Endpoint Protection

Vanita,

Good to hear you resolved the issue. You cannot scan a file with Scan Engine without it copying the file locally. It will use the in-memory file system if the file is small enough, but it has to bring the file locally to scan it.

The logs are stored in the directory where you installed Scan Engine. You can read them by running a Detailed report under the Reports tab on the left.

Hello All,

My problem of starting Admin console of scan engin is resolved.

Problem was scan engin and Apache server was running on the same port.

But now can anybody tell me how to scan a file content without storing it on server and  where to find a log report of files which are scanned through scan engin

Regards,

Vanita Jain

Thanks for your kind response.

when i am accessing the url https://127.0.0.1:8004/ it is prompting for password. After inserting correct password it is giving error as invalid password or symentec scan engin is not started.

Under Administrative Tools->Services , I had seen symentec scan engine service is in running state.

So can you please tell me how to start scan engin server.

Regards,

vanita jain

You need to install the license into the Scan Engine control panel. This can be accessed by going to https://127.0.0.1:8004/. Under the Admin tab on the left you can click on License and install it.

Hey hi,

in below o/p filestatus is coming as NO_AV_LICENSE...

so can you please tell me how to install license.

and how will i know that is file is scaned by Symentec scan engin

C:\SymantecScanEngine_5.2.10_MP1_Win32_IN\Scan_Engine_SDK\Java\Example>java Java
APICheck -streambased:1 -streamFileLocal:1 -file:"c:\Counter.txt"
----------------------------------------------------------------------
Scanning file ........................................................
----------------------------------------------------------------------
Results ..............................................................
----------------------------------------------------------------------
File Scanned            : c:\Counter.txt
Scan Policy             : DEFAULT
File Status             : NO_AV_LICENSE
Total Infection         : 0
Virus Def Date          : Wed May 12 00:00:00 GMT+05:30 2010
Virus Def Revision No   : 040
Scan Engine IP          : 127.0.0.1
Scan Engine Port        : 1344
Scan Engine Port        : Able to connect

Hi,

Would like to followup on my query above regarding zip files not being scanned by symantec Scan engine 5.2 using SymJavaApi.

Below is the class we are using to scan the stream being passed:

 public class VirusScanFunctions {
    static Vector scanEnginesForScanning = new Vector();

    public static VirusReport ScanStream(OutputStream outputStream) throws ScanException, NumberFormatException {

        if(scanEnginesForScanning.size()==0) {
            int scanengine_port = 0;
            try {
                scanengine_port = Integer.parseInt(AppServerFacade.getAppServer().getScanenginePort());
            }catch(NumberFormatException e){
                throw e;
            }

            ScanEngine.ScanEngineInfo scanEngTobeUsed = new ScanEngine.ScanEngineInfo(AppServerFacade.getAppServer().getScanengineHost(), scanengine_port);
            scanEnginesForScanning.add(scanEngTobeUsed);
        }

        ScanEngine scanEngine=null;
        StreamScanRequest streamScanReq=null;
        Result result=null;

        try {
            scanEngine = ScanEngine.createScanEngine(scanEnginesForScanning);
        } catch (ScanException ex) {
            Logger.getLogger(VirusScanFunctions.class.getName()).log(Level.SEVERE, null, ex);
            throw ex;
        }

        try {
            streamScanReq = scanEngine.createStreamScanRequest("", null, outputStream, Policy.SCAN);
        } catch (ScanException ex) {
            Logger.getLogger(VirusScanFunctions.class.getName()).log(Level.SEVERE, null, ex);
            throw ex;
        }

        try {      
                streamScanReq.send(((ByteArrayOutputStream)outputStream).toByteArray());
                result = streamScanReq.finish();               
        } catch (ScanException ex) {
            Logger.getLogger(VirusScanFunctions.class.getName()).log(Level.SEVERE, null, ex);
            throw ex;
        }

        ThreatInfo[] virusIn = result.getThreatInfo();
        //Only get the first virus info record, no need to extract further details
        if(virusIn.length>0)
            return new VirusReport(result.getStatus().toString(), result.getTotalInfection(), result.getDefinitionDate(), result.getDefinitionRevNumber(), virusIn[0].getViolationName(), virusIn[0].getViolationId(), virusIn[0].getDisposition());
        else
            return new VirusReport(result.getStatus().toString(), result.getTotalInfection(), result.getDefinitionDate(), result.getDefinitionRevNumber());
    }
} 

Please provide input on this.

