Endpoint Protection

  • 1.  How does SEP client handle scanning compressed and archived file???

    Posted Aug 04, 2011 04:39 AM

    Hi Symantec Team,

    I hope you would consider my inquiry regarding SEP client handling of scanning compressed files, archived files and database files.

    Given the fact that Auto-Protect was unable to scan and detect malware in compressed or archived files, does Symantec have its own reason/strategy for why it was designed like that, given that other AV software is able to do it?

    When scanning a large compressed/archived or database file, does the SEP client scan the file until it finishes, or just a portion? Is there a way to configure an initial scan file size or a duration so that the scanning of these large files is skipped and scanning proceeds to the other files?

    Why is the scanning of compressed files limited to 10 levels of compression?

    Thank you in advance...

    Have a great day.....



  • 2.  RE: How does SEP client handle scanning compressed and archived file???

    Posted Aug 04, 2011 05:01 AM

    Auto-Protect can scan and detect malware in compressed or archived files, only on access.

    Go to the Policies page > Admin defined scans > Advanced scanning options...

    Scanning Compressed files

    Enable 'Scan inside compressed files' and set the desired number of levels (how many times a file was compressed).

    For database servers, it is 'best practice' to exclude the database files. Add the database file extension to the exclusions, or select to scan only selected extensions, and only scan when modified.

    As for the limit: scan any deeper and the scanning will take a long time to finish, which is not practical.

    SEP scans files, including compressed ones, when they are accessed in real time. As soon as you open a folder or compressed file, it scans the immediate path.



  • 3.  RE: How does SEP client handle scanning compressed and archived file???

    Posted Aug 04, 2011 01:07 PM

    Given the fact that Auto-Protect was unable to scan and detect malware in compressed or archived files, does Symantec have its own reason/strategy for why it was designed like that, given that other AV software is able to do it?

    Auto-Protect for the file system indeed doesn't check archives (by contrast, Auto-Protect for E-Mail/Outlook/Lotus Notes does). I assume the main reason is performance. Apart from that, malware in archives will be detected by Auto-Protect when the archive is decompressed.

    Why is the scanning of compressed files limited to 10 levels of compression?

    Performance; and perhaps because zip bombs are able to cause an infinite decompression loop (until the system crashes). And if the malware is in the 11th level, it will be detected when the archive is decompressed.

    Symantec seems to be satisfied with these settings. Since I have known the product (NAVCE 7.5), they have never changed them.
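    The two answers above (posts 2 and 3) describe an archive scanner that descends a fixed number of nesting levels and refuses to keep decompressing a zip bomb. The following is an added example written for this page, not Symantec code and not a description of how SEP is implemented: it builds nested ZIPs in memory with Python's standard library, scans them with a depth limit of 10 (the outer archive counts as level 1), and flags bomb-like members from their central-directory sizes before decompressing anything. The marker string, the 100:1 ratio threshold, the 50 MB size cap and the "detect" routine are all constructed assumptions for illustration.

```python
import io
import zipfile

# Assumed limits for this illustration (not SEP's actual values).
MAX_NESTING = 10                   # archive-in-archive depth we are willing to descend
MAX_RATIO = 100.0                  # uncompressed:compressed ratio above which a member is a bomb
MAX_MEMBER_BYTES = 50 * 1024 * 1024

# Constructed stand-in for a signature: any file containing this marker is "malware".
SIGNATURE = b"MALWARE-SAMPLE-MARKER"


def signature_detect(content: bytes) -> bool:
    """Toy detection routine: a substring match stands in for a real AV engine."""
    return SIGNATURE in content


def scan_archive(data: bytes, detect=signature_detect, max_depth: int = MAX_NESTING,
                 depth: int = 1, path: str = "") -> dict:
    """Scan a ZIP held in memory, descending into nested ZIPs up to max_depth levels.

    Returns {"detections": [...], "bombs": [...], "skipped": [...]} holding member paths.
    The outer archive is level 1; a member archive is only opened while depth < max_depth.
    """
    report = {"detections": [], "bombs": [], "skipped": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            member = f"{path}/{info.filename}"
            # Zip-bomb heuristic from central-directory metadata only: nothing has been
            # inflated yet, so refusing a huge-ratio member costs no memory or CPU.
            ratio = info.file_size / (info.compress_size or 1)
            if ratio > MAX_RATIO or info.file_size > MAX_MEMBER_BYTES:
                report["bombs"].append(member)
                continue
            content = zf.read(info)
            if detect(content):
                report["detections"].append(member)
            if zipfile.is_zipfile(io.BytesIO(content)):
                if depth >= max_depth:
                    # Same trade-off the thread describes: deeper content stays unscanned
                    # until someone extracts it and on-access scanning sees the files.
                    report["skipped"].append(member)
                    continue
                try:
                    sub = scan_archive(content, detect, max_depth, depth + 1, member)
                except zipfile.BadZipFile:
                    continue          # looked like a ZIP but is not one; treat as plain data
                for key in report:
                    report[key].extend(sub[key])
    return report


def make_nested_zip(payload: bytes, levels: int) -> bytes:
    """Wrap payload in `levels` ZIPs: level 1 holds payload.bin, level 2 holds level1.zip, ..."""
    data, name = payload, "payload.bin"
    for i in range(1, levels + 1):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            zf.writestr(name, data)
        data, name = buf.getvalue(), f"level{i}.zip"
    return data


def make_bomb_zip(size: int = 4 * 1024 * 1024) -> bytes:
    """A single-member ZIP of zeros; deflate shrinks it roughly 1000x, far past MAX_RATIO."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("zeros.bin", b"\0" * size)
    return buf.getvalue()


# Constructed sample: the marker plus poorly compressible filler so its ratio stays low.
SAMPLE = SIGNATURE + bytes(range(256)) * 8

if __name__ == "__main__":
    print("10 levels:", scan_archive(make_nested_zip(SAMPLE, 10)))
    print("11 levels:", scan_archive(make_nested_zip(SAMPLE, 11)))
    print("bomb:     ", scan_archive(make_bomb_zip()))
```

    With the sample wrapped ten deep the marker is found at the innermost level; wrapped eleven deep, the scanner stops at level 10 and reports `level1.zip` as skipped, which is exactly the "11th level" case post 3 describes. Raising `max_depth` to 11 finds it again at the cost of one more round of inflation per archive.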



  • 4.  RE: How does SEP client handle scanning compressed and archived file???

    Posted Aug 04, 2011 05:24 PM

    Hi,

    Archive files are safe... there is no need to scan them in real time; this would impact performance, especially nowadays when zip files can be really big (not 1.44 MB like in the past).

    Only their content can be malicious, but you need to unzip them, and once you access any of those unzipped files, Auto-Protect scans it. So, if a file is scanned anyway before it runs, what protection are you missing?

    The same for the number of levels, greg12 gave a good explanation.

    So, any AV could have a different approach; of course, the more scans you want, the more resources you need. Symantec tries to provide the best compromise and, as greg12 wrote, Symantec is satisfied with those settings because most of its customers are satisfied with them.