A server administrator asked how scanning of individual files by SPE (Symantec Protection Engine) works "under the hood".
Symantec Protection Engine 220.127.116.11
High level overview of how SPE file scanning works
- Whenever an item is submitted to the SPE scan engine to be scanned, it is first scanned as a "Byte Stream". This means that all of the bytes presented are passed through the scanner, during which time the engine looks for virus and policy violations according to the enabled engines/policies.
- During the initial scan, the scanner also performs file type identification, using a combination of file structure (such as the file signature) and the file extension. Based on this, it determines what type of file is currently being scanned.
- If the file is a "flat file", such as a text file, the byte stream scan is the only scan that takes place.
- If the file is a "Container File" such as .rar, .tar, .zip, .cab, .pdf, etc., then the scanner invokes an engine called the "decomposer".
- If a policy violation is found during the Byte Stream scan, the action configured for that policy is queued, but does not yet take place.
- Once the decomposer is invoked and the container file type is identified, the decomposer uses the extraction method for that particular container type to extract all child objects from the container.
* For simplicity's sake, let's assume the container file is a .zip file and that it contains one single .txt file and a single .cab file.
* The process repeats: the .txt file and the .cab file are each fed through the AV engine as a Byte Stream.
* If a policy violation is found, the configured/required action is queued to run, but the process continues.
- This is where the MaxExtractSize policy/setting comes into play. If the .txt file is 101 MB and MaxExtractSize is set to 100, this constitutes a policy violation. Scanning of that object then stops at the defined limit.
- (The default MaxExtractSize is 100 MB.) Scanning continues on the .cab file. If it is less than 100 MB, and once it is identified as a container file, the decomposer is invoked again.
* Let's again say, for simplicity's sake, that the .cab file contains two 1 MB .txt files.
* The process then repeats, and those two .txt files are fed through the AV engine as a Byte Stream, until all files contained in the container file have been scanned.
* However, because the 101 MB text file violated the MaxExtractSize limit, with "Actionpolicy = 1" the entire container file is blocked, which means SPE returns a "Scan error" verdict to the requesting connector.
* With "Actionpolicy = 0", SPE records a log event that a "Container Violation" has taken place, according to the logging policies: in its local log file if configured (on by default), in syslog (or the Windows event log) if configured, and via notifications if configured. It then sends a "Clean" verdict back to the connector. In other words, it writes the action taken to the log and syslog, but tells the connector that the scanned file passed.
All contents of the file have been scanned, EXCEPT any contents of sub-files that exceeded the configured limit.
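The walk-through above, as an added simplified model (not SPE's own code or API; the class and function names and the sample archive are constructed here) showing why the same MaxExtractSize violation yields a "Scan error" verdict under Actionpolicy = 1 and a logged-but-"Clean" verdict under Actionpolicy = 0, while sibling objects are still scanned:

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed in-memory model of a submitted object: a container has children,
# a flat file has children=None. Sizes are the extracted size in MB.
@dataclass
class ScanItem:
    name: str
    size_mb: int
    children: Optional[List["ScanItem"]] = None

@dataclass
class ScanResult:
    verdict: str                         # "Clean" or "Scan error"
    log: List[str] = field(default_factory=list)

def scan(item: ScanItem, max_extract_mb: int = 100, action_policy: int = 0) -> ScanResult:
    """Byte-stream scan, decomposer recursion, queued violations, final verdict."""
    log: List[str] = []
    violations: List[str] = []

    def walk(obj: ScanItem, depth: int) -> None:
        pad = "  " * depth
        # 1. Every object, container or flat, is first scanned as a byte stream.
        log.append(f"{pad}byte-stream scan: {obj.name} ({obj.size_mb} MB)")
        # 2. MaxExtractSize applies to extracted child objects: scanning of this
        #    object stops at the limit and the violation is queued, but siblings
        #    are still processed.
        if depth > 0 and obj.size_mb > max_extract_mb:
            violations.append(obj.name)
            log.append(f"{pad}MaxExtractSize violation queued: {obj.name}")
            return
        # 3. A container is handed to the decomposer; each child re-enters step 1.
        if obj.children is not None:
            log.append(f"{pad}decomposer: {len(obj.children)} child object(s) in {obj.name}")
            for child in obj.children:
                walk(child, depth + 1)

    walk(item, 0)
    if not violations:
        return ScanResult("Clean", log)
    if action_policy == 1:
        log.append(f"Container Violation ({', '.join(violations)}): container blocked")
        return ScanResult("Scan error", log)
    log.append(f"Container Violation ({', '.join(violations)}): logged only")
    return ScanResult("Clean", log)

# Constructed sample mirroring the page: a .zip holding a 101 MB .txt and a .cab
# that itself holds two 1 MB .txt files.
SAMPLE = ScanItem("archive.zip", 5, [
    ScanItem("big.txt", 101),
    ScanItem("inner.cab", 2, [ScanItem("a.txt", 1), ScanItem("b.txt", 1)]),
])
```

Run `scan(SAMPLE, 100, 1)` and `scan(SAMPLE, 100, 0)` to compare the verdicts; the log list shows that a.txt and b.txt were still scanned after big.txt hit the limit.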