Showing results for 
Search instead for 
Did you mean: 

Community Insights

One of the "best hidden secrets" in Symantes's portfolio is likely the Symantec Scan Engine. This product emerged many years ago from our integration work with large Internet carriers to provide a high-scalable, high-performance antivirus scan engine, that was easy to integrate into any kind of third party application and devices. Some people might remember a product called "Carrier Scan Server" which was the first evolution of this product. Now - in version 5.2 - Symantec Scan Engine is one of the most matured products in our portfolio, and foundation for several other products in our portfolio, i.e. Symantec AntiVirus for Caching and Symantec AntiVirus for Network Attached Storage are products based on Scan Engine development.

Symantec Scan Engine itself is also a stand-alone product in our portfolio. First of all, it offers antivirus, spyware/adware blocking and URL filtering technologies, that can be easily integrated into applications from third party independent software vendors, into network attached storage devices from many hardware vendors, proxy/caching and messaging systems, as well as into the infrastructure from Internet Service Providers.
Scan Engine integrates easily into network-enabled devices via the Internet Content Adaptation Protocol (ICAP 1.0) protocol, which is a very common interface for content scanning, i.e. used in BlueCoat, NetCache or Cisco Caching systems, as well as in proxy applications such as SQUID. In addition, Scan Engine includes an SDK for client-side ICAP to allow C++, Java and C# (for .NET integrations) to quickly link Symantec Scan Engine with your own application. This provides a very flexible and scalable implementation - and it runs on Sun Solaris, Red Hat Linux, Microsoft Windows 2000/2003 and SuSE Enterprise Linux platforms.

It includes a Command Line Scanner for on demand scanning of files on Unix/Linux systems, and it is - of course and like all other Symantec antivirus products - backed by Symantec Security Response, including updates via Symantec LiveUpdate technology on all platforms.

In general, Symantec Scan Engine 5.2 is well suited for third-party independent software/hardware vendors requiring content scanning technologies for direct integration with their applications or devices (across proxy/caching, storage and messaging, etc.) that need antivirus, spyware/adware blocking and URL filtering technologies.
It is also attractive for large internet service providers who have proprietary systems (for example, email) and wish to offer antivirus, spyware/adware blocking and/or URL filtering as a value added service to subscribers.
Last but not least, Symantec Scan Engine 5.2 is ideal for OEMs, who wish to offer their customers the option to purchase Antivirus or URL filtering for their applications. We provide a SDK which allows you to code in C++, or JAVA for Windows, LINUX, or Solaris. Microsoft RPC is also a supported protocol on Windows, which is used i.e. for NetApp Filer integration.

Over the years, we have already seen many partners using Symantec Scan Engine for various integrations. One of the most active partners in this arena is PCS AG in Germany, Solingen, which is not just famous for high-quality knife-blades, but also for Connector Development around Symantec Scan Engine. PCS AG is a longstanding Symantec Technology Partner, responsible for high-quality "knife-blade" development of Symantec Scan Engine connectors i.e. for MS ISA Server and MS Sharepoint Portal Server. Their latest connector releases now covers Scan Engine connectors for MS SQL databases and MS Internet Information Server - called UNIQUE SQL Protector and UNIQUE IIS Protector. You can watch the following two videos to see how the MS SQL and MS IIS integration works:
UNIQUE SQL Protector video:
UNIQUE IIS Protector video:

PCS AG is one of the best examples on how flexible, scalable, and fast Symantec Scan Engine integrates with any third-party application, system or device. On Google you will find many other examples such as integration for Sun StorageTek or Hitachi NAS devices, Open-Source application integrations, etc. Just look for "Symantec Scan Engine" and "ICAP"...

So if you need to scan files for a specific applications, or need to scan files submitted to a web server from outside your company, Symantec Scan Engine could be your product of choice. You can simply give it a try and download a 30 day trialware version from

Please don't hesitate to contact me for any further question.



Dear Guido,

Thanks for your reply.

After integrating the SSE with F5 ASM how can we maintain the high availability (clustering) of SSE?

There is not much you can do on the Scan Engine Server side. It is up to the ICAP client to support the load balancing feature of the ICAP protocol.
If your client uses ICAP, the ICAP threshold client notification feature for Scan Engine is enabled by default. When the number of queued requests for a Symantec Scan Engine exceeds its threshold, Symantec Scan Engine rejects the scan request. It notifies the client that the server has reached the queued request threshold. The client can then adjust the load balancing, which prevents the server from being overloaded with scan requests. This feature lets the client applications that pass files to Symantec Scan Engine benefit from load-balanced scanning without any additional effort.
With other words, ideally, the F5 ASM would have to know the IP address pool of the various scan engine servers in your cluster (not just a single IP address), and secondly the ICAP client within ASM would have to be able to handle "SCAN REJECT" responses to apply load balancing. As far as I can see on F5 website, this is not the case, but you might want to ask the F5 support people.
On the screenshot on DevCentral F5 website, I can see that the ICAP client accepts the server host name instead of IP. In this case, you could be probably able to apply load balancing between your scan engine servers by using DNS Round Robin (single host name --> multiple IP addresses). It is not real load balancing by taking the server load into account, but at least some sort of load distribution.
Please let us know if this helps.

