Container violation in SPE logs


Article ID: 242287


Products

  • Protection Engine for Cloud Services
  • Protection Engine for NAS
  • Protection for SharePoint Servers

Issue/Introduction

One or more of the following occurs:

  • Symantec Protection Engine (SPE) logs "Container violation" in its detailed logs.
  • An entry in the raw SPE logs contains "|4|2|3|3|" after the epoch timestamp.
  • ssecls displays "Virus Name:     Container size violation - scan incomplete."


Cause

The extracted contents of the container file (an archive, an Office document, or any other file SPE must unpack to scan) are larger than the configured MaxExtractSize value, so SPE stops extracting, logs a container violation, and reports the scan as incomplete.

Resolution

To raise MaxExtractSize in SPE 8.2.1 and later, run the following xmlmodifier command from the SPE install folder, replacing <value> with the new limit in megabytes. A value of 100 restores the default extract size of 100 MB. Restart the SPE service afterwards if your version does not pick up filtering.xml changes automatically.

xmlmodifier -s //filtering/Container/MaxExtractSize/@value <value> filtering.xml

Allowed values: 0 to 30719 (megabytes)
Default value: 100


How do I confirm the current setting?

  • Navigate to the SPE install folder, then do one of the following:

    1. Use xmlmodifier to query the value:
        ./xmlmodifier -q //filtering/Container/MaxExtractSize/@value filtering.xml

    2. On Linux, use grep to search for MaxExtractSize in filtering.xml:
        grep "MaxExtractSize" filtering.xml

    3. On Windows, use find in cmd to search for MaxExtractSize in filtering.xml:
        find "MaxExtractSize" filtering.xml


How do I know what value to adjust the MaxExtractSize to?

If the default value is not enough to prevent SPE from recording a container violation for the sample file, increase the value and re-scan.

A value higher than 100 raises the extract size above the default.

A value lower than 100 reduces the maximum permitted size of a container's extracted contents below the default and is not recommended: it is likely to significantly increase the number of container policy errors in the SPE logs.

To understand the risk of setting a MaxExtractSize too high, please see the Additional Information section below.


To identify the value needed to scan a particular file

  1. Scan the file with the ssecls test scan tool:
    ssecls.exe -mode scan -onerror leave -details -verbose "filename.ext"

  2. If an error occurs, check today's <SPE Install folder>/log/SSEYYYYMMDD.log for the most recent entry for the file name. If the entry is "Container violation" (or "|4|2|3|3|" in the raw logs), double the MaxExtractSize and scan again. Return to step 1.
  3. If ssecls reports that the file scanned without errors, or a different error appears in the .log file, set the next test value halfway between the value you just tested and the previous one. Return to step 1.
  4. When the difference between the current test value and the previous test value is 1, you have found the boundary at which the container violation occurs for the sample file. The larger of the two values is the smallest MaxExtractSize that lets the file scan without SPE logging a container violation. You may still encounter other configurable limits.
  5. If the file is a ZIP-based container such as .xlsx, you can measure the required size directly instead: rename the file to .zip, extract it, and total the size of the extracted contents.
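Steps 1 to 4 above are a doubling phase followed by a bisection, and step 5 measures the extracted size directly. The following Python script is an added example, not part of this article or of SPE: it totals the uncompressed size of a ZIP-based container (.zip, .xlsx, .docx) from the ZIP central directory without extracting anything, converts that to the smallest whole-megabyte MaxExtractSize, and implements the doubling-then-bisection search against a pluggable scan_ok callback. The callback used here is a simulated scan that assumes a container passes when its extracted size is at most MaxExtractSize MiB (the exact comparison and unit SPE uses are assumptions); in production you would replace it with a function that sets the value with xmlmodifier, runs ssecls, and checks the log. The sample container is constructed in memory.

```python
import io
import math
import zipfile

MB = 1024 * 1024  # assumption: SPE counts MaxExtractSize in MiB


def extracted_size(container):
    """Total uncompressed size in bytes of every member of a ZIP-based
    container (.zip, .xlsx, .docx, ...). Nothing is written to disk: the
    sizes are read from the central directory via zipfile."""
    with zipfile.ZipFile(container) as zf:
        return sum(info.file_size for info in zf.infolist())


def required_max_extract_size(extracted_bytes):
    """Smallest whole-MB MaxExtractSize that admits this extracted size
    (step 5 of the article, done with arithmetic instead of unzipping)."""
    return math.ceil(extracted_bytes / MB)


def find_threshold(scan_ok, start=100, upper=30719):
    """Steps 1-4 of the article: double MaxExtractSize until the scan stops
    logging a container violation, then bisect between the last failing and
    the first passing value until they differ by 1.

    scan_ok(value) must return True when a scan with MaxExtractSize=value
    logs no container violation. Returns `start` if it already passes (the
    article does not recommend going below the default), otherwise the
    smallest passing value, or None if even `upper` (the largest value SPE
    accepts) is not enough."""
    if scan_ok(start):
        return start
    lo, hi = start, start  # lo: last failing value, hi: first passing value
    while not scan_ok(hi):
        if hi >= upper:
            return None
        lo, hi = hi, min(hi * 2, upper)
    while hi - lo > 1:
        mid = (lo + hi) // 2
        if scan_ok(mid):
            hi = mid
        else:
            lo = mid
    return hi


def simulated_scan(extracted_bytes):
    """Stand-in for 'set MaxExtractSize, run ssecls, read the log'.
    Assumption: SPE logs a container violation exactly when the extracted
    size exceeds MaxExtractSize megabytes."""
    return lambda value: extracted_bytes <= value * MB


def build_sample_container(member_sizes):
    """Constructed sample: an in-memory ZIP laid out like an .xlsx, whose
    members have the given uncompressed sizes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for i, size in enumerate(member_sizes, 1):
            zf.writestr(f"xl/worksheets/sheet{i}.xml", b"0" * size)
    buf.seek(0)
    return buf


if __name__ == "__main__":
    sample = build_sample_container([2 * MB, MB, 1])  # 3 MiB + 1 byte extracted
    size = extracted_size(sample)
    print(f"extracted size: {size} bytes -> MaxExtractSize >= "
          f"{required_max_extract_size(size)} MB")
    # The search converges on the same answer without knowing the size:
    print("search result (start=1):", find_threshold(simulated_scan(size), start=1))
    # A workbook that extracts to 150 MiB + 1 byte exceeds the default of 100:
    print("search result (default start):", find_threshold(simulated_scan(150 * MB + 1)))
```

The search costs one scan per doubling plus one per halving, so a file that needs a few hundred megabytes takes about ten scans to pin down. The direct measurement in step 5 is one call to extracted_size, which is why it is worth trying first for any container that is really a ZIP.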


Additional Information

Why would SPE make the MaxExtractSize a configurable value?

    Limiting the extracted size, and with it the compression ratio the scanner will tolerate, is one way to defend against denial-of-service attacks that use deliberately crafted archives: files with extreme compression ratios, or with internal pointers that are broken or form a circular structure, so that a scanner which extracts without limit exhausts disk space or CPU. This type of attack against antimalware software appeared as the "Zip of Death" in 2001. Ref: https://www.theregister.com/2001/07/23/dos_risk_from_zip/


What happens if the MaxExtractSize is set too high?

  • The risk of a disk-full condition increases, because SPE may extract up to that much data for a single container.
    • You may also hit other configurable limits within SPE while scanning a particular file.
  • Scanning slows for files with a high degree of compression, because more data must be extracted and scanned.
  • A higher value increases the risk that a denial-of-service attack of the kind described above succeeds; a low value keeps that risk low, as noted under "Why would SPE make the MaxExtractSize a configurable value?" at the beginning of this section.


An example of full output from ssecls:

>..\..\ssecls scanfilesave-20220516-190132\internal_error\20220516-191850-521.before


    Virus scan process began : Fri May 20 16:38:31 2022
Virus scan process completed : Fri May 20 16:38:33 2022

        Defs Version = 20220520.019
 Commandline Scanner = 8.2.0.6

         Total Bytes = 6302449 (Mbytes 6.0105)
             Elapsed = 2.0610
           Scan Rate =  2.92 (Mbytes/sec)

      Files Excluded = 0
       Files Scanned = 1
 Directories Scanned = 0
Directories Excluded = 0
       Files Skipped = 0
    Files Scan Error = 0
      Files Infected = 1


Data based metering parameters:
Data Scanned in bytes = -1 (NA)
Total files scanned = -1 (NA)

No error was found during the scan


Infected file(s) list:
scanfilesave-20220516-190132\internal_error\20220516-191850-521.before  deleted
        File Name:      20220516-191850-521.before/xl/revisions/revisionLog273.xml
        Virus Name:     Container size violation - scan incomplete.
        Virus ID:       -9
        Unscannable: false
        Disposition:    Infected

>