Symantec Endpoint EventID 6 warnings

Created: 18 Jan 2011 | 3 comments

Is there any way to prevent Symantec Endpoint version 11.0.6xxxx from creating an event in the application log every time SEP is unable to scan inside a file?  I reviewed the following article but it isn't helpful: http://www.symantec.com/business/support/index?page=content&id=TECH99755

Specifically I'm receiving the message:

Log Name:      Application
Source:        Symantec AntiVirus
Date:          1/17/2011 10:17:35 PM
Event ID:      6
Task Category: None
Level:         Warning
Keywords:      Classic
User:          N/A
Computer:      xxxxxxxxxxxxxxxxx
Description:
 

Could not scan 2 files inside c:\temp\Tools\Setup\xxxxxx.cab due to extraction errors encountered by the Decomposer Engines.Application has encountered an error.
For more information, please go to: http://www.symantec.com/techsupp/servlet/ProductMe...

Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Symantec AntiVirus" />
    <EventID Qualifiers="33023">6</EventID>
    <Level>3</Level>
    <Task>0</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2011-01-18T03:17:35.000000000Z" />
    <EventRecordID>42251</EventRecordID>
    <Channel>Application</Channel>
    <Computer>xxxxxxxxxx</Computer>
    <Security />
  </System>
  <EventData>
    <Data>

Could not scan 2 files inside c:\temp\Tools\Setup\_5_RTL_x86_enu_NewFile_Items.cab due to extraction errors encountered by the Decomposer Engines.Application has encountered an error.
For more information, please go to: http://www.symantec.com/techsupp/servlet/ProductMe...
</Data>
  </EventData>
</Event>


_Brian's picture

It basically means the engine wasn't able to scan inside a compressed (zipped) file or if a file was locked. You can ignore these. There is nothing to prevent these that I'm aware of.

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

sandeep_sali's picture

You can set the levels to be scanned to avoid this message.

Thanks & Regards

Sandeep C Sali

Mick2009's picture

Hi Seed,

I agree with the above advice: Event ID 6 messages can safely be ignored.

Here is an official article on the subject: "Could not scan [#] files inside [path][filename] due to extraction errors encountered by the Decomposer Engines" during a scan (http://www.symantec.com/docs/TECH99755)

I recommend having a look at the logging configuration passed down to clients from the SEPM.  It's possible to set SEP clients so that they do not forward this (and other additional) high-volume, low-importance messages to the SEPM.  That will keep the SEPM's reports from being full of these and will help keep the SEPM database size down.

Hope this helps!

Thanks and best regards,

Mick

With thanks and best regards,

Mick
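
To see which archives produce these warnings and how often, the Event XML shown in the question can be parsed and grouped by archive path. This is an added example, not from any poster or from Symantec; it assumes the events were exported as XML inside a single root element, and the sample paths and counts are constructed.

```python
import re
import xml.etree.ElementTree as ET
from collections import defaultdict

NS_URI = "http://schemas.microsoft.com/win/2004/08/events/event"
NS = {"e": NS_URI}
# Message shape copied from the Event ID 6 description quoted in the thread.
MSG = re.compile(r"Could not scan (\d+) files? inside (.+?) due to extraction errors", re.S)

def summarize(xml_text):
    """Return [(archive_path, event_count, unscanned_files)], noisiest archive first."""
    stats = defaultdict(lambda: [0, 0])
    for ev in ET.fromstring(xml_text).iter("{%s}Event" % NS_URI):
        provider = ev.find("e:System/e:Provider", NS)
        event_id = ev.find("e:System/e:EventID", NS)
        if provider is None or event_id is None:
            continue
        if provider.get("Name") != "Symantec AntiVirus" or (event_id.text or "").strip() != "6":
            continue
        for data in ev.iterfind("e:EventData/e:Data", NS):
            m = MSG.search(data.text or "")
            if m:
                # Windows paths are case-insensitive, so fold case before grouping.
                entry = stats[m.group(2).strip().lower()]
                entry[0] += 1
                entry[1] += int(m.group(1))
    return sorted(((p, c, f) for p, (c, f) in stats.items()), key=lambda r: (-r[1], r[0]))

def _event(provider, event_id, message):
    # Builds one constructed <Event> in the layout shown in the thread.
    return ('<Event xmlns="%s"><System><Provider Name="%s" /><EventID Qualifiers="33023">%s'
            '</EventID></System><EventData><Data>\n%s\n</Data></EventData></Event>'
            % (NS_URI, provider, event_id, message))

TAIL = " due to extraction errors encountered by the Decomposer Engines."
# Constructed sample input; the paths and counts are made up for the example.
SAMPLE = "<Events>" + "".join([
    _event("Symantec AntiVirus", 6, r"Could not scan 2 files inside c:\temp\Tools\Setup\example.cab" + TAIL),
    _event("Symantec AntiVirus", 6, r"Could not scan 4 files inside C:\Temp\Tools\Setup\example.cab" + TAIL),
    _event("Symantec AntiVirus", 6, r"Could not scan 3 files inside c:\temp\other\sample.zip" + TAIL),
    _event("Other Source", 6, r"Could not scan 9 files inside c:\ignored.zip" + TAIL),
]) + "</Events>"

if __name__ == "__main__":
    for path, events, files in summarize(SAMPLE):
        print("%-40s events=%d unscanned_files=%d" % (path, events, files))
```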