Setting container limits in Symantec Scan Engine 5.x

Article ID: 177300


Products

Scan Engine

Issue/Introduction

How can I set container limits in Symantec Scan Engine 5.x?

Resolution

WARNING: If you allow access to a file that has not been fully scanned, you can expose your network to risks. If you allow access and Symantec Scan Engine detects a risk, Symantec Scan Engine will not repair the file, even if under normal circumstances it could be repaired. In this case, the file is handled as though the file is unrepairable.


To set container limits to block denial-of-service attacks

  1. In the console on the primary navigation bar, click Policies.
  2. In the sidebar under Views, click Filtering.
  3. In the content area on the Container Handling tab, under Container File Processing Limits, in the “Time to extract file meets or exceeds” box, type the maximum time that Symantec Scan Engine can spend extracting a single container file. The default setting is 180 seconds (3 minutes). To disable this setting (so that no limit is imposed), type 0.
  4. In the “Maximum extract size of file meets or exceeds” box, type the maximum file size, in bytes, for individual files in a container file. The default setting is 100 MB. To disable this setting (so that no limit is imposed), type 0.
  5. In the “Maximum extract depth of file meets or exceeds” box, type the maximum number of nested levels of files that are decomposed within a container file. The default setting is 10 levels. The maximum value for this setting is 50.
  6. Under “When processor limit is met (or exceeded)”, select whether to allow or deny access to container files for which one or more limits are exceeded. Access is denied by default.
  7. Under NonMIME threshold, in the “No determination after reading” box, type the maximum number of bytes that Symantec Scan Engine should scan to determine whether a file is MIME-encoded. The default setting is 200000 bytes. If Symantec Scan Engine reads the maximum number of bytes without being able to determine whether the file is MIME-encoded, the file is considered to be non-MIME-encoded.
  8. On the toolbar, select one of the following:

      Save: Saves your changes. This option lets you continue making changes in the console until you are ready to apply them.
      Apply: Applies your changes. Your changes are not implemented until you apply them.



References
This information was taken from the "Symantec™ Scan Engine Implementation Guide".


This Implementation guide can be found here:
ftp://ftp.symantec.com/public/english_us_canada/products/symantec_scan_engine/5.1/manuals/


Technical Information
Why set a container limit in SSE 5.x?

Symantec Scan Engine protects your network from file attachments that can overload the system and cause denial-of-service.
This includes container files that are overly large, that contain large numbers of embedded, compressed files, or that are designed to maliciously use resources and degrade performance.
To reduce your exposure to denial-of-service attacks, you can impose limits to control how Symantec Scan Engine handles container files.

You can specify the following limits for handling container files:

  • The maximum amount of time, in seconds, that is spent decomposing a container file and its contents. This setting does not apply to .hqx or .amg files.
  • The maximum file size, in bytes, for individual files that are in a container file
  • The maximum number of nested levels to be decomposed for scanning
  • The maximum number of bytes that are read when determining whether a file is MIME-encoded


Symantec Scan Engine scans a file and its contents until it reaches the maximum depth that you specify.
Symantec Scan Engine stops scanning any file that meets the maximum file size limit or that exceeds the maximum amount of time to decompose.
It then generates a log entry. Symantec Scan Engine resumes scanning any remaining files.
This process continues until Symantec Scan Engine has scanned, to the maximum depth, all of the files that do not meet any of the processing limits.
You can specify whether to allow or deny access to files for which an established limit is met or exceeded and for which processing has stopped.
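
The stop, log and resume behavior described above, sketched for ZIP containers as an added example (this is not Symantec Scan Engine code and is not taken from the Implementation Guide). The parameter names, the convention that the outermost container counts as level 1, and the sample archive are assumptions constructed for illustration.

```python
import io, time, zipfile

def make_zip(members):
    """Build a constructed sample ZIP in memory from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, body in members.items():
            zf.writestr(name, body)
    return buf.getvalue()

def sample():
    """Constructed input: a small file, a 4 KiB file, and a ZIP nested 4 deep."""
    inner = make_zip({"deep.txt": b"x"})
    for i in range(3):
        inner = make_zip({f"level{i}.zip": inner})
    return make_zip({"ok.txt": b"hello", "big.bin": b"\0" * 4096, "nest.zip": inner})

def scan_container(data, max_seconds=180, max_bytes=100 * 1024 * 1024,
                   max_depth=10, deny_on_limit=True):
    """Return (verdict, log, scanned). Defaults mirror the article; 0 disables
    the time or size limit. Hypothetical names; outermost container = level 1."""
    log, scanned = [], []
    deadline = time.monotonic() + max_seconds if max_seconds else None

    def walk(blob, depth, path):
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            for info in zf.infolist():
                name = f"{path}/{info.filename}"
                if deadline and time.monotonic() >= deadline:
                    raise TimeoutError(name)
                # Inflate at most max_bytes, so an oversized member is never
                # fully expanded in memory.
                with zf.open(info) as member:
                    body = member.read(max_bytes or -1)
                if max_bytes and len(body) >= max_bytes:
                    log.append(f"size limit: {name}")
                    continue  # stop this file, resume with the remaining ones
                if not zipfile.is_zipfile(io.BytesIO(body)):
                    scanned.append(name)  # a real engine would scan body here
                elif depth + 1 > max_depth:
                    log.append(f"depth limit: {name}")
                else:
                    walk(body, depth + 1, name)

    try:
        walk(data, 1, "")
    except TimeoutError as exc:
        log.append(f"time limit: {exc}")
    # Access is denied by default when any limit was met or exceeded.
    return ("deny" if log and deny_on_limit else "allow"), log, scanned
```

With `max_bytes=2048` and `max_depth=3` the sample yields one size entry and one depth entry in the log while `ok.txt` is still scanned, which is the resume behavior the article describes.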