How to configure scanning of compressed files in Endpoint Protection for Linux, 14.3 MP1 or older

Article ID: 151341

Products

Endpoint Protection

Issue/Introduction

How do I configure the scanning of compressed (zip, rar, etc.) files in Symantec Endpoint Protection (SEP) for Linux, versions 14.3 MP1 or older? See the instructions below. For SEP/SES Linux Agent 14.3 RU1 or newer, see the instructions here: Linux agent continues scanning compressed files despite disabled option in policy

Cause

By default, SEP for Linux includes compressed files in manual and scheduled scans.

AutoProtect scans do not normally include compressed files. Changes to this behavior are not recommended because of the negative effect on system performance.

Resolution

NOTE: These instructions apply only to SEP for Linux version 14.3 MP1 (14.3.1148) or older. For SEP/SES Linux Agent 14.3 RU1 or newer, see instructions here: Linux agent continues scanning compressed files despite disabled option in policy

Managed SEP for Linux clients

Scanning of compressed files by managed SEP clients is configured in any of these three places:

  • At the SEP Manager (SEPM) by enabling or disabling the appropriate properties check box ("Scan files inside compressed files").
  • In the Virus and Spyware Protection Policy.
  • In the Administrator-Defined Scans or Auto-Protect sections.

The scan depth setting determines the number of levels to expand if there are compressed files within compressed files.

Unmanaged SEP for Linux clients

The same settings are reflected locally on the SEP for Linux client in a configuration database, which works much like the Microsoft Windows registry. You can configure these settings from the command line on both managed and unmanaged SEP for Linux clients, but be advised that any changes made this way on a managed client will be overwritten by the next policy update from the SEPM.

To configure RealTime (AutoProtect) Compressed File Scanning from the command line

Open a terminal window, navigate to the /opt/Symantec/symantec_antivirus directory, then use the following command:

sudo ./symcfg add -k '\Symantec Endpoint Protection\AV\Storages\FileSystem\RealTimeScan' -v ZipFile -d 0 -t REG_DWORD
# this disables AutoProtect scanning of compressed files
# use -d 1 to enable, but this is not recommended for AutoProtect because of the performance hit

Alternatively, you can reduce the depth that compressed files are scanned by tuning the ZipDepth value:

sudo ./symcfg add -k '\Symantec Endpoint Protection\AV\Storages\FileSystem\RealTimeScan' -v ZipDepth -d 1 -t REG_DWORD
# -d [integer] is the desired depth; the default is 3

For further information on the symcfg command, see the PDF documentation that is included with SEP for Linux.

How to change zip file scanning options for manual or scheduled scans

The command lines for manual or scheduled scans are identical to the ones above, but Storages\FileSystem\RealTimeScan is replaced with the following:

  • LocalScans\ManualScan for all manual scans.
  • Custom Tasks\ (e.g. Custom Tasks\myschedscan) for a specific scheduled scan (NOTE there is a space in "Custom Tasks").
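As an added example (not from the article), a small POSIX shell helper that builds the symcfg key for each scan type listed above from the key paths the article gives, validates the ZipFile or ZipDepth value, and prints the resulting command rather than running it unless SYMCFG_DRYRUN=0. The variable and function names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the article. Builds the symcfg key for a scan
# type using the key paths the article gives, validates the value, and either
# prints the resulting command (SYMCFG_DRYRUN=1, the default) or runs it.
# SYMCFG_DRYRUN, scan_key and set_zip_value are names chosen for this example.

SYMCFG_DIR=/opt/Symantec/symantec_antivirus
SYMCFG_DRYRUN=${SYMCFG_DRYRUN:-1}

# scan_key realtime | manual | scheduled <task name>
# Prints the full registry-style key for that scan type.
scan_key() {
    base='\Symantec Endpoint Protection\AV\Storages'
    case "$1" in
        realtime)  printf '%s\n' "$base"'\FileSystem\RealTimeScan' ;;
        manual)    printf '%s\n' "$base"'\LocalScans\ManualScan' ;;
        scheduled) [ -n "$2" ] || return 1          # task name is required
                   printf '%s\n' "$base"'\Custom Tasks\'"$2" ;;
        *)         return 1 ;;
    esac
}

# set_zip_value <scan type> <ZipFile|ZipDepth> <integer> [task name]
# ZipFile: 0 disables / 1 enables scanning inside compressed files.
# ZipDepth: how many nested archive levels to expand (article default: 3).
set_zip_value() {
    key=$(scan_key "$1" "$4") || return 1
    case "$2:$3" in
        ZipFile:0|ZipFile:1) ;;                       # only 0 or 1 are valid
        ZipDepth:[0-9]|ZipDepth:[0-9][0-9]) ;;        # small non-negative depth
        *) return 1 ;;
    esac
    cmd="sudo ./symcfg add -k '$key' -v $2 -d $3 -t REG_DWORD"
    if [ "$SYMCFG_DRYRUN" = 1 ]; then
        printf '%s\n' "$cmd"
    else
        # Real run: only meaningful on the SEP for Linux host itself.
        (cd "$SYMCFG_DIR" && sudo ./symcfg add -k "$key" -v "$2" -d "$3" -t REG_DWORD)
    fi
}

# Example: cap AutoProtect archive depth at 1, and disable archive scanning
# for manual scans and for the scheduled scan "myschedscan" (dry run by default).
set_zip_value realtime ZipDepth 1
set_zip_value manual ZipFile 0
set_zip_value scheduled ZipFile 0 myschedscan
```

On a managed client, remember that the next policy update from the SEPM will overwrite whatever these commands set.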