Archive File Handling in NSX-T ATP (Advanced Threat Prevention) - Limitations in Analysis of Compressed Files
search cancel

Archive File Handling in NSX-T ATP (Advanced Threat Prevention) - Limitations in Analysis of Compressed Files


Article ID: 345874


Updated On:


VMware NSX Networking


When utilizing NSX-T 3.2  and above versions ATP for malware prevention, users may encounter certain constraints regarding the analysis of compressed files. It's important to note that these constraints are by design—a feature of the file analysis backend, rather than a bug.


Customers may observe that when submitting compressed archive files (e.g., .zip, .rar, .7z) to ATP for analysis, in NSX-T 3.2 and above versions, the system:

  • Analyzes only the first 25 files extracted from the archive.
  • Considers only files that are within a depth of 5 levels from the archive's root for analysis.

Files beyond the initial 25 or deeper than 5 levels are not processed or included in the analysis report, and this exclusion is not actively communicated to the customer. Results provided will only cover the analyzed subset of files.


VMware NSX-T Data Center 3.x
VMware NSX-T Data Center


This operational behavior is an intentional feature, strategically implemented to manage the analysis scope and maintain optimal performance. The ATP backend is optimized to prevent exhaustive resource utilization, which can occur when dealing with archives that may contain a large number of nested files.


As this behavior is by design and not a defect, there is no resolution to change this functionality. For verification purposes, TSEs can determine if a past analysis was subject to these limitations by referencing an analyst_api_task_uuid or file hash.


To ensure a more comprehensive analysis within the limitations of ATP:

  • Divide larger archives into smaller ones, each containing 25 or fewer files.
  • Ensure that the file structure does not exceed 5 levels of depth.

By following this method, users can submit multiple archives for analysis, thus avoiding the constraints of the initial 25-file and 5-depth limit.

Additional Information

NSX-T versions affected: All 3.2 and above.