Suppressing a scan error in Symantec Protection Engine for a file greater than 2 GB in size


Article ID: 169563


Products

Protection Engine for Cloud Services, Protection Engine for NAS

Issue/Introduction

By design, files submitted to Symantec Protection Engine (SPE) for scanning are limited to 2 GB in size. SPE therefore returns scan errors for files larger than 2 GB, irrespective of whether the file is a plain file, a container file, or a file embedded inside a container file.

In such cases, Symantec Protection Engine returns ICAP RESULT 500 “Internal Server Error” to its client.

In order to suppress the scan errors in such scenarios, a new value called "BypassAVScanning" is created in the category3.xml file.

1495687071|10|2|1|33|AntiVirus|34|30|3|icheck.symantec.com/prav.tar|4|prav.tar|39|10.219.212.21|17|3.401|18|432.700|43|10.219.209.97|44|1344|45|1298
Converted readable format below:
/*
Thu May 25 10:07:51 India Standard Time 2017, The Symantec Protection Engine has encountered a scan error, Event Severity Level = Error, Scanner = AntiVirus, Result ID = 30, URL = icheck.symantec.com/prav.tar, File name = prav.tar, Client IP = 10.219.212.21, Scan Duration (sec) = 3.401, Connect Duration (sec) = 432.700, Symantec Protection Engine IP address = 10.219.209.97, Symantec Protection Engine Port number = 1344, Uptime (in seconds) = 1298
*/
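The raw entry above can be decoded mechanically to find which files and clients hit the scan error. The following is an added example, not Symantec code: the field-ID-to-name mapping is inferred only from the single sample entry in this article, the three values after the timestamp are left uninterpreted, and the function names are hypothetical.

```python
from datetime import datetime, timedelta, timezone

# Field IDs inferred from the single sample entry in this article (assumption);
# IDs not seen there are kept as "field <id>".
FIELD_NAMES = {
    "33": "Scanner", "34": "Result ID", "3": "URL", "4": "File name",
    "39": "Client IP", "17": "Scan Duration (sec)",
    "18": "Connect Duration (sec)",
    "43": "Symantec Protection Engine IP address",
    "44": "Symantec Protection Engine Port number",
    "45": "Uptime (in seconds)",
}
HEADER_LEN = 4  # epoch time + three header values, left uninterpreted here
IST = timezone(timedelta(hours=5, minutes=30))  # zone used in the article

# The raw entry from the article, on one line.
SAMPLE = ("1495687071|10|2|1|33|AntiVirus|34|30|3|icheck.symantec.com/prav.tar"
          "|4|prav.tar|39|10.219.212.21|17|3.401|18|432.700"
          "|43|10.219.209.97|44|1344|45|1298")


def parse_spe_line(line, tz=IST):
    """Split one raw log line into its timestamp, header and named fields."""
    parts = line.strip().split("|")
    body = parts[HEADER_LEN:]
    # A value containing "|" would shift the pairs; reject rather than guess.
    if len(parts) < HEADER_LEN or not parts[0].isdigit() or len(body) % 2:
        raise ValueError("unexpected log line layout: %r" % line[:60])
    fields = {FIELD_NAMES.get(k, "field " + k): v
              for k, v in zip(body[0::2], body[1::2])}
    return {"time": datetime.fromtimestamp(int(parts[0]), tz),
            "header": parts[1:HEADER_LEN], "fields": fields}


def files_with_result(lines, result_id="30"):
    """Return (time, client IP, file name) for entries with this Result ID."""
    hits = []
    for line in lines:
        try:
            entry = parse_spe_line(line)
        except ValueError:
            continue  # skip lines that are not in this layout
        f = entry["fields"]
        if f.get("Result ID") == result_id:
            hits.append((entry["time"], f.get("Client IP"), f.get("File name")))
    return hits


if __name__ == "__main__":
    for when, client, name in files_with_result([SAMPLE]):
        print(when.strftime("%a %b %d %H:%M:%S %Y"), client, name)
```

The default Result ID of 30 is simply the value in the sample entry; pass a different `result_id` to filter on another result.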

Resolution

Perform the following steps to deploy this file:

  1. Download category3.xml from this document.
  2. Stop SPE service.
  3. Copy and paste category3.xml to <Drive>\Program Files <x86>\Symantec\Scan Engine.
  4. Start SPE service.

Note: The file contains a version number, <custom version="070503">, that must match the installed version number. For Protection Engine Version 7.5.3 it needs to be <custom version="070503">. For Symantec Protection Engine 7.8.0 it would need to be <custom version="070800">. For Symantec Protection Engine 7.9.0 it would need to be <custom version="070900">. This can be updated using a text editor like Notepad.

Tip: For steps on configuring Symantec Protection Engine to scan large files, see Related Articles in the right navigation.

After you make this configuration, if the ICAP scan request contains the ALLOW ICAP header, SPE responds with ICAP 204 NO CONTENT NECESSARY. Otherwise, SPE responds with ICAP 200 OK.

Attachments

category3.xml