NSX Network Detection and Response - Adjust configuration of archive file limit for on-premise

Article ID: 323961

Products

VMware

Issue/Introduction

By default, the maximum number of files extracted from an archive for analysis is 25. Starting from version 9.5, this number can be configured for a specific Manager installation, together with other archive settings such as the depth to which nested archives are parsed.

This article covers the process for modifying this value (and the other archive-specific values) so that the appliance extracts more files from an archive.


Resolution

Steps: 

  1. Connect to the CLI of the Manager appliance.

  2. The override parameters are:

  • malscape_service::backend_unpacker::archive_file_limit (the maximum number of files that can be extracted from a submitted archive; default 25).

  • malscape_service::backend_unpacker::max_child_tasks_per_archive (the maximum number of analyses that can be triggered by unpacking one archive; default 10).

  • malscape_service::backend_unpacker::archive_max_depth (the maximum nesting depth inside the archive from which files are extracted; default 3).

For example:

  • malscape_service::backend_unpacker::archive_file_limit: 50
  • malscape_service::backend_unpacker::max_child_tasks_per_archive: 15
  • malscape_service::backend_unpacker::archive_max_depth: 4

  3. Check whether an override.yaml file exists in /etc/appliance-config/.

  • If /etc/appliance-config/override.yaml exists, create a backup of it before editing and then add the parameters above to it.

  • If the file does not exist, create it.

  4. Add all three parameters to override.yaml with the values you want (see the warning below).

  5. Double-check that the contents of the file are as expected.

  6. Run lastline_apply_config to save the changes.
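The following shell script is an added example, not part of this article or of the product; it carries out steps 3 to 6 above in one place. The key names, the /etc/appliance-config/override.yaml path and the lastline_apply_config command are taken from the article; the function names, the backup file suffix and the validation rules are this example's own assumptions. It takes the configuration directory as an argument so it can be tried against a scratch directory before being run on the Manager appliance.

```shell
#!/bin/sh
# Added example (not from the KB article): scripts the override.yaml edit the
# article describes. Key names, path and lastline_apply_config come from the
# article; function names, backup suffix and validation are assumptions.
# Usage on the appliance: sh set_archive_overrides.sh /etc/appliance-config 50 15 4

PREFIX='malscape_service::backend_unpacker::'

# Return 0 if $1 is a positive decimal integer, 1 otherwise.
is_positive_int() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -gt 0 ]
}

# write_archive_overrides DIR FILE_LIMIT CHILD_TASKS MAX_DEPTH
# Steps 3 and 4: back up DIR/override.yaml if it exists, strip any earlier
# definition of the three keys so the file never ends up with duplicate keys,
# and append the new values. Creates the file when it is missing.
write_archive_overrides() {
    dir=$1; file_limit=$2; child_tasks=$3; max_depth=$4
    cfg="$dir/override.yaml"
    for v in "$file_limit" "$child_tasks" "$max_depth"; do
        is_positive_int "$v" || { echo "not a positive integer: '$v'" >&2; return 1; }
    done
    mkdir -p "$dir" || return 1
    if [ -f "$cfg" ]; then
        cp -p "$cfg" "$cfg.bak.$(date +%Y%m%d%H%M%S)" || return 1
        # grep -v exits 1 when no lines remain; that is not an error here.
        grep -v -e "^${PREFIX}archive_file_limit:" \
                -e "^${PREFIX}max_child_tasks_per_archive:" \
                -e "^${PREFIX}archive_max_depth:" "$cfg" > "$cfg.tmp" || true
        # Rewrite in place so the file keeps its owner and permissions.
        cat "$cfg.tmp" > "$cfg" && rm -f "$cfg.tmp" || return 1
    fi
    {
        printf '%sarchive_file_limit: %s\n' "$PREFIX" "$file_limit"
        printf '%smax_child_tasks_per_archive: %s\n' "$PREFIX" "$child_tasks"
        printf '%sarchive_max_depth: %s\n' "$PREFIX" "$max_depth"
    } >> "$cfg"
}

# archive_override_value DIR KEY
# Step 5: print the configured value of KEY (the part after the prefix, e.g.
# archive_file_limit), or nothing if the key is not set.
archive_override_value() {
    sed -n "s/^${PREFIX}$2: *//p" "$1/override.yaml" 2>/dev/null
}

# Step 6: activate the change. Only runs if the command exists on this host.
apply_config() {
    if command -v lastline_apply_config >/dev/null 2>&1; then
        lastline_apply_config
    else
        echo "lastline_apply_config not found; run it on the Manager appliance" >&2
        return 1
    fi
}

if [ "$#" -eq 4 ]; then
    write_archive_overrides "$@" && apply_config
fi
```

Values are validated before anything is written, and an existing definition of a key is replaced rather than duplicated, so re-running the script with new numbers leaves one definition per key and a dated backup of each previous file.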

Warning: Increasing the number of files extracted from an archive increases the load on the Manager and engine appliances, because they must analyze every additional extracted file.

Additional Information

Note: This article is applicable to the standalone NSX Network Detection and Response product (formerly Lastline) and is not intended to be applied to the NSX NDR feature of NSX-T.