If ever this cannot be reolved using SymJavaApi, then we'll just prevent uploading of zip files :(

Hoping for your fast response.

Thanks.

Scan Engine is a server level product that accepts scan requests over a network. Since WIndows XP restricts how many network connections you can have at one time Scan Engine is not designed to work on Windows XP. Since Microsoft themselves is on the tail end of supporting XP, you should be migrating away from it.

My best suggestion is to run Scan Engine inside of a virtual machine running something like Server 2003 or RedHat Linux. You can run the operating system with minimal RAM requirements (around 1 Gb) and address them through the network connection to the VM.

is there a Symentec Scan Engin for Win XP?

As My web application wants to scan a file for virus before uploaded it to server through java Programming and My company uses Symantec End Point latest version.

So can you please tell me how to do this?

Thanks.

Using the command line scanner (ssecls.exe) detected the EICAR Virus successfully. But what we are currently using right now is SymJavaApi.jar in our web application which fails detecting viruses on zip files.

Anything we could do to fix this on our side. I don't know if we could use the ssecls.jar in our java web application. We are currently sending ByteArrayOutputStream as representation of the file to be scanned. currently we just replicated the example included in scan engine installer.

Is there anyway we could do to fix this? If we need to resort to the command line scanning, is there any example that would be provided same as the example using SymJavaApi ?

We really would appreciate this.

Thanks.

There is no known defect in Scan Engine that would cause this. What if you test the file with ssecls.exe? Is EICAR detected at that point?

Hi,

Is there any update on my question above.

Thanks.

Hi,

We are currently trying out trial version Scan Engine and integrating it in our java web applications.

We are able to pass file streams and it is scanned ok.

Testing this using EICAR files and virus detection works ok.

But the problem is that it passes zip files that contains EICAR files. It seems that it cannot detect that there are viruses n the content of the zip file.

Is this a bug or is there something that we need to tweak.

Currently we are only using trial version to test, is this just the limitation of the trial version?

Hoping for your fast reply for we are currently considering this product to be a part in our production systems.

Thanks

Hi,  I am getting the following error.        C:\Documents and Settings\portaluser\My Documents\NetBeansProjects\dist>java -jar JavaAPICheck.jar -streambased:1 -streamFileLocal:1 -file:"c:\test\test.doc"
OUTPUT:
Problem encountered! Scanning Failed!! MAX_TRIES_REACHED.                How can i solve this problem.  Thanks

Yes, the option is listed under Monitors -> Logging. The option is labeled "Number of log files to retain (one per day)". If you want to keep logs for only 30 days, you would type 30 into the box. Setting it to the default of 0 keeps everything.

You should also consider lowering your logging level if it is above warning.

Not true. First of all, you are not just paying for virus updates when you purchase the product. You are paying for support and product updates.

Second, Scan Engine/SAV for NAS will not use the new definitions if the license has expired.

In our environment Symantec Anti Virus Corporate Edition is used on the local servers. Additionally we purchased the SAV for NAS solution which incorporates the Scan Engine, which also runs on a local server, but scans the Celerra NAS.

So our environment is already getting its updates via SAVCE, so we don't require an additional definition update license for SAV for NAS, if we use Intelligent Updater, right?

I have had the same issue with Scan Engine 5.2 installed on Windows 2003 R2 Enterprise x64.

Also looking for a purging kind of solution.

We have Scan Engine 5.2 installed on RHEL and have been running scans successfully.  Over the weekend Scan Engine shutdown.

