Traditional Anti-Virus blocks files larger than 1GB over FTP with "Archive has exceeded the maximum allowed limits"
Technical Level
Solution ID: sk104224
Product: Anti-Virus
Version: R77 (EOL), R77.10 (EOL), R77.20, R77.30 (EOL)
Platform / Model: All
Date Created: 13-Jan-2015
Last Modified: 10-Jun-2015
Symptoms
The user's FTP client shows the following error when the transfer of a file larger than 1GB is interrupted:
Content inspection module rejected the requested resource
Transfer was canceled
SmartView Tracker log shows:
Product = Traditional Anti-Virus
Action = Reject
File Direction = By IP
Scan Result = Failure-reject
Reason = Archive has exceeded the maximum allowed limits
Increasing the maximum file size to scan in SmartDashboard does not help (in SmartDashboard, go to the 'Threat Prevention' tab - open 'Traditional Anti-Virus' - open 'Security Gateway' - click on 'Settings' - set the value in 'Maximum file size to scan:' - install policy).
Debugging the FTP Security Server per sk90423 shows the following in $FWDIR/log/aftpd.elg:
kav_clbk_fn: Maximum unpacked size reached, canceling scan...
[aftpd ...]@HostName[Date Time] kav_clbk_fn: got event XXX. kav_init_called=1
[aftpd ...]@HostName[Date Time] '/opt/CPsuite-R77/fw1/tmp/file...': EVENT_RESULT -
[aftpd ...]@HostName[Date Time] CLEAN
[aftpd ...]@HostName[Date Time] kav_handle_result: result = KAV_S_R_CLEAN
[aftpd ...]@HostName[Date Time] kav_handle_result: the archive max nesting level exceeded
[aftpd ...]@HostName[Date Time] AVIMServant::task_handler: Scan failed or virus found for file 161728760. failure type=Async failure(avimh=0x..., cpkioh=0x...)
Setting a large value for the "max_archive_scanned_object_size" parameter in the $FWDIR/conf/malware_config file per sk102974 changes the symptoms: the file transfer is not blocked, but simply times out.
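Added example (not part of the original article and not Check Point tooling): a Python triage helper that reads aftpd.elg debug lines and separates rejects caused by the size/nesting limit from other scan failures, using only the message text shown in the excerpt above. The one-scan-at-a-time grouping, the function name, and the sample's process id, host name and timestamp are assumptions.

```python
import re

# Message fragments copied from the aftpd.elg excerpt on this page.
LIMIT_MARKERS = ("Maximum unpacked size reached",
                 "archive max nesting level exceeded")
RESULT_RE = re.compile(r"kav_handle_result: result = (\w+)")
FAILED_RE = re.compile(r"task_handler: Scan failed or virus found for file (\d+)")

def classify_failed_scans(lines):
    """Label each failed scan in an aftpd.elg debug log.

    Assumption: scans are logged one at a time and a failed scan ends with
    the AVIMServant::task_handler line, so lines are grouped up to it.
    """
    findings, verdict, limits = [], None, []
    for line in lines:
        limits += [m for m in LIMIT_MARKERS if m in line and m not in limits]
        result = RESULT_RE.search(line)
        if result:
            verdict = result.group(1)
        failed = FAILED_RE.search(line)
        if failed:
            # Engine said CLEAN but a limit was hit: the reject comes from the
            # size/nesting limit (this SK's symptom), not from a detection.
            limit_reject = verdict == "KAV_S_R_CLEAN" and bool(limits)
            findings.append({
                "file_id": failed.group(1),
                "verdict": verdict,
                "limits": limits,
                "label": "limit-reject" if limit_reject else "needs-review",
            })
            verdict, limits = None, []
    return findings

# Constructed sample: process id, host name and timestamp are made up;
# the message text follows the excerpt above.
P = "[aftpd 4321]@gw-example[13 Jan 10:15:02] "
SAMPLE_LOG = [
    "kav_clbk_fn: Maximum unpacked size reached, canceling scan...",
    P + "kav_clbk_fn: got event XXX. kav_init_called=1",
    P + "kav_handle_result: result = KAV_S_R_CLEAN",
    P + "kav_handle_result: the archive max nesting level exceeded",
    P + "AVIMServant::task_handler: Scan failed or virus found for file 161728760."
        " failure type=Async failure(avimh=0x..., cpkioh=0x...)",
    # Constructed second scan: fails with no verdict and no limit message.
    P + "AVIMServant::task_handler: Scan failed or virus found for file 42.",
]

if __name__ == "__main__":
    for f in classify_failed_scans(SAMPLE_LOG):
        print(f["file_id"], f["label"], f["verdict"], f["limits"])
```

A "limit-reject" label matches the SmartView Tracker reason "Archive has exceeded the maximum allowed limits"; anything labelled "needs-review" should be checked by hand.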
Cause
Traditional Anti-Virus incorrectly ignores the file size to scan configured in SmartDashboard.