To raise the MaxExtractSize in SPE 8.2.1 and higher, use the following xmlmodifier command. A value of 100 configures SPE to use the default extract size of 100MB.

xmlmodifier -s //filtering/Container/MaxExtractSize/@value <value> filtering.xml

Allowed value:
    * 0 to 30719(in Mega Bytes)
Default value: 100

How do I confirm the current setting? 

• Navigate to the default install folder of SPE, then do one of the following:
  
  1. Use xmlmodifier to query the value:
      ./xmlmodifer -q //filtering/Container/MaxExtractSize/@value filtering.xml
  
  2. Use bash grep to search for MaxExtractSize in filtering.xml:
      grep "MaxExtractSize" filtering.xml
  
  3. Use cmd find to search for MaxExtractSize in filtering.xml:
      find "MaxExtractSize" filtering. xml

How do I know what value to adjust the MaxExtractSize to?

If the default value is insufficient to prevent SPE from recording a container violation for the sample file, then increase the value and re-scan. 

A value higher than 100 will increase the extract size above the default value.

A value less than 100 would effectively lower the maximum permitted size of the extracted contents of a container file below the default value and is not recommended. It is likely to significantly increase the number of container policy errors in the SPE logs.

To understand the risk of setting a MaxExtractSize too high, please see the Additional Information section below.

To identify the value needed to scan a particular file

1. To use the ssecls test scan tool to scan the file
   ssecls.exe -mode scan -onerror leave -details -verbose "filename.ext"
   
   
2. If an error occurs, check today's <SPE Install folder>/log/SSEYYYYMMDD.log file for the most recent log entry for the filename. If the log entry is "Container violation" (or "|4|2|3|3|" in the raw logs) , then double the MaxExtractSize and scan again. Return to step 1.
3. If ssecls reports the file scanned without errors, or a different error occurs in the .log file, then the new value should be halfway between the value you tested and the previous value. Return to step 1.
4. If you get to a point where the difference between your current test value and your previous test value is "1", you identified the borderline where container violation occurs for the sample file. The larger of these two values is the one which will permit the file without SPE logging container violation. You may still encounter other configurable limits.
5. If the file is a .xlsx file.  You can rename it to .zip.   Unzip the file and get the file size.

    Compression ratio is one way to avoid Denial of Service attacks involving files which are deliberately crafted with pointers which are broken or are set in a circular structure. This type of attempted attack against antimalware software appeared as the Zip Of Death in 2001. Ref: https://www.theregister.com/2001/07/23/dos_risk_from_zip/

What happens if the MaxExtractSize is set too high?

• The risk of a disk full condition is increased.
  • Also, you may hit other configurable limits within SPE from scanning a particular file.
• Setting the value too high may result in slower scanning for files with a higher degree of compression.
• If the value is higher it could increase the risk of DOS attacks being successful.  If the value is low then the risk is low as implied under Why would SPE make MaxExtractSize a configurable value? at the beginning of this section of the article.