When we use ICAP for scanning file, is it necessary that the entire file be passed. i.e if we  want to intercept

a read of file, can be just  pass the data block read, to the scan engine, to determine, if the data has a virus , or should we scan the entire file ?

similarly in write path, the data should be scanned before writing to disk, right, it can be just a block of data , is this correct ?

You can always use the Trickle function of ICAP in your connector. We support that feature.

We have Symantec Scan engine to scan the files on NAS storage box. We have observed the files are not routed through the Symantec scan engine server hence it is not able to scan any of the files on the storage. could any one help to solve this problem.

You should contact the support department for your NAS and make sure it is set up correctly to send the files to the Scan Engine.


I downloaded your trial version, and installed in a red hat linux machine.

I see that thescan engine is running :

[root@lab11-50 /]# ps -aef | grep sym
root     30841     1  0 09:37 ?        00:00:00 /opt/SYMCScan/bin/symcscan -config:/opt/SYMCScan/bin -daemon
root     30842 30841  0 09:37 ?        00:00:12 /opt/SYMCScan/bin/symcscan -config:/opt/SYMCScan/bin -daemon
root     30942 29922  0 10:09 pts/0    00:00:00 grep sym
[root@lab11-50 /]#

My eth0 address is :

eth0      Link encap:Ethernet  HWaddr 00:30:48:5E:69:30
          inet addr:  Bcast: 

I go a windows machine, and using explorer/morzilla I do the following:  and I donot get the console, just get cannot find page error

Can you kindly let me know what I am missing



There are a lot of environmental factors that could cause this such as firewalls or SELinux being installed. This could also be due to a Java conflict on the server.


  While trying to use createStreamScanRequest() in my application, I am getting an exception while calling finish():

StreamScanRequest streamScanReq = scanEngine.createStreamScanRequest(fileName, null, output, Policy.DEFAULT);

Result result = streamScanReq.finish(); Unable to communicate with Symantec Scan Engine.

        at Source)

        at Source)

The SSE is running and port is also good.

The above call is working fine from another application deployed as a war on the same server.

Does anyone has any idea what could be causing this exception within one web app and working in the other?



Hi all,

I have installed symantec antivirus for nas 5.2 in rhel5.4 64bit. and installed jre But i can't open the interface through firefox.

It is showing that "to view symantec scan engine administrator interface,please install java runtime environment (jre) 5.0 update 6 or later.

I did the same also.But no changes. please help me on this..

Are you using Firefox on the same Linux server you installed Scan Engine on? The JRE plugin is not automatically installed into Firefox, you have to install it manually.

Is the trickle approach same as preview, if not can you point us to the to more information on the usage of this

More over, is FILE_MODE approach of scan more efficient than using RAW ICAP to aps file data, if yes, how and why

still a problem here too, but i get "INTERNAL_SERVER_ERROR" on files slightly larger than a few meg

running: eclipse (galileo)

using 5.2.8 jar

and in case this matters: windows server 2003 R2 (64 bit) SP2

is it possible no virus/worm/malware could ever exist on a file so large?

Please see this document as it provides insight into this issue and a couple of solutions.

thanks -- those sizing tweaks did get me past that point.


next, why won't the engine be allowed to scan certain files, like those found in C:\WINDOWS\system32\config?  could it be that files which already have a handle doled out are off-limits?


btw, this is using the SymJavaAPI.jar


We are not going to be able to scan a file that has been locked out by the OS or another process. This is also the case when a file-level antivirus program like Endpoint Protection is on the machine where the file is located. When it detects us accessing the file, it wass scan it before we get a chance to and we typically time out waiting for SEP to scan it. This is why you need to set exclusions for SEP to not scan our temp directory.


I hope you are not trying to use Scan Engine as a file-level antivirus solution. This is not what it is designed for and will not give you adequate protection. You should be using SEP which is a ring 0 device and can scan and lock out files before anything else can access them, including the OS.


Scan Engine is designed to scan files on a remote system before they enter the environment Scan Engine is set up to protect.

Sounds like you may be tring to use the Scan Engine for file system protection/scanning. Which is not really the intended use of the Scan Engine. As TSE-Jdavis said you are best off using something like our SEP or SAV solution for file system protection as it was designed exactly for that and has kernel level drivers to hook to files and scan them as they are read/written to the disk.

