Can SEP scan password-protected files and compressed files (in .rar and .cab format)?

Created: 24 Sep 2013 | 8 comments
mhine_'s picture

Hi,

I need your expertise on this.

Can SEP scan password-protected files (e.g. pdf, xls or doc) and compressed files (in .rar and .cab format)?

Thank you in advance!

Brɨan's picture

It cannot if they're password protected. If not password protected, it should be able to scan them as normal.

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

mhine_'s picture

Thanks for that. Do you know any KB article I can refer to so I can include in my document as reference?

Brɨan's picture

This one explains the scenarios:

http://www.symantec.com/docs/TECH99755

Mithun Sanghavi's picture

Hello,

Yes, it can scan .rar, .cab, .pdf, .xls and .doc format files. However, password-protected files would not be scanned.

Once the password is inserted and the file gets executed, the files would be scanned by Symantec.

The Decomposer engines built into SEP are able to interact with the great majority of compression formats that are in use today, but there is no way they would be able to interact with them all. Almost every SEP client has entries like yours in its logs.

Also: even if there is a threat inside a zip/container that SEP could not scan, SEP's Auto-Protect would catch it as soon as the malicious file was unzipped.

Final recommendation: it would be a good idea to perform a "disk cleanup" to flush out that recycle bin and other temp locations. 

Security Response's official Best Practices:

http://www.symantec.com/business/theme.jsp?themeid=stopping_malware&depthpath=0

Secondly, check this Article:

"Could not scan [#] files inside [path][filename] due to extraction errors encountered by the Decomposer Engines" during a scan

http://www.symantec.com/docs/TECH99755

Hope that helps!!

Mithun Sanghavi
Associate Security Architect

MIM | MCSA | MCTS | STS | SSE | SSE+ | ITIL v3

Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.

mhine_'s picture

One more.

Can SEP handle malformed container files?

On ICAP, we get the following error which, if I'm not wrong, is considered a malformed container file.

The Symantec Protection Engine has encountered a scan error
Date/time of event = 2013-09-25 09:23:57
Event Severity Level = Error
Scanner = Decomposer
Result ID = 17
URL = no_path
File name = ~$$QR Code (Visio Diagram).~vsd
Client IP = 172.20.58.5
Scan Duration (sec) = 0.001
Connect Duration (sec) = 0.003
Symantec Protection Engine IP address = 172.20.58.212
Symantec Protection Engine Port number = 1344
Uptime (in seconds) = 2246856

Brɨan's picture

I believe it means that the decomposer engine does not have a signature to extract the container. It doesn't mean it can't always scan but just in this particular instance for this file.

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.
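
One way to keep track of files the Decomposer could not process, as an added example that is not part of the thread or of Symantec's tooling: it parses events in the layout posted above and counts Decomposer errors per client IP and Result ID. The event boundary rule (a line without " = " starts a new event), the second and third sample events, and all function names are assumptions.

```python
from collections import Counter

# Constructed sample: event 1 copies fields from the thread; events 2-3 are made up.
SAMPLE_LOG = """\
The Symantec Protection Engine has encountered a scan error
Date/time of event = 2013-09-25 09:23:57
Event Severity Level = Error
Scanner = Decomposer
Result ID = 17
File name = ~$$QR Code (Visio Diagram).~vsd
Client IP = 172.20.58.5

The Symantec Protection Engine has encountered a scan error
Date/time of event = 2013-09-25 09:31:02
Event Severity Level = Error
Scanner = Decomposer
Result ID = 17
File name = report = final.cab
Client IP = 172.20.58.5

Constructed non-error event
Event Severity Level = Warning
Scanner = Decomposer
File name = notes.doc
Client IP = 172.20.58.9
"""

def parse_events(text):
    """Return one dict per event. Assumption: a line without ' = ' is a header."""
    events, current = [], None
    for line in text.splitlines():
        if not line.strip():
            continue
        # Split on the first ' = ' only, so file names containing '=' survive.
        key, sep, value = line.partition(" = ")
        if not sep:
            current = {"_header": line.strip()}
            events.append(current)
        elif current is not None:
            current[key.strip()] = value.strip()
    return events

def decomposer_errors(events):
    """Events where the Decomposer logged an error, treated here as 'not inspected'."""
    return [e for e in events if e.get("Scanner") == "Decomposer"
            and e.get("Event Severity Level") == "Error"]

def summarize(events):
    """Count Decomposer errors per (client IP, Result ID) to spot repeat sources."""
    return Counter((e.get("Client IP"), e.get("Result ID")) for e in decomposer_errors(events))
```

The file names returned by `decomposer_errors` are the ones to route to whatever handling policy applies to content that was not inspected.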