Message was that the system could not access our  /Symcscan/Temp folder.   Checking the 68GB drive, the /Symcscan/Temp folder had 568 log files that used 65GB of space.     Is there a way to have the system purge temp log files by time or date automatically?    After deleting all the log files in this location and rebooted the server Scan Engine was available.

Hi I need to know how to use SSE 5.2 java API with web application created using struts 2.

Should the file scanned before uploading to the server?Struts application takes files and put them in the server as temporary file for further processing.

We are going to take the file from clients machine,at what moment we should scan the file?

1)If we need to scan file before uploading to server,then how i can scan file directly from the client machine?

2)If i should scan the file from the server,then it is already present physically in the server and it might infect the server before scan process is done.

hmmm...i've confirmed it's not a permissions problem, but i believe windows is trying to make me think it's physically located in \\shared_drive\some_dir\some_file , but when i look at the properties of the file, it claims to be 13 bytes, but 4096 on disk, which makes me think it's actually a sym link that samba(?) can fetch for me when in dblclick on it.

long story short: this is more a java & os issue than sse

Are there any permission needs for the shared drive? Try running the Scan Engine service as your user account and see if it succeeds.

hi.

using the boilerplate sample API code, i wrote some code to successfully interrogate local files.  where i run into difficulty is getting files from a mountpoint (shared drive) in windows to pass to SSE.  in debug, i correctly resolve the filename, and i can confirm this by cut/paste into file explorer & retrieve the file.  however, it fails in this part of the code.  assume you're relatively familiar w/ the symjavaapi.jar code, or at least, the "how to use it" sample.

fileScanReq = scanEngine.createFileScanRequest(fileForScan, scPolicy);

Result result = fileScanReq.scanFile()

returns FILE_ACCESS_FAILED.

when i mimick the directory structure locally, all is well. (e.g., swap 'z:' with 'c:')

Sounds like you may be tring to use the Scan Engine for file system protection/scanning. Which is not really the intended use of the Scan Engine. As TSE-Jdavis said you are best off using something like our SEP or SAV solution for file system protection as it was designed exactly for that and has kernel level drivers to hook to files and scan them as they are read/written to the disk.

Scan Engine is typically used for providing virus scanning services/protection to services and systems that one would not be able to use SEP or SAV type products with directly such as Netapp filers, proxy/caching servers, Sharepoint, or file submissions from webforums etc.

We are not going to be able to scan a file that has been locked out by the OS or another process. This is also the case when a file-level antivirus program like Endpoint Protection is on the machine where the file is located. When it detects us accessing the file, it wass scan it before we get a chance to and we typically time out waiting for SEP to scan it. This is why you need to set exclusions for SEP to not scan our temp directory.

I hope you are not trying to use Scan Engine as a file-level antivirus solution. This is not what it is designed for and will not give you adequate protection. You should be using SEP which is a ring 0 device and can scan and lock out files before anything else can access them, including the OS.

Scan Engine is designed to scan files on a remote system before they enter the environment Scan Engine is set up to protect.

thanks -- those sizing tweaks did get me past that point.

next, why won't the engine be allowed to scan certain files, like those found in C:\WINDOWS\system32\config?  could it be that files which already have a handle doled out are off-limits?

btw, this is using the SymJavaAPI.jar

ed: error is FILE_ACCESS_FAILED

Please see this document as it provides insight into this issue and a couple of solutions.

http://www.symantec.com/docs/TECH88966

still a problem here too, but i get "INTERNAL_SERVER_ERROR" on files slightly larger than a few meg

running: eclipse (galileo)

using 5.2.8 jar

and in case this matters: windows server 2003 R2 (64 bit) SP2

is it possible no virus/worm/malware could ever exist on a file so large?

