Community Insights

One of the "best-kept secrets" in Symantec's portfolio is likely the Symantec Scan Engine. This product emerged many years ago from our integration work with large Internet carriers to provide a highly scalable, high-performance antivirus scan engine that is easy to integrate into any kind of third-party application or device. Some people might remember a product called "Carrier Scan Server", which was the first evolution of this product. Now, in version 5.2, Symantec Scan Engine is one of the most mature products in our portfolio and the foundation for several others: Symantec AntiVirus for Caching and Symantec AntiVirus for Network Attached Storage, for example, are based on Scan Engine development.

Symantec Scan Engine itself is also a stand-alone product in our portfolio. First of all, it offers antivirus, spyware/adware blocking and URL filtering technologies that can be easily integrated into applications from third-party independent software vendors, into network attached storage devices from many hardware vendors, into proxy/caching and messaging systems, and into the infrastructure of Internet Service Providers.
Scan Engine integrates easily into network-enabled devices via the Internet Content Adaptation Protocol (ICAP 1.0), a very common interface for content scanning that is used, for example, in BlueCoat, NetCache and Cisco caching systems, as well as in proxy applications such as SQUID. In addition, Scan Engine includes an SDK for client-side ICAP that allows C++, Java and C# (for .NET integrations) to quickly link Symantec Scan Engine with your own application. This provides a very flexible and scalable implementation, and it runs on Sun Solaris, Red Hat Linux, Microsoft Windows 2000/2003 and SuSE Enterprise Linux platforms.

It includes a command-line scanner for on-demand scanning of files on Unix/Linux systems and, like all other Symantec antivirus products, it is backed by Symantec Security Response, including updates via Symantec LiveUpdate technology on all platforms.

In general, Symantec Scan Engine 5.2 is well suited for third-party independent software/hardware vendors that require content scanning technologies for direct integration with their applications or devices (across proxy/caching, storage, messaging, etc.) and need antivirus, spyware/adware blocking and URL filtering.
It is also attractive for large Internet service providers who have proprietary systems (for example, email) and wish to offer antivirus, spyware/adware blocking and/or URL filtering as a value-added service to subscribers.
Last but not least, Symantec Scan Engine 5.2 is ideal for OEMs who wish to offer their customers the option to purchase antivirus or URL filtering for their applications. We provide an SDK which allows you to code in C++ or Java for Windows, Linux or Solaris. Microsoft RPC is also a supported protocol on Windows; it is used, for example, for NetApp Filer integration.

Over the years, we have seen many partners use Symantec Scan Engine for various integrations. One of the most active partners in this arena is PCS AG in Solingen, Germany, which is famous not just for high-quality knife blades but also for connector development around Symantec Scan Engine. PCS AG is a longstanding Symantec Technology Partner, responsible for high-quality "knife-blade" development of Symantec Scan Engine connectors, for example for MS ISA Server and MS SharePoint Portal Server. Their latest connector releases now cover Scan Engine connectors for MS SQL databases and MS Internet Information Server, called UNIQUE SQL Protector and UNIQUE IIS Protector. You can watch the following two videos to see how the MS SQL and MS IIS integration works:
UNIQUE SQL Protector video: http://www.pcs-ag.de/index.php?id=285
UNIQUE IIS Protector video: http://www.pcs-ag.de/index.php?id=279

PCS AG is one of the best examples of how flexibly, scalably and quickly Symantec Scan Engine integrates with any third-party application, system or device. On Google you will find many other examples, such as integrations for Sun StorageTek or Hitachi NAS devices, open-source application integrations, etc. Just search for "Symantec Scan Engine" and "ICAP".

So if you need to scan files for specific applications, or need to scan files submitted to a web server from outside your company, Symantec Scan Engine could be your product of choice. You can simply give it a try and download a 30-day trialware version from http://www.symantec.com/business/scan-engine.

Please don't hesitate to contact me with any further questions.

 

Comments
Great info....... thanks... 
Scan Engine is a great product to support because it is so portable and powerful. It seems the most popular use at this point is NAS scanning but I have seen it used with a Websense proxy server before and even as a Linux file system scanner.
You're right that the SDK provides a C# code example to make the Scan Engine work in a Win Server 2003 environment. This code example appears to require the SESA agent to run on the server.

However in a Win server 2008 environment the SESA agent won't install... and I understand from Symantec's technical support team that there's no plan to make the SESA agent Win 2008 compatible...??

Why is there no example in the SDK to make Scan Engine work in a Win 2008 environment?
After digging a bit deeper it appears that Scan Engine 5.2.4 has added support for Win Server 2008. If it does support Win Server 2008 how come your SDK doesn't provide a working C# example for the 2008 platform?

A response is appreciated...
Does Scan Engine 5.2.4 provide an SDK for Java? If yes, please provide a link to the product information.
Yes, you can use the Java API plug-in (SymJavaAPI.jar) to integrate with Symantec Scan Engine. The Java API provides client antivirus scanning and repair services using the ICAP protocol. The Java API supports the FILEMOD and RESPMOD scanning modes, and it contains the built-in ability to stream files.
You will find some more information in the folder Scan_Engine_SDK/Java/Docs/SymJavaAPIDocs.jar on the product CD and in the archive of the trial version download.
SESA is an old, legacy architecture of Symantec to provide Security Information and Event Management. It has been replaced years ago by Symantec Security Information Manager appliance. Usually you should be able to use the coding without the SESA portion to create an ICAP client talking with the Scan Engine ICAP Server directly, and there is no need to use the SESA agents anymore, as this backend architecture has been EOL'ed years ago.

Is Symantec Scan Engine part of the Symantec Endpoint Protection product? My company provides the Symantec Endpoint Protection product. But I don't know whether it provides Symantec Scan Engine or not.

I want to use Symantec Endpoint Engine to scan files for my web application. Here is what I am going to do. I am going to start writing the application program first, and my client-side application program will use SymJavaAPISym to configure an application to pass files to Symantec Antivirus Scan Engine for scanning using the ICAP protocol.

If I don't have Symantec Scan Engine, are there any other ways I can do the implementation?

Thanks
Junkfood,

Scan Engine is not part of SEP, it is a different product with different licensing.

You can download a copy of it here and you will be emailed a 30-day license to try it out:

http://www.symantec.com/business/scan-engine

It comes with the implementation guide, SDK and examples, and also a Java command-line scanner which sounds like it would work best for your web environment.




Thank you for your fast and detailed response. I really appreciate it.
Now I am going to use the trialware first. My IT Manager will take care of the product license.
However, I have met some problems after I installed Symantec Scan Engine 5.2 on Windows 2K3.
I followed the instructions of the Symantec Scan Engine Implementation Guide, setting up my admin account and using the default port number 8004 and default SSL 8005. The JRE I used is 1.6.
But now, when I want to start the console I go to http://127.0.0.1:8004/ or http://localhost:8004/ and the result is only 5 squares on the IE Browser.
If I type https://127.0.0.1:8004 or https://localhost:8004/ , the result shows no page can display on the IE Browser.
If I type http://localhost/ , my tomcat apache server console shows up.
Do you have any ideas about this? Is the problem with license? Is the problem with version of IE?
The page to access is https://localhost:8004/. You need to make sure you only have one version of Java installed. Multiple versions can cause issues.

Also, make sure the Symantec Scan Engine service is running by looking in services.msc.

Keep in mind that we use a self-signed certificate, so it's going to warn you that it's not a safe site, even though it's fine.

Lastly, I would recommend using Firefox, since it is much more compatible with the Scan Engine interface and doesn't bother you so often about the self-signed certificate.
Hi, TSE-JDavis:

Thank you for your answer.

I followed your suggestion:

1. Go to the Java Control Panel (Settings - Control Panel - Java) and clean the Java cache.

2. Install Firefox.

3. Go to the Administrative Tools --> Services --> It shows the status of Symantec Scan Engine as started.

4. Open Firefox and type https://localhost:8004/ in the URL bar. Here is the error message I get from Firefox:

You have asked Firefox to connect securely to localhost:8004, but we can't confirm that your connection is secure.

Normally, when you try to connect securely, sites will present trusted identification to prove that you are going to the right place. However, this site's identity can't be verified.

What Should I Do?

If you usually connect to this site without problems, this error could mean that someone is trying to impersonate the site, and you shouldn't continue.

Technical Details

localhost:8004 uses an invalid security certificate.

The certificate is not trusted because it is self-signed.
The certificate is only valid for Symantec Scan Engine 5.2

(Error code: sec_error_ca_cert_invalid)

I Understand the Risks

If you understand what's going on, you can tell Firefox to start trusting this site's identification. Even if you trust the site, this error could mean that someone is tampering with your connection.

Don't add an exception unless you know there's a good reason why this site doesn't use trusted identification

Hi, TSE-JDavis:

Now I can access the Symantec Scan Engine Console after I chose to add an exception.

Once again, thank you for your help.
Thank you for the help. I already solved the problem, and now I can log in to the Symantec Scan Engine Console.

After I log in to the Symantec Scan Engine Console, it asks me to provide a license file; otherwise, it will not provide any service or scanning feature.

Do you know where I can get a 30-day license file or product license to activate all the services provided by Symantec Scan Engine?

Should I send the request to the Symantec Licensing Portal?
When you followed the link I sent you, as soon as you started the download, we emailed you a 30-day trial license. It would have come from licensing@symantec.com and included a .zip file which contains the .slf you need to give Scan Engine.
Hi, TSE-JDavis;

I already got the 30-day trial license, and finished setting up the Scan Engine Server.

Now I am going to implement the web application by using SymJavaAPIDocs.

The Scan Engine SDK already provides the jar file and the JavaAPICheck example. It is very helpful for me to implement my application by using Java.

However, the jar SymJavaAPIDocs is provided by Symantec without any javadoc documentation.

Do you know where I can find the javadoc documentation or any useful examples or tutorial documents about using this Java jar?

Thanks.

I tried JavaAPICheck.java given with SymJavaAPI.jar, and I got the following resultStatus = FILE_ACCESS_FAILED

For security purposes I mention the IP as a localhost reference.

D:\dev\test\TestProject>java JavaAPICheck -streamFileLocal:0 file:\\127.0.0.1\test\TestProject\test.doc
----------------------------------------------------------------------
Scanning file ........................................................
----------------------------------------------------------------------
Results ..............................................................
----------------------------------------------------------------------
File Scanned            : \\127.0.0.1\test\TestProject\test.doc
Scan Policy             : SCAN
File Status             : FILE_ACCESS_FAILED
Total Infection         : 0
Virus Def Date          : Tue Feb 23 00:00:00 IST 2010
Virus Def Revision No   : 004
Scan Engine IP          : 127.0.0.1
Scan Engine Port        : 1344
Scan Engine Access      : Able to connect

Please suggest what I am doing wrong, and how I can proceed further.
We are trying to use the Java API for scanning large files. The idea was to compare the command-line invocation with the Java API for response and performance. We had two implementations, one that takes the location of the file and the other that takes the InputStream. The file size we chose was 380 MB, which is possible for our application. When scanning with the InputStream, we are getting

Problem encountered! Scanning Failed!! ERROR_SOCKET_COMMUNICATION
com.symantec.scanengine.api.ScanException: Unable to communicate with Symantec Scan Engine.
        at com.symantec.scanengine.api.RequestImpl.readResult1(Unknown Source)
        at com.symantec.scanengine.api.RequestImpl.finish(Unknown Source)
        at com.wellsfargo.virusscan.VirusScanTest2.main(VirusScanTest2.java:64)

and when scanning with the file location in the Java API, we are getting
Exception in thread "main" com.symantec.scanengine.api.ScanException: Unable to open a stream to recieve the data from the server.
        at com.symantec.scanengine.api.RequestImpl.read(Unknown Source)
        at com.symantec.scanengine.api.FileScanRequestImpl.scanFile(Unknown Source)
        at com.wellsfargo.virusscan.VirusScanTest.main(VirusScanTest.java:31)

Also the input stream is slow. Are we missing some configuration? I would really appreciate any ideas and suggestions.

 

I have several Scan Engine for NAS running with some IBM Netapp Storage systems I have on different plants.
So, I have several Scan Engine Consoles to monitor everyday.

Is there a way to integrate those consoles ? maybe with SEP11 console ? or SAV reporter ?


Thanks
Please let me know what method you are using - createFileScanRequest or createStreamScanRequest. There is a fundamental difference between FileScanRequest and StreamScanRequest behavior. FileScanRequest operates on an absolute file path. If you want to use FileScanRequest, you have to ensure that the file is directly accessible to the scan engine at the given path, otherwise you will get the "FILE_ACCESS_FAILED" error return. This method is typically used when the client and the scan engine are on the same box. If this is not the case, then we would recommend using StreamScanRequest.
@FbacchinZF SEP 11 Console and Scan Engine Console can run on the same computer regardless of what Java version you use. But they don't integrate. Symantec Scan Engine events can be integrated into a centralized console, but it requires another product from Symantec called "Symantec Security Information Manager". Please take a look at the following document, which will also link to another document with some more details about this integration: http://service1.symantec.com/SUPPORT/ent-gate.nsf/docid/2009081713191754. Symantec Security Information Manager is a soft-appliance that runs on either a specific Symantec hardware appliance or specific Dell, HP, IBM appliances. We don't have a trialware available online, but you can contact your Symantec representative to request a demo unit for your company. SSIM comes with hundreds of collectors to collect and correlate events from many various sources, incl. firewalls, intrusion detection, AV etc. You can get a list of all collectors in the SSIM forum on Symantec Connect: https://www-secure.symantec.com/connect/security/forums/security-information-manager. You also mentioned "Threat Reporter" (formerly known as "SAV Reporter"). This is a famous reporting tool from Symantec Consulting Group based on HTML, PHP, MySQL/MS SQL Server, perl. It is very dedicated to AntiVirus products (from Symantec and other third-party vendors), and is different from SSIM and its broader security posture and correlation approach. However, Threat Reporter also supports Scan Engine 5.x reporting. Hope this helps. Please don't hesitate to ask further questions. -Guido
Where can I find documents/white papers detailing the performance/throughput of Symantec Scan Engine?


 
@Guido

Thanks for your detailed answer.

Integrating Scan Engine with Threat Reporter will be wonderful for me.

How do I do that ? Is there any documentation about it ?

Should I just install the reporting agents as I do for SAV Parent Servers ?
Hi All,
We have a scenario in which we are using Symantec Scan Engine for the virus scan of uploaded files. Unfortunately the system we are using is on the .NET 1.1 framework. When we use the dll given by the Symantec Scan Engine, it does not allow us to add a reference, as there is no forward compatibility in .NET. The scan engine dll is given with .NET version 2.0. The only thing we can do is have a web service wrapper on top of the .NET 2.0 dll and call the web service method from the .NET 1.1 application.

Is there any way that we can get the .NET 1.1 runtime version of the Scan Engine dll so that we can reference it in our application?

Please provide some pointers on the same.
Hi All,

We are using java API to scan the local files(Scan engine and files are on the same box win 2003). When we scan the file of size 30MB then it scans the files successfully


C:\project>java -classpath .;C:\project\SymJavaAPI.jar JavaAPICheck -streambased:1 -streamFileLocal:1 -file:"c:\data\30mb.zip"
----------------------------------------------------------------------
Scanning file ........................................................
----------------------------------------------------------------------
Results ..............................................................
----------------------------------------------------------------------
File Scanned            : c:\data\30mb.zip
Scan Policy             : DEFAULT
File Status             : CLEAN
Total Infection         : 0
Virus Def Date          : Tue Mar 09 00:00:00 GMT+05:30 2010
Virus Def Revision No   : 009
Scan Engine IP          : 10.77.201.95
Scan Engine Port        : 1344
Scan Engine Port        : Able to connect


but when we scan the file of size 75 MB it shows the error

C:\project>java -classpath .;C:\project\SymJavaAPI.jar JavaAPICheck -streambased:1 -streamFileLocal:1 -file:"c:\data\75mb.zip"
Problem encountered! Scanning Failed!! ERROR_SOCKET_COMMUNICATION

Please provide some pointer to solve the issue

Thanks
Scan Engine is such a powerful product !

I would like to buy a Symantec Antivirus, Protection Suite or something, but also want to use the Scan Engine to integrate with some other ones.

So I was wondering which Symantec product is using Scan Engine. can give some detail info?

The only actual Symantec product that uses Scan Engine is Symantec Protection for Sharepoint Servers. Scan Engine is more commonly used by third-party products such as NetApp Filer, EMC Celerra, Websense, BlueCoat, Squid proxy, etc.

The Scan Engine does come with an SDK so you can create your own web-based connector or integrate Scan Engine into your existing products.

I've downloaded some trial version antivirus products, and found that some of them are based on Scan Engine: I had to install the scan engine first and then install the antivirus product.
Now the question is: if I bought an antivirus product for system that include the scan engine in installation package, do i need to install the scan engine again when configuring the Symantec Protection for SharePoint Servers? It makes me feel paying twice for one thing.

Wish I knew about this scan engine months ago, would have saved a lot of time.

Hi, I have installed Scan Engine and the console page is working, but I cannot find the 30-day trial license. Could you send me a trial license?

Thank.

You can either download the trialware here and get emailed a 30 day license:

http://www.symantec.com/business/scan-engine

or you can call customer service and get one:

http://www.symantec.com/business/support/assistance_care.jsp
Hi ,

I have downloaded and installed the trial-ware - Scan Engine 5.2. The URL https://localhost:8004 opens perfectly. But when I enter the Administrator console  Password it throws error saying "password is invalid or Scan Engine Server not running". I have tried uninstall and reinstalled just to make sure that password is correct. The result was same , error. 

ScreenShot : https://www-secure.symantec.com/connect/sites/default/files/sse.JPG

System OS : Windows Server 2003 
Scan engine : Trial Ware 5.2

Please reply as soon as possible as I need to evaluate the product ASAP and take a decision.

This error has been caused by a few different things in the past.

The first to check is to make sure you only have one JRE installed and no Java SDKs of any kind. The best thing to do if you have multiple versions is to uninstall all of them and Scan Engine and just install the JRE package that comes in our Tools folder and then Scan Engine.

The second thing I have seen cause this is using localhost instead of the hostname of the computer. Try using either the IP address or the hostname assigned to the computer.
HI

i'm using SSE 5.2 on Windows 2003Server
by scanning doc\pic files i receive error code 3 and the following log:
1279803675|10|2|1|33|Decomposer|34|17|4|E:\testFile.up.doc|39|127.0.0.1|17|0.000|18|0.000|43|myServerIP|44|1344|45|90184

thanks
Jonathan

Check out this document directly addressing the Decomposer 17 error you are seeing:


Title: 'How to troubleshoot Decomposer / 17 scan errors from Scan Engine 5.x'
Document ID: 2009080409140454
Web URL: http://service1.symantec.com/SUPPORT/ent-gate.nsf/docid/2009080409140454?Open&seg=ent

Since I see that the file appears to be on a local drive already, I would look to make sure you don't have a file-level antivirus product scanning the file while we are trying to scan it or scanning the Scan Engine's temp directory.

Hello,
       I have got the JavaAPICheck example working. Now I want to understand the process and probably tweak a little bit for use it in my web application. Where can I find the java docs for SymJavaAPI.jar?

-Srini

How can I create a file which will fail the virus scan?

-Srini

Fail in what way? You can create a file that will violate the container limits. You can turn on blocking on encrypted files. You can send it the EICAR test virus file to create a virus incident.

Hi,
Is there a way to cluster SSE for a high availability?
 


No, each Scan Engine installation is its own entity and has no awareness of other Scan Engines.
Thank you. Do you have the Java Docs published some where for the classes in SymJavaAPI.jar?

-Srini

You will find the Java docs in the folder Scan_Engine_SDK/Java/Docs/SymJavaAPIDocs.jar on the product CD and in the archive of the trial version download.

Well, the Symantec Scan Engine APIs provide load balancing across multiple computers that run Symantec Scan Engine. Client applications that pass files to Symantec Scan Engine benefit from load-balanced scanning without any additional effort. If you use multiple scan engines, the API determines which scan engine receives the next file to be scanned based on a scheduling algorithm.
If any Symantec Scan Engine cannot be reached or fails during a scan, another Symantec Scan Engine is called. The faulty Symantec Scan Engine is taken out of rotation for a period of time. If all of the Symantec Scan Engines are out of rotation, the faulty Symantec Scan Engines are called again.
If your client uses ICAP, the ICAP threshold client notification feature is enabled by default. When the number of queued requests for a Symantec Scan Engine exceeds its threshold, Symantec Scan Engine rejects the scan request. It notifies the client that the server has reached the queued request threshold. The client can then adjust the load balancing, which prevents the server from being overloaded with scan requests. This feature lets the client applications that pass files to Symantec Scan Engine benefit from load-balanced scanning without any additional effort.
You will find additional information about load balancing in the Implementation Guide.
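
Added example, not part of the original comments and not code from the Symantec SDK: a minimal Python sketch of the client-side rotation described in the comment above, where a faulty engine is taken out of rotation for a period and all engines are retried once every one of them is out. The round-robin order, the 30-second cooldown, the class and function names and the engine labels are assumptions; the comment only says "a scheduling algorithm" and "a period of time".

```python
import time


class EngineUnavailable(Exception):
    """An engine could not be reached or failed during a scan."""


class ScanEnginePool:
    """Client-side rotation over several scan engines with timed exclusion."""

    def __init__(self, engines, scan, cooldown=30.0, clock=time.monotonic):
        if not engines:
            raise ValueError("at least one engine is required")
        self.engines = list(engines)
        self.scan = scan          # scan(engine, data) -> verdict; raises EngineUnavailable
        self.cooldown = cooldown  # seconds a faulty engine stays out of rotation (assumed)
        self.clock = clock
        self.benched_until = {}   # engine -> time at which it rejoins the rotation
        self._next = 0            # round-robin pointer (assumed scheduling algorithm)

    def _candidates(self):
        now = self.clock()
        live = {e for e in self.engines if self.benched_until.get(e, now) <= now}
        # If every engine is out of rotation, the faulty engines are called again.
        live = live or set(self.engines)
        n = len(self.engines)
        order = [self.engines[(self._next + i) % n] for i in range(n)]
        self._next = (self._next + 1) % n
        return [e for e in order if e in live]

    def submit(self, data):
        """Return (engine, verdict), or raise if no engine produced a verdict."""
        last_error = None
        for engine in self._candidates():
            try:
                verdict = self.scan(engine, data)
            except EngineUnavailable as exc:
                # Take the faulty engine out of rotation and try the next one.
                self.benched_until[engine] = self.clock() + self.cooldown
                last_error = exc
                continue
            self.benched_until.pop(engine, None)
            return engine, verdict
        # Fail closed: an unscanned file must never be reported as clean.
        raise EngineUnavailable("no scan engine produced a verdict") from last_error


def demo():
    """Constructed scenario: engine-b is down, then recovers after the cooldown."""
    now, down = [0.0], {"engine-b"}

    def fake_scan(engine, data):  # stands in for a real ICAP or SDK call
        if engine in down:
            raise EngineUnavailable(engine)
        return "CLEAN"

    pool = ScanEnginePool(["engine-a", "engine-b", "engine-c"], fake_scan,
                          cooldown=30.0, clock=lambda: now[0])
    served = [pool.submit(b"constructed sample")[0] for _ in range(4)]
    now[0] = 31.0   # cooldown has elapsed
    down.clear()    # engine-b is healthy again
    served.append(pool.submit(b"constructed sample")[0])
    return served


if __name__ == "__main__":
    print(demo())
```

When every engine fails, `submit` raises instead of returning a verdict, so the calling upload handler has to reject or quarantine the file rather than let it through unscanned.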

Thanks Guido for your clarifications.

Now I am looking to see if I can integrate SSE with F5 Big IP LTM to scan the uploaded files to my web application before reaching the web servers tier, while in the same time keeping the user informed that the uploaded file contained a Virus.

If you have any experience regarding this please let me know.

Regards.


Do you have any plan for supporting Solaris x86 Platform?

Sorry, no. Here is our support matrix:

Title: 'Symantec Scan Engine 5.2.x Platform Support Matrix'
Document ID: 2010021811473054
Web URL: http://service1.symantec.com/SUPPORT/ent-gate.nsf/docid/2010021811473054?Open&seg=ent
Thanks for the answer, but according to:

http://service1.symantec.com/support/ent-gate.nsf/854fa02b4f5013678825731a007d06af/d808b230a713fe8...


you are planning to do that:

"Also note that Symantec is planning to release a Solaris x86 platform-compatible Scan Engine release within the next few months." and this was written 27.01.2009


Hello, the Big IP Local Traffic Manager is working as a proxy. To use Scan Engine with it, this proxy would have to talk to Scan Engine via protocol. The most common integration is via ICAP, where the proxy is acting as an ICAP client, and the Scan Engine server or server-pool as the ICAP server.
I did a quick look at F5 website, and it seems that they don't have an ICAP client feature in the Big IP LTM appliance. By saying this, there is not much you can do apart from asking F5 to add an ICAP client module into their proxy OS. I did some other search on their webpage and it appears, that their latest version (v10.2) of F5 BIG-IP Application Security Manager (ASM) includes an ICAP client. You can see more details on http://devcentral.f5.com/weblogs/macvittie/archive/2010/08/27/f5-friday-it-is-now-safe-to-enable-file-upload.aspx. I guess that this is an additional module to the Big IP appliance, but you will get more info about it from F5 directly. However, as long as it is using ICAP standard, the integration and configuration is pretty easy, as you just have to set the ICAP (Scan Engine) server IP and port.
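
Added example, not part of the original comments and not code from the Symantec SDK or from F5: what an ICAP client, such as the proxy described above or the RESPMOD mode mentioned earlier in the thread, puts on the wire for one file, following ICAP 1.0 (RFC 3507). Port 1344 is the Scan Engine port shown in the outputs on this page; the service path, the `upload.invalid` host and all function names are assumptions, and the message is built in memory, so this sketch suits small files only.

```python
import socket
from urllib.parse import quote

CHUNK = 4096  # bytes per chunk in the encapsulated body


def build_respmod(host, port, service, filename, payload):
    """Return one complete ICAP RESPMOD request carrying `payload` as the body."""
    for field in (host, service):
        # Refuse values that could inject extra ICAP header lines.
        if any(ch in field for ch in "\r\n "):
            raise ValueError("illegal character in host or service")
    # Encapsulated HTTP request and response headers describing the file.
    req_hdr = (f"GET /{quote(filename)} HTTP/1.1\r\n"
               "Host: upload.invalid\r\n\r\n").encode("ascii")
    res_hdr = ("HTTP/1.1 200 OK\r\n"
               "Content-Type: application/octet-stream\r\n"
               f"Content-Length: {len(payload)}\r\n\r\n").encode("ascii")
    # The body travels in chunked encoding, closed by a zero-length chunk.
    chunks = [payload[i:i + CHUNK] for i in range(0, len(payload), CHUNK)]
    body = b"".join(b"%x\r\n%s\r\n" % (len(c), c) for c in chunks) + b"0\r\n\r\n"
    # Encapsulated offsets are counted from the start of the encapsulated part.
    icap_hdr = (f"RESPMOD icap://{host}:{int(port)}/{service} ICAP/1.0\r\n"
                f"Host: {host}\r\n"
                "Allow: 204\r\n"
                f"Encapsulated: req-hdr=0, res-hdr={len(req_hdr)}, "
                f"res-body={len(req_hdr) + len(res_hdr)}\r\n\r\n").encode("ascii")
    return icap_hdr + req_hdr + res_hdr + body


def parse_icap_status(raw):
    """Return (status_code, headers) from the head of an ICAP response."""
    head = raw.partition(b"\r\n\r\n")[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    proto, code, *_reason = lines[0].split(" ", 2)
    if not proto.startswith("ICAP/"):
        raise ValueError("not an ICAP response")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return int(code), headers


def classify_response(raw):
    """Map an ICAP response to what the upload handler should do next."""
    try:
        code, _headers = parse_icap_status(raw)
    except ValueError:
        return "reject"   # unparseable answer: fail closed
    if code == 204:
        return "pass"     # server had nothing to change in the content
    if code == 200:
        return "inspect"  # encapsulated response returned; may be a replacement
    return "reject"       # overload, error or anything unexpected


def send_icap(host, port, message, timeout=30.0):
    """Send one request and return the response head (needs a reachable server)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(message)
        data = b""
        while b"\r\n\r\n" not in data:
            part = sock.recv(4096)
            if not part:
                break
            data += part
    return data
```
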
I have put an inquiry in to our backline level support reps and they are currently discussing this. There is indeed conflicting information out there. I should be able to post an update soon.