Configuring Symantec Scan Engine to block unscannable container files

Article ID: 177292

Products

Scan Engine

Issue/Introduction

You seek information on how to configure Symantec Scan Engine 5.x to block unscannable container files.

Resolution

Configuring Symantec Scan Engine to block unscannable container files
You can block container files based on certain criteria that might indicate the presence of a threat or malicious code or that might prevent Symantec Scan Engine from effectively scanning the file.

| Type of file | Description |
| --- | --- |
| Partial container files | Symantec Scan Engine must receive a MIME-encoded message in its entirety to scan it for threats. Some email software applications break large messages down into a number of smaller, more manageable messages for transmission. These messages are typically transmitted separately and reassembled before delivery to the recipient. Because the message has been broken down into a number of partial messages, the entire message (including all attachments) is not available to Symantec Scan Engine for scanning. Symantec Scan Engine is configured by default to reject partial messages because they cannot be effectively scanned for threats. |
| Malformed container files | Computer viruses and malicious programs sometimes create intentionally malformed files. Symantec Scan Engine recognizes these distortions. If Symantec Scan Engine can identify the container type, in some cases, it can repair the container file. If Symantec Scan Engine cannot determine the container type, Symantec Scan Engine rejects it as a potentially infected file. |
| Encrypted container files | Infected files can be intentionally encrypted to bypass scanning. Encrypted files cannot be decrypted and scanned without the appropriate decryption tool. You can configure Symantec Scan Engine to delete encrypted container files to protect your network from threats. |
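
The three categories above, shown as an added Python example for triaging files outside the product; it is not Symantec Scan Engine's detection logic or code from the Implementation Guide. It assumes ZIP as the container format and the RFC 2046 `message/partial` content type as the marker of a split message; the names `classify_container`, `sample_zip`, `ACTIONS` and `SAMPLE_PARTIAL` are hypothetical, and the samples are constructed.

```python
import io
import zipfile
from email import message_from_bytes

# Dispositions mirror the three checkboxes described on this page.
ACTIONS = {"partial": "deny", "malformed": "block",
           "encrypted": "delete", "scannable": "scan"}

def classify_container(data: bytes) -> str:
    """Label one input as partial, malformed, encrypted or scannable."""
    if data[:4] == b"PK\x03\x04":  # ZIP local file header signature
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                # Bit 0 of the general-purpose flags marks an encrypted member.
                if any(i.flag_bits & 0x1 for i in zf.infolist()):
                    return "encrypted"
                # testzip() names the first member that fails its CRC check.
                return "malformed" if zf.testzip() else "scannable"
        except zipfile.BadZipFile:  # e.g. truncated: no central directory
            return "malformed"
    # Anything else is parsed as a mail message; a fragment of a split
    # message is sent with Content-Type message/partial (RFC 2046).
    msg = message_from_bytes(data)
    if any(p.get_content_type() == "message/partial" for p in msg.walk()):
        return "partial"
    return "scannable"

def sample_zip(encrypted: bool = False) -> bytes:
    """Constructed sample: one stored member, optionally flagged encrypted."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("note.txt", b"hello container")
    raw = bytearray(buf.getvalue())
    if encrypted:
        # Set the encryption bit in the central directory entry (offset +8).
        raw[raw.index(b"PK\x01\x02") + 8] |= 0x01
    return bytes(raw)

# Constructed sample: first fragment of a message split into three parts.
SAMPLE_PARTIAL = (b"From: sender@example.com\r\nMIME-Version: 1.0\r\n"
                  b'Content-Type: message/partial; id="x1@example.com";'
                  b" number=1; total=3\r\n\r\nfirst fragment\r\n")

if __name__ == "__main__":
    for name, blob in [("partial", SAMPLE_PARTIAL), ("plain zip", sample_zip()),
                       ("flagged zip", sample_zip(True)),
                       ("truncated zip", sample_zip()[:40])]:
        label = classify_container(blob)
        print(f"{name}: {label} -> {ACTIONS[label]}")
```
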

To configure Symantec Scan Engine to block unscannable container files
  1. In the console on the primary navigation bar, click Policies.
  2. In the sidebar under Views, click Filtering.
  3. In the content area on the Container Handling tab, under Partial Container Handling, check "Deny partial containers". Access to partial containers is denied by default.
  4. Under Malformed Container File Processing, check "Block malformed containers". Access to malformed containers is denied by default.
  5. Under Encrypted Container Handling, check "Delete encrypted containers". Encrypted containers are automatically deleted by default.
  6. On the toolbar, select one of the following:
     - Save: Saves your changes. This option lets you continue making changes in the console until you are ready to apply them.
     - Apply: Applies your changes. Your changes are not implemented until you apply them.

About NonMIME threshold
Under NonMIME threshold, in the "No determination after reading" box, type the maximum number of bytes that Symantec Scan Engine should scan to determine whether a file is MIME-encoded.
The default setting is 200000 bytes. If Symantec Scan Engine reads the maximum number of bytes without being able to determine whether the file is MIME-encoded, the file is considered to be non-MIME-encoded.



References
This information was taken from the Symantec™ Scan Engine Implementation Guide

ftp://ftp.symantec.com/public/english_us_canada/products/symantec_scan_engine/5.1/manuals/Implementation_Guide.pdf