Is the trickle approach same as preview, if not can you point us to the to more information on the usage of this

More over, is FILE_MODE approach of scan more efficient than using RAW ICAP to aps file data, if yes, how and why

Are you using Firefox on the same Linux server you installed Scan Engine on? The JRE plugin is not automatically installed into Firefox, you have to install it manually.

http://www.symantec.com/docs/TECH85820

Hi all,

I have installed symantec antivirus for nas 5.2 in rhel5.4 64bit. and installed jre 1.5.0.13. But i can't open the interface through firefox.

It is showing that "to view symantec scan engine administrator interface,please install java runtime environment (jre) 5.0 update 6 or later.

I did the same also.But no changes. please help me on this..

Hi-,

  While trying to use createStreamScanRequest() in my application, I am getting an exception while calling finish():

StreamScanRequest streamScanReq = scanEngine.createStreamScanRequest(fileName, null, output, Policy.DEFAULT);

Result result = streamScanReq.finish();

com.symantec.scanengine.api.ScanException: Unable to communicate with Symantec Scan Engine.

        at com.symantec.scanengine.api.RequestImpl.readResult1(Unknown Source)

        at com.symantec.scanengine.api.RequestImpl.finish(Unknown Source)

The SSE is running and port is also good.

The above call is working fine from another application deployed as a war on the same server.

Does anyone has any idea what could be causing this exception within one web app and working in the other?

Thanks.

There are a lot of environmental factors that could cause this such as firewalls or SELinux being installed. This could also be due to a Java conflict on the server.

Hi,

I downloaded your trial version, and installed in a red hat linux machine.

I see that thescan engine is running :

[root@lab11-50 /]# ps -aef | grep sym
root     30841     1  0 09:37 ?        00:00:00 /opt/SYMCScan/bin/symcscan -config:/opt/SYMCScan/bin -daemon
root     30842 30841  0 09:37 ?        00:00:12 /opt/SYMCScan/bin/symcscan -config:/opt/SYMCScan/bin -daemon
root     30942 29922  0 10:09 pts/0    00:00:00 grep sym
[root@lab11-50 /]#

My eth0 address is :

eth0      Link encap:Ethernet  HWaddr 00:30:48:5E:69:30
          inet addr:15.226.49.168  Bcast:15.226.49.255 

I go a windows machine, and using explorer/morzilla I do the following:

https://15.226.49.168:8004  and I donot get the console, just get cannot find page error

Can you kindly let me know what I am missing

You should contact the support department for your NAS and make sure it is set up correctly to send the files to the Scan Engine.

We have Symantec Scan engine to scan the files on NAS storage box. We have observed the files are not routed through the Symantec scan engine server hence it is not able to scan any of the files on the storage. could any one help to solve this problem.

You can always use the Trickle function of ICAP in your connector. We support that feature.

When we use ICAP for scanning file, is it necessary that the entire file be passed. i.e if we  want to intercept

a read of file, can be just  pass the data block read, to the scan engine, to determine, if the data has a virus , or should we scan the entire file ?

similarly in write path, the data should be scanned before writing to disk, right, it can be just a block of data , is this correct ?

Dear Guido,

Thanks for your reply.

After integrating the SSE with F5 ASM how can we maintain the high availability (clustering) of SSE?

Thanks Guido for your clarifications.

Now I am looking to see if I can integrate SSE with F5 Big IP LTM to scan the uploaded files to my web application before reaching the web servers tier, while in the same time keeping the user informed that the uploaded file contained a Virus.

If you have any experience regarding this please let me know.

Regards.

Hi,
Is there a way to cluster SSE for a high availability?
 

I've downloaded some trail version Antivirus products, and found that some of them are based on Scan engine--- I had to install the scan engine first  and then installed the antivirus product. 
Now the question is: if I bought an antivirus product for system that include the scan engine in installation package, do i need to install the scan engine again when configuring the Symantec Protection for SharePoint Servers? It makes me feel paying twice for one thing.

I have several Scan Engine for NAS running with some IBM Netapp Storage systems I have on different plants.
So, I have several Scan Engine Consoles to monitor everyday.

Is there a way to integrate those consoles ? maybe with SEP11 console ? or SAV reporter ?