Scan Engine 5.x detects plain text email attachments as container violations.

book

Article ID: 177384

calendar_today

Updated On:

Products

Scan Engine

Issue/Introduction

After sending a message with a plain text attachment through a Scan Engine 5.x using the ICAP protocol, the Scan Engine logs contain references to container violations. What steps can be taken to troubleshoot this issue?

Symptoms
The logs may display one or more of the following entries:

- The Scan Engine logs show error 10 from module Decomposer when scanning a plain text file.
- The Scan Engine logs show a "container size violation" when scanning a plain text file.
- The Scan Engine logs show a "container depth violation" when scanning a plain text file.

 

Resolution

As an immediate workaround, it may be possible to increase the container limits.


NOTE: Raising the container limits increases the CPU and memory resources that are used for any individual message scanned by Scan Engine.


To set container limits

  1. In the console on the primary navigation bar, click Policies.
  2. In the sidebar under Views, click Filtering.
  3. In the content area on the Container Handling tab, under Container File Processing Limits, in the “Time to extract file meets or exceeds” box, type the maximum time that Symantec Scan Engine can spend extracting a single container file. The default setting is 180 seconds (3 minutes). To disable this setting (so that no limit is imposed), type 0.
  4. In the “Maximum extract size of file meets or exceeds” box, type the maximum file size, in bytes, for individual files in a container file. The default setting is 100 MB. To disable this setting (so that no limit is imposed), type 0.
  5. In the “Maximum extract depth of file meets or exceeds” box, type the maximum number of nested levels of files that are decomposed within a container file. The default setting is 10 levels. The maximum value for this setting is 50.
  6. Under “When processor limit is met (or exceeded)”, select whether to allow or deny access to container files for which one or more limits are exceeded. Access is denied by default.
  7. Under NonMIME threshold, in the “No determination after reading” box, type the maximum number of bytes that Symantec Scan Engine should scan to determine whether a file is MIME-encoded. The default setting is 200000 bytes. If Symantec Scan Engine reads the maximum number of bytes without being able to determine whether the file is MIME-encoded, the file is considered to be non-MIME-encoded.
  8. On the toolbar, select one of the following:

      Save Saves any changes. With this option it is possible to continue making changes in the console until ready to apply them.
      Apply Applies any changes. With this option changes are not implemented until applied.






Technical Information
Error 10 from the Decomposer module interprets as "RESULT_MALFORMED_CONTAINER_DELETED".


 


Attachments