Troubleshooting "Scan Error - decomposer too deep (525)" and Slow Scan Performance

Article ID: 438420

Products

Endpoint Protection

Issue/Introduction

The vpdebug.log or risk logs show frequent entries of:

"Scan Error - decomposer too deep (525)"

Scheduled or Full Scans take an unexpectedly long time to complete.

System performance is impacted during active scanning.

Cause

1. How Compressed File Scanning Works

Symantec Endpoint Protection (SEP) utilizes two components to scan archives:

  • ccScanW: Responsible for enumerating (listing) all child files inside a compressed archive (e.g., .zip, .7z).
  • avhostplugin: Receives notifications for each child file and decides whether to scan it based on the assigned Antivirus policy.

2. The "Decomposer too deep (525)" Error

This error occurs when a child file within an archive is nested deeper than the "Maximum number of levels to expand compressed files" setting in the AV policy allows (default is typically 3). When a file is found at level 4 or deeper, avhostplugin instructs ccScanW not to scan it and logs the 525 event. This is expected behavior and indicates that the policy is being enforced, not that the engine has failed.

3. Performance Bottlenecks

Scans may appear to hang or run slowly due to:

  • High File Density: Systems with a massive number of files (e.g., SCCM libraries or database servers) incur significant scanning overhead.
  • Missing Exclusions: High-traffic, low-risk directories that software vendors recommend excluding (e.g., Microsoft SCCM folders) have not been excluded.

Resolution

Step 1: Address the "Decomposer too deep" Logs

If you see hundreds of these errors for a single archive, it is because the scan component evaluates every child file individually.

  • Review Policy: If you require visibility into deeper archives, increase the "Maximum number of levels" in your AV policy.
  • Note: Increasing this depth will increase scan duration and CPU usage.
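Before changing the policy, it helps to know how deep the archives on a host actually nest. The following is an added example, not Symantec code: it walks a ZIP archive in memory and lists every child file that sits deeper than the configured level, one entry per file, which is why a single archive can account for hundreds of 525 events. Assumptions: members of the outermost archive count as level 1, only ZIP is handled, and the names audit_archive, build_nested_zip, HARD_STOP and MAX_MEMBER_BYTES are hypothetical.

```python
import io
import zipfile

MAX_LEVELS = 3                 # policy value from the article (default is typically 3)
HARD_STOP = 10                 # assumption: never expand past this level, whatever the policy
MAX_MEMBER_BYTES = 50 << 20    # assumption: do not expand members larger than 50 MiB

def audit_archive(data, max_levels=MAX_LEVELS, level=1, prefix=""):
    """Return (deepest_level, child files nested deeper than max_levels).

    Assumption: members of the outermost archive are level 1.
    """
    deepest, too_deep = 0, []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            path = prefix + info.filename
            deepest = max(deepest, level)
            if level > max_levels:
                too_deep.append(path)      # one entry per child file
            if level >= HARD_STOP or info.file_size > MAX_MEMBER_BYTES:
                continue                   # bound the work on hostile archives
            member = zf.read(info)
            if zipfile.is_zipfile(io.BytesIO(member)):
                inner_deepest, inner_deep = audit_archive(
                    member, max_levels, level + 1, path + "!")
                deepest = max(deepest, inner_deepest)
                too_deep.extend(inner_deep)
    return deepest, too_deep

def build_nested_zip(levels, leaves=2):
    """Constructed sample input: a ZIP whose innermost files sit at `levels`."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        if levels == 1:
            for i in range(leaves):
                zf.writestr(f"doc{i}.txt", b"constructed sample")
        else:
            zf.writestr("readme.txt", b"constructed sample")
            zf.writestr(f"inner{levels - 1}.zip", build_nested_zip(levels - 1, leaves))
    return buf.getvalue()

if __name__ == "__main__":
    deepest, too_deep = audit_archive(build_nested_zip(5))
    print(f"deepest level: {deepest}, files beyond level {MAX_LEVELS}: {len(too_deep)}")
    for path in too_deep:
        print("  ", path)
```

Comparing the deepest level reported across a representative set of archives against the policy value shows whether raising "Maximum number of levels" would actually bring the skipped files into scope.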

Step 2: Optimize Scan Performance

To reduce the duration of full scans, implement the following:

  • Implement Industry-Standard Exclusions: Ensure folders containing high volumes of small files or large database repositories are excluded if they are already being monitored by other security layers.
  • Adjust Performance Tuning:
      1. In the Symantec Endpoint Protection Manager (SEPM), go to Policies > Virus and Spyware Protection.
      2. Edit your policy and navigate to Administrator-Defined Scans.
      3. Under the Advanced tab (or Tuning), select "Best Scan Performance".
  • Pilot Group Testing: Always test performance changes on a small subset of hosts (child group) before deploying globally.

Additional Information

Reference: Microsoft Recommended Antivirus Exclusions