SPE logs scan error for .exe, .msi, .dll files with hex code 0x80800c00

Article ID: 221957

Updated On: 03-26-2025

Products

Protection Engine for NAS, Protection Engine for Cloud Services

Issue/Introduction

Symantec Protection Engine (SPE) logs contain one or more scan errors with hex code 0x80800c00 for exe and other file types with potential reputation implications.

Error message : Failed with scan error hex code 0x80800c00 Client IP : #.#.#.#

ICAP SERVER RETURED ERROR CODE 500.

 

Environment

Release: SPE 8.2.x-9.0.x

 

 

Cause

A network device between SPE and the Broadcom global file reputation servers issued a TCP reset to SPE.

In some cases the device was found to be a Zscaler device configured to do SSL deep inspection. When SPE sent a request to the Insight Scan servers on the internet and the Insight server responded with its own certificate, the Zscaler device substituted its own certificate and returned that to the SPE server instead of the Insight server's. As a result SPE could not trust the transaction, which produced the hex code error.

 

 

Resolution

Possible Resolutions:

  1. If the environment requires a proxy, set the proxy settings in SPE as described in "How to configure Symantec Protection Engine (SPE) 7.8 or later to use a Web Proxy to download Virus Definitions".


  2. If LiveUpdate also fails, troubleshoot that issue first using "LiveUpdate error codes for Protection Engine 7.5 and later".


  3. If the SPE server is not connected to the internet, you may disable Insight scanning in Policy.xml to resolve the issue.


  4. If connectivity to the Symantec Reputation server is broken, correcting it should resolve the issue. See Networking Port Requirements.

    To test whether a Zscaler or similar device is getting in the way, do the following:

    * From a computer (preferably the SPE server) with OpenSSL installed, run the following openssl command, adjusting the output path for the environment (Windows or Linux):

      openssl s_client -connect 34.102.128.190:443 > C:\Temp\InsightCert.txt

    * Open the file "InsightCert.txt" to which the output was recorded, copy everything from "-----BEGIN CERTIFICATE-----" to "-----END CERTIFICATE-----", paste it into a text file, then save the file with a *.crt extension.

    * Open the .crt file with a certificate viewer. It will be evident whether the certificate came from a Broadcom server on the internet or from something else.

    * If the certificate did not originate from "O=Broadcom Inc" with "CN=colossus-rrs.symantec.com", that helps confirm that something is interfering with the SPE handshake with the Insight servers.

    * The next option would be to whitelist the Insight servers by name and/or address per the SPE Networking Port Requirements document.


  5. Disable the Insight Scanning feature of SPE.

    To disable Symantec Insight™ in Symantec Protection Engine using the xmlmodifier tool:

  • Open cmd
  • Go to the Symantec Protection Engine installation directory.
  • Type the following command and press Enter:
    .\xmlmodifier -s //policies/ThreatPolicies/InsightScanning/@enabled false policy.xml

  • Restart the SPE service

 

If errors appear for any other type of file (non-PE file), or the issue is not resolved by the resolutions above, enable SPE, CSAPI and Stargate logs and provide them to a Technical Support Engineer on a case.
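
The certificate check from resolution 4, as an added example that is not part of the original article or of Broadcom's tooling: it reads the saved "openssl s_client" output directly and compares the "subject=" line with the O and CN values the article names, accepting both OpenSSL subject layouts. The function names and verdict strings are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not vendor code. Classifies saved `openssl s_client` output.
# Expected values are the ones the article names for the Insight server.
EXPECTED_O='Broadcom Inc'
EXPECTED_CN='colossus-rrs.symantec.com'

# Print the leaf certificate's subject or issuer as "/K=V/K=V/".
# Accepts both OpenSSL layouts: "C = US, O = X" and "/C=US/O=X".
# tr strips the CRs left when the file was written on Windows.
cert_field() {   # $1 = subject|issuer, s_client output on stdin
    tr -d '\r' | sed -n "s/^$1=//p" | head -n 1 |
        sed -e 's| *= *|=|g' -e 's|, *|/|g' -e 's|^/*|/|' -e 's|/*$|/|'
}

# Prints EXPECTED, INTERCEPTED or NO_CERT; returns 0, 1 or 2.
check_insight_cert() {   # $1 = file holding s_client output
    subj=$(cert_field subject < "$1")
    if [ -z "$subj" ]; then
        echo NO_CERT      # no certificate was received (e.g. TCP reset)
        return 2
    fi
    case "$subj" in
        */"O=$EXPECTED_O"/*) ;;
        *) echo INTERCEPTED; return 1 ;;
    esac
    case "$subj" in
        */"CN=$EXPECTED_CN"/*) echo EXPECTED; return 0 ;;
        *) echo INTERCEPTED; return 1 ;;
    esac
}

# One-line report; the issuer names whatever signed the certificate SPE saw.
report() {   # $1 = file
    verdict=$(check_insight_cert "$1") || true
    echo "$1: $verdict subject=$(cert_field subject < "$1") issuer=$(cert_field issuer < "$1")"
}

# Usage: pass the file written by the openssl command above.
if [ $# -gt 0 ]; then report "$1"; fi
```

An inspection proxy can copy the original subject into the certificate it re-signs, so read the issuer that the report prints as well; the article does not state the expected issuer.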

 

 

Additional Information

What sorts of files are impacted?

Within SPE, Insight is only applicable to Portable Executable (PE) files. Examples of PE files include: .exe, .msi, .dll, .so

 

What about .apk files?

If you see this error for executable files, you may also see it for .apk files. If so, you may also need to disable reputation lookups for .apk, like so:

  1. Open cmd
  2. Go to the Symantec Protection Engine installation directory.
  3. Type the following command and press Enter:
    .\xmlmodifier -s //policies/ThreatPolicies/APKReputation/@enabled false policy.xml
  4. Restart the SPE service