Configuring Symantec Protection Engine to scan large files

book

Article ID: 157902

calendar_today

Updated On:

Products

Protection Engine for Cloud Services Protection Engine for NAS

Issue/Introduction

Symantec Protection Engine (SPE) 7.x has the ability to scan plain data files for example, office documents, PDFs, images and other formats as well as executable files. SPE 7.x also has the ability to extract and scan files embedded inside container files such as ZIP, RAR, TAR, 7z and other container formats. SPE scans both the top level container files and the files extracted out of it that is, the files that are embedded inside the container file.

SPE uses a portion of its own process memory to read and scan files. Size of this memory portion is configurable. SPE being capable of handling multiple file scan requests concurrently, needs the memory portion of size that is more than 2 GB to scan one or more large files (files of size between few MBs and 2 GB). This is irrespective of whether the file that is getting scanned is a plain file, a container file, or a file embedded inside a container file. You must configure the size of the memory portion appropriately if you want SPE to scan one or more large files.

You must first determine the size of the process memory portion configured on your SPE setup and whether it is sufficient to scan large files. If this is not configured, Symantec Protection Engine returns an error ICAP RESULT 551 “Resource unavailable” to the client, as shown below.

1496308347|11|2|1|30|Resource unavailable|43|10.219.209.97|44|1344|45|390
Converted to readable format below:
/*
Thu Jun 01 14:42:27 India Standard Time 2017, The Symantec Protection Engine has encountered a critical error, Event Severity Level = Error, Error Message = Resource unavailable, Symantec Protection Engine IP address = 10.219.209.97, Symantec Protection Engine Port number = 1344, Uptime (in seconds) = 390
*/

 

 

Environment

  • SPE 7.8.0 through 8.0.1.
  • For legacy builds 7.0.x-7.5.x, see Additional Information, below.

Resolution

 

NOTE: The maximum top-level container file size that you can specify in Symantec Protection Engine for tar, rar, and zip containers is 30GB (approximately 30719 MB). For other containers, you can specify a maximum top-level container file size of 2 GB (approximately 1907 MB).

 

SPE 7.8.1 to SPE 8.0.1 are configured to use memory portion of 30 GB, by default. This setting is inactive in SPE 8.1+. If the size of the memory portion in your SPE setup is not sufficient (possibly because of defaults from older SPE versions) to handle one or more large files, configure it appropriately. Perform the following steps:

  1. Type the following command, replacing "XX" with a number from 0 to 30, representing the maximum file size of the memory portion in GBs (minimum recommended is 3 GB for large files):
    • At the bash or cmd prompt, type: 
      • ./xmlmodifier -s /filtering/Container/DecFileSize/@value XX filtering.xml
    • Note: A value of "0" disables the function.

  2. Restart SPE service.

 

Not configuring SPE appropriately to scan large files will result in scan errors.

 

Tip: For steps to suppress a scan error for a file that is greater than 2 GB in size, see Additional Information below.

 

 

Additional Information

For steps to suppress a scan error for a file that is greater than 2GB in size, see the article: Suppressing a scan error in Symantec Protection Engine for a file greater than 2 GB in size


Legacy builds?

For SPE 7.5.x, the functionality statements in the Issue/Introduction apply, and the Solution steps above also work.

For SPE 7.0.x, the functionality statements in the Issue/Introduction apply, but substitute the following steps for the Solution:

  1. Ensure that the "java" command is added to the PATH environment variable of the server running SPE (Applicable only for 7.0.x and earlier).
    • Example (from a command prompt):  set PATH=%PATH%;C:\Program Files (x86)\Java\jre7\bin
  2. Type the following command, replacing "XX" with a number from 0 to 30, representing the maximum file size of the memory portion in GBs (minimum recommended is 3 GB for large files):
    • SPE 7.0.x
      • java -jar xmlmodifier.jar -s /filtering/Container/DecFileSize/@value XX filtering.xml
    • Note: A value of "0" disables the function.
  3. Restart SPE service.