Configuring Symantec Scan Engine to block unscannable container files
Last Updated January 12, 2008
You seek information on how to configure Symantec Scan Engine 5.x to block unscannable container files.
You can block container files based on certain criteria that might indicate the presence of a threat or malicious code, or that might prevent Symantec Scan Engine from effectively scanning the file.
Type of file
Partial container files
Symantec Scan Engine must receive a MIME-encoded message in its entirety to scan it for threats. Some email software applications break large messages down into a number of smaller, more manageable messages for transmission. These messages are typically transmitted separately and reassembled before delivery to the recipient. Because the message has been broken down into a number of partial messages, the entire message (including all attachments) is not available to Symantec Scan Engine for scanning. Symantec Scan Engine is configured by default to reject partial messages because they cannot be effectively scanned for threats.
Malformed container files
Computer viruses and malicious programs sometimes create intentionally malformed files. Symantec Scan Engine recognizes these distortions. If Symantec Scan Engine can identify the container type, in some cases, it can repair the container file. If Symantec Scan Engine cannot determine the container type, Symantec Scan Engine rejects it as a potentially infected file.
Encrypted container files
Infected files can be intentionally encrypted to bypass scanning. Encrypted files cannot be decrypted and scanned without the appropriate decryption tool. You can configure Symantec Scan Engine to delete encrypted container files to protect your network from threats.
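To make the three categories above concrete, the following added Python example (not Symantec code, and not how Symantec Scan Engine is implemented) classifies a ZIP file or an email message as partial, malformed, encrypted, or scannable. It assumes ZIP as the container type and uses only the standard-library zipfile and email modules; the names classify, classify_zip, sample_zip, sample_mail and PARTIAL are hypothetical, and all inputs are constructed samples.

```python
import io
import zipfile
from email import message_from_bytes
from email.message import EmailMessage
ZIP_MAGIC = b"PK\x03\x04"  # ZIP local file header signature
ENCRYPTED = 0x1            # bit 0 of the ZIP general purpose flags

def classify_zip(data: bytes) -> str:
    """Return 'malformed', 'encrypted' or 'scannable' for ZIP bytes."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            if any(i.flag_bits & ENCRYPTED for i in zf.infolist()):
                return "encrypted"
    except zipfile.BadZipFile:
        return "malformed"  # e.g. truncated: no end-of-central-directory record
    return "scannable"

def classify(data: bytes) -> str:
    """Classify a bare ZIP file or an email message (headers plus body)."""
    if data.startswith(ZIP_MAGIC):
        return classify_zip(data)
    msg = message_from_bytes(data)
    if msg.get_content_type() == "message/partial":
        return "partial"  # one fragment of a message split for transmission
    for part in msg.walk():
        payload = None if part.is_multipart() else part.get_payload(decode=True)
        if payload and payload.startswith(ZIP_MAGIC):
            verdict = classify_zip(payload)
            if verdict != "scannable":
                return verdict
    return "scannable"

# --- constructed sample inputs (not taken from the page) ---
def sample_zip(encrypted: bool = False) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("a.txt", "hello")
    raw = bytearray(buf.getvalue())
    if encrypted:  # set the flag by hand in the central directory entry
        raw[raw.rfind(b"PK\x01\x02") + 8] |= ENCRYPTED
    return bytes(raw)

def sample_mail(attachment: bytes) -> bytes:
    m = EmailMessage()
    m.set_content("see attachment")
    m.add_attachment(attachment, maintype="application", subtype="zip", filename="a.zip")
    return m.as_bytes()
PARTIAL = (b'Content-Type: message/partial; id="constructed@example.invalid";'
           b" number=1; total=3\r\n\r\nSubject: big\r\n\r\nfirst fragment")
```

The encrypted sample only has the flag bit set in its central directory entry, which is enough to show that the entry's contents cannot be inspected without a password.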
To configure Symantec Scan Engine to block unscannable container files
1. In the console on the primary navigation bar, click Policies.
2. In the sidebar under Views, click Filtering.
3. In the content area on the Container Handling tab, under Partial Container Handling, check "Deny partial containers". Access to partial containers is denied by default.
4. Under Malformed Container File Processing, check "Block malformed containers". Access to malformed containers is denied by default.
5. Under Encrypted Container Handling, check "Delete encrypted containers". Encrypted containers are automatically deleted by default.
6. On the toolbar, select one of the following:
   Save: Saves your changes. This option lets you continue making changes in the console until you are ready to apply them.
   Apply: Applies your changes. Your changes are not implemented until you apply them.
About NonMIME threshold
Under NonMIME threshold, in the "No determination after reading" box, type the maximum number of bytes that Symantec Scan Engine should scan to determine whether a file is MIME-encoded.
The default setting is 200000 bytes. If Symantec Scan Engine reads the maximum number of bytes without being able to determine whether the file is MIME-encoded, the file is considered to be non-MIME-encoded.
References
This information was taken from the Symantec™ Scan Engine Implementation Guide.