 

To permit access in the Scan Engine via CUI:

  1. At the command prompt, change the working directory to the SSE's root directory:

    cd /opt/SYMCScan/bin (Linux/Solaris)
    cd C:\Program Files\Symantec\Scan Engine (32-bit Windows)
    cd C:\Program Files (x86)\Symantec\Scan Engine (64-bit Windows)
     
  2. Type the following command to permit access to the BLOCKED file:

    # java -jar xmlmodifier.jar -s /filtering/Container/LimitChoiceStop/@value false filtering.xml
     

To set the "Maximum extract size of file meets or exceeds" value in the Scan Engine via CUI:

  1. If the current working directory is not the SSE's root directory, repeat step 1 in "To permit access in the Scan Engine via CUI" above.
  2. To set the MaxExtractSize parameter, type the following command:

    # java -jar xmlmodifier.jar -s /filtering/Container/MaxExtractSize/@value <size in MB> filtering.xml
    Example:
    # java -jar xmlmodifier.jar -s /filtering/Container/MaxExtractSize/@value 200 filtering.xml 
     

For the details of CUI parameters, refer to the following KB:
XPath location of Symantec Scan Engine 5.2 parameters in the Scan Engine xml configuration files
http://www.symantec.com/business/support/index?page=content&id=TECH161296
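
An added example, not part of the original article or of Symantec's tooling: a Python check that reads the two settings changed above from filtering.xml and, for a blocked .zip, reports the smallest MaxExtractSize that would admit it, so the limit can be raised instead of switching the policy to permit access. The XML layout is inferred from the XPaths above, the sample file is constructed, a megabyte is assumed to be 2**20 bytes, and only .zip containers are handled.

```python
import zipfile
import xml.etree.ElementTree as ET

# Constructed sample: element layout inferred from the XPaths on this page
# (/filtering/Container/<Name>/@value); a real filtering.xml has more settings.
SAMPLE_FILTERING_XML = """<filtering>
  <Container>
    <LimitChoiceStop value="true"/>
    <MaxExtractSize value="100"/>
  </Container>
</filtering>"""

MB = 1024 * 1024  # assumption: the engine counts a megabyte as 2**20 bytes


def read_container_policy(xml_text):
    """Return (blocks_on_limit, max_extract_mb) from filtering.xml content."""
    container = ET.fromstring(xml_text).find("Container")
    # "false" is the value the article sets to permit access, so "true" blocks.
    stop = container.find("LimitChoiceStop").get("value").strip().lower()
    max_mb = int(container.find("MaxExtractSize").get("value"))
    return stop == "true", max_mb


def largest_member(zip_source):
    """Return (name, declared uncompressed bytes) of the biggest zip member."""
    with zipfile.ZipFile(zip_source) as zf:
        # file_size comes from the zip headers; nothing is extracted here.
        info = max(zf.infolist(), key=lambda i: i.file_size)
        return info.filename, info.file_size


def advise(xml_text, zip_source):
    """Suggest the smallest MaxExtractSize that lets this archive through."""
    blocks, max_mb = read_container_policy(xml_text)
    name, size = largest_member(zip_source)
    # The limit triggers when a size "meets or exceeds" the value, so the
    # setting must be strictly greater than the member size in MB.
    needed_mb = size // MB + 1
    return {
        "fail_open": not blocks,  # True: over-limit files reach clients
        "largest_member": name,
        "would_hit_limit": size >= max_mb * MB,
        "suggested_max_extract_mb": max(needed_mb, max_mb),
    }
```

`advise()` accepts a path or a file object for the archive; a `fail_open` result of True means the policy already permits access to files that hit a container limit.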
 




Legacy ID



2009031611043454

