After installing Symantec Protection Engine (SPE) to scan files in a share on a NAS device, you notice that SPE reports frequent scan errors with "Scanner = Decomposer Result ID = 17."
The Scan Engine has encountered a scan error Date/time of event = xxxx-xx-xx xx:xx:xx Event Severity Level = Error Scanner = Decomposer Result ID = 17 File name = <path to the file> Client IP = 192.0.2.2 Scan Duration (sec) = 0.016 Connect Duration (sec) = 0.016 Scan Engine IP address = 192.0.2.1 Scan Engine Port number = 1344 Uptime (in seconds) = 12345678","Default","","",""
SSE / SPE fails in opening a file for a variety of reasons. If the file is on a share, by its nature SSE / SPE more often encounters Decomposer 17 errors, as the chances for such a file being used / locked by other processes at the time of scan request are far greater than a standalone deployment.
For example, if the target file is simultaneously editable by more than two users at at time (such as a shared Excel file), or the file being downloaded at the time of scan request, SSE's / SPE's file open request for the share fails due to the file lock, resulting in a Decomposer 17 error.
The following figure shows the sample flow when more than two users edit the same file triggers a Decompser 17 error.
Check the memory usage for the SSE / SPE installed system at the time of the errors. If the Dec 17 errors unanimously occur for almost all of the files being scanned in a specific time frame and the system shows constantly high memory usage, SSE / SPE most likly cannot allocate the necessary memory for processing these files. Restart the system and see if the Dec 17 error persists.
If you do not see any high memory usage at the time of error and / or you see these Dec 17 errors only sporadically, then scan the sample with the handy scan client tool %SYMCscan ROOT%CmdLineScanner/ssecls.exe.
Execute the tool on the command prompt and scan the locally-copied sample which triggered Dec 17 error. If you do not see any Decomposer 17 error but see the scan result returned instead, the error is not triggered by the sample but by the timing of the file's status. Most likely, at the time of scan request, the file was not ready for scan due to the reasons mentioned above (file being locked).
About the Symantec Protection Engine command-line scanner: https://techdocs.broadcom.com/us/en/symantec-security-software/endpoint-security-and-management/symantec-protection-engine/9-1-0/SSECLS-Demonstration-Tool/about-the-symantec-protection-engine-command-line-v128510136-d4995e25348.html