Archive File Handling in NSX-T ATP (Advanced Threat Prevention) - Limitations in Analysis of Compressed Files

Article ID: 345874

Products

VMware NSX Networking

Issue/Introduction

When using ATP for malware prevention in NSX-T 3.2 and later, users may encounter constraints on the analysis of compressed files. These constraints are by design: they are a characteristic of the file analysis backend, not a bug.

Symptoms:

Customers running NSX-T 3.2 or later may observe that when a compressed archive (e.g., .zip, .rar, .7z) is submitted to ATP for analysis, the system:

  • Analyzes only the first 25 files extracted from the archive.
  • Considers only files that are within a depth of 5 levels from the archive's root for analysis.

Files beyond the first 25, or deeper than 5 levels, are neither processed nor included in the analysis report, and the report does not indicate that anything was excluded. The results cover only the analyzed subset of files.


Environment

VMware NSX-T Data Center 3.x
VMware NSX-T Data Center

Cause

This behavior is intentional: it bounds the scope of each analysis and keeps performance predictable. The ATP backend limits extraction to avoid exhaustive resource consumption on archives that contain a large number of nested files.

Resolution

Because this behavior is by design and not a defect, there is no fix that changes it. For verification, TSEs can determine whether a past analysis was subject to these limits by referencing its analyst_api_task_uuid or the file hash.

Workaround:

To ensure a more comprehensive analysis within the limitations of ATP:

  • Divide larger archives into smaller ones, each containing 25 or fewer files.
  • Ensure that the file structure does not exceed 5 levels of depth.

Submitting several smaller archives in this way keeps every file within the 25-file and 5-level limits, so none are silently left out of the analysis.
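An added pre-submission check (example code, not part of this article or of NSX-T) that flags which files in a zip would fall outside the 25-file and 5-level limits before it is sent to ATP. How ATP orders entries and counts depth is not documented here, so the counting rules stated in the docstring are assumptions.

```python
"""Pre-submission check for the NSX-T ATP archive limits in this article (constructed example).
Assumptions the KB does not state: files are counted in archive entry order, directory
entries do not count, and depth is the number of directory components in the entry path.
"""
import io
import zipfile
from dataclasses import dataclass

MAX_FILES = 25  # only the first 25 extracted files are analyzed
MAX_DEPTH = 5   # only files within 5 levels of the archive root are analyzed


@dataclass
class Verdict:
    name: str
    depth: int
    analyzed: bool
    reason: str  # empty when the file would be analyzed


def audit_archive(data: bytes) -> list[Verdict]:
    """For every file in a zip, report whether ATP would analyze it or silently skip it."""
    verdicts, seen = [], 0
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            seen += 1
            depth = info.filename.strip("/").count("/")
            if seen > MAX_FILES:
                verdicts.append(Verdict(info.filename, depth, False, "beyond first 25 files"))
            elif depth > MAX_DEPTH:
                verdicts.append(Verdict(info.filename, depth, False, "deeper than 5 levels"))
            else:
                verdicts.append(Verdict(info.filename, depth, True, ""))
    return verdicts


def skipped(data: bytes) -> list[str]:
    """Names of the files that would be missing from the ATP report."""
    return [v.name for v in audit_archive(data) if not v.analyzed]


def build_sample() -> bytes:
    """Constructed 26-file zip: the 25th file is too deep, the 26th is past the count."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for i in range(24):
            zf.writestr(f"docs/file{i:02d}.txt", b"benign")
        zf.writestr("a/b/c/d/e/f/deep.bin", b"deep")  # 25th file, depth 6
        zf.writestr("late.exe", b"late")  # 26th file, beyond the count limit
    return buf.getvalue()
```

Any name returned by `skipped()` should be moved into a separate archive (or a shallower path) before submission.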


Additional Information

NSX-T versions affected: All 3.2 and above.