Testing SPE scanning in basic ICAP mode on the same box

Article ID: 243613

Updated On: 08-29-2023

Products

Protection Engine for Cloud Services Protection Engine for NAS Protection for SharePoint Servers

Issue/Introduction

How do I confirm that Symantec Protection Engine (SPE) scans files before I place a SPE instance into production or use it as a test box?

Environment

Release : 8.0.x-9.0.x

Component : Default-Sym

Resolution

To use the C version of the ssecls demonstration tool to confirm basic scanning functionality of SPE

  1. Download eicar.com or eicar.com.txt to the ssecls/C folder (on Windows, CmdLineScanner/C). If the file keeps disappearing, create an exclusion for this folder within SEP or other local real-time filesystem protection software.
  2. Turn on VERBOSE logging. For steps, see 159007.
  3. If you previously set protocol to RPC, temporarily set SPE to ICAP protocol and enable 127.0.0.1 as an ICAP client
  4. Stop and start the symcscan (in Windows services.msc, "Symantec Protection Engine") service to make changes effective
  5. Navigate to ssecls/C folder
  6. Make a copy of ssecls
  7. To have ssecls scan a known clean file, use ssecls to scan the copy of ssecls
  8. If ssecls on Linux displays "./ssecls: error while loading shared libraries: libcrypto.so.1.1: cannot open shared object file: No such file or directory", register libcrypto.so.1, then return to step 6
  9. To have ssecls scan a virus, use ssecls to scan eicar.com
  10. If placing the SPE instance into a high use environment, turn off VERBOSE logging
  11. If placing SPE into an RPC environment, change protocol to RPC and add/select RPC clients
  12. Stop and start the symcscan service to make changes effective

 

To set SPE to ICAP protocol

.\xmlmodifier -s /configuration/ProtocolSettings/Protocol/@value "ICAP" configuration.xml

 

To stop and start the Protection Engine service at the CLI

  • Do one of the following

    • On Linux bash prompt, type:
      /etc/init.d/symcscan restart
    • On Windows cmd prompt, type:
      net stop SYMCScan

      When the service is fully stopped, type:
      net start SYMCScan

 


To navigate to the ssecls/C folder at the CLI

  • Do one of the following

    • On Linux bash prompt, type:
      cd /opt/SYMCScan/ssecls/C
    • On Windows cmd prompt, type:
      cd "C:\Program Files\Symantec\Scan Engine\CmdLineScanner\C"
      NOTE: These CLI navigation commands reflect the default install folder for SPE.

 


To use ssecls to scan itself

  • Navigate to the ssecls folder, then do one of the following

    • On Linux bash prompt, type:
      ./ssecls ./ssecls-copy
    • On Windows cmd prompt, type:
      ssecls.exe ssecls-copy.exe

 

To register libcrypto.so.1

  • On the Linux bash prompt, type:
    export LD_LIBRARY_PATH=/opt/SYMCScan/ssecls/C

 

 

Additional Information

 

 

What is ssecls?

  • ssecls = Symantec Scan Engine Command Line Scanner. This acronym comes from the previous name, Symantec Scan Engine. The ssecls tool is a lightweight tool for testing that the SPE itself is responding to scan requests. It submits scan requests to SPE and where a file receives an INFECTED verdict, ssecls applies the delete action. While ssecls can be dropped on other server operating systems, scanning from a remote system requires the addition of the -server <IP> command line parameter. This document only discusses the usage case where SPE and ssecls are on the same box and communicating over the loopback address.

 

How will a CLEAN result appear in the Protection Engine logs?

  • Without VERBOSE logs enabled, Protection Engine will not record a clean verdict in the SSEYYYYMMDD.log files

  • With VERBOSE logs enabled and Insight file reputation disabled, SPE will record a log entry that starts with an epoch timestamp followed by '|4|2|3|4|'. The filename appears later in the log entry. When interpreted by the UI or logconverter(.exe), the log entry will include the keyword "CLEAN".

  • With VERBOSE logs enabled and Insight file reputation enabled, SPE will record a log entry that starts with an epoch timestamp followed by '|0|2|5|3|'. The filename appears later in the log entry. When interpreted by the UI or logconverter(.exe), the log entry will include the phrase "A file was scanned".  The start of an example log entry from a SPE on Windows:
    1654549562|0|2|5|3|no_path|4|ssecls.exe|39|10.25.205.208|17|0.176|18|0.192...

    NOTE: ssecls does not include the path when sending a scan request to SPE by default. The path can be specified using the switches at the CLI. 
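
One way to check raw SSEYYYYMMDD.log lines for the two clean-scan headers described above (an added example, not part of the original article or of Symantec's tooling). The function name `find_clean_scans` is hypothetical, the second and third sample lines are constructed, and because the page only says the filename appears later in the entry, the code matches it against any later field:

```python
from datetime import datetime, timezone

# Header values quoted on this page for a clean scan with VERBOSE logging on,
# mapped to the wording the UI / logconverter shows for each.
CLEAN_HEADERS = {
    ("4", "2", "3", "4"): "CLEAN (Insight file reputation disabled)",
    ("0", "2", "5", "3"): "A file was scanned (Insight file reputation enabled)",
}

def _names_file(field, filename):
    # ssecls sends no path by default, but a path can be supplied at the CLI,
    # so accept the bare name or a field ending in a path separator plus the name.
    return field == filename or field.endswith(("/" + filename, "\\" + filename))

def find_clean_scans(lines, filename):
    """Return (UTC time, verdict) for each clean-scan entry that names `filename`."""
    hits = []
    for raw in lines:
        fields = raw.strip().split("|")
        if len(fields) < 6 or not fields[0].isdigit():
            continue  # not an epoch-prefixed log entry
        verdict = CLEAN_HEADERS.get(tuple(fields[1:5]))
        if verdict is None:
            continue  # some other event type
        if not any(_names_file(f, filename) for f in fields[5:]):
            continue  # clean-scan entry for a different file
        when = datetime.fromtimestamp(int(fields[0]), tz=timezone.utc)
        hits.append((when.isoformat(), verdict))
    return hits

SAMPLE_LOG = [
    # Start of the entry shown on this page (the original is truncated after 0.192).
    "1654549562|0|2|5|3|no_path|4|ssecls.exe|39|10.25.205.208|17|0.176|18|0.192",
    # Constructed: page's Insight-disabled header followed by made-up fields.
    "1654549600|4|2|3|4|no_path|4|ssecls-copy.exe",
    # Constructed: a header that is neither of the two clean-scan headers.
    "1654549650|9|9|9|9|no_path|4|ssecls-copy.exe",
    "not a log line",
]

if __name__ == "__main__":
    for name in ("ssecls.exe", "ssecls-copy.exe", "eicar.com"):
        print(name, find_clean_scans(SAMPLE_LOG, name))
```

An empty result for the clean test file with VERBOSE logging enabled means the scan request did not produce either of the clean-scan entries this page describes.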

 

After I confirm my SPE server responds to basic ICAP scan requests, what other unit tests can I perform?