Does Symantec CAS scan MS files that contain macros, even while they are within archive layers?

Article ID: 373897

Products

CAS-S400

Issue/Introduction

Does Symantec CAS forbid Microsoft Office contents with macros? Are the extracted .zip file contents also scanned? How many levels deep can CAS scan?

Environment

CAS/CAS-AV/ISG-CAS

Resolution

In addition to the manual file-extension lists, Content Analysis can apply specific ignore, scan, and block rules to specific types of data. Instead of relying on the file extension associated with each file, the appliance examines the apparent data type to determine the actual type of the file.

The apparent data type is derived from the actual file signature (the leading bytes of the content) and from information in the HTTP header, not from the file name. For example, Content Analysis can identify graphics (such as JPG and GIF files), documents, archives, executables, encodings, media, macros, and files within an archived or compound Microsoft file.

Based on the product documentation, the answers to the three questions are as follows:

Does Symantec CAS forbid Microsoft Office contents with macros?

Symantec CAS can be configured to scan and block files based on the apparent data type, and macros are one of the data types it recognizes. If security policy treats macros as a threat, a block rule can be applied to that type so that the file is blocked or flagged for further inspection. By default, however, CAS does not forbid Microsoft Office content with macros; a rule must be configured explicitly.

Are the extracted .zip file contents also scanned?

Yes. Symantec CAS extracts .zip files and other compressed files and scans each contained file individually for threats, so that every file within an archive is checked for malicious content. Extraction is subject to the archive-layer and file size/count limits described below; an object that exceeds one of these limits is not scanned.

How many levels deep can CAS scan?

The depth to which nested archives (for example, a zip file inside a zip file) are unpacked is configurable per antivirus engine through the Maximum archive layers setting. With the setting at 10, for example, CAS unpacks and scans files nested up to 10 layers deep. The value can be raised or lowered, up to the per-engine maximum listed below, to balance thorough inspection against performance.

Maximum archive layers - This option is included in the vendor-specific settings of each engine. An archive is a file containing multiple files and a folder structure. An archive cannot contain more than the specified number of layers (directories). The maximum value per engine is:

  • Symantec: 40
  • Kaspersky: 40
  • McAfee: 300
  • Sophos: 100

If any of these limits is exceeded, the object is not scanned. After changing these settings, click Save Changes. Click Default Settings to restore all values to their defaults.
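The following is an added illustration, not CAS code or Symantec's detection logic: a Python script that classifies files by their signature rather than their extension, recurses into nested ZIP archives up to a configurable layer limit, flags Office Open XML documents that carry a vbaProject.bin (macro) part, and reports any archive beyond the limit as not scanned, mirroring the "not scanned" behaviour described above. It goes slightly beyond the text by also recognizing PE executables and legacy OLE documents by signature. The signature table, the sample archive, the verdict strings and the "block: macro" rule are all constructed for the example and are not CAS settings or output.

```python
from __future__ import annotations

import io
import zipfile

# Constructed signature table for this example (CAS uses its own apparent-data-type
# detection; this only approximates the idea of classifying by content, not by name).
ZIP_MAGIC = b"PK\x03\x04"
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy .doc/.xls/.ppt (OLE2 compound file)
MZ_MAGIC = b"MZ"                                  # PE executable


def apparent_type(data: bytes) -> str:
    """Classify by file signature; the file name / extension is never consulted."""
    if data.startswith(MZ_MAGIC):
        return "executable"
    if data.startswith(OLE_MAGIC):
        # Macro detection inside OLE2 needs a compound-file parser (e.g. oletools);
        # out of scope here, so the type is reported without a macro verdict.
        return "ole-document"
    if data.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as z:
                names = z.namelist()
        except zipfile.BadZipFile:
            return "unknown"
        # Office Open XML (docx/xlsm/pptm ...) is itself a ZIP container; a vbaProject.bin
        # part is what makes it macro-enabled, whatever the file is called.
        if "[Content_Types].xml" in names:
            has_vba = any(n.lower().endswith("vbaproject.bin") for n in names)
            return "ooxml-macro" if has_vba else "ooxml"
        return "archive"
    return "unknown"


def scan(data: bytes, max_layers: int, layer: int = 0, path: str = "<root>") -> list[tuple[str, str]]:
    """Walk nested archives and return (path, verdict) pairs.

    The top-level archive counts as the first layer, so max_layers=1 unpacks the
    object itself but no archive inside it. An archive found at a depth the limit
    does not allow is reported as not scanned, mirroring the documented behaviour
    when a limit is exceeded.
    """
    kind = apparent_type(data)
    if kind == "archive":
        if layer >= max_layers:
            return [(path, "not-scanned: archive layers exceeded")]
        findings: list[tuple[str, str]] = []
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            for info in z.infolist():
                if info.is_dir():
                    continue
                findings.extend(scan(z.read(info), max_layers, layer + 1, f"{path}/{info.filename}"))
        return findings
    if kind == "ooxml-macro":
        return [(path, "block: macro")]  # hypothetical block rule on the 'macro' data type
    return [(path, f"scan: {kind}")]


def build_zip(entries: dict[str, bytes]) -> bytes:
    """Helper to build an in-memory ZIP from a name -> bytes mapping (constructed input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        for name, content in entries.items():
            z.writestr(name, content)
    return buf.getvalue()


def build_sample() -> bytes:
    """Constructed sample: three archive layers, one renamed document, two macro documents."""
    macro_doc = build_zip({"[Content_Types].xml": b"<Types/>", "word/document.xml": b"<w/>",
                           "word/vbaProject.bin": b"\x00" * 16})
    plain_doc = build_zip({"[Content_Types].xml": b"<Types/>", "word/document.xml": b"<w/>"})
    return build_zip({
        "invoice.pdf": plain_doc,  # misleading extension: the signature still says OOXML
        "nested.zip": build_zip({"report.docm": macro_doc, "notes.txt": b"hello"}),
        "deep.zip": build_zip({"x.zip": build_zip({"y.docm": macro_doc})}),
    })


if __name__ == "__main__":
    sample = build_sample()
    for limit in (2, 3):
        print(f"max_layers={limit}")
        for p, verdict in scan(sample, max_layers=limit):
            print(f"  {p}: {verdict}")
```

Running it with max_layers=2 finds the macro in nested.zip/report.docm but reports deep.zip/x.zip as not scanned; raising the limit to 3 reaches the second macro document. The point for policy is the same as in the documentation above: an object that exceeds a limit is simply not scanned, so what is then done with that object is a separate decision that has to be made deliberately rather than left to the default.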

Ref.: 

Set Policy Based on Known File Types

About File Size/Count Limitations