Entries in the Protection Engine logs (SPE) show a lot of decomposer 52 errors

Article ID: 256417

Updated On:

Products

Protection Engine for NAS

Issue/Introduction

Entries in the Protection Engine (SPE) logs show a lot of decomposer 52 and 21 errors. As a result, the dashboard report in the cloud console shows a river of errors in which it reports infections and/or malware related to the files.

Environment

Release : 8.2.2

Cause

The decomposer errors seemed to stem from the fact that all of the files reported (mostly zip and spreadsheet (*.xlsx) files) contained files that are/were encrypted or password protected. The scan engine could therefore not open them.
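To confirm this cause on your own files before changing the setting, the following added example (not Symantec code and not part of the original article) reports whether a file is a ZIP with the encryption flag set or a password-protected Office document. The function names and sample inputs are hypothetical and constructed, and the Office check is a heuristic search for the EncryptedPackage stream name inside an OLE2 container.

```python
import io
import struct
import sys
import zipfile

OLE2_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")       # Compound File Binary header
ENC_STREAM = "EncryptedPackage".encode("utf-16-le")  # stream name in protected OOXML


def classify(data: bytes) -> str:
    """Return 'encrypted-ooxml', 'encrypted-zip', 'plain-zip' or 'other'."""
    if data.startswith(OLE2_MAGIC):
        # A password-protected .xlsx is no longer a ZIP: Office wraps it in an
        # OLE2 container whose directory names an EncryptedPackage stream.
        return "encrypted-ooxml" if ENC_STREAM in data else "other"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            # Bit 0 of the general-purpose flag marks an encrypted member.
            if any(info.flag_bits & 0x1 for info in zf.infolist()):
                return "encrypted-zip"
            return "plain-zip"
    except zipfile.BadZipFile:
        return "other"


def constructed_samples() -> dict:
    """Constructed inputs (not real SPE data): plain ZIP, flagged ZIP, OLE2 stub."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("report.csv", "a,b\n1,2\n")
    plain = buf.getvalue()
    flagged = bytearray(plain)
    # Set the encryption bit in the local header (+6) and central directory (+8).
    for sig, off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
        pos = flagged.index(sig) + off
        struct.pack_into("<H", flagged, pos, struct.unpack_from("<H", flagged, pos)[0] | 1)
    ole_stub = OLE2_MAGIC + b"\x00" * 504 + ENC_STREAM
    return {"plain.zip": plain, "locked.zip": bytes(flagged), "locked.xlsx": ole_stub}


if __name__ == "__main__":
    if sys.argv[1:]:
        for path in sys.argv[1:]:          # classify files named on the command line
            with open(path, "rb") as fh:
                print(f"{classify(fh.read()):16} {path}")
    else:
        for name, blob in constructed_samples().items():
            print(f"{classify(blob):16} {name}")
```

Run it with the paths of files named in the decomposer 52 log entries; an unprotected .xlsx is an ordinary ZIP and is reported as plain-zip.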

Resolution

Turning off the option in the configuration to scan Encrypted File Archives reduced the number of decomposer 52 errors in the SPE logs and malware infections in the cloud console to almost zero.

This configuration change can also be made from the command line:

Windows ( C:\Program Files\Symantec\Scan Engine\ )

    xmlmodifier -s //filtering/Container/EncryptedContainersHandling/@enabled false filtering.xml

Linux ( /opt/SYMCScan/bin )

    ./xmlmodifier -s //filtering/Container/EncryptedContainersHandling/@enabled false filtering.xml

Additional Information

What if I see a mail flood instead?

Do one of the following: 

  • Within SPE, set SMTP logging level to None
  • Within the mail server, create a mail rule to drop messages with body text including the phrase "Decomposer Result ID = 52"

To set SMTP logging to None

  1. At the Linux bash or Windows cmd prompt, use cd to navigate to the folder containing the XML configuration files for SPE.
  2. Type:
    ./xmlmodifier -s //configuration/Logging/LogSMTP/@loglevel <value> configuration.xml