When performing a scan with the C compiled ssecls, the Java compiled ssecls.jar, the REST API, or a custom script based on the Java API, Symantec Protection Engine (SPE) appears to always return the bytes scanned and files scanned values as -1.
{"Symantec Protection Engine IP" : "127.0.0.1","Symantec Protection Engine Port" : "1344","Symantec Protection Engine Connection Status" : "Able to connect","File Scanned" : "sample.txt","Scan Policy" : "SCAN","Virus Def Date" : "Thu May xx","Virus Def Revision No" : "0xx","Total Infection" : "0","Bytes Scanned": "-1","Total Files Scanned": "-1","File True Type" : "NA","Status" :"CLEAN"}
Enabling these features requires an additional category3.xml with the following tags:
<EnableDataScannedInICAPResponse value="true"/>
<EnableTotalFilesScannedInICAPResponse value="true"/>
cd "C:\Program Files\Symantec\Scan Engine"
At the Linux bash prompt, type:
cd /opt/SYMCScan/bin
findstr /R "version=\"0.0.0.\"" *.xml
At the Linux bash prompt, type:
grep -o -e "version=\"0.0.0.\"" *.xml
find "ScannedInICAPResponse" category3.xml
At the Linux bash prompt, type:
grep "ScannedInICAPResponse" category3.xml
<EnableDataScannedInICAPResponse value="true"/>
<EnableTotalFilesScannedInICAPResponse value="true"/>
-api 1 -api 2
{"Symantec Protection Engine IP" : "127.0.0.1","Symantec Protection Engine Port" : "1344","Symantec Protection Engine Connection Status" : "Able to connect","File Scanned" : "testfile.text","Scan Policy" : "SCAN","Virus Def Date" : "Thu May xx","Virus Def Revision No" : "0xx","Total Infection" : "1","Bytes Scanned" : "69","Total Files Scanned" : "1","File True Type" : "NA","Violation Detail-0" : {"File Name" : "testfile.text","Violation Name" : "EICAR Test String","Threat Category" : "NA","Violation Id" : "11101","Disposition" : "0","File Unscannable" : "false","Uber Category" : "NA","SubCategory ID" : "0","Cumulative Risk Rating" : "High","Performance Impact" : "High","Privacy Impact" : "High","Ease of Removal" : "High","Stealth" : "High","SubCategory Description" : "NA"},"Status" :"INFECTED_UNREPAIRED"}
To get the "File True Type" information in the ICAP response/SPE SDKs, a category3 parameter must be added so that SPE makes the information available. Attached is the required category3.xml for 8.2.2. Please change the version field in it if the SPE version is other than 8.2.2.
Category3.xml
Edit the existing category3.xml file and add the XML tag <EnableFileTrueTypeInICAPResponse value="true"/> as the last tag, just before the </ICAP> tag, so that it looks something like:
<?xml version="1.0" encoding="UTF-8"?>
<!--Sample XML file generated by XMLSpy v2005 U (http://www.xmlspy.com)-->
<custom xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" version="080202" xsi:noNamespaceSchemaLocation="category3.xsd">
<configuration>
<ProtocolSettings>
<ICAP>
<EnableDataScannedInICAPResponse value="true"/>
<EnableTotalFilesScannedInICAPResponse value="true"/>
<EnableFileTrueTypeInICAPResponse value="true"/>
</ICAP>
</ProtocolSettings>
</configuration>
</custom>
After making these changes, save category3.xml and restart the SPE service. You should now get the required type of information.
Note: Before performing an upgrade of Protection Engine to a newer version with category3.xml, please manually remove the file, or the upgrade will fail. You will need to manually change the version string before replacing the file.
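A pre-restart check for the file described above, as an added example that is not part of the original article or of SPE: it confirms that the three tags sit inside <ICAP> with value="true" and that the version attribute matches the installed release. The function name check_category3 and the embedded sample are constructed for illustration; the expected version string is supplied by the caller.

```python
import xml.etree.ElementTree as ET

# Tags named in the article; each must sit inside <ICAP> with value="true".
REQUIRED_TAGS = (
    "EnableDataScannedInICAPResponse",
    "EnableTotalFilesScannedInICAPResponse",
    "EnableFileTrueTypeInICAPResponse",
)

def check_category3(xml_text, expected_version):
    """Return a list of problems in a category3.xml document (empty list = OK)."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    problems = []
    if root.tag != "custom":
        problems.append(f"root element is <{root.tag}>, expected <custom>")
    version = root.get("version")
    if version != expected_version:
        problems.append(f"version is {version!r}, expected {expected_version!r}")
    icap = root.find("./configuration/ProtocolSettings/ICAP")
    if icap is None:
        return problems + ["no <configuration>/<ProtocolSettings>/<ICAP> element"]
    for tag in REQUIRED_TAGS:
        node = icap.find(tag)
        if node is None:
            # Distinguish a tag that is absent from one placed in the wrong element.
            where = "outside <ICAP>" if root.find(f".//{tag}") is not None else "missing"
            problems.append(f"<{tag}> is {where}")
        elif node.get("value") != "true":
            problems.append(f"<{tag}> has value={node.get('value')!r}, expected 'true'")
    return problems

# Constructed sample modelled on the listing in the article (8.2.2 -> "080202").
SAMPLE = """<custom xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        version="080202" xsi:noNamespaceSchemaLocation="category3.xsd">
  <configuration><ProtocolSettings><ICAP>
    <EnableDataScannedInICAPResponse value="true"/>
    <EnableTotalFilesScannedInICAPResponse value="true"/>
    <EnableFileTrueTypeInICAPResponse value="true"/>
  </ICAP></ProtocolSettings></configuration>
</custom>"""

if __name__ == "__main__":
    print(check_category3(SAMPLE, "080202") or "category3.xml looks correct")
```

Run it against the real file by passing the file's contents and the version string reported by the findstr/grep step.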