One or more of the following occurs:
Sample of the Warning from the SPE log:
Fri Feb 26 20:40:14 EST 2021
A container violation has been found
Event Severity Level = Warning
URL = no_path
File name = <File Path>
File status = BLOCKED
Component disposition = NOT REPAIRED
Container Violation = Container file size limit exceeded
Client IP = <IP Address>
Scan Duration (sec) = 8.699
Connect Duration (sec) = 8.835
Symantec Protection Engine IP address = <IP Address>
Symantec Protection Engine Port number = 1344
Uptime (in seconds) = 1234
Date/time of event(with millisec) = 1614390014121
Symantec Protection Engine Host Name = <SPE Hostname>
Process ID = 1655
A container file exceeded the Maximum Extract Size specified in SPE's scanning policy.
To identify a sane initial number for MaxExtractSize:
This number varies from environment to environment.
ssecls.exe -mode scan -onerror leave -details -verbose "filename.ext"
Navigate to the default install folder of SPE, then do one of the following:
./xmlmodifier -q //filtering/Container/MaxExtractSize/@value filtering.xml
grep "MaxExtractSize" filtering.xml
find "MaxExtractSize" filtering.xml
To Increase MaxExtractSize Limit through the Centralized Console:
Note: This setting in the Centralized Console will only work on SPE 8.0.1 and SPE 8.2.x. For any other version of SPE, use the xmlmodifier instructions below.
To Increase MaxExtractSize with the xmlmodifier tool:
Note: These steps require the command prompt/terminal to be run with administrative privileges.
/opt/SYMCScan/bin/
C:\Program Files\Symantec\Scan Engine
./xmlmodifier -s /filtering/Container/MaxExtractSize/@value <new value> filtering.xml
xmlmodifier.exe -s /filtering/Container/MaxExtractSize/@value <new value> filtering.xml
Checking the compression ratio is one way to avoid Denial of Service attacks involving files that are deliberately crafted with pointers that are broken or set in a circular structure. This type of attempted attack against antimalware software appeared as the Zip Of Death in 2001. Ref: https://www.theregister.com/2001/07/23/dos_risk_from_zip/
>..\..\ssecls scanfilesave-20220516-190132\internal_error\20220516-191850-521.before
Virus scan process began : Fri May 20 16:38:31 2022
Virus scan process completed : Fri May 20 16:38:33 2022
Defs Version = 20220520.019
Commandline Scanner = 8.2.0.6
Total Bytes = 6302449 (Mbytes 6.0105)
Elapsed = 2.0610
Scan Rate = 2.92 (Mbytes/sec)
Files Excluded = 0
Files Scanned = 1
Directories Scanned = 0
Directories Excluded = 0
Files Skipped = 0
Files Scan Error = 0
Files Infected = 1
Data based metering parameters:
Data Scanned in bytes = -1 (NA)
Total files scanned = -1 (NA)
No error was found during the scan
Infected file(s) list:
scanfilesave-20220516-190132\internal_error\20220516-191850-521.before deleted
File Name: 20220516-191850-521.before/xl/revisions/revisionLog273.xml
Virus Name: Container size violation - scan incomplete.
Virus ID: -9
Unscannable: false
Disposition: Infected
>
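To help pick a MaxExtractSize for ZIP-based containers (the member path xl/revisions/... in the scan output above has the layout of an Office Open XML workbook), the following added example, which is not Symantec code and not part of the original article, stream-decompresses a container in memory and reports the extracted total, the compression ratio and the largest member, stopping at a cap. The function names, cap values and sample archive are constructed for illustration; how SPE itself counts extracted bytes or treats nested containers is not stated on this page.

```python
import io
import zipfile

def build_sample():
    """Constructed sample: a small ZIP with one highly compressible member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("xl/workbook.xml", b"<workbook/>")
        zf.writestr("xl/revisions/revisionLog1.xml", b"<r/>" * 250_000)
    return buf.getvalue()

def measure_container(data, cap_bytes, chunk=64 * 1024):
    """Stream-decompress every member in memory and total the extracted bytes.

    Stops once the running total passes cap_bytes, so an archive with a
    hostile compression ratio is never fully expanded. 'extracted' counts
    bytes actually produced; 'packed' is taken from the archive headers.
    Nested containers are not opened (assumption: first level only).
    """
    extracted = packed = 0
    largest = ("", 0)
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            packed += info.compress_size
            size = 0
            with zf.open(info) as member:
                while block := member.read(chunk):
                    size += len(block)
                    if extracted + size > cap_bytes:
                        return {"exceeded": True, "member": info.filename,
                                "extracted": extracted + size}
            extracted += size
            if size > largest[1]:
                largest = (info.filename, size)
    return {"exceeded": False, "extracted": extracted, "packed": packed,
            "ratio": extracted / packed if packed else 0.0,
            "largest": largest}

if __name__ == "__main__":
    sample = build_sample()
    print(measure_container(sample, cap_bytes=10_000_000))  # fits under cap
    print(measure_container(sample, cap_bytes=500_000))     # stops early
```

Running this over the largest legitimate containers seen in the environment gives the extracted totals to compare against the configured limit.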