
How to use Symantec Scan Engine 5.2 content scanning technologies for direct integration with your applications or devices

Created: 01 Oct 2009 • Updated: 05 Oct 2009 | 124 comments
Guido Sanchidrian's picture
+9 11 Votes

One of the "best hidden secrets" in Symantec's portfolio is likely the Symantec Scan Engine. This product emerged many years ago from our integration work with large Internet carriers to provide a highly scalable, high-performance antivirus scan engine that was easy to integrate into any kind of third-party application or device. Some people might remember a product called "Carrier Scan Server", which was the first evolution of this product. Now, in version 5.2, Symantec Scan Engine is one of the most mature products in our portfolio and the foundation for several other products; for example, Symantec AntiVirus for Caching and Symantec AntiVirus for Network Attached Storage are based on Scan Engine development.

Symantec Scan Engine itself is also a stand-alone product in our portfolio. First of all, it offers antivirus, spyware/adware blocking and URL filtering technologies that can be easily integrated into applications from third-party independent software vendors, into network attached storage devices from many hardware vendors, into proxy/caching and messaging systems, and into the infrastructure of Internet Service Providers.
Scan Engine integrates easily into network-enabled devices via the Internet Content Adaptation Protocol (ICAP 1.0), which is a very common interface for content scanning, used for example in BlueCoat, NetCache or Cisco caching systems, as well as in proxy applications such as SQUID. In addition, Scan Engine includes a client-side ICAP SDK for C++, Java and C# (for .NET integrations), so that you can quickly link Symantec Scan Engine with your own application. This provides a very flexible and scalable implementation, and it runs on Sun Solaris, Red Hat Linux, Microsoft Windows 2000/2003 and SuSE Enterprise Linux platforms.

It includes a Command Line Scanner for on-demand scanning of files on Unix/Linux systems and, like all other Symantec antivirus products, it is backed by Symantec Security Response, including updates via Symantec LiveUpdate technology on all platforms.

In general, Symantec Scan Engine 5.2 is well suited for third-party independent software/hardware vendors who need antivirus, spyware/adware blocking and URL filtering technologies for direct integration with their applications or devices (across proxy/caching, storage, messaging, etc.).
It is also attractive for large Internet service providers who have proprietary systems (for example, email) and wish to offer antivirus, spyware/adware blocking and/or URL filtering as a value-added service to subscribers.
Last but not least, Symantec Scan Engine 5.2 is ideal for OEMs who wish to offer their customers the option to purchase antivirus or URL filtering for their applications. We provide an SDK which allows you to code in C++ or Java for Windows, Linux, or Solaris. Microsoft RPC is also a supported protocol on Windows, which is used, for example, for NetApp Filer integration.

Over the years, we have seen many partners using Symantec Scan Engine for various integrations. One of the most active partners in this arena is PCS AG in Solingen, Germany, a city which is famous not just for high-quality knife blades, but also for connector development around Symantec Scan Engine. PCS AG is a longstanding Symantec Technology Partner, responsible for high-quality "knife-blade" development of Symantec Scan Engine connectors, for example for MS ISA Server and MS Sharepoint Portal Server. Their latest connector releases now cover Scan Engine connectors for MS SQL databases and MS Internet Information Server, called UNIQUE SQL Protector and UNIQUE IIS Protector. You can watch the following two videos to see how the MS SQL and MS IIS integration works:
UNIQUE SQL Protector video: http://www.pcs-ag.de/index.php?id=285
UNIQUE IIS Protector video: http://www.pcs-ag.de/index.php?id=279

PCS AG is one of the best examples of how flexibly, scalably, and quickly Symantec Scan Engine integrates with any third-party application, system or device. On Google you will find many other examples, such as integrations for Sun StorageTek or Hitachi NAS devices, open-source application integrations, etc. Just look for "Symantec Scan Engine" and "ICAP".

So if you need to scan files for a specific application, or need to scan files submitted to a web server from outside your company, Symantec Scan Engine could be your product of choice. You can simply give it a try and download a 30-day trialware version from http://www.symantec.com/business/scan-engine.

Please don't hesitate to contact me with any further questions.

124 Comments

shp's picture

Great info....... thanks... 

Regards,
Srinivas H.P.
HCL Infosystems Ltd

+1
TSE-JDavis's picture

Scan Engine is a great product to support because it is so portable and powerful. It seems the most popular use at this point is NAS scanning but I have seen it used with a Websense proxy server before and even as a Linux file system scanner.

+1
salmdub's picture

You're right that the SDK provides a C# code example to make the Scan Engine work in a Win Server 2003 environment. This code example appears to require the SESA agent to run on the server.

However in a Win server 2008 environment the SESA agent won't install... and I understand from Symantec's technical support team that there's no plan to make the SESA agent Win 2008 compatible...??

Why is there no example in the SDK to make Scan Engine work in a Win 2008 environment?

0
salmdub's picture

After digging a bit deeper it appears that Scan Engine 5.2.4 has added support for Win Server 2008. If it does support Win Server 2008 how come your SDK doesn't provide a working C# example for the 2008 platform?

A response is appreciated...

0
MaureenJMM's picture

Does Scan Engine 5.2.4 provide an SDK for Java? If yes, please provide a link to the product information.

0
Guido Sanchidrian's picture

Yes, you can use the Java API plug-in (SymJavaAPI.jar) to integrate with Symantec Scan Engine. The Java API provides client antivirus scanning and repair services using the ICAP protocol. The Java API supports the FILEMOD and RESPMOD scanning modes, and it contains the built-in ability to stream files.
You will find some more information in the folder Scan_Engine_SDK/Java/Docs/SymJavaAPIDocs.jar on the product CD and in the archive of the trial version download.

0
Guido Sanchidrian's picture

SESA is an old, legacy architecture of Symantec to provide Security Information and Event Management. It has been replaced years ago by Symantec Security Information Manager appliance. Usually you should be able to use the coding without the SESA portion to create an ICAP client talking with the Scan Engine ICAP Server directly, and there is no need to use the SESA agents anymore, as this backend architecture has been EOL'ed years ago.

0
junkfood's picture

Is Symantec Scan Engine part of the Symantec Endpoint Protection product? My company provides the Symantec Endpoint Protection product, but I don't know whether it provides Symantec Scan Engine or not.

I want to use Symantec Endpoint Engine to scan files for my web application. Here is what I am going to do. I am going to start writing the application program first, and my client-side application program will use SymJavaAPISym to configure an application to pass files to Symantec Antivirus Scan Engine for scanning using the ICAP protocol.

If I don't have Symantec Scan Engine, are there any other ways I can do the implementation?

Thanks

0
TSE-JDavis's picture

Junkfood,

Scan Engine is not part of SEP, it is a different product with different licensing.

You can download a copy of it here and you will be emailed a 30-day license to try it out:

http://www.symantec.com/business/scan-engine

It comes with the implementation guide, SDK and examples, and also a Java command-line scanner, which sounds like it would work best for your web environment.

+1
junkfood's picture
Thank you for your fast and detailed response. I really appreciate it.
Now I am going to use the trialware first. My IT Manager will take care of the product license.
However, I have met some problems after I installed Symantec Scan Engine 5.2 on Windows 2K3.
I followed the instructions in the Symantec Scan Engine Implementation Guide, setting up my admin account and using the default number 8004 and default SSL 8005. The JRE I used is 1.6.
But now, when I want to start the console I go to http://127.0.0.1:8004/ or http://localhost:8004/ and the result is only 5 squares in the IE browser.
If I type https://127.0.0.1:8004 or https://localhost:8004/ , the result shows no page can be displayed in the IE browser.
If I type http://localhost/ , my Tomcat Apache server console shows up.
Do you have any ideas about this? Is the problem with the license? Is the problem with the version of IE?
0
TSE-JDavis's picture

The page to access is https://localhost:8004/. You need to make sure you only have one version of Java installed. Multiple versions can cause issues.

Also, make sure the Symantec Scan Engine service is running by looking in services.msc.

Keep in mind that we use a self-signed certificate, so it's going to warn you that it's not a safe site, even though it's fine.

Lastly, I would recommend using Firefox, since it is much more compatible with the Scan Engine interface and doesn't bother you so often about the self-signed certificate.

+1
junkfood's picture

Hi, TSE-JDavis:

Thank you for your answer.

I followed your suggestion:

1. Go to the Java Control Panel (Settings - Control Panel - Java) and clean the Java cache.

2. Install Firefox.

3. Go to Administrative Tools --> Services --> It shows the status of Symantec Scan Engine as started.

4. Open Firefox and type https://localhost:8004/ in the URL bar. Here is the error message I get from Firefox:

You have asked Firefox to connect securely to localhost:8004, but we can't confirm that your connection is secure.

Normally, when you try to connect securely, sites will present trusted identification to prove that you are going to the right place. However, this site's identity can't be verified.

What Should I Do?

If you usually connect to this site without problems, this error could mean that someone is trying to impersonate the site, and you shouldn't continue.

Technical Details

localhost:8004 uses an invalid security certificate.

The certificate is not trusted because it is self-signed.
The certificate is only valid for Symantec Scan Engine 5.2

(Error code: sec_error_ca_cert_invalid)

I Understand the Risks

If you understand what's going on, you can tell Firefox to start trusting this site's identification. Even if you trust the site, this error could mean that someone is tampering with your connection.

Don't add an exception unless you know there's a good reason why this site doesn't use trusted identification

0
junkfood's picture

Hi, TSE-JDavis:

Now I can access the Symantec Scan Engine Console after I chose to add an exception.

Once again, thank you for your help.

0
junkfood's picture
Thank you for the help. I already solved the problem, and now I can log in to the Symantec Scan Engine Console.

After I log in to the Symantec Scan Engine Console, it asks me to provide a license file; otherwise, it will not provide any service or scanning feature.

Do you know where I can get a 30-day license file or product license to activate all the services provided by Symantec Scan Engine?

Should I send the request to the Symantec Licensing Portal?

0
TSE-JDavis's picture

When you followed the link I sent you, as soon as you started the download, we emailed you a 30-day trial license. It would have come from licensing@symantec.com and included a .zip file which contains the .slf you need to give Scan Engine.

+1
jagcycsi's picture

Hi, I have installed Scan Engine and the console page is working, but I cannot find the 30-day trial license. Could you send me a trial license?

Thanks.

0
TSE-JDavis's picture

You can either download the trialware here and get emailed a 30 day license:

http://www.symantec.com/business/scan-engine

or you can call customer service and get one:

http://www.symantec.com/business/support/assistanc...

+1
junkfood's picture

Hi, TSE-JDavis;

I already got the 30-day trial license, and finished setting up the Scan Engine Server.

Now I am going to implement the web application by using SymJavaAPIDocs.

The Scan Engine SDK already provides the jar file and the JavaAPICheck example. It is very helpful for me to implement my application by using Java.

However, the jar SymJavaAPIDocs is provided by Symantec without any javadoc documentation.

Do you know where I can find the javadoc documentation or any useful examples or tutorial documents about using this Java jar?

Thanks.

0
arunchp's picture

I tried JavaAPICheck.java given with SymJavaAPI.jar, and I got the following resultStatus = FILE_ACCESS_FAILED

For security purposes I mention the IP as a localhost reference.

D:\dev\test\TestProject>java JavaAPICheck -streamFileLocal:0 file:\\127.0.0.1\test\TestProject\test.doc
----------------------------------------------------------------------
Scanning file ........................................................
----------------------------------------------------------------------
Results ..............................................................
----------------------------------------------------------------------
File Scanned            : \\127.0.0.1\test\TestProject\test.doc
Scan Policy             : SCAN
File Status             : FILE_ACCESS_FAILED
Total Infection         : 0
Virus Def Date          : Tue Feb 23 00:00:00 IST 2010
Virus Def Revision No   : 004
Scan Engine IP          : 127.0.0.1
Scan Engine Port        : 1344
Scan Engine Access      : Able to connect

Please suggest what I am doing wrong, and how I can proceed further.

0
Guido Sanchidrian's picture

Please let me know what method you are using - createFileScanRequest or createStreamScanRequest. There is a fundamental difference between FileScanRequest and StreamScanRequest behavior. FileScanRequest operates on an absolute file path. If you want to use FileScanRequest, you have to ensure that the file is directly accessible to the scan engine at the given path, otherwise you will get the "FILE_ACCESS_FAILED" error return. This method is typically used when the client and the scan engine are on the same box. If this is not the case, then we would recommend using StreamScanRequest.

0
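What stream-based scanning looks like on the wire, as an added example that is not part of the original thread and not code from the Symantec SDK: the file's bytes travel inside a chunked ICAP RESPMOD body (RFC 3507), so the scan engine never needs a path it can open itself. The service name `SERVICE-PLACEHOLDER`, the host `upload.invalid`, the function names, and the assumption that the server may send the `X-Infection-Found` header from the ICAP extensions Internet-Draft are all illustrative.

```python
import io
import socket
from urllib.parse import quote

CRLF = b"\r\n"


def respmod_head(host, port, service, filename):
    """ICAP RESPMOD header followed by the encapsulated HTTP header blocks."""
    # Minimal constructed HTTP request/response headers describing the object
    # to inspect; "upload.invalid" is a placeholder origin host.
    req_hdr = (f"GET /{quote(filename)} HTTP/1.1\r\n"
               "Host: upload.invalid\r\n\r\n").encode("ascii")
    res_hdr = (b"HTTP/1.1 200 OK\r\n"
               b"Content-Type: application/octet-stream\r\n\r\n")
    # Encapsulated offsets count from the first byte after the ICAP header.
    icap = (f"RESPMOD icap://{host}:{port}/{service} ICAP/1.0\r\n"
            f"Host: {host}:{port}\r\n"
            "Allow: 204\r\n"
            f"Encapsulated: req-hdr=0, res-hdr={len(req_hdr)}, "
            f"res-body={len(req_hdr) + len(res_hdr)}\r\n\r\n").encode("ascii")
    return icap + req_hdr + res_hdr


def respmod_pieces(stream, host, port, service, filename, chunk_size=64 * 1024):
    """Yield the request piece by piece so a large file is never held in memory."""
    yield respmod_head(host, port, service, filename)
    while True:
        block = stream.read(chunk_size)
        if not block:
            break
        # Chunked transfer coding: hex length, CRLF, data, CRLF.
        yield b"%x\r\n" % len(block) + block + CRLF
    yield b"0\r\n\r\n"  # zero-length chunk ends the body


def parse_icap_head(raw):
    """Return (status_code, headers) from the start of an ICAP response."""
    head = raw.partition(b"\r\n\r\n")[0].decode("latin-1")
    status_line, *header_lines = head.split("\r\n")
    parts = status_line.split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("ICAP/") or not parts[1].isdigit():
        raise ValueError(f"not an ICAP status line: {status_line!r}")
    headers = {}
    for line in header_lines:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return int(parts[1]), headers


def classify(code, headers):
    """Map an ICAP response to a decision; anything unexpected is not 'clean'."""
    if "x-infection-found" in headers:  # assumed: server sends this draft header
        return "infected"
    if code == 204:
        return "unmodified"   # server saw no need to change the object
    if code == 200:
        return "modified"     # server returned a replacement; treat as flagged
    return "error"            # fail closed: do not accept the upload


def scan(stream, host, port=1344, service="SERVICE-PLACEHOLDER", filename="upload.bin"):
    """Stream a file-like object to an ICAP server and classify the answer."""
    with socket.create_connection((host, port), timeout=30) as sock:
        for piece in respmod_pieces(stream, host, port, service, filename):
            sock.sendall(piece)
        raw = b""
        while b"\r\n\r\n" not in raw:
            data = sock.recv(4096)
            if not data:
                break
            raw += data
    return classify(*parse_icap_head(raw))


if __name__ == "__main__":
    # Constructed sample: a 10-byte "file" in 4-byte chunks, printed instead of sent.
    wire = b"".join(respmod_pieces(io.BytesIO(b"A" * 10), "127.0.0.1", 1344,
                                   "SERVICE-PLACEHOLDER", "test.doc", chunk_size=4))
    print(wire.decode("ascii"))
    print(classify(*parse_icap_head(b'ICAP/1.0 204 No Content\r\nISTag: "constructed"\r\n\r\n')))
```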
srinivas.guruzu@wellsfargo.com's picture

We are trying to use the Java API for scanning large files. The idea was to compare the command line invocation with the Java API for response and performance. We had two implementations, one that takes the location of the file and the other that takes the inputStream. The file size we chose was 380 MB, which is possible for our application. When scanning with the inputStream, we are getting

Problem encountered! Scanning Failed!! ERROR_SOCKET_COMMUNICATION
com.symantec.scanengine.api.ScanException: Unable to communicate with Symantec Scan Engine.
        at com.symantec.scanengine.api.RequestImpl.readResult1(Unknown Source)
        at com.symantec.scanengine.api.RequestImpl.finish(Unknown Source)
        at com.wellsfargo.virusscan.VirusScanTest2.main(VirusScanTest2.java:64)

and when scanning with the file location in the JAVA API, we are getting
Exception in thread "main" com.symantec.scanengine.api.ScanException: Unable to open a stream to recieve the data from the server.
        at com.symantec.scanengine.api.RequestImpl.read(Unknown Source)
        at com.symantec.scanengine.api.FileScanRequestImpl.scanFile(Unknown Source)
        at com.wellsfargo.virusscan.VirusScanTest.main(VirusScanTest.java:31)

Also the input stream is slow. Are we missing some configuration? I would really appreciate any ideas and suggestions.

0
shibboleth's picture

still a problem here too, but i get "INTERNAL_SERVER_ERROR" on files slightly larger than a few meg

running: eclipse (galileo)

using 5.2.8 jar

and in case this matters: windows server 2003 R2 (64 bit) SP2

is it possible no virus/worm/malware could ever exist on a file so large?

+1
TSE-JDavis's picture

Please see this document as it provides insight into this issue and a couple of solutions.

http://www.symantec.com/docs/TECH88966

+1
shibboleth's picture

thanks -- those sizing tweaks did get me past that point.

next, why won't the engine be allowed to scan certain files, like those found in C:\WINDOWS\system32\config?  could it be that files which already have a handle doled out are off-limits?

btw, this is using the SymJavaAPI.jar

ed: error is FILE_ACCESS_FAILED

0
TSE-JDavis's picture

We are not going to be able to scan a file that has been locked out by the OS or another process. This is also the case when a file-level antivirus program like Endpoint Protection is on the machine where the file is located. When it detects us accessing the file, it will scan it before we get a chance to and we typically time out waiting for SEP to scan it. This is why you need to set exclusions for SEP to not scan our temp directory.

I hope you are not trying to use Scan Engine as a file-level antivirus solution. This is not what it is designed for and will not give you adequate protection. You should be using SEP which is a ring 0 device and can scan and lock out files before anything else can access them, including the OS.

Scan Engine is designed to scan files on a remote system before they enter the environment Scan Engine is set up to protect.

+1
shibboleth's picture

ok, obviously i was a little confused: i inferred from RTFMing the SymJavaAPI.jar is designed to do exactly that -- end point scanning (by file). but just b/c i could does not mean i should. got it.

so i reckon scanengine should sit apart from a file svr/repos then & act as a remote gatekeeper then? if so, i'll factor that in to my design.

thanks for making it all plain

0
BenDC's picture

Sounds like you may be trying to use the Scan Engine for file system protection/scanning, which is not really the intended use of the Scan Engine. As TSE-Jdavis said, you are best off using something like our SEP or SAV solution for file system protection as it was designed exactly for that and has kernel level drivers to hook to files and scan them as they are read/written to the disk.

Scan Engine is typically used for providing virus scanning services/protection to services and systems that one would not be able to use SEP or SAV type products with directly such as Netapp filers, proxy/caching servers, Sharepoint, or file submissions from webforums etc.

+2
FbacchinZF's picture

I have several Scan Engine for NAS running with some IBM Netapp Storage systems I have on different plants.
So, I have several Scan Engine Consoles to monitor everyday.

Is there a way to integrate those consoles ? maybe with SEP11 console ? or SAV reporter ?

Thanks

0
Guido Sanchidrian's picture

@FbacchinZF
SEP 11 Console and Scan Engine Console can run on the same computer regardless what Java version you use. But they don't integrate.

Symantec Scan Engine events can be integrated into a centralized console, but it requires another product from Symantec called "Symantec Security Information Manager". Please take a look to the following document that will also link to another document with some more details about this integration: http://service1.symantec.com/SUPPORT/ent-gate.nsf/....

Symantec Security Information Manager is a soft-appliance, that runs on either a specific Symantec hardware appliance or specific Dell, HP, IBM appliances. We don't have a trialware available online, but you can contact your Symantec representative to request a demo unit for your company. SSIM comes with hundreds of collectors to collect and correlate events from many various sources, incl. firewalls, intrusion detection, AV etc. You can get a list of all collectors in the SSIM forum on Symantec Connect: https://www-secure.symantec.com/connect/security/f....

You also mentioned "Threat Reporter" (formerly known as "SAV Reporter"). This is a famous reporting tool from Symantec Consulting Group based on HTML, PHP, MySQL/MS SQL Server, perl. It is very dedicated to AntiVirus products (from Symantec and other third-party vendors), and is different to SSIM and its broader security posture and correlation approach. However, Threat Reporter also supports Scan Engine 5.x reporting.

Hope this helps. Please don't hesitate to ask further questions.

-Guido

0
rgill's picture

Where can I find documents/white papers detailing the performance/throughput of Symantec Scan Engine?


0
FbacchinZF's picture

@Guido

Thanks for your detailed answer.

Integrating Scan Engine with Threat Reporter will be wonderful for me :)

How do I do that ? Is there any documentation about it ?

Should I just install the reporting agents as I do for SAV Parent Servers ?

0
Ramprasad_Rajaraman's picture

Hi All,
We have a scenario in which we are using Symantec Scan Engine for the virus scan of uploaded files. Unfortunately the system we are using is on the .NET 1.1 framework. When we use the DLL given by Symantec Scan Engine, it does not allow us to add a reference, as there is no forward compatibility in .NET. The Scan Engine DLL is given with .NET version 2.0. The only thing we can do is have a web service wrapper on top of the .NET 2.0 DLL and call the web service method from the .NET 1.1 application.

Is there any way that we can get the .NET 1.1 runtime version of the Scan Engine DLL so that we can reference it in our application?

Please provide some pointers on the same.

Ramprasad R

0
padam_chhetri@persistent.co.in's picture

Hi All,

We are using the Java API to scan local files (the scan engine and the files are on the same box, Win 2003). When we scan a file of size 30 MB, it scans the file successfully

C:\project>java -classpath .;C:\project\SymJavaAPI.jar JavaAPICheck -streambased:1 -streamFileLocal:1 -file:"c:\data\30mb.zip"
----------------------------------------------------------------------
Scanning file ........................................................
----------------------------------------------------------------------
Results ..............................................................
----------------------------------------------------------------------
File Scanned            : c:\data\30mb.zip
Scan Policy             : DEFAULT
File Status             : CLEAN
Total Infection         : 0
Virus Def Date          : Tue Mar 09 00:00:00 GMT+05:30 2010
Virus Def Revision No   : 009
Scan Engine IP          : 10.77.201.95
Scan Engine Port        : 1344
Scan Engine Port        : Able to connect

but when we scan a file of size 75 MB it shows the error

C:\project>java -classpath .;C:\project\SymJavaAPI.jar JavaAPICheck -streambased:1 -streamFileLocal:1 -file:"c:\data\75mb.zip"
Problem encountered! Scanning Failed!! ERROR_SOCKET_COMMUNICATION

Please provide some pointers to solve the issue.

Thanks

0
oliver.tlliu@gmail.com's picture

Scan Engine is such a powerful product!

I would like to buy a Symantec Antivirus, Protection Suite or something, but also want to use the Scan Engine to integrate with some other ones.

So I was wondering which Symantec product is using Scan Engine. Can you give some detailed info?

+1
TSE-JDavis's picture

The only actual Symantec product that uses Scan Engine is Symantec Protection for Sharepoint Servers. Scan Engine is more commonly used by third-party products such as NetApp Filer, EMC Celerra, Websense, BlueCoat, Squid proxy, etc.

The Scan Engine does come with an SDK so you can create your own web-based connector or integrate Scan Engine into your existing products.

+1
oliver.tlliu@gmail.com's picture

I've downloaded some trial version antivirus products, and found that some of them are based on Scan Engine: I had to install the Scan Engine first and then install the antivirus product.
Now the question is: if I bought an antivirus product for a system that includes the Scan Engine in the installation package, do I need to install the Scan Engine again when configuring Symantec Protection for SharePoint Servers? It makes me feel like I am paying twice for one thing.

0
way_ne's picture

Wish I knew about this scan engine months ago, would have saved a lot of time.

0
rasuthar's picture

Hi ,

I have downloaded and installed the trialware, Scan Engine 5.2. The URL https://localhost:8004 opens perfectly. But when I enter the Administrator console password, it throws an error saying "password is invalid or Scan Engine Server not running". I have tried uninstalling and reinstalling just to make sure that the password is correct. The result was the same error.

ScreenShot : https://www-secure.symantec.com/connect/sites/default/files/sse.JPG

System OS : Windows Server 2003 
Scan engine : Trial Ware 5.2

Please reply as soon as possible as I need to evaluate the product ASAP and take a decision.

0
TSE-JDavis's picture

This error has been caused by a few different things in the past.

The first to check is to make sure you only have one JRE installed and no Java SDKs of any kind. The best thing to do if you have multiple versions is to uninstall all of them and Scan Engine and just install the JRE package that comes in our Tools folder and then Scan Engine.

The second thing I have seen cause this is using localhost instead of the hostname of the computer. Try using either the IP address or the hostname assigned to the computer.

+1
Jonathansh's picture

Hi,

I'm using SSE 5.2 on Windows 2003 Server.
When scanning doc\pic files I receive error code 3 and the following log:
1279803675|10|2|1|33|Decomposer|34|17|4|E:\testFile.up.doc|39|127.0.0.1|17|0.000|18|0.000|43|myServerIP|44|1344|45|90184

Thanks
Jonathan

0
TSE-JDavis's picture

Check out this document directly addressing the Decomposer 17 error you are seeing:

Title: 'How to troubleshoot Decomposer / 17 scan errors from Scan Engine 5.x'
Document ID: 2009080409140454
Web URL: http://service1.symantec.com/SUPPORT/ent-gate.nsf/...

Since I see that the file appears to be on a local drive already, I would look to make sure you don't have a file-level antivirus product scanning the file while we are trying to scan it or scanning the Scan Engine's temp directory.

+1
srinikandula's picture

Hello,
I have got the JavaAPICheck example working. Now I want to understand the process and probably tweak it a little bit for use in my web application. Where can I find the Java docs for SymJavaAPI.jar?

-Srini

0
TSE-JDavis's picture

Fail in what way? You can create a file that will violate the container limits. You can turn on blocking on encrypted files. You can send it the EICAR test virus file to create a virus incident.

+1
srinikandula's picture

Thank you. Do you have the Java Docs published somewhere for the classes in SymJavaAPI.jar?

-Srini

0
Guido Sanchidrian's picture

You will find the Java docs in the folder Scan_Engine_SDK/Java/Docs/SymJavaAPIDocs.jar on the product CD and in the archive of the trial version download.

0
TSE-JDavis's picture

No, each Scan Engine installation is its own entity and has no awareness of other Scan Engines.

+1
Guido Sanchidrian's picture

Well, the Symantec Scan Engine APIs provide load balancing across multiple computers that run Symantec Scan Engine. Client applications that pass files to Symantec Scan Engine benefit from load-balanced scanning without any additional effort. If you use multiple scan engines, the API determines which scan engine receives the next file to be scanned based on a scheduling algorithm.
If any Symantec Scan Engine cannot be reached or fails during a scan, another Symantec Scan Engine is called. The faulty Symantec Scan Engine is taken out of rotation for a period of time. If all of the Symantec Scan Engines are out of rotation, the faulty Symantec Scan Engines are called again.
If your client uses ICAP, the ICAP threshold client notification feature is enabled by default. When the number of queued requests for a Symantec Scan Engine exceeds its threshold, Symantec Scan Engine rejects the scan request. It notifies the client that the server has reached the queued request threshold. The client can then adjust the load balancing, which prevents the server from being overloaded with scan requests. This feature lets the client applications that pass files to Symantec Scan Engine benefit from load-balanced scanning without any additional effort.
You will find additional information about load balancing in the Implementation Guide.

+1
Sam79's picture

Thanks Guido for your clarifications.

Now I am looking to see if I can integrate SSE with F5 Big IP LTM to scan the files uploaded to my web application before they reach the web server tier, while at the same time keeping the user informed that the uploaded file contained a virus.

If you have any experience regarding this please let me know.

Regards.

0
Guido Sanchidrian's picture

Hello, the Big IP Local Traffic Manager is working as a proxy. To use Scan Engine with it, this proxy would have to talk to Scan Engine via a protocol. The most common integration is via ICAP, where the proxy is acting as an ICAP client, and the Scan Engine server or server pool as the ICAP server.
I took a quick look at the F5 website, and it seems that they don't have an ICAP client feature in the Big IP LTM appliance. That said, there is not much you can do apart from asking F5 to add an ICAP client module to their proxy OS. I did some other searching on their webpage and it appears that their latest version (v10.2) of F5 BIG-IP Application Security Manager (ASM) includes an ICAP client. You can see more details on http://devcentral.f5.com/weblogs/macvittie/archive.... I guess that this is an additional module to the Big IP appliance, but you will get more info about it from F5 directly. However, as long as it is using the ICAP standard, the integration and configuration is pretty easy, as you just have to set the ICAP (Scan Engine) server IP and port.

+1
Sam79's picture

Dear Guido,

Thanks for your reply.

After integrating the SSE with F5 ASM how can we maintain the high availability (clustering) of SSE?

0
Guido Sanchidrian's picture

There is not much you can do on the Scan Engine Server side. It is up to the ICAP client to support the load balancing feature of the ICAP protocol.
If your client uses ICAP, the ICAP threshold client notification feature for Scan Engine is enabled by default. When the number of queued requests for a Symantec Scan Engine exceeds its threshold, Symantec Scan Engine rejects the scan request. It notifies the client that the server has reached the queued request threshold. The client can then adjust the load balancing, which prevents the server from being overloaded with scan requests. This feature lets the client applications that pass files to Symantec Scan Engine benefit from load-balanced scanning without any additional effort.
In other words, ideally, the F5 ASM would have to know the IP address pool of the various scan engine servers in your cluster (not just a single IP address), and secondly the ICAP client within ASM would have to be able to handle "SCAN REJECT" responses to apply load balancing. As far as I can see on the F5 website, this is not the case, but you might want to ask the F5 support people.
On the screenshot on the DevCentral F5 website, I can see that the ICAP client accepts the server host name instead of an IP. In this case, you could probably apply load balancing between your scan engine servers by using DNS Round Robin (single host name --> multiple IP addresses). It is not real load balancing that takes the server load into account, but at least some sort of load distribution.
Please let us know if this helps.

0
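The client-side behaviour described in the reply above (a pool of scan servers, moving on when one rejects a request, and the DNS round-robin fallback), as an added Python sketch at the ICAP protocol level; it is not code from the thread or from the Scan Engine SDK. The thread does not say which status a rejected request carries, so treating any 5xx ICAP status or a connection error as a rejection is an assumption, as are the `IcapPool`, `resolve_pool` and `send` names.

```python
import socket
import time


class ScanUnavailable(Exception):
    """No server accepted the request; the content has NOT been scanned."""


def resolve_pool(hostname, port=1344):
    """Every address behind one host name, so the client can balance itself
    instead of depending on the order the resolver happens to return."""
    infos = socket.getaddrinfo(hostname, port, type=socket.SOCK_STREAM)
    return sorted({info[4][:2] for info in infos})


class IcapPool:
    """Round-robin over ICAP servers, skipping ones that recently rejected us."""

    def __init__(self, servers, send, backoff=30.0, clock=time.monotonic):
        if not servers:
            raise ValueError("at least one ICAP server is required")
        self.servers = list(servers)
        self.send = send          # send(server, request) -> raw response bytes
        self.backoff = backoff    # seconds to leave a rejecting server alone
        self.clock = clock
        self.retry_at = {s: 0.0 for s in self.servers}
        self._next = 0

    def scan(self, request):
        """Return (server, icap_status) from the first server that accepts."""
        now, n = self.clock(), len(self.servers)
        order = [self.servers[(self._next + i) % n] for i in range(n)]
        self._next = (self._next + 1) % n
        for server in order:
            if self.retry_at[server] > now:
                continue          # still backing off after an earlier rejection
            try:
                # Status line looks like b"ICAP/1.0 204 ..."; field 2 is the code.
                code = int(self.send(server, request).split(b" ", 2)[1])
            except (OSError, IndexError, ValueError):
                code = None       # unreachable or garbled reply
            if code is not None and code < 500:
                return server, code
            # Assumption: a 5xx status is how a rejection is signalled.
            self.retry_at[server] = now + self.backoff
        raise ScanUnavailable("all ICAP servers rejected or unreachable")
```

When `ScanUnavailable` is raised the caller should hold or refuse the content rather than pass it on unscanned.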
TSE-JDavis's picture

Sorry, no. Here is our support matrix:

Title: 'Symantec Scan Engine 5.2.x Platform Support Matrix'
Document ID: 2010021811473054
Web URL: http://service1.symantec.com/SUPPORT/ent-gate.nsf/...

+1
asallaup's picture

Thanks for the answer, but according to:

http://service1.symantec.com/support/ent-gate.nsf/854fa02b4f5013678825731a007d06af/d808b230a713fe838025754b0036ce10?OpenDocument

you are planning to do that:

"Also note that Symantec is planning to release a Solaris x86 platform-compatible Scan Engine release within the next few months." and this was written 27.01.2009

0
TSE-JDavis's picture

I have put an inquiry in to our backline level support reps and they are currently discussing this. There is indeed conflicting information out there. I should be able to post an update soon.

+1
sabiha_a@yahoo.com's picture

When we use ICAP for scanning a file, is it necessary that the entire file be passed? I.e., if we want to intercept a read of a file, can we just pass the data block read to the scan engine to determine if the data has a virus, or should we scan the entire file?

Similarly, in the write path, the data should be scanned before writing to disk, right? It can be just a block of data, is this correct?

0
TSE-JDavis's picture

You can always use the Trickle function of ICAP in your connector. We support that feature.

+1
nava kv's picture

We have Symantec Scan Engine to scan the files on a NAS storage box. We have observed that the files are not routed through the Symantec Scan Engine server, hence it is not able to scan any of the files on the storage. Could anyone help to solve this problem?

0
TSE-JDavis's picture

You should contact the support department for your NAS and make sure it is set up correctly to send the files to the Scan Engine.

+1
nebulesys's picture

Hi,

I downloaded your trial version, and installed in a red hat linux machine.

I see that the scan engine is running:

[root@lab11-50 /]# ps -aef | grep sym
root     30841     1  0 09:37 ?        00:00:00 /opt/SYMCScan/bin/symcscan -config:/opt/SYMCScan/bin -daemon
root     30842 30841  0 09:37 ?        00:00:12 /opt/SYMCScan/bin/symcscan -config:/opt/SYMCScan/bin -daemon
root     30942 29922  0 10:09 pts/0    00:00:00 grep sym
[root@lab11-50 /]#

My eth0 address is :

eth0      Link encap:Ethernet  HWaddr 00:30:48:5E:69:30
          inet addr:15.226.49.168  Bcast:15.226.49.255 

I go to a Windows machine, and using Explorer/Mozilla I do the following:

https://15.226.49.168:8004  and I do not get the console, I just get a cannot find page error.

Can you kindly let me know what I am missing?

0
TSE-JDavis's picture

There are a lot of environmental factors that could cause this such as firewalls or SELinux being installed. This could also be due to a Java conflict on the server.

+1
NJain's picture

Hi-,

  While trying to use createStreamScanRequest() in my application, I am getting an exception while calling finish():

StreamScanRequest streamScanReq = scanEngine.createStreamScanRequest(fileName, null, output, Policy.DEFAULT);

Result result = streamScanReq.finish();

com.symantec.scanengine.api.ScanException: Unable to communicate with Symantec Scan Engine.

        at com.symantec.scanengine.api.RequestImpl.readResult1(Unknown Source)

        at com.symantec.scanengine.api.RequestImpl.finish(Unknown Source)

The SSE is running and port is also good.

The above call is working fine from another application deployed as a war on the same server.

Does anyone have any idea what could be causing this exception within one web app while it works in the other?

Thanks.

0
amjathsha's picture

Hi all,

I have installed Symantec AntiVirus for NAS 5.2 on RHEL 5.4 64-bit, and installed JRE 1.5.0.13. But I can't open the interface through Firefox.

It is showing that "to view symantec scan engine administrator interface,please install java runtime environment (jre) 5.0 update 6 or later."

I did the same also. But no changes. Please help me on this.

0
TSE-JDavis's picture

Are you using Firefox on the same Linux server you installed Scan Engine on? The JRE plugin is not automatically installed into Firefox, you have to install it manually.

http://www.symantec.com/docs/TECH85820

+1
sabiha_a's picture

Is the trickle approach the same as preview? If not, can you point us to more information on the usage of this?

Moreover, is the FILE_MODE approach of scanning more efficient than using RAW ICAP to pass file data? If yes, how and why?

0
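For the preview part of the question above, this is how the standard ICAP preview (RFC 3507) frames a request, as an added Python example that is not code from the thread or from the Scan Engine SDK and says nothing about Scan Engine's trickle feature. The host `scan.example`, the service name `avscan` and the function names are placeholders; the sample bodies in the test are constructed.

```python
from urllib.parse import quote

CRLF = b"\r\n"


def chunk(data: bytes) -> bytes:
    """One chunk of chunked transfer coding: hex size, CRLF, data, CRLF."""
    return b"%x" % len(data) + CRLF + data + CRLF


def build_respmod(host, service, filename, body, preview_size):
    """Return (first_message, remainder). remainder is None when the whole body
    fits in the preview; otherwise it is sent only after '100 Continue'."""
    h = host.encode()
    # Encapsulated HTTP headers that describe the object being scanned.
    req_hdr = (b"GET /%s HTTP/1.1" % quote(filename).encode() + CRLF
               + b"Host: %s" % h + CRLF + CRLF)
    res_hdr = (b"HTTP/1.1 200 OK" + CRLF
               + b"Content-Length: %d" % len(body) + CRLF + CRLF)
    icap_hdr = CRLF.join([
        b"RESPMOD icap://%s/%s ICAP/1.0" % (h, service.encode()),
        b"Host: %s" % h,
        b"Allow: 204",
        b"Preview: %d" % preview_size,
        # Offsets of each encapsulated part, counted from the end of the ICAP header.
        b"Encapsulated: req-hdr=0, res-hdr=%d, res-body=%d"
        % (len(req_hdr), len(req_hdr) + len(res_hdr)),
    ]) + CRLF + CRLF

    head, tail = body[:preview_size], body[preview_size:]
    start = icap_hdr + req_hdr + res_hdr + (chunk(head) if head else b"")
    if not tail:
        # Whole body is inside the preview: "ieof" says no more data follows.
        return start + b"0; ieof" + CRLF + CRLF, None
    return start + b"0" + CRLF + CRLF, chunk(tail) + b"0" + CRLF + CRLF


def icap_status(response: bytes) -> int:
    """Status code from an ICAP status line such as b'ICAP/1.0 100 Continue'."""
    parts = response.split(CRLF, 1)[0].split(b" ", 2)
    if len(parts) < 2 or not parts[0].startswith(b"ICAP/") or not parts[1].isdigit():
        raise ValueError("not an ICAP response")
    return int(parts[1])


def after_preview(code: int) -> str:
    """What the client does once the server has answered the preview."""
    if code == 100:
        return "send-remainder"              # server wants the rest of the body
    if code == 204:
        return "unmodified"                  # server made no modification
    if code == 200:
        return "read-encapsulated-response"  # server returned its own response
    return "fail-closed"                     # anything else: treat as not scanned
```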
shibboleth's picture

hi.

using the boilerplate sample API code, i wrote some code to successfully interrogate local files.  where i run into difficulty is getting files from a mountpoint (shared drive) in windows to pass to SSE.  in debug, i correctly resolve the filename, and i can confirm this by cut/paste into file explorer & retrieve the file.  however, it fails in this part of the code.  assume you're relatively familiar w/ the symjavaapi.jar code, or at least, the "how to use it" sample.

fileScanReq = scanEngine.createFileScanRequest(fileForScan, scPolicy);

Result result = fileScanReq.scanFile();

returns FILE_ACCESS_FAILED.

when i mimic the directory structure locally, all is well. (e.g., swap 'z:' with 'c:')

0
TSE-JDavis's picture

Are there any permission needs for the shared drive? Try running the Scan Engine service as your user account and see if it succeeds.

+1
shibboleth's picture

hmmm...i've confirmed it's not a permissions problem, but i believe windows is trying to make me think it's physically located in \\shared_drive\some_dir\some_file , but when i look at the properties of the file, it claims to be 13 bytes, but 4096 on disk, which makes me think it's actually a sym link that samba(?) can fetch for me when i dblclick on it.

long story short: this is more a java & os issue than sse

0
satya sheel's picture

Hi, I need to know how to use the SSE 5.2 Java API with a web application created using Struts 2.

Should the file be scanned before uploading to the server? The Struts application takes files and puts them on the server as temporary files for further processing.

We are going to take the file from the client's machine; at what moment should we scan the file?

1) If we need to scan the file before uploading to the server, then how can I scan the file directly from the client machine?

2) If I should scan the file from the server, then it is already present physically on the server and it might infect the server before the scan process is done.

0
mtpo_bne's picture

We have Scan Engine 5.2 installed on RHEL and have been running scans successfully. Over the weekend Scan Engine shut down.

The message was that the system could not access our /Symcscan/Temp folder. Checking the 68GB drive, the /Symcscan/Temp folder had 568 log files that used 65GB of space. Is there a way to have the system purge temp log files by time or date automatically? After deleting all the log files in this location and rebooting the server, Scan Engine was available.

0
beads's picture

I have had the same issue with Scan Engine 5.2 installed on Windows 2003 R2 Enterprise x64.

Also looking for a purging kind of solution.

0
TSE-JDavis's picture

Yes, the option is listed under Monitors -> Logging. The option is labeled "Number of log files to retain (one per day)". If you want to keep logs for only 30 days, you would type 30 into the box. Setting it to the default of 0 keeps everything.

You should also consider lowering your logging level if it is above warning.

+1
beads's picture

In our environment Symantec Anti Virus Corporate Edition is used on the local servers. Additionally we purchased the SAV for NAS solution which incorporates the Scan Engine, which also runs on a local server, but scans the Celerra NAS.

So our environment is already getting its updates via SAVCE, so we don't require an additional definition update license for SAV for NAS, if we use Intelligent Updater, right?

0
TSE-JDavis's picture

Not true. First of all, you are not just paying for virus updates when you purchase the product. You are paying for support and product updates.

Second, Scan Engine/SAV for NAS will not use the new definitions if the license has expired.

+1
muzamandmuzam's picture

Hi, I am getting the following error.

C:\Documents and Settings\portaluser\My Documents\NetBeansProjects\dist>java -jar JavaAPICheck.jar -streambased:1 -streamFileLocal:1 -file:"c:\test\test.doc"
OUTPUT:
Problem encountered! Scanning Failed!! MAX_TRIES_REACHED.

How can I solve this problem? Thanks

0
JohnGotangco's picture

Hi,

We are currently trying out trial version Scan Engine and integrating it in our java web applications.

We are able to pass file streams and it is scanned ok.

Testing this using EICAR files and virus detection works ok.

But the problem is that it passes zip files that contain EICAR files. It seems that it cannot detect that there are viruses in the content of the zip file.

Is this a bug or is there something that we need to tweak.

Currently we are only using trial version to test, is this just the limitation of the trial version?

Hoping for your fast reply for we are currently considering this product to be a part in our production systems.

Thanks

0
TSE-JDavis's picture

There is no known defect in Scan Engine that would cause this. What if you test the file with ssecls.exe? Is EICAR detected at that point?

+1
JohnGotangco's picture

Using the command line scanner (ssecls.exe) detected the EICAR Virus successfully. But what we are currently using right now is SymJavaApi.jar in our web application which fails detecting viruses on zip files.

Is there anything we could do to fix this on our side? I don't know if we could use the ssecls.jar in our Java web application. We are currently sending a ByteArrayOutputStream as the representation of the file to be scanned. Currently we have just replicated the example included in the Scan Engine installer.

Is there anything we could do to fix this? If we need to resort to the command line scanning, is there any example that could be provided, the same as the example using SymJavaApi?

We really would appreciate this.

Thanks.

0
JohnGotangco's picture

Hi,

Would like to follow up on my query above regarding zip files not being scanned by Symantec Scan Engine 5.2 using SymJavaApi.

Below is the class we are using to scan the stream being passed:

import java.io.ByteArrayOutputStream;
import java.io.OutputStream;
import java.util.Vector;
import java.util.logging.Level;
import java.util.logging.Logger;

// Scan Engine Java API package, as it appears in the stack trace earlier in this thread;
// assumed to hold the other API classes used below as well.
import com.symantec.scanengine.api.*;

public class VirusScanFunctions {
    // Scan Engine servers to use, filled in on the first call.
    static Vector scanEnginesForScanning = new Vector();

    public static VirusReport ScanStream(OutputStream outputStream) throws ScanException, NumberFormatException {

        if (scanEnginesForScanning.size() == 0) {
            // Host and port come from the application's own configuration;
            // a non-numeric port propagates as NumberFormatException.
            int scanengine_port = Integer.parseInt(AppServerFacade.getAppServer().getScanenginePort());

            ScanEngine.ScanEngineInfo scanEngTobeUsed = new ScanEngine.ScanEngineInfo(AppServerFacade.getAppServer().getScanengineHost(), scanengine_port);
            scanEnginesForScanning.add(scanEngTobeUsed);
        }

        ScanEngine scanEngine = null;
        StreamScanRequest streamScanReq = null;
        Result result = null;

        try {
            scanEngine = ScanEngine.createScanEngine(scanEnginesForScanning);
        } catch (ScanException ex) {
            Logger.getLogger(VirusScanFunctions.class.getName()).log(Level.SEVERE, null, ex);
            throw ex;
        }

        try {
            // Empty file name, no original-file-name argument, Policy.SCAN.
            streamScanReq = scanEngine.createStreamScanRequest("", null, outputStream, Policy.SCAN);
        } catch (ScanException ex) {
            Logger.getLogger(VirusScanFunctions.class.getName()).log(Level.SEVERE, null, ex);
            throw ex;
        }

        try {
            // The bytes to scan are taken from the same stream that was passed
            // as the output stream above; it must be a ByteArrayOutputStream.
            streamScanReq.send(((ByteArrayOutputStream) outputStream).toByteArray());
            result = streamScanReq.finish();
        } catch (ScanException ex) {
            Logger.getLogger(VirusScanFunctions.class.getName()).log(Level.SEVERE, null, ex);
            throw ex;
        }

        ThreatInfo[] virusIn = result.getThreatInfo();
        // Only get the first virus info record, no need to extract further details
        if (virusIn.length > 0)
            return new VirusReport(result.getStatus().toString(), result.getTotalInfection(), result.getDefinitionDate(), result.getDefinitionRevNumber(), virusIn[0].getViolationName(), virusIn[0].getViolationId(), virusIn[0].getDisposition());
        else
            return new VirusReport(result.getStatus().toString(), result.getTotalInfection(), result.getDefinitionDate(), result.getDefinitionRevNumber());
    }
}

Please provide input on this.

If ever this cannot be resolved using SymJavaApi, then we'll just prevent uploading of zip files :(

Hoping for your fast response.

Thanks.

+1
vanita's picture

Is there a Symantec Scan Engine for Win XP?

My web application wants to scan a file for viruses before it is uploaded to the server through Java programming, and my company uses the latest version of Symantec Endpoint.

So can you please tell me how to do this?

Thanks.

0
TSE-JDavis's picture

Scan Engine is a server level product that accepts scan requests over a network. Since Windows XP restricts how many network connections you can have at one time, Scan Engine is not designed to work on Windows XP. Since Microsoft themselves is on the tail end of supporting XP, you should be migrating away from it.

My best suggestion is to run Scan Engine inside of a virtual machine running something like Server 2003 or RedHat Linux. You can run the operating system with minimal RAM requirements (around 1 Gb) and address them through the network connection to the VM.

+1
vanita's picture

Hey hi,

In the output below, the file status is coming as NO_AV_LICENSE...

So can you please tell me how to install the license?

And how will I know that the file is scanned by Symantec Scan Engine?

C:\SymantecScanEngine_5.2.10_MP1_Win32_IN\Scan_Engine_SDK\Java\Example>java Java
APICheck -streambased:1 -streamFileLocal:1 -file:"c:\Counter.txt"
----------------------------------------------------------------------
Scanning file ........................................................
----------------------------------------------------------------------
Results ..............................................................
----------------------------------------------------------------------
File Scanned            : c:\Counter.txt
Scan Policy             : DEFAULT
File Status             : NO_AV_LICENSE
Total Infection         : 0
Virus Def Date          : Wed May 12 00:00:00 GMT+05:30 2010
Virus Def Revision No   : 040
Scan Engine IP          : 127.0.0.1
Scan Engine Port        : 1344
Scan Engine Port        : Able to connect

0
TSE-JDavis's picture

You need to install the license into the Scan Engine control panel. This can be accessed by going to https://127.0.0.1:8004/. Under the Admin tab on the left you can click on License and install it.

+1
vanita's picture

Thanks for your kind response.

When I am accessing the URL https://127.0.0.1:8004/ it is prompting for a password. After inserting the correct password it is giving an error saying invalid password or Symantec Scan Engine is not started.

Under Administrative Tools->Services, I had seen that the Symantec Scan Engine service is in the running state.

So can you please tell me how to start the Scan Engine server?

Regards,

vanita jain

0
vanita's picture

Hello All,

My problem of starting the Admin console of Scan Engine is resolved.

The problem was that Scan Engine and the Apache server were running on the same port.

But now can anybody tell me how to scan a file's content without storing it on the server, and where to find a log report of files which are scanned through Scan Engine?

Regards,

Vanita Jain

0
TSE-JDavis's picture

Vanita,

Good to hear you resolved the issue. You cannot scan a file with Scan Engine without it copying the file locally. It will use the in-memory file system if the file is small enough, but it has to bring the file locally to scan it.

The logs are stored in the directory where you installed Scan Engine. You can read them by running a Detailed report under the Reports tab on the left.

+1