How to use Symantec Scan Engine 5.2 content scanning technologies for direct integration with your applications or devices

GuidoSanchidrian's picture

One of the "best hidden secrets" in Symantec's portfolio is likely the Symantec Scan Engine. This product emerged many years ago from our integration work with large Internet carriers to provide a highly scalable, high-performance antivirus scan engine that was easy to integrate into any kind of third-party application or device. Some people might remember a product called "Carrier Scan Server", which was the first evolution of this product. Now, in version 5.2, Symantec Scan Engine is one of the most mature products in our portfolio and the foundation for several others: for example, Symantec AntiVirus for Caching and Symantec AntiVirus for Network Attached Storage are both based on Scan Engine development.

Symantec Scan Engine itself is also a stand-alone product in our portfolio. First of all, it offers antivirus, spyware/adware blocking and URL filtering technologies that can be easily integrated into applications from third-party independent software vendors, into network attached storage devices from many hardware vendors, into proxy/caching and messaging systems, and into the infrastructure of Internet Service Providers.
Scan Engine integrates easily into network-enabled devices via the Internet Content Adaptation Protocol (ICAP 1.0), a very common interface for content scanning that is used, for example, in BlueCoat, NetCache or Cisco caching systems, as well as in proxy applications such as Squid. In addition, Scan Engine includes an SDK for client-side ICAP that lets C++, Java and C# (for .NET integrations) applications link quickly with Symantec Scan Engine. This provides a very flexible and scalable implementation, and it runs on Sun Solaris, Red Hat Linux, Microsoft Windows 2000/2003 and SuSE Enterprise Linux platforms.

It includes a Command Line Scanner for on-demand scanning of files on Unix/Linux systems and, like all other Symantec antivirus products, it is backed by Symantec Security Response, including updates via Symantec LiveUpdate technology on all platforms.

In general, Symantec Scan Engine 5.2 is well suited for third-party independent software/hardware vendors that need antivirus, spyware/adware blocking and URL filtering technologies for direct integration with their applications or devices (across proxy/caching, storage, messaging, etc.).
It is also attractive for large Internet service providers who have proprietary systems (for example, email) and wish to offer antivirus, spyware/adware blocking and/or URL filtering as a value-added service to subscribers.
Last but not least, Symantec Scan Engine 5.2 is ideal for OEMs who wish to offer their customers the option to purchase antivirus or URL filtering for their applications. We provide an SDK which allows you to code in C++ or Java for Windows, Linux, or Solaris. Microsoft RPC is also a supported protocol on Windows; it is used, for example, for NetApp Filer integration.

Over the years, we have already seen many partners using Symantec Scan Engine for various integrations. One of the most active partners in this arena is PCS AG in Solingen, Germany, a place that is famous not just for high-quality knife blades, but also for connector development around Symantec Scan Engine. PCS AG is a longstanding Symantec Technology Partner, responsible for high-quality "knife-blade" development of Symantec Scan Engine connectors, for example for MS ISA Server and MS SharePoint Portal Server. Their latest connector releases now cover Scan Engine connectors for MS SQL databases and MS Internet Information Server, called UNIQUE SQL Protector and UNIQUE IIS Protector. You can watch the following two videos to see how the MS SQL and MS IIS integration works:
UNIQUE SQL Protector video: http://www.pcs-ag.de/index.php?id=285
UNIQUE IIS Protector video: http://www.pcs-ag.de/index.php?id=279

PCS AG is one of the best examples of how flexibly, scalably, and quickly Symantec Scan Engine integrates with any third-party application, system or device. On Google you will find many other examples, such as integrations for Sun StorageTek or Hitachi NAS devices, open-source application integrations, etc. Just look for "Symantec Scan Engine" and "ICAP"...

So if you need to scan files for a specific application, or need to scan files submitted to a web server from outside your company, Symantec Scan Engine could be your product of choice. You can simply give it a try and download a 30-day trialware version from http://www.symantec.com/business/scan-engine.

Please don't hesitate to contact me with any further questions.
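
As an added illustration of the ICAP integration path described in this article (not code from Symantec or the Scan Engine SDK), the Python example below frames a file as an ICAP 1.0 RESPMOD request per RFC 3507 and maps the reply to a fail-closed verdict. The service path `/AVSCAN`, the `X-Infection-Found` and `X-Violations-Found` header checks, the host name `upload.invalid` and the sample responses are assumptions to confirm against your own deployment.

```python
# Added example (not Symantec's code): ICAP 1.0 RESPMOD framing per RFC 3507 and
# a fail-closed verdict check. The "/AVSCAN" path and all samples are assumptions.
from urllib.parse import quote

CRLF = b"\r\n"

def build_respmod(host, port, service, filename, data, chunk_size=4096):
    """Wrap `data` as the body of an HTTP response encapsulated in RESPMOD."""
    # Percent-encode the client-supplied name so CR/LF cannot add header lines.
    req_hdr = (f"GET /{quote(filename, safe='')} HTTP/1.1\r\n"
               "Host: upload.invalid\r\n\r\n").encode()
    res_hdr = ("HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n"
               f"Content-Length: {len(data)}\r\n\r\n").encode()
    # Encapsulated offsets count bytes from the start of the encapsulated part.
    icap_hdr = (f"RESPMOD icap://{host}:{port}{service} ICAP/1.0\r\n"
                f"Host: {host}:{port}\r\n"
                "Allow: 204\r\n"
                f"Encapsulated: req-hdr=0, res-hdr={len(req_hdr)}, "
                f"res-body={len(req_hdr) + len(res_hdr)}\r\n\r\n").encode()
    body = bytearray()
    for i in range(0, len(data), chunk_size):      # HTTP chunked transfer coding
        chunk = data[i:i + chunk_size]
        body += f"{len(chunk):x}".encode() + CRLF + chunk + CRLF
    body += b"0" + CRLF + CRLF                     # terminating zero-length chunk
    return icap_hdr + req_hdr + res_hdr + bytes(body)

def parse_icap_response(raw):
    """Return (status, headers) from the ICAP response head; raise on garbage."""
    head = raw.partition(CRLF + CRLF)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("ICAP/") or not parts[1].isdigit():
        raise ValueError("not an ICAP response")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return int(parts[1]), headers

def verdict(raw):
    """'clean' only on 204; 'infected' on a flagged 200; otherwise 'error'."""
    try:
        status, headers = parse_icap_response(raw)
    except ValueError:
        return "error"
    if status == 204:
        return "clean"
    flagged = "x-infection-found" in headers or "x-violations-found" in headers
    if status == 200 and flagged:
        return "infected"
    return "error"

def accept_upload(raw):
    """Fail closed: a dropped socket or odd status must not admit the file."""
    return verdict(raw) == "clean"

# Constructed sample responses (not captured from a real scan engine).
CLEAN_SAMPLE = b'ICAP/1.0 204 No Content\r\nISTag: "constructed"\r\n\r\n'
INFECTED_SAMPLE = (b'ICAP/1.0 200 OK\r\nISTag: "constructed"\r\n'
                   b"X-Infection-Found: Type=0; Resolution=2; Threat=Constructed.Sample;\r\n"
                   b"Encapsulated: res-hdr=0, res-body=23\r\n\r\n"
                   b"HTTP/1.1 403 Denied\r\n\r\n0\r\n\r\n")
```

An upload handler would write the bytes from `build_respmod` to the engine's ICAP port (1344 by default) and pass whatever comes back, including an empty read after a socket failure, to `accept_upload`.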

shp's picture

Great info....... thanks... 

Regards,
Srinivas H.P.
HCL Infosystems Ltd

TSE-JDavis's picture

Scan Engine is a great product to support because it is so portable and powerful. It seems the most popular use at this point is NAS scanning but I have seen it used with a Websense proxy server before and even as a Linux file system scanner.

salmdub's picture

Win server 2008

You're right that the SDK provides a C# code example to make the Scan Engine work in a Win Server 2003 environment. This code example appears to require the SESA agent to run on the server.

However in a Win server 2008 environment the SESA agent won't install... and I understand from Symantec's technical support team that there's no plan to make the SESA agent Win 2008 compatible...??

Why is there no example in the SDK to make Scan Engine work in a Win 2008 environment?

salmdub's picture

Win Server 2008

After digging a bit deeper it appears that Scan Engine 5.2.4 has added support for Win Server 2008. If it does support Win Server 2008 how come your SDK doesn't provide a working C# example for the 2008 platform?

A response is appreciated...

MaureenJMM's picture

Virus scanning String in Java

Does Scan Engine 5.2.4 provide an SDK for Java? If yes, please provide a link to the product information.

GuidoSanchidrian's picture

Yes, you can use the Java API plug-in (SymJavaAPI.jar) to integrate with Symantec Scan Engine. The Java API provides client antivirus scanning and repair services using the ICAP protocol. The Java API supports the FILEMOD and RESPMOD scanning modes, and it contains the built-in ability to stream files.
You will find some more information in the folder Scan_Engine_SDK/Java/Docs/SymJavaAPIDocs.jar on the product CD and in the archive of the trial version download.

GuidoSanchidrian's picture

Win Server 2008

SESA is an old, legacy architecture of Symantec to provide Security Information and Event Management. It has been replaced years ago by Symantec Security Information Manager appliance. Usually you should be able to use the coding without the SESA portion to create an ICAP client talking with the Scan Engine ICAP Server directly, and there is no need to use the SESA agents anymore, as this backend architecture has been EOL'ed years ago.

junkfood's picture

Is Symantec Scan Engine part of product of SEP

Is Symantec Scan Engine part of the Symantec Endpoint Protection product? My company provides the Symantec Endpoint Protection product, but I don't know whether it provides Symantec Scan Engine or not.

I want to use Symantec Endpoint Engine to scan files for my web application. Here is what I am going to do. I am going to start writing the application program first, and my client-side application program will use SymJavaAPISym to configure an application to pass files to Symantec Antivirus Scan Engine for scanning using the ICAP protocol.

If I don't have Symantec Scan Engine, are there any other ways I can do the implementation?

Thanks

TSE-JDavis's picture

Junkfood,

Scan Engine is not part of SEP, it is a different product with different licensing.

You can download a copy of it here and you will be emailed a 30-day license to try it out:

http://www.symantec.com/business/scan-engine

It comes with the implementation guide, SDK and examples, also a Java command-line scanner which sounds like it would work best for your web environment.

junkfood's picture

Symantec Scan Engine Console not working

Thank you for your fast and detailed response. I really appreciate it.
Now I am going to use the trialware first. My IT Manager will take care of the product license.
However, I have met some problems after I installed Symantec Scan Engine 5.2 on Windows 2K3.
I followed the instructions in the Symantec Scan Engine Implementation Guide, setting up my admin account and using the default number 8004 and default SSL 8005. The JRE I used is 1.6.
But now, when I want to start the console I go to http://127.0.0.1:8004/ or http://localhost:8004/ and the result is only 5 squares in the IE browser.
If I type https://127.0.0.1:8004 or https://localhost:8004/, the result shows that no page can be displayed in the IE browser.
If I type http://localhost/, my Tomcat Apache server console shows up.
Do you have any ideas about this? Is the problem with the license? Is the problem with the version of IE?

TSE-JDavis's picture

The page to access is https://localhost:8004/. You need to make sure you only have one version of Java installed. Multiple versions can cause issues.

Also, make sure the Symantec Scan Engine service is running by looking in services.msc.

Keep in mind that we use a self-signed certificate, so it's going to warn you that it's not a safe site, even though it's fine.

Lastly, I would recommend using Firefox, since it is much more compatible with the Scan Engine interface and doesn't bother you so often about the self-signed certificate.

junkfood's picture

Hi, TSE-JDavis:

Thank you for your answer.

I followed your suggestions:

1. Go to the Java Control Panel (Settings - Control Panel - Java) and clean the Java cache.

2. Install Firefox.

3. Go to Administrative Tools --> Services --> It shows the status of Symantec Scan Engine as started.

4. Open Firefox and type https://localhost:8004/ in the URL bar. Here is the error message I get from Firefox:

You have asked Firefox to connect securely to localhost:8004, but we can't confirm that your connection is secure.

Normally, when you try to connect securely, sites will present trusted identification to prove that you are going to the right place. However, this site's identity can't be verified.

What Should I Do?

If you usually connect to this site without problems, this error could mean that someone is trying to impersonate the site, and you shouldn't continue.

Technical Details

localhost:8004 uses an invalid security certificate.

The certificate is not trusted because it is self-signed.
The certificate is only valid for Symantec Scan Engine 5.2

(Error code: sec_error_ca_cert_invalid)

I Understand the Risks

If you understand what's going on, you can tell Firefox to start trusting this site's identification. Even if you trust the site, this error could mean that someone is tampering with your connection.

Don't add an exception unless you know there's a good reason why this site doesn't use trusted identification

junkfood's picture

The problem solved

Hi, TSE-JDavis:

Now I can access the Symantec Scan Engine Console after I chose to add an exception.

Once again, thank you for your help.

junkfood's picture

The problem with license file

Thank you for the help. I already solved the problem, and now I can log in to the Symantec Scan Engine Console.

After I log in to the Symantec Scan Engine Console, it asks me to provide a license file; otherwise, it will not provide any service or scanning feature.

Do you know where I can get a 30-day license file or product license to activate all the services provided by Symantec Scan Engine?

Should I send the request to the Symantec Licensing Portal?

TSE-JDavis's picture

When you followed the link I sent you, as soon as you started the download, we emailed you a 30-day trial license. It would have come from licensing@symantec.com and included a .zip file which contains the .slf you need to give Scan Engine.

junkfood's picture

Where I get more tutorial documents about using SymJavaAPIDocs

Hi, TSE-JDavis;

I already got the 30-day trial license, and finished setting up the Scan Engine Server.

Now I am going to implement a web application by using SymJavaAPIDocs.

The Scan Engine SDK already provides the jar file and the JavaAPICheck example. It is very helpful for me to implement my application by using Java.

However, the jar SymJavaAPIDocs is provided by Symantec without any javadoc documentation.

Do you know where I can find that javadoc documentation or any useful examples or tutorial documents about using this Java jar?

Thanks.

arunchp's picture

I tried JavaAPICheck.java

I tried JavaAPICheck.java given with SymJavaAPI.jar, I got following resultStatus = FILE_ACCESS_FAILED

For security purpose i mention the IP as localhost reference.

D:\dev\test\TestProject>java JavaAPICheck -streamFileLocal:0 file:\\127.0.0.1\test\TestProject\test.doc
----------------------------------------------------------------------
Scanning file ........................................................
----------------------------------------------------------------------
Results ..............................................................
----------------------------------------------------------------------
File Scanned            : \\127.0.0.1\test\TestProject\test.doc
Scan Policy             : SCAN
File Status             : FILE_ACCESS_FAILED
Total Infection         : 0
Virus Def Date          : Tue Feb 23 00:00:00 IST 2010
Virus Def Revision No   : 004
Scan Engine IP          : 127.0.0.1
Scan Engine Port        : 1344
Scan Engine Access      : Able to connect

Please suggest what I am doing wrong, and how I can proceed further.

GuidoSanchidrian's picture

@arunchp - RE: I tried JavaAPICheck.java

Please let me know what method you are using - createFileScanRequest or createStreamScanRequest. There is a fundamental difference between FileScanRequest and StreamScanRequest behavior. FileScanRequest operates on an absolute file path. If you want to use FileScanRequest, you have to ensure that the file is directly accessible to the scan engine at the given path, otherwise you will get the "FILE_ACCESS_FAILED" error return. This method is typically used when the client and the scan engine are on the same box. If this is not the case, then we would recommend using StreamScanRequest.

srinivas.guruzu@wellsfargo.com's picture

Issue with Java API scanning Large Files

We are trying to use the Java API for scanning large files. The idea was to compare the command line invocation with the Java API for response and performance. We had two implementations, one that takes the location of the file and the other that takes the InputStream. The file size we chose was 380 MB, which is possible for our application. When scanning with the InputStream, we are getting

Problem encountered! Scanning Failed!! ERROR_SOCKET_COMMUNICATION
com.symantec.scanengine.api.ScanException: Unable to communicate with Symantec Scan Engine.
        at com.symantec.scanengine.api.RequestImpl.readResult1(Unknown Source)
        at com.symantec.scanengine.api.RequestImpl.finish(Unknown Source)
        at com.wellsfargo.virusscan.VirusScanTest2.main(VirusScanTest2.java:64)

and when scanning with the file location in the JAVA API, we are getting
Exception in thread "main" com.symantec.scanengine.api.ScanException: Unable to open a stream to recieve the data from the server.
        at com.symantec.scanengine.api.RequestImpl.read(Unknown Source)
        at com.symantec.scanengine.api.FileScanRequestImpl.scanFile(Unknown Source)
        at com.wellsfargo.virusscan.VirusScanTest.main(VirusScanTest.java:31)

Also the input stream is slow. Are we missing some configuration? I would really appreciate any ideas and suggestions.

FbacchinZF's picture

Is There any way to integrate Scan Engine Consoles ??

 

I have several Scan Engine for NAS running with some IBM Netapp Storage systems I have on different plants.
So, I have several Scan Engine Consoles to monitor everyday.

Is there a way to integrate those consoles ? maybe with SEP11 console ? or SAV reporter ?

Thanks

GuidoSanchidrian's picture

RE: Is There any way to integrate Scan Engine Consoles ??

@FbacchinZF
SEP 11 Console and Scan Engine Console can run on the same computer regardless what Java version you use. But they don't integrate.

Symantec Scan Engine events can be integrated into a centralized console, but it requires another product from Symantec called "Symantec Security Information Manager". Please take a look to the following document that will also link to another document with some more details about this integration: http://service1.symantec.com/SUPPORT/ent-gate.nsf/....

Symantec Security Information Manager is a soft-appliance, that runs on either a specific Symantec hardware appliance or specific Dell, HP, IBM appliances. We don't have a trialware available online, but you can contact your Symantec representative to request a demo unit for your company. SSIM comes with hundreds of collectors to collect and correlate events from many various sources, incl. firewalls, intrusion detection, AV etc. You can get a list of all collectors in the SSIM forum on Symantec Connect: https://www-secure.symantec.com/connect/security/f....

You also mentioned "Threat Reporter" (formerly known as "SAV Reporter"). This is a famous reporting tool from Symantec Consulting Group based on HTML, PHP, MySQL/MS SQL Server, Perl. It is very dedicated to AntiVirus products (from Symantec and other third-party vendors), and is different from SSIM and its broader security posture and correlation approach. However, Threat Reporter also supports Scan Engine 5.x reporting.

Hope this helps. Please don't hesitate to ask further questions.

-Guido

rgill's picture

Performance and Sizing

Where can I find documents/white papers detailing the performance/throughput of Symantec Scan Engine?


FbacchinZF's picture

How do I integrate Scan Engine reporting with Threat Reporter ?

@Guido

Thanks for your detailed answer.

Integrating Scan Engine with Threat Reporter will be wonderful for me :)

How do I do that ? Is there any documentation about it ?

Should I just install the reporting agents as I do for SAV Parent Servers ?

Ramprasad_Rajaraman's picture

Usage of this through a .Net1.1 application

Hi All,
We have a scenario in which we are using Symantec Scan Engine for the virus scan of uploaded files. Unfortunately, the system we are using is on the .NET 1.1 framework. When we use the DLL given by the Symantec Scan Engine, it does not allow us to add a reference, as there is no forward compatibility in .NET. The scan engine DLL is given with .NET version 2.0. The only thing we can do is have a web service wrapper on top of the .NET 2.0 DLL and call the web service method from the .NET 1.1 application.

Is there any way we can get the .NET 1.1 runtime version of the Scan Engine DLL so that we can reference it in our application?

Please provide some pointers on the same.

Ramprasad R

padam_chhetri@persistent.co.in's picture

Scan Engine is not able to parse file of size 75 MB

Hi All,

We are using java API to scan the local files(Scan engine and files are on the same box win 2003). When we scan the file of size 30MB then it scans the files successfully

C:\project>java -classpath .;C:\project\SymJavaAPI.jar JavaAPICheck -streambased:1 -streamFileLocal:1 -file:"c:\data\30mb.zip"
----------------------------------------------------------------------
Scanning file ........................................................
----------------------------------------------------------------------
Results ..............................................................
----------------------------------------------------------------------
File Scanned            : c:\data\30mb.zip
Scan Policy             : DEFAULT
File Status             : CLEAN
Total Infection         : 0
Virus Def Date          : Tue Mar 09 00:00:00 GMT+05:30 2010
Virus Def Revision No   : 009
Scan Engine IP          : 10.77.201.95
Scan Engine Port        : 1344
Scan Engine Port        : Able to connect

but when we scan the file of size 75 MB it shows the error

C:\project>java -classpath .;C:\project\SymJavaAPI.jar JavaAPICheck -streambased:1 -streamFileLocal:1 -file:"c:\data\75mb.zip"
Problem encountered! Scanning Failed!! ERROR_SOCKET_COMMUNICATION

Please provide some pointer to solve the issue

Thanks