Protection Engine message: "Container file size limit exceeded"
Products

  • Protection Engine for Cloud Services
  • Protection Engine for NAS

Issue/Introduction

One or more of the following occurs:

  • Symantec Protection Engine (SPE) logs "Container violation" in its detailed logs.
  • An entry in the raw SPE logs contains "|4|2|3|3|" after the epoch timestamp.
  • ssecls displays "Virus Name:     Container size violation - scan incomplete."
  • In an SPE for NAS context, SPE logs show a container file, such as a .zip archive or an .xlsx (Microsoft Excel) document, as "Container file size limit exceeded" and access to the file is prevented. Access to the file is necessary and future occurrences of the related log entries should be avoided.
  • In an environment where Hitachi NAS (HNAS) sends scan requests to SPE, you may see either a clean scan or no log entry in the SPE logs, together with a log entry on the HNAS:
    7317 Warning     2022-04-12 16:41:20-04:00 1 Virus found in file \[FQDN_REMOVED_BY_AUTHOR]\testAV\[FILENAME_REMOVED_BY_AUTHOR].xlsb (Infected, the virus scan engine reported "Virus found : File: [FILENAME_REMOVED_BY_AUTHOR].xlsb/xl/worksheets/sheet7.bin; Infection: Container size violation - scan incomplete.(-9); Infected;") - this event has happened 4 times in the last 10 s.


Sample of the Warning from the SPE log:

Fri Feb 26 20:40:14 EST 2021
A container violation has been found
Event Severity Level = Warning
URL = no_path
File name = <File Path>
File status = BLOCKED
Component disposition = NOT REPAIRED
Container Violation = Container file size limit exceeded
Client IP = <IP Address>
Scan Duration (sec) = 8.699
Connect Duration (sec) = 8.835
Symantec Protection Engine IP address = <IP Address>
Symantec Protection Engine Port number = 1344
Uptime (in seconds) = 1234
Date/time of event(with millisec) = 1614390014121
Symantec Protection Engine Host Name = <SPE Hostname>
Process ID = 1655



Cause

A container file exceeded the Maximum Extract Size specified in SPE's scanning policy.

Resolution

To increase the MaxExtractSize limit

  1. For initial testing before deployment, identify a sane starting value for MaxExtractSize.
  2. Otherwise, identify the value needed to scan a particular file.
  3. Before continuing, confirm the current setting of MaxExtractSize.
  4. Do one of the following:
    - Increase MaxExtractSize through the Centralized Console
    - Increase MaxExtractSize with the xmlmodifier tool



To identify a sane initial number for MaxExtractSize

This number varies from environment to environment.

  • When installing SPE initially, calculate a starting value for MaxExtractSize from the following guideline, then adjust over time based on observations:
    [SIZE_OF_PARTITION_IN_MB] / [NUMBER_OF_SPE_SCANNING_THREADS]
  • If the temporary scanning folder of SPE is on the same partition as the operating system, reduce SIZE_OF_PARTITION_IN_MB by an additional 500 MB before calculating MaxExtractSize.
  • If using the URL Filtering feature, reduce SIZE_OF_PARTITION_IN_MB by an additional 20 GB before calculating MaxExtractSize.
  • If MaxExtractSize is set to 0, all container files are permitted regardless of their extracted size.
    NOTE: Broadcom Support usually recommends setting MaxExtractSize to 0 only as a temporary testing measure during troubleshooting.
  • The default value for MaxExtractSize is 100 MB.

 

To identify the value needed to scan a particular file

  1. Use the ssecls test scan tool to scan the file:
    ssecls.exe -mode scan -onerror leave -details -verbose "filename.ext"
  2. If an error occurs, check today's <SPE Install folder>/log/SSEYYYYMMDD.log file for the most recent log entry for the filename.
  3. If the log entry is "Container violation" (or "|4|2|3|3|" in the raw logs), double the MaxExtractSize and scan again. Return to step 1.
  4. If ssecls reports the file scanned without errors, or a different error occurs in the .log file, the next value to test is halfway between the value you just tested and the previous value. Return to step 1.
  5. Once the difference between your current test value and your previous test value is 1, you have identified the borderline at which the container violation occurs for the sample file. The larger of these two values is the one that permits the file without SPE logging a container violation. You may still encounter other configurable limits.
  6. Alternatively, if the file is a .xlsx file, rename it to .zip, unzip it and measure the extracted size.
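The search in steps 1-5 and the size measurement in step 6, as an added example (not Symantec/Broadcom code). It assumes the caller supplies a scan_passes(mb) callable that applies a MaxExtractSize value with xmlmodifier, restarts the service, runs the ssecls command quoted above and feeds the output to ssecls_reports_violation; the sample zip built at the bottom is constructed here to stand in for an .xlsx.

```python
import io
import zipfile
from typing import Callable

# Added example, not the product's own code. scan_passes() is the caller's
# responsibility: it must set MaxExtractSize (xmlmodifier + service restart),
# rescan with the ssecls command from the article and return True when no
# container violation is reported.


def ssecls_reports_violation(ssecls_output: str) -> bool:
    """True when the ssecls -details output names the container size violation."""
    return "Container size violation - scan incomplete" in ssecls_output


def uncompressed_size_mb(zip_bytes: bytes) -> float:
    """Step 6 without renaming: total extracted size in MB of a zip container
    (an .xlsx is a zip), which is the size MaxExtractSize is compared against."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return sum(info.file_size for info in zf.infolist()) / (1024 * 1024)


def find_min_extract_size(scan_passes: Callable[[int], bool], current: int) -> int:
    """Steps 1-5: starting from the current MaxExtractSize (in MB), double
    while the violation persists, then bisect until the bounds differ by 1.
    Returns the smaller value that lets the file through."""
    if scan_passes(current):
        return current  # the current setting already admits the file
    failing, value = current, current * 2
    while not scan_passes(value):  # step 3: keep doubling
        failing, value = value, value * 2
    passing = value
    while passing - failing > 1:  # steps 4-5: halve the interval
        mid = (failing + passing) // 2
        if scan_passes(mid):
            passing = mid
        else:
            failing = mid
    return passing


def make_sample_xlsx_like_zip(part_sizes_mb: list) -> bytes:
    """Constructed sample: a zip with the layout of an Office container."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for i, mb in enumerate(part_sizes_mb):
            zf.writestr(f"xl/worksheets/sheet{i + 1}.xml", b"0" * (mb * 1024 * 1024))
    return buf.getvalue()


if __name__ == "__main__":
    print(uncompressed_size_mb(make_sample_xlsx_like_zip([1, 2])))  # 3.0
    # simulated scanner: the file needs at least 237 MB to extract
    print(find_min_extract_size(lambda mb: mb >= 237, 100))  # 237
```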

 

To confirm the current setting

Navigate to the default install folder of SPE, then do one of the following:

  • Use xmlmodifier to query the value:
    ./xmlmodifier -q //filtering/Container/MaxExtractSize/@value filtering.xml
  • Use bash grep to search for MaxExtractSize in filtering.xml:
    grep "MaxExtractSize" filtering.xml
  • Use cmd find to search for MaxExtractSize in filtering.xml:
    find "MaxExtractSize" filtering.xml


To Increase MaxExtractSize Limit through the Centralized Console:

Note: This setting in the Centralized Console will only work on SPE 8.0.1 and SPE 8.2.x. For any other version of SPE, use the xmlmodifier instructions below.

  1. In the Centralized Cloud Console, open the policy that you have applied to your scanners.
  2. Ensure you are in Edit mode by selecting "Edit" on the top left.
  3. Go to the Archive Handling tab.
  4. Change the Maximum Extraction Size (MBs) setting to the increased value.
  5. Go back to the top of the page and click "Save."
  6. Click "Apply."



To Increase MaxExtractSize with the xmlmodifier tool:

Note: These steps require the command prompt/terminal to be run with administrative privileges.

  1. Change directory to SPE's root directory. The defaults are:
    • Linux:
      /opt/SYMCScan/bin/
    • Windows:
      C:\Program Files\Symantec\Scan Engine
  2. Run the following command, replacing <new value> with the increased maximum size:
    • Linux:
      ./xmlmodifier -s /filtering/Container/MaxExtractSize/@value <new value> filtering.xml
    • Windows:
      xmlmodifier.exe -s /filtering/Container/MaxExtractSize/@value <new value> filtering.xml
  3. Restart the Symantec Protection Engine service.

 

 

Additional Information

Why would SPE make the MaxExtractSize a configurable value?


Compression ratio is one way to avoid Denial of Service attacks involving files which are deliberately crafted with pointers which are broken or are set in a circular structure. This type of attempted attack against antimalware software appeared as the Zip Of Death in 2001. Ref: https://www.theregister.com/2001/07/23/dos_risk_from_zip/

 

What impact may increasing the Max Container Size have?

  • When you scan more, you use more disk, CPU, and RAM resources. The additional resource usage is in proportion to the additional load.

  • Note that some versions of SPE which are End of Support have known issues that further increase resource usage. One example is 8.0.0, which has a known issue where it fails to release memory resources over time when the UI is enabled with specific versions of Java. See Protection Engine not responsive or high memory usage after upgrading to Java 8u271, 8u281  

  • It is possible to exhaust various types of resources, resulting in severe symptoms:
      CPU: scanning slows, scan errors increase, then eventually the symcscan service stops or does not start.
      RAM: scanning slows, scan errors increase, then eventually the symcscan service stops or does not start.
      HD (temp folder): scanning slows, scan errors increase, then eventually the symcscan service stops or does not start.
          If SPE has its temp scanning folder on a disk other than the one where the OS is installed, the partition may fill without impacting the OS's ability to stay up and running.
          If SPE has its temp scanning folder on the same partition as the OS, it is possible to slow all OS operations (Windows) or stop other daemons running on the OS (Linux).


An example of full output from ssecls

>..\..\ssecls scanfilesave-20220516-190132\internal_error\20220516-191850-521.before


    Virus scan process began : Fri May 20 16:38:31 2022
Virus scan process completed : Fri May 20 16:38:33 2022

        Defs Version = 20220520.019
 Commandline Scanner = 8.2.0.6

         Total Bytes = 6302449 (Mbytes 6.0105)
             Elapsed = 2.0610
           Scan Rate =  2.92 (Mbytes/sec)

      Files Excluded = 0
       Files Scanned = 1
 Directories Scanned = 0
Directories Excluded = 0
       Files Skipped = 0
    Files Scan Error = 0
      Files Infected = 1


Data based metering parameters:
Data Scanned in bytes = -1 (NA)
Total files scanned = -1 (NA)

No error was found during the scan


Infected file(s) list:
scanfilesave-20220516-190132\internal_error\20220516-191850-521.before  deleted
        File Name:      20220516-191850-521.before/xl/revisions/revisionLog273.xml
        Virus Name:     Container size violation - scan incomplete.
        Virus ID:       -9
        Unscannable: false
        Disposition:    Infected

>