When scanning files with Symantec Protection Engine (SPE), SPE logs a Decomposer Result ID 49 scan error.
This error is thrown when Protection Engine's compression ratio limit is reached and the uncompressed file is 100MB or larger. The default compression ratio limit for Protection Engine is 25:1.
To raise the compression ratio limit in SPE 8.2 and higher, use the following xmlmodifier command. A value of 0 configures SPE to use the default compression ratio limit of 25:1.
xmlmodifier -s /filtering/Container/MaxCompressionRatio/@value <value> filtering.xml
* 0 to 2147483648
Default value: 0
How do I know what value to adjust the MaxCompressionRatio to?
If the default value does not prevent SPE from recording Decomposer / 49 for a given file, then increase the value and re-scan.
A value higher than 75 (25 for 8.2.x builds) will increase the compression ratio above the default value.
A value less than 75 (25 for 8.2.x builds) would effectively lower compression ratio below the default value and is not recommended. It is likely to increase the number of Decomposer/49 errors in the SPE logs.
To understand the risk of setting a MaxCompressionRatio too high, please see the Additional Information section below.
What is the actual compression ratio for SPE?
As noted above the value of 0 for the MaxCompressionRatio means SPE is configured to use the default compression ratio limit of 25:1.
The compression ratio is not exact. To set ratio to 50:1, then configure MaxCompressionRatio to 55. To set ratio to 70:1, then configure MaxCompressionRatio to 75 and so on.
To identify the value needed to scan a particular file
ssecls.exe -mode scan -onerror leave -details -verbose "filename.ext"
Why would SPE make compression ratio a configurable value?
Compression ratio is one way to avoid Denial of Service attacks involving files which are deliberately crafted with pointers which are broken or are set in a circular structure. This type of attempted attack against antimalware software appeared as the Zip Of Death in 2001. Ref: https://www.theregister.com/2001/07/23/dos_risk_from_zip/
When did this configuration first become available?
The ability to define this limit was added in SPE 8.2. Prior to SPE 8.2, the default compression ration in SPE 8.1 was originally around 12. This default increased to 25 in an engine update. If you have SPE 8.1 on multiple machines and get Decomposer 49 on some files while on other scanners, the same file scans successfully, ensure that LiveUpdate is working on all scanners so that important engine updates can be applied. The default MaxCompression ratio rose to 75 in the SPE 9.0.0 build.
What happens if the MaxCompressionRatio is set too high?
What other errors may occur?
The logs of SPE may also contain "|4|2|3|3|" or "Container violation". For those, see 242287
For more information on XMLModifier.
Please refer to the Related Documents link and download the zip file. When extracted refer to the Command Line Reference Guide.