After installing Symantec Protection Engine (SPE) 7.8.1 or applying the hot fixes in INFO3791 or TECH236643, PDF files that previously were scanned without error are now being detected as malformed.
SPE log contains:
Tue Mar 21 08:12:37 PDT 2017, A container violation has been found
Event Severity Level : Warning
URL : no_path
File name : name.pdf
File status : BLOCKED
Component name : name.pdf
Component disposition : NOT REPAIRED
Container Violation : Malformed container (file not scanned)
Client IP : 127.0.0.1
Scan Duration (sec) : 0.047
Connect Duration (sec) : 0.109
Symantec Protection Engine IP address : x.x.x.x
Symantec Protection Engine Port number : 1344
Uptime (in seconds) : 696300
When the PDF file is opened with Acrobat Reader, the contents are displayed normally. When closing the document, you are prompted to save the changes.
The engine that breaks container files (PDF is a container file type) down to their component parts for scanning, called the decomposer engine, was upgraded with the 7.8.1 release and as part of the Decomposer hot fixes. Previously, the decomposer engine would fix minor malformations in container files before breaking them down to their component parts. This behavior has changed: the decomposer no longer fixes minor malformations and instead processes the file exactly as it was received.
Many PDF files contain invalid xref content, and because the repair code is not being run against these files, the invalid xref content causes these files to be legitimately deemed malformed. For details on PDF xref tables, see PDF Reference page 93, section 3.4.3 Cross-Reference Table.
A PDF file with invalid xref content can still be opened by a PDF reader in many cases, so it may appear that the file has no malformation. Because SPE is security software, however, it must be able to follow all links in all content in order to verify that the content is clean. If one of these xref links cannot be followed, the engine cannot verify that the file is clean, so the file is deemed malformed and the action configured for malformed files is taken.
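The following Python check is an added example, not code from this article and not the decomposer's own logic. It shows what "following an xref link" means for a classic cross-reference table: the startxref offset must land on the xref keyword, and every in-use entry must point at the matching "N G obj" header. It assumes a single classic xref table (no xref streams, no /Prev chain); build_pdf and check_xref are hypothetical names, and the sample PDF is constructed.

```python
import re

def build_pdf(bad_offset=False):
    """Constructed sample: a one-object PDF with a classic xref table."""
    head = b"%PDF-1.4\n"
    obj1 = b"1 0 obj\n<< /Type /Catalog >>\nendobj\n"
    # The recorded offset of object 1; +3 simulates a stale (invalid) entry.
    off1 = len(head) + (3 if bad_offset else 0)
    xref_pos = len(head) + len(obj1)
    xref = b"xref\n0 2\n0000000000 65535 f \n" + b"%010d 00000 n \n" % off1
    trailer = (b"trailer\n<< /Size 2 /Root 1 0 R >>\n"
               b"startxref\n%d\n%%%%EOF\n" % xref_pos)
    return head + obj1 + xref + trailer

def check_xref(data):
    """Return a list of problems found in the table named by the last startxref."""
    m = re.search(rb"startxref\s+(\d+)\s+%%EOF\s*$", data)
    if not m:
        return ["no startxref/%%EOF trailer"]
    pos = int(m.group(1))
    if data[pos:pos + 4] != b"xref":
        return ["startxref offset %d does not point at an xref table" % pos]
    problems = []
    lines = data[pos:].splitlines()[1:]          # skip the "xref" keyword line
    i = 0
    # Each subsection starts with "<first object number> <entry count>".
    while i < len(lines) and re.fullmatch(rb"\d+ \d+\s*", lines[i]):
        first, count = map(int, lines[i].split())
        for n, entry in enumerate(lines[i + 1:i + 1 + count], start=first):
            e = re.fullmatch(rb"(\d{10}) (\d{5}) ([nf])\s*", entry)
            if not e:
                problems.append("object %d: bad xref entry" % n)
                continue
            off, gen, kind = int(e.group(1)), int(e.group(2)), e.group(3)
            # In-use ("n") entries must point at the object's own header.
            header = rb"%d\s+%d\s+obj" % (n, gen)
            if kind == b"n" and not re.match(header, data[off:off + 32]):
                problems.append("object %d: offset %d is not '%d %d obj'"
                                % (n, off, n, gen))
        i += 1 + count
    return problems

if __name__ == "__main__":
    for label, pdf in (("valid", build_pdf()), ("stale", build_pdf(True))):
        print(label, check_xref(pdf) or "xref table consistent")
```

A reader that scans the file for object headers instead of trusting the table would still display the second sample, which is why such files open normally yet fail a strict link-following check.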
Symantec is investigating long-term solutions to allow PDF files with invalid content to be scanned without being deemed malformed. Please subscribe to this article for updates.
To allow access to the files, it is necessary to change the configuration to allow malformed files. This can be changed either via the user interface or with an xmlmodifier command.
To change the malformed container handling settings via the UI:
1. Open the SPE console.
2. Navigate to Policy > Filtering > Container Handling.
3. Disable Malformed Container handling.
To change the malformed container handling settings via an xmlmodifier command:
1. Open a command prompt.
2. Change directories to the SPE installation directory.
3. Run the following command to disable Malformed container handling, depending on SPE version: