Article ID: 276204


Protection Engine for Cloud Services, Protection Engine for NAS


You want to understand how Symantec Protection Engine (SPE) handles the scanning of files of type "octet-stream".


The files of type "octet-stream" are scanned using a method called "Byte Stream." The "Byte Stream" process involves passing the bytes through a scanner that checks for viruses and policy violations based on the enabled engines and configured policies.

During the initial scan, the scanner identifies the file type from the file's structure, such as its file signature and extension. If the file is a "flat file," like a text file, only the "Byte Stream" scan is performed. However, if the file is a "container file" like .rar, .zip, .tar, .docx, .pdf, etc., then the scanner invokes the "decomposer" engine.

If a policy violation is found during the "Byte Stream" scan, the corresponding action is queued but not yet executed. If the decomposer is invoked and the container file type is identified, SPE uses the extraction method for that particular container type to extract all child objects from the container. All child objects are then scanned according to the configured policies.
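The flow described above can be modelled in a few lines. This is an added illustration, not Symantec's code: the marker rule, the action names, the ZIP-only decomposer, the nesting limit and the handling of malformed containers are all assumptions of the sketch.

```python
import io
import zipfile

MARKER = b"POLICY-VIOLATION-TEST"  # constructed stand-in for a detection rule
ZIP_MAGIC = b"PK\x03\x04"          # ZIP local file header signature
MAX_DEPTH = 5                      # assumed nesting limit for this sketch

def identify(data, name):
    """Classify by file signature first, then by extension."""
    if data.startswith(ZIP_MAGIC) or name.lower().endswith((".zip", ".docx")):
        return "container"
    return "flat"

def byte_stream_scan(data):
    """Pass the raw bytes through the (toy) rule set."""
    return MARKER in data

def scan(data, name="upload.bin", depth=0, queued=None):
    """Return the queued (object, action) pairs for one submitted object."""
    queued = [] if queued is None else queued
    # Every object gets the byte-stream scan; a hit is queued, not executed.
    if byte_stream_scan(data):
        queued.append((name, "block"))
    if identify(data, name) != "container":
        return queued  # flat file: the byte-stream scan is the whole scan
    if depth >= MAX_DEPTH:
        queued.append((name, "block-depth-exceeded"))
        return queued
    # Decomposer: extract each child object and scan it the same way.
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if not info.is_dir():
                    child = f"{name}/{info.filename}"
                    scan(zf.read(info), child, depth + 1, queued)
    except zipfile.BadZipFile:
        queued.append((name, "block-malformed-container"))
    return queued

def make_zip(members):
    """Build a constructed, compressed ZIP sample in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for member_name, content in members.items():
            zf.writestr(member_name, content)
    return buf.getvalue()
```

Because the child is compressed, the byte-stream pass over the container itself finds nothing; the violation is only visible once the decomposer has extracted the child object.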