Supressing Decomposer Result ID 41 errors while scanning container files

book

Article ID: 197912

calendar_today

Updated On:

Products

Protection Engine for NAS Protection Engine for Cloud Services

Issue/Introduction

Administrator is receiving thousands of emails for "Container violation/Decomposer 41: Unknown Algorithm found" errors for container files.
Given .exe test file contained 650 child files inside it after extraction. There are 650 errors of Decomposer error 41 are found in SPE logs. Same results were seen with latest Symantec Protection Engine (SPE) release 8.1.0

Errors:
SPE logs have the below repeated events:

2020-07-17 11:11:10 Event Severity Level = Error Scanner = Decomposer Result ID = 41 URL = no_path File name = <filename>.exe Client IP = <ip_address> Scan Duration (sec) = 0.594 ConnectDuration (sec) = 1.657 Symantec Protection Engine IP address = <ip_address> Symantec Protection Engine Port number = 1344 Uptime (in seconds) = 1901534 Date/time of event(with millisec) = 2020-07-17 11:11:10:486

Also there are the same number of errors are present in CSAPI log file for the same number of child files. 
Below is the snippet from the csapi log for single child file.

[1597842521,PID:5452,TID:5912,  DEBUG, DEC] CDECSink::OnChildFound - Exit.  [csapi_cdecsink.cpp:332(CDECSink::OnChildFound)]
[1597842521,PID:5452,TID:5912,  DEBUG, DEC] CDECSink::OnChildBad - Enter, child file name: data/OFFLINE/9B2C9F06/69DC923A/About.bmp [csapi_cdecsink.cpp:1139(CDECSink::OnChildBad)]
[1597842521,PID:5452,TID:5912,  NOTICE, DEC] CDECSink::OnChildBad - Container unknown algorithm, name:<filename>.exe , extension: exe ,engine name: SEVEN_Z [csapi_cdecsink.cpp:1353(CDECSink::OnChildBad)]
[1597842521,PID:5452,TID:5912,  DEBUG, DEC] CDECScannerPolicy::StopCurrentFileProcessingOnUnknownAlgorithmError(): 0 [csapi_cdecscannerpolicy.cpp:603(CDECScannerPolicy::StopCurrentFileProcessingOnUnknownAlgorithmError)]
[1597842521,PID:5452,TID:5912,  DEBUG, DEC] CDECSink::OnChildBad(),Exit [csapi_cdecsink.cpp:1377(CDECSink::OnChildBad)]
[1597842521,PID:5452,TID:5912,  DEBUG, DEC] CDECSink::OnBusy(), Enter. [csapi_cdecsink.cpp:2219(CDECSink::OnBusy)]

Cause

The SPE mechanism for processing container file proceeds by extracting one file at a time, so here for every child file the error condition is hit and hence we are seeing these many errors for single .EXE file.

In this case the packaging/compression mechanism used by the .EXE file is LZMA2 supported by 7zip engine. (We can successfuly extract the file using 7zip utility)
LZMA2 is supported algorithm by SPE 7zip engine. So there is slight possibility that the file was compressed using such algorithm or its variant that is not supported by SPE 7zip engine hence we get the UNKNOWN_ALGORITHM error.

Environment

Symantec Protection Engine version 8.0/8.1

Resolution

You can bypass this error and stop processing of the container file after this error is encountered by adding cat3 parameters BypassUnknownAlgorithmError and StopCurrentFileProcessingOnUnknownAlgorithmError respectively created in the category3.xml file.

Perform the following steps to deploy this file:
1. Download category3.xml file from this document. (Rename the file to category3.xml if downloaded as a different name)
2. Stop SPE service.
3. Copy and paste category3.xml to <Drive>\Program Files\Symantec\Scan Engine
4. Start SPE service.

Note: There is a version number <custom version="070503"> that must match the installed version number. 
Below are some value for different version:
SPE 7.5.3 : version="070503"
SPE 7.8.0 : version="070800"
SPE 7.9.0 : version="070900"
SPE 7.5.3 : version="070503"
SPE 8.0.0 : version="080000"
This can be updated using a text editor like NotePad.

Attachments

1598285129967__category3.xml get_app