Symantec Protection Engine container policy and Command Line Scanner mode results matrix


Article ID: 158121


Updated On:

Products

Protection Engine for Cloud Services

Issue/Introduction

You would like to know the results when using various Symantec Protection Engine container policies with various Command Line Scanner "-mode" options.

Resolution

Protection Engine Background Information

How Symantec Protection Engine Works
You can configure client applications to pass files to Symantec Protection Engine (SPE) through one of the supported communication protocols. You can configure Symantec Protection Engine to scan only the files that it receives from the client application. The client application must decide which files to scan and what to do with the results.
Several policy settings control what is scanned and what action is taken based on the result of the scan (called a verdict); every action is driven by the verdict returned for the scanned file.

It is important to understand that if SPE cannot positively determine that a file is "clean", the verdict is always "infected" and the appropriate action is taken; this fail-closed behaviour is deliberate, for security reasons. The same default verdict is applied to any item sent for scanning that cannot be scanned, whatever the reason.

Symantec Protection Engine provides the following options to handle files that cannot be scanned:
1. Log only: generates a log entry.
2. Block: blocks the unscannable file and generates a log entry.
3. Delete: deletes the unscannable file and generates a log entry.

In addition, you can also choose to quarantine unscannable files with any of the above options.

What is the Command Line Scanner?
You can send files to Symantec Protection Engine by using the command-line scanner. You can run this tool from the computer on which Symantec Protection Engine is running or from a different computer. You can send files from a computer with a different operating system than the computer on which Symantec Protection Engine is installed. To use the command-line scanner, you must select ICAP as the communication protocol for Symantec Protection Engine.

Command Line Scan Parameters
Please refer to the SPE70_For_NAS_ImplementationGuide.pdf (Page 249) for an in-depth list of command line options for scanning.

The matrices below show the expected scan verdicts and logging outcomes when each type of container is scanned.

Each table lists the result of using each Command Line Scanner (CLS) "-mode" option with each SPE container policy setting. All testing was done using a password-protected .zip file for the encrypted container matrix and a malformed .zip file for the malformed container matrix. The SPE Scan Policy has no effect on these results; they are identical regardless of the SPE Scan Policy settings. Each cell lists the SPE result followed by the CLS result and whether the scanned file was deleted.

 

Encrypted Container Policy

| CLS Mode | Not Enabled | Log Only | Block | Delete |
|---|---|---|---|---|
| Scan/Repair/Delete | | SPE: Not Repaired/Not Repaired | SPE: Blocked/Not Repaired; CLS: Infected (file deleted) | SPE: Blocked/Deleted; CLS: Deleted (file deleted) |
| Scan/Repair | | SPE: Not Repaired/Not Repaired | SPE: Blocked/Not Repaired; CLS: Infected (file is not deleted) | SPE: Blocked/Deleted; CLS: Deleted (file is not deleted) |
| Scan | | SPE: Not Repaired/Not Repaired | SPE: Blocked/Not Repaired; CLS: Infected (file is not deleted) | SPE: Blocked/Deleted; CLS: Deleted (file is not deleted) |

 

Malformed Container Policy

| CLS Mode | Not Enabled | Log Only | Block | Delete |
|---|---|---|---|---|
| Scan/Repair/Delete | | SPE: Not Repaired/Not Repaired | SPE: Blocked/Not Repaired; CLS: Infected (file deleted) | SPE: Blocked/Not Repaired; CLS: Infected (file deleted) |
| Scan/Repair | | SPE: Not Repaired/Not Repaired | SPE: Blocked/Not Repaired; CLS: Infected (file is not deleted) | SPE: Blocked/Not Repaired; CLS: Deleted (file is not deleted) |
| Scan | | SPE: Not Repaired/Not Repaired | SPE: Blocked/Not Repaired; CLS: Infected (file is not deleted) | SPE: Blocked/Not Repaired; CLS: Deleted (file is not deleted) |
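To make the two kinds of test input behind these matrices concrete, here is an added Python example (not code from this article or from the Symantec product) that builds a plain .zip, a password-flagged .zip and two malformed .zips as in-memory samples, classifies each by parsing the container, and applies the engine's rule above that only a positively clean result earns a clean verdict. The payload, the function names and the two ways of malforming the archive are assumptions made for the example.

```python
import io
import struct
import zipfile

FLAG_ENCRYPTED = 0x0001            # general-purpose bit 0: member is password protected
PAYLOAD = b"matrix-test-payload"   # constructed sample content (assumption)

def make_plain_zip() -> bytes:
    """Constructed sample: a one-member STORED archive."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("sample.txt", PAYLOAD)
    return buf.getvalue()

def make_encrypted_zip() -> bytes:
    """Set the encryption flag in the local (offset 6) and central (offset 8)
    directory headers, so any reader treats the member as password protected."""
    z = bytearray(make_plain_zip())
    for off in (z.index(b"PK\x03\x04") + 6, z.index(b"PK\x01\x02") + 8):
        flags = struct.unpack_from("<H", z, off)[0] | FLAG_ENCRYPTED
        struct.pack_into("<H", z, off, flags)
    return bytes(z)

def make_truncated_zip() -> bytes:
    """Malformed sample 1: part of the end-of-central-directory record is missing."""
    return make_plain_zip()[:-8]

def make_corrupted_zip() -> bytes:
    """Malformed sample 2: one data byte flipped, so the stored CRC no longer matches."""
    z = bytearray(make_plain_zip())
    z[z.index(PAYLOAD)] ^= 0xFF
    return bytes(z)

def classify_container(blob: bytes) -> str:
    """Return 'plain', 'encrypted' or 'malformed'. Any parse failure is
    reported as malformed so the caller never mistakes it for a clean file."""
    try:
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            if any(i.flag_bits & FLAG_ENCRYPTED for i in zf.infolist()):
                return "encrypted"
            return "plain" if zf.testzip() is None else "malformed"
    except (zipfile.BadZipFile, struct.error, EOFError, OSError):
        return "malformed"

def fail_closed_verdict(kind: str) -> str:
    """The engine's rule: only a positively clean container gets a clean verdict."""
    return "clean" if kind == "plain" else "infected"
```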

 


Attachments

SPE_container_policy_CLS_mode_results_matrix.xlsx