cancel
Showing results for 
Search instead for 
Did you mean: 
shrkac
Level 7
Report Inappropriate Content
Message 1 of 8

Count number of files in archive file

Jump to solution

Hello,

does anybody knows is there way to set rule which can be helpfull by (antimalware) scanning of big archive files by setting limit for number of files in archive, and if limit is reached, then skip (Stop ruleset) action is set ? Although mwg has rule to skip files bigger then 50 MB, with archives it is not useable. MWG does not threat arhcive file as one big file , it threats it as many small files - so scannig takes very long time, and my users have complaints.

Regards, Stjepan

1 Solution

Accepted Solutions
McAfee Employee aloksard
McAfee Employee
Report Inappropriate Content
Message 7 of 8

Re: Count number of files in archive file

Jump to solution

Hi,

Hope you are doing well.

The Body.NumberofChildren property should contain number of children in given archive (or document). It will be filled if archive supports analysis without complete unpacking, like for .rar, .zip, and some other archives.

 You can control when data extraction should be performed  until Nth level of archive (via Body.NestedArchiveLevel property).

 

Regards

Alok Sarda

 

 

 

 

View solution in original post

7 Replies

Re: Count number of files in archive file

Jump to solution

Hi Stjepan,

You can define an amount of nested objects in the composite opener.
In the rule set "Enable Opener"  you should have an event like "Enable Composite Opener <Default>".
If you click on the Default settings you can modify the nested objects. This number defines the amount of "levels" an archive should be opened.

Best

Steffen

shrkac
Level 7
Report Inappropriate Content
Message 3 of 8

Re: Count number of files in archive file

Jump to solution

Hi Steffen,

 

I tried to set "Maximum level of nested objects" in "Enable Composite Opener <Default>" setting to very low value - 2 but it did not helped me - download was "neverending" . Only thing that helped me was whitelist URL.Host in Antimalware whitelist.

I am not sure how "Enable Composite Opener <Default>" and "Maximum level of nested objects" setting has influence on some Linux rpm archive files, so for now I have URL.host whitelist option.
I have some usefull McAfee maintained Linux whitelists, but for some less known distributions it does not help.

Regards, Stjepan

Highlighted

Re: Count number of files in archive file

Jump to solution

Hi Stjepan,

Might be that the first or second level in the archive already contains thousands of objects that are being scanned.
I haven't tried something like that but maybe the property "Body.NumberOfChildren" does the trick for you.
You can try to skip either the Opener or the AV Scanning if Body.NumberOfChildren is greater than XY.

As I haven't tried it and I don't know your environment I am not sure what would be a good amount.
Maybe you can just give it a shot and try around a bit with that property..

Hope this helps!

Best
Steffen

shrkac
Level 7
Report Inappropriate Content
Message 5 of 8

Re: Count number of files in archive file

Jump to solution

Hi Steffen,

I tried ti skip Opener by setting "if Body.NumberOfChildren is greater than 1" before Opener, but I got this in Rule trace :

Capture.JPG

It is rpm arhcive that contains 2125 files, I checked with rpm -qpl command.

Regards, Stjepan

shrkac
Level 7
Report Inappropriate Content
Message 6 of 8

Re: Count number of files in archive file

Jump to solution

Hi Steffen again,

now I have new example where I found 7217 folder in second archive level : https://mirrors.ustc.edu.cn/manjaro/stable/community/x86_64/community.db . When you download community.db and unpack ti with 7-zip twice, you will get 7217 folders with one file in every folder.

This had big impact on my cpu.

So, for now it seems that ony solution is whitelist this url from antimalware scanning. Or if anyone knows some other way ?

Regards, Stjepan

McAfee Employee aloksard
McAfee Employee
Report Inappropriate Content
Message 7 of 8

Re: Count number of files in archive file

Jump to solution

Hi,

Hope you are doing well.

The Body.NumberofChildren property should contain number of children in given archive (or document). It will be filled if archive supports analysis without complete unpacking, like for .rar, .zip, and some other archives.

 You can control when data extraction should be performed  until Nth level of archive (via Body.NestedArchiveLevel property).

 

Regards

Alok Sarda

 

 

 

 

View solution in original post

shrkac
Level 7
Report Inappropriate Content
Message 8 of 8

Re: Count number of files in archive file

Jump to solution

Hi Alok,

this property Body.NumberofChildren showed me number of zipped files when I created simple zip file and tried to download it. So it works for zip and probably some other arhcives.

Now it is challenge for me to define number of files in archive that will be limit for antimalware scanning.

Thank you !

Regards, Stjepan

More McAfee Tools to Help You
  • Subscription Service Notification (SNS)
  • How-to: Endpoint Removal Tool
  • Support: Endpoint Security
  • eSupport: Policy Orchestrator
  • Community Help Hub

      New to the forums or need help finding your way around the forums? There's a whole hub of community resources to help you.

    • Find Forum FAQs
    • Learn How to Earn Badges
    • Ask for Help
    Go to Community Help

    Join the Community

      Thousands of customers use the McAfee Community for peer-to-peer and expert product support. Enjoy these benefits with a free membership:

    • Get helpful solutions from McAfee experts.
    • Stay connected to product conversations that matter to you.
    • Participate in product groups led by McAfee employees.
    Join the Community
    Join the Community