What is the behavioral difference between SPE "Scan and repair" policy and "Active content"?

Article ID: 268785

Products

Protection Engine for Cloud Services
Protection Engine for NAS

Issue/Introduction

What is the difference between the Symantec Protection Engine (SPE) policy to "Scan and repair" (AVActionPolicy) and the SPE policy for "Active content" (ActiveContentActionPolicy)?

<AVActionPolicy value="0"/>
<ActiveContentActionPolicy value="2"/> <!-- Allowed values: 2(remove active content from files). Default: 2 -->

Environment

Release: SPE 8.2.2 - 9.0.x


Resolution

At a high level, SPE 8.1 and later have a policy to detect and remove active content, such as scripts and macros, from files without assessing whether that active content is malicious. SPE versions prior to 8.1 sought to repair document files containing malware only when malware was detected, with the Repair action being part of the AVActionPolicy. In any situation where AVActionPolicy includes a Repair action but the Repair action is not available or fails to repair a file, SPE deletes the file instead.


Within the SPE policy.xml file for 9.0.1, the default values of these policies are:

      <AVActionPolicy value="0"/> 

and

      <ActiveContentActionPolicy value="2"/>


The behavior of each value of AVActionPolicy and ActiveContentActionPolicy is:

  • AVActionPolicy value of 0 is read only. Many administrators must first prove what the impact of deploying AV scanning would be on a particular workflow and determine whether parts of that workload would be subject to production-impacting false positives.

  • AVActionPolicy value of 1 is Scan and Repair. Scan and Repair attempts to repair a document file containing malware, leaving the rest of the file in place. It does not submit the file to the local SPE Quarantine. SPE 8.1 and later do not support file repair.

  • AVActionPolicy value of 2 is Scan and Repair or Delete. Scan and Repair or Delete attempts to repair a document file containing malware, leaving the rest of the file in place, and deletes any infected file it cannot repair. It submits the file to the local SPE Quarantine, if one is enabled. SPE 8.1 and later do not support file repair.

  • AVActionPolicy value of 3 is Scan and Delete. Scan and Delete deletes any infected file. It does not submit the file to the local SPE Quarantine.

  • ActiveContentActionPolicy value of 0: SPE does not check files for active content, such as scripts and/or embedded URLs.

  • ActiveContentActionPolicy value of 1: without seeking to determine whether the active content is malware or not, SPE 8.1 and later block access to files containing scripts and/or URLs.

  • ActiveContentActionPolicy value of 2: without seeking to determine whether the active content is malware or not, SPE 8.1 and later remove the active content from within the file.


Additional Information

Prior to SPE 8.1, AVActionPolicy has to detect that a virus is present, which means there has to be a virus signature for the individual threat. SPE replies to the scan request, citing the exact virus found. The response includes the revised file with the malicious part removed.

In SPE 8.1 and later, ActiveContentActionPolicy only has to find that active content is present. SPE replies to the scan request, classifying the file as a virus of type "Policy Violation". The response to the scan request also includes the revised file with the active content removed.
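As an added example (not SPE's own code), the following Python script reads the two values from a policy.xml fragment and flags the consequences described in the value list and the paragraphs above: read-only scanning, repair falling back to delete on SPE 8.1 and later, the active-content policy not existing before 8.1, and active-content removal applying to benign macros as a "Policy Violation". The sample policy.xml fragment and the finding codes are constructed for this example.

```python
# Audit an SPE policy.xml for AVActionPolicy / ActiveContentActionPolicy.
# Example code added for this article; it is not SPE's own code.
import xml.etree.ElementTree as ET

# Constructed sample: a minimal policy.xml fragment (real files hold much more).
SAMPLE_POLICY_XML = """<policy>
  <AVActionPolicy value="1"/>
  <ActiveContentActionPolicy value="2"/>
</policy>"""

AV_ACTIONS = {0: "read only", 1: "scan and repair",
              2: "scan and repair or delete", 3: "scan and delete"}
AC_ACTIONS = {0: "no active-content check", 1: "block files with active content",
              2: "remove active content from files"}

def _policy_value(root, tag):
    node = root.find(tag)
    if node is None or node.get("value") is None:
        raise ValueError(f"{tag} missing from policy.xml")
    return int(node.get("value"))

def audit_policy(xml_text, spe_version):
    """Return {'av': int, 'ac': int, 'findings': [codes]} for one policy.xml.

    spe_version is a dotted string such as "9.0.1"; only major.minor matter,
    because repair support and the active-content policy change at 8.1.
    """
    root = ET.fromstring(xml_text)
    av = _policy_value(root, "AVActionPolicy")
    ac = _policy_value(root, "ActiveContentActionPolicy")
    if av not in AV_ACTIONS or ac not in AC_ACTIONS:
        raise ValueError(f"unexpected policy value: AV={av} AC={ac}")
    version = tuple(int(p) for p in spe_version.split(".")[:2])
    findings = []
    if av == 0:
        findings.append("AV_READ_ONLY")  # detections reported, file left untouched
    elif av in (1, 2) and version >= (8, 1):
        # Repair is unsupported on 8.1+, and a Repair that is unavailable falls back to delete.
        findings.append("AV_REPAIR_UNSUPPORTED_DELETES")
    if ac == 0:
        findings.append("AC_DISABLED")
    elif version < (8, 1):
        findings.append("AC_UNAVAILABLE_PRE_8_1")  # the policy exists only on 8.1+
    else:
        # Acts on any script/macro, benign or not: expect "Policy Violation" on clean macro files.
        findings.append("AC_ACTS_ON_BENIGN_CONTENT")
    return {"av": av, "ac": ac, "findings": findings}

if __name__ == "__main__":
    result = audit_policy(SAMPLE_POLICY_XML, "9.0.1")
    print(AV_ACTIONS[result["av"]], "|", AC_ACTIONS[result["ac"]], "|", result["findings"])
```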

Before SPE added the ActiveContentActionPolicy, SPE admins had to block scripts by filename, with the risk of blocking files that contained no active content. The following article gives the context from roughly two years earlier, when the feature was added to give customers relief from malware writers that rewrote their code frequently:

https://knowledge.broadcom.com/external/article/196881/
