What is the difference between the Symantec Protection Engine (SPE) policy to "Scan and repair" (AVActionPolicy) and the SPE policy for "Active content" (ActiveContentActionPolicy)?
Release: SPE 8.2.2-9.0.x
At a top level, SPE 8.1 and later have a policy to detect and remove Active Content, such as scripts and macros, from files without assessing whether that Active Content is malicious. SPE versions prior to 8.1 repaired document files containing malware only when malware was actually detected, with the Repair action being part of the AVActionPolicy. In any situation where AVActionPolicy includes a Repair action but the Repair action is not available or fails to repair a file, SPE deletes the file instead.
Within the SPE policy.xml file for 9.0.1, the default values of these policies are shown as:
<AVActionPolicy value="0"/>
and
<ActiveContentActionPolicy value="2"/>
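As an added example (not part of the Broadcom article), the following script audits a policy.xml for the two elements above and reports whether each matches the 9.0.1 default quoted in the article, is changed, or is missing; the surrounding XML structure of the constructed sample (the `policies` root element) is an assumption, and only the two element names and their default values come from the article.

```python
# Added example, not Broadcom's code: audit an SPE policy.xml for the two
# policies discussed in the article. Assumption: the <policies> root element
# and the rest of the sample document are constructed; only the element names
# AVActionPolicy / ActiveContentActionPolicy and their 9.0.1 defaults are from
# the article.
import xml.etree.ElementTree as ET

# Default values the article quotes for SPE 9.0.1 policy.xml.
EXPECTED_DEFAULTS = {
    "AVActionPolicy": "0",
    "ActiveContentActionPolicy": "2",
}


def audit_policy(xml_text: str) -> dict:
    """Return {policy_name: {"value": str | None, "status": str}}.

    status is "default" when the value equals the 9.0.1 default, "changed"
    when it differs, and "missing" when the element (or its value attribute)
    is absent. A hand-edited or partially restored policy.xml can lack an
    element entirely, so the audit must not assume a value in that case.
    """
    root = ET.fromstring(xml_text)
    report = {}
    for name, default in EXPECTED_DEFAULTS.items():
        elem = root.find(f".//{name}")  # match the element at any depth
        if elem is None or elem.get("value") is None:
            report[name] = {"value": None, "status": "missing"}
            continue
        value = elem.get("value")
        status = "default" if value == default else "changed"
        report[name] = {"value": value, "status": status}
    return report


# Constructed sample: AVActionPolicy deviates from the default and
# ActiveContentActionPolicy has been removed from the file.
SAMPLE_POLICY_XML = """<?xml version="1.0" encoding="UTF-8"?>
<policies>
  <AVActionPolicy value="2"/>
</policies>
"""

if __name__ == "__main__":
    for policy, info in audit_policy(SAMPLE_POLICY_XML).items():
        print(f"{policy}: value={info['value']} ({info['status']})")
```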
The behavior of each value of AVActionPolicy and ActiveContentActionPolicy is
In SPE 8.1 and later, ActiveContentActionPolicy only has to find that Active Content is present; no malware detection is required. SPE replies to the scan request reporting the file as a virus of type "Policy Violation", and the response also includes the revised file with the Active Content removed.
Before SPE added the ActiveContentActionPolicy, SPE admins had to block scripts by filename, with the risk of blocking files that contained no active content. The following article gives the context from roughly two years earlier, when the feature was added to give customers relief from malware writers who rewrote their code frequently:
https://knowledge.broadcom.com/external/article/196881/