Container Violation = Container depth limit exceeded - Error in scan engine logs.

Article:TECH94102  |  Created: 2009-01-20  |  Updated: 2009-01-05  |  Article URL http://www.symantec.com/docs/TECH94102
Article Type
Technical Solution


Issue



The scan engine log has an entry stating "Container Violation = Container depth limit exceeded", and you want to know what to do.

Symptoms
A container violation has been logged with the error as stated, and files are being blocked or deleted on the basis of the verdict.



Cause



The option under Policies | Filtering | Container Handling, "maximum extract depth of file meets or exceeds [ X ] levels" (where X is a value greater than 0), is set too low for the environment.

Solution



Increase the value to one that fits the day-to-day activities of the environment in question. A good base value is 10 levels, as this allows a reasonable amount of file nesting within containers.
Note that the container limit exists primarily to stop denial-of-service attacks such as a "zip of death" or "zip bomb".



Technical Information

The log entry which appears should be similar to the following:
A container violation has been found
Date/time of event = 2009-05-20 10:01:03
Event Severity Level = Warning
File name = \\\CHECK$\\*.PPT
File status = NOT REPAIRED
Component name = *.PPT/PowerPoint Document
Component disposition = NOT REPAIRED
Container Violation = Container depth limit exceeded
Client IP = 127.0.0.1
Scan Duration (sec) = 0.578
Connect Duration (sec) = 0.594
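
Before raising the limit, it helps to see which file types and clients are producing the depth verdict. The following is an added example, not code from Symantec or from this article: it parses entries in the layout shown above and counts "Container depth limit exceeded" verdicts per file extension and client IP. The sample log is constructed, and the function names are hypothetical.

```python
from collections import Counter

HEADER = "A container violation has been found"
DEPTH_VERDICT = "Container depth limit exceeded"

# Constructed sample entries in the layout of the entry above; all values are made up.
SAMPLE_LOG = """\
A container violation has been found
Date/time of event = 2009-05-20 10:01:03
File name = \\\\share\\slides.PPT
Container Violation = Container depth limit exceeded
Client IP = 127.0.0.1

A container violation has been found
Date/time of event = 2009-05-20 10:04:41
File name = nested.zip
Container Violation = Container depth limit exceeded
Client IP = 192.0.2.10

A container violation has been found
Date/time of event = 2009-05-20 10:07:12
File name = other.zip
Container Violation = (constructed placeholder for a different verdict)
Client IP = 192.0.2.10
"""

def parse_entries(text):
    """Split a log into entries: each starts at HEADER, followed by 'key = value' lines."""
    entries, current = [], None
    for line in text.splitlines():
        line = line.strip()
        if line == HEADER:
            current = {}
            entries.append(current)
        elif current is not None and " = " in line:
            key, value = line.split(" = ", 1)
            current[key.strip()] = value.strip()
    return entries

def depth_violations_by_type(entries):
    """Count depth-limit verdicts per (file extension, client IP)."""
    counts = Counter()
    for e in entries:
        if e.get("Container Violation") == DEPTH_VERDICT:
            base = e.get("File name", "").replace("\\", "/").rsplit("/", 1)[-1]
            ext = base.rsplit(".", 1)[-1].lower() if "." in base else "(none)"
            counts[(ext, e.get("Client IP", "unknown"))] += 1
    return counts
```

Depth verdicts spread across ordinary document types and many clients point to a limit that is too low for the environment; a cluster of archives from a single client deserves a closer look before the limit is raised.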




Legacy ID



2009052015311854

