How do I configure the scanning of compressed (zip, rar, etc) files in Symantec Endpoint Protection (SEP) for Linux?
By default, SEP for Linux includes compressed files in manual and scheduled scans.
AutoProtect scans do not normally include compressed files. Changes to this behavior are not recommended because of the negative effect on system performance.
Managed SEP for Linux clients
Scanning of compressed files by managed SEP clients is configured in any of these three places:
The scan depth setting determines the number of levels to expand if there are compressed files within compressed files.
Unmanaged SEP for Linux clients
The same settings are reflected locally at the SEP for Linux client in a configuration database. The configuration database is like the Microsoft Windows registry. You configure these settings from the command line on both managed and unmanaged SEP for Linux clients. But be advised that any changes made this way on a managed client will be overwritten by the next policy update from the SEPM.
To configure RealTime (AutoProtect) Compressed File Scanning from the command line
Open a terminal window, navigate to the /opt/Symantec/symantec_antivirus directory, then use the following command:
sudo ./symcfg add -k '\Symantec Endpoint Protection\AV\Storages\FileSystem\RealTimeScan' -v ZipFile -d 0 -t REG_DWORD # this disables AutoProtect scanning of compressed files # use -d 1 to enable, but this is not recommended for AutoProtect because of the performance hit
Alternatively, you can reduce the depth that compressed files are scanned by tuning the ZipDepth value:
sudo ./symcfg add –k '\Symantec Endpoint Protection\AV\Storages\FileSystem\RealTimeScan' –v ZipDepth –d 1 –t REG_DWORD # (-d [integer] is desired depth—default is 3)
For further information on the symcfg command, see the PDF documentation that is included with SEP for Linux.
How to change zip file scanning options for manual or scheduled scans.
The command lines for manual or scheduled scans are identical to the ones above, but Storages\FileSystem\RealTimeScan is replaced with the following: