search cancel

Protection Engin reports Zip and spreadsheet files as suspect or Major status although they do not contain any infected files

book

Article ID: 257503

calendar_today

Updated On:

Products

Protection Engine for Cloud Services

Issue/Introduction

Why are some zip, xlsx, docx and other container type files reported as infected or as a "Major" File Detection status even though they do not contain any infected files?

Environment

Symantec Protection Engine

Release : 8.2.2

Cause

The files are usually encrypted and or password protected. As a result the SPE engine cannot open and scan the files. So they must be reported differently than just an informational notation.

Usually they are reported as one of the following (in the SPE logs)

decomposer 52

decomposer 21

Example:

1. A file named "Protected_Spreadsheet.xlsx" It is encrypted with a password. It is submitted to be scanned.

2. It is important to note that the SPE engine configuration is important in this scenario.  In the Cloud Console policy, under "Archive Handling", there is a section for encrypted file handling. In order for any encrypted file to be reported as a problem the "Encrypted File Archives" box must be turned on.

Also the "Action" must be set to either "Block" or "Delete". If set to Log only, it will only log the fact that the file was passed in for scanning. There will be no result.

3. With the above settings in place a person could pass the file "Protected_Speadsheet.xlsx" to the scan engine using the ICAP test program (ssecls.exe)

The scanner will not be able to open the file so the following should be returned ( a similar error would be returned to the external application that submitted the same file for scanning):

4. In the dashboard, under "Alerts and Events" you should see the event recorded.

5. Click on the "More" link in the lower right an it explains the so called "infection" is just a container violation and not an actual infection:

As can be seen the warning/error is explained as a container violation, not as an infection.

 

 

Resolution

If you do not wish to see container violations reported in this way (which until close examination can cause concern), turn off the scanning of encrypted box and save the policy change.

 

Attachments