Protection Engine scan error Decomposer Result ID 49 Compression Ratio Limit is Reached
search cancel

Protection Engine scan error Decomposer Result ID 49 Compression Ratio Limit is Reached

book

Article ID: 204325

calendar_today

Updated On:

Products

Protection Engine for Cloud Services Protection Engine for NAS Protection for SharePoint Servers

Issue/Introduction

When scanning files with Symantec Protection Engine (SPE), SPE logs a Decomposer Result ID 49 scan error.

Environment

SPE 9.x

Also on SPE 8.2.x

Cause

This error is thrown when Protection Engine's compression ratio limit is reached and the uncompressed file is 100MB or larger. The default compression ratio limit for Protection Engine is 70:1.

Resolution

To raise the compression ratio limit in SPE 8.2 and higher, use the following xmlmodifier command. A value of 0 configures SPE to use the default compression ratio limit of 70:1. In 8.2.x builds, the default compression ratio is 25:1

xmlmodifier -s /filtering/Container/MaxCompressionRatio/@value <value> filtering.xml

Allowed value:
    * 0 to 2147483648
Default value: 0

 

How do I know what value to adjust the MaxCompressionRatio to?

If the default value does not prevent SPE from recording Decomposer / 49 for a given file, then increase the value and re-scan. 

A value higher than 75 (25 for 8.2.x builds) will increase the compression ratio above the default value.

A value less than 75 (25 for 8.2.x builds) would effectively lower compression ratio below the default value and is not recommended. It is likely to increase the number of Decomposer/49 errors in the SPE logs.

If you use SPE in a NAS context and do not have a test environment, set MaxCompressionRatio to 145 to permit complex MS Office documents. This will prevent a large number of help desk tickets, but not all.

To understand the risk of setting a MaxCompressionRatio too high, please see the Additional Information section below.

 

 

What is the actual compression ratio for SPE?

As noted above the value of 0 for the MaxCompressionRatio means SPE is configured to use the default compression ratio limit of 25:1. 

The compression ratio is not exact.  To set ratio to 50:1, then configure MaxCompressionRatio to 55.  To set ratio to 70:1, then configure MaxCompressionRatio to 75 and so on. 

 

 

To identify the value needed to scan a particular file

  1. To use the ssecls test scan tool to scan the file 
    ssecls.exe -mode scan -onerror leave -details -verbose "filename.ext"
  2. If an error occurs, check today's <SPE Install folder>/log/SSEYYYYMMDD.log file for the most recent log entry for the filename. If the error code pair is Decomposer / 49, then double the MaxCompressionValue and scan again. Return to step 1.
  3. If ssecls reports the file scanned without errors, or a different error occurs in the .log file, then the new value should be halfway between the value you tested and the previous value. Return to step 1.
  4. If you get to a point where the difference between your current test value and your previous test value is "1", you identified the borderline where Decomposer / 49 occurs for the sample file. The larger of these two values is the one which will permit the file without SPE logging Decomposer / 49. You may still encounter other configurable limits.
  5. If the file is a .xlsx file.  You can rename it to .zip.   Unzip the file and get the file size and divide it by the the zipped size.     Unzipped/Zipped = compression ratio

 

Additional Information

Why would SPE make compression ratio a configurable value?

    Compression ratio is one way to avoid Denial of Service attacks involving files which are deliberately crafted with pointers which are broken or are set in a circular structure. This type of attempted attack against antimalware software appeared as the Zip Of Death in 2001. Ref: https://www.theregister.com/2001/07/23/dos_risk_from_zip/

 

When did this configuration first become available?

The ability to define this limit was added in SPE 8.2. Prior to SPE 8.2, the default compression ration in SPE 8.1 was originally around 12. This default increased to 25 in an engine update. If you have SPE 8.1 on multiple machines and get Decomposer 49 on some files while on other scanners, the same file scans successfully, ensure that LiveUpdate is working on all scanners so that important engine updates can be applied. The default MaxCompression ratio rose to 75 in the SPE 9.0.0 build.

 

What happens if the MaxCompressionRatio is set too high?

  • The risk of a disk full condition is increased.
    • Also, you may hit other configurable limits within SPE from scanning a particular file. The most common is SPE logging a container violation due to exceeding MaxExtractSize.
  • Setting the value too high may result in slower scanning for files with a higher degree of compression.
  • If the value is higher it could increase the risk of Denial Of Service (DOS) attacks being successful.  If the value is low then the risk is low as implied under Why would SPE make compression ratio a configurable value? above.

 

What other errors may occur?

The logs of SPE may also contain "|4|2|3|3|" or "Container violation". For those, see 242287

 

For more information on XMLModifier.

Please refer to the Related Documents link and download the zip file.  When extracted refer to the Command Line Reference Guide.

Powered by Wolken Software