Endpoint Protection / Endpoint Security Linux agent continues scanning compressed files despite disabled option in policy

Article ID: 232817

Products

Endpoint Security

Issue/Introduction

SEP/SES (Symantec Endpoint Protection / Endpoint Security) Linux Agent continues scanning compressed files despite disabled option in policy (unchecked option for "scan compressed files").

Environment

SEP Linux Agent, versions 14.3 RU1 and newer

Cause

By design. SES for Linux is meant to always scan compressed files, and the option to disable AutoProtect (AP) compressed scanning has been removed in newer versions of SEPM policy. However, compressed file scanning can still be disabled through local configuration on the SEP/SES Linux Agent.

Resolution

This article applies only to SEP/SES Linux Agent versions 14.3 RU1 or newer. For SEP Linux client 14.3 MP1 or older, see "How to configure scanning of compressed files in Endpoint Protection for Linux, 14.3 MP1 or older".

Starting with SEP 14.3 RU5 (14.3.3075.5000), the SEP Linux agent no longer scans compressed files with Realtime scanning. It is recommended to use this version or newer to improve scan performance.

To disable compressed file scanning in SEP/SES Linux Agent versions 14.3 RU1 through 14.3 RU5 (14.3.3069.5000), perform the following actions locally at the client:

  • sudo service sisamdagent stop

  • Edit /opt/Symantec/sdcssagent/AMD/system/AntiMalware.ini and set scanner.max.container.depth=0

  • sudo service sisamdagent start

Note that this will reduce the scan depth to 1 level for all compressed file scanning by AutoProtect, scheduled and on-demand scans.
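
The three steps above as a script that keeps a backup of the previous setting and verifies the result. This is an added example, not vendor code. It assumes it is run as root, that AntiMalware.ini stores the setting as a flat key=value line (the key is appended if absent), and the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not vendor code): idempotent edit of scanner.max.container.depth.
# Assumption: AntiMalware.ini holds the setting as a plain "key=value" line.
INI_DEFAULT=/opt/Symantec/sdcssagent/AMD/system/AntiMalware.ini
KEY=scanner.max.container.depth
PAT='^[[:space:]]*scanner\.max\.container\.depth[[:space:]]*='

# Print the current value of the key (empty output if the key is not set).
get_container_depth() {
    sed -n "s/${PAT}[[:space:]]*//p" "$1" | tail -n 1
}

# Set the key to $2 in file $1: rewrite existing lines, or append if absent.
set_container_depth() {
    file=$1; value=$2
    case $value in ''|*[!0-9]*) echo "depth must be a non-negative integer" >&2; return 2 ;; esac
    [ -f "$file" ] || { echo "missing $file" >&2; return 1; }
    cp -p "$file" "$file.bak" || return 1      # previous config kept for rollback and audit
    tmp=$(mktemp "$file.XXXXXX") || return 1
    if grep -q "$PAT" "$file"; then
        sed "s/${PAT}.*/$KEY=$value/" "$file" > "$tmp"
    else
        # Add a newline first if the file does not end with one, then append the key.
        { cat "$file"; [ -z "$(tail -c1 "$file")" ] || echo; printf '%s=%s\n' "$KEY" "$value"; } > "$tmp"
    fi
    cat "$tmp" > "$file" && rm -f "$tmp"       # overwrite in place to keep owner and mode
    [ "$(get_container_depth "$file")" = "$value" ]   # verify what the agent will read
}

# The procedure from the article: stop the agent, edit, start the agent.
apply_on_agent() {
    service sisamdagent stop || return 1
    rc=0; set_container_depth "$INI_DEFAULT" 0 || rc=$?
    service sisamdagent start || return 1      # restart the agent even if the edit failed
    return "$rc"
}

# Nothing is changed unless the script is invoked with --apply.
if [ "${1:-}" = "--apply" ]; then apply_on_agent; fi
```

Running `get_container_depth` against the live file afterwards is a quick way to confirm during an audit which hosts have the reduced scan depth.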