Content Analysis Error: "Content:Sandbox: Failed to Decompress xxx"

Article ID: 169087

Products

Content Analysis Software - CA

Issue/Introduction

You have a Malware Analysis deployment with a Content Analysis system, and Content Analysis produces ERROR messages during Sandbox analysis. The error message appears as follows:

2016-06-07T16:17:28.088154+09:00 cas_1_3-6-x86_64 avservice[2755]: ERROR : Content::Sandbox: failed to decompress Pug
2016-06-07T17:57:11.504242+09:00 cas_1_3-6-x86_64 avservice[2755]: ERROR : Content::Sandbox: failed to decompress Pug

Cause

Content Analysis decompresses data when it forwards suspicious data for Malware Analysis.
Content Analysis reports a "decompress" error if the data is compressed with an unsupported compression format.

[Note] Content Analysis introduced support for the deflate algorithm in Content Analysis version 1.3.5.1 (Content_Analysis_1.3.6.1_Release_Notes.pdf, p. 6).

Resolution

Typically this message is harmless, but in this case, the message means that Sandbox analysis is unable to execute that file. See the workaround below.
 

Workaround

Content Analysis uses the compression format determined by the OCS (origin content server, where the file came from). You can modify the compression with a local policy gesture installed on the ProxySG appliance processing your data:

Log in to the ProxySG Management Console, go to Configuration > Policy > Policy Files, then click "Install Local File from: Text Editor > Install".

Replace "example.net" in the policy below with the domain serving the compressed file.

; ------------- Sandbox compression correction policy start -------------
<proxy>
url.domain="example.net" http.server.accept_encoding(no)
; ------------- Sandbox compression correction policy end -------------
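
Because each of these errors means an object was not executed in the sandbox, it is worth listing which objects were affected before and after installing the policy. The Python script below is an added example, not Broadcom code; it assumes the log line format quoted in this article and treats the trailing token of the message ("Pug" above) as the object identifier.

```python
import re
from collections import defaultdict

# Constructed sample: the two ERROR lines are the ones quoted in the article;
# the INFO line is made-up filler to show that unrelated lines are ignored.
SAMPLE_LOG = """\
2016-06-07T16:17:28.088154+09:00 cas_1_3-6-x86_64 avservice[2755]: ERROR : Content::Sandbox: failed to decompress Pug
2016-06-07T16:40:02.120001+09:00 cas_1_3-6-x86_64 avservice[2755]: INFO : constructed filler line
2016-06-07T17:57:11.504242+09:00 cas_1_3-6-x86_64 avservice[2755]: ERROR : Content::Sandbox: failed to decompress Pug
"""

# Accepts both "Content::Sandbox" (log lines) and "Content:Sandbox" (article
# title), in any letter case.
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+avservice\[\d+\]:\s+ERROR\s*:\s+"
    r"Content::?Sandbox:\s+failed to decompress\s+(?P<obj>.+?)\s*$",
    re.IGNORECASE,
)


def decompress_failures(log_text):
    """Return {object: [(timestamp, host), ...]} in log order."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            hits[m["obj"]].append((m["ts"], m["host"]))
    return dict(hits)


def report(log_text):
    """One summary row per object that skipped sandbox execution."""
    rows = []
    for obj, events in sorted(decompress_failures(log_text).items()):
        first, last = events[0][0], events[-1][0]
        rows.append(f"{obj}: {len(events)} failure(s), first {first}, last {last}")
    return rows


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```

Run it against the log again after the policy is installed: objects from the domain named in the policy should stop appearing.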