Scan Engine is typically used for providing virus scanning services/protection to services and systems that one would not be able to use SEP or SAV type products with directly such as Netapp filers, proxy/caching servers, Sharepoint, or file submissions from webforums etc.

ok, obviously i was a little confused: i inferred from RTFMing the SymJavaAPI.jar is designed to do exactly that -- end point scanning (by file). but just b/c i could does not mean i should. got it. so i reckon scanengine should sit apart from a file svr/repos then & act as a remote gatekeeper then? if so, i'll factor that in to my design. thanks for making it all plain


using the boilerplate sample API code, i wrote some code to successfully interrogate local files.  where i run into difficulty is getting files from a mountpoint (shared drive) in windows to pass to SSE.  in debug, i correctly resolve the filename, and i can confirm this by cut/paste into file explorer & retrieve the file.  however, it fails in this part of the code.  assume you're relatively familiar w/ the symjavaapi.jar code, or at least, the "how to use it" sample.


fileScanReq = scanEngine.createFileScanRequest(fileForScan, scPolicy);

Result result = fileScanReq.scanFile()



when i mimick the directory structure locally, all is well. (e.g., swap 'z:' with 'c:')

Are there any permission needs for the shared drive? Try running the Scan Engine service as your user account and see if it succeeds.

hmmm...i've confirmed it's not a permissions problem, but i believe windows is trying to make me think it's physically located in \\shared_drive\some_dir\some_file , but when i look at the properties of the file, it claims to be 13 bytes, but 4096 on disk, which makes me think it's actually a sym link that samba(?) can fetch for me when in dblclick on it.

long story short: this is more a java & os issue than sse

Hi I need to know how to use SSE 5.2 java API with web application created using struts 2.

Should the file scanned before uploading to the server?Struts application takes files and put them in the server as temporary file for further processing.


We are going to take the file from clients machine,at what moment we should scan the file?

1)If we need to scan file before uploading to server,then how i can scan file directly from the client machine?

2)If i should scan the file from the server,then it is already present physically in the server and it might infect the server before scan process is done.

We have Scan Engine 5.2 installed on RHEL and have been running scans successfully.  Over the weekend Scan Engine shutdown.

Message was that the system could not access our  /Symcscan/Temp folder.   Checking the 68GB drive, the /Symcscan/Temp folder had 568 log files that used 65GB of space.     Is there a way to have the system purge temp log files by time or date automatically?    After deleting all the log files in this location and rebooted the server Scan Engine was available.

I have had the same issue with Scan Engine 5.2 installed on Windows 2003 R2 Enterprise x64.

Also looking for a purging kind of solution.

In our environment Symantec Anti Virus Corporate Edition is used on the local servers. Additionally we purchased the SAV for NAS solution which incorporates the Scan Engine, which also runs on a local server, but scans the Celerra NAS.

So our environment is already getting its updates via SAVCE, so we don't require an additional definition update license for SAV for NAS, if we use Intelligent Updater, right?

Not true. First of all, you are not just paying for virus updates when you purchase the product. You are paying for support and product updates.

Second, Scan Engine/SAV for NAS will not use the new definitions if the license has expired.

Yes, the option is listed under Monitors -> Logging. The option is labeled "Number of log files to retain (one per day)". If you want to keep logs for only 30 days, you would type 30 into the box. Setting it to the default of 0 keeps everything.


You should also consider lowering your logging level if it is above warning.

Hi,  I am getting the following error.        C:\Documents and Settings\portaluser\My Documents\NetBeansProjects\dist>java -jar JavaAPICheck.jar -streambased:1 -streamFileLocal:1 -file:"c:\test\test.doc"
Problem encountered! Scanning Failed!! MAX_TRIES_REACHED.                How can i solve this problem.  Thanks


We are currently trying out trial version Scan Engine and integrating it in our java web applications.

We are able to pass file streams and it is scanned ok.

Testing this using EICAR files and virus detection works ok.

But the problem is that it passes zip files that contains EICAR files. It seems that it cannot detect that there are viruses n the content of the zip file.

Is this a bug or is there something that we need to tweak.

Currently we are only using trial version to test, is this just the limitation of the trial version?

Hoping for your fast reply for we are currently considering this product to be a part in our production systems.



Is there any update on my question above.


There is no known defect in Scan Engine that would cause this. What if you test the file with ssecls.exe? Is EICAR detected at that point?

Using the command line scanner (ssecls.exe) detected the EICAR Virus successfully. But what we are currently using right now is SymJavaApi.jar in our web application which fails detecting viruses on zip files.

Anything we could do to fix this on our side. I don't know if we could use the ssecls.jar in our java web application. We are currently sending ByteArrayOutputStream as representation of the file to be scanned. currently we just replicated the example included in scan engine installer.

Is there anyway we could do to fix this? If we need to resort to the command line scanning, is there any example that would be provided same as the example using SymJavaApi ?

We really would appreciate this.


is there a Symentec Scan Engin for Win XP?

As My web application wants to scan a file for virus before uploaded it to server through java Programming and My company uses Symantec End Point latest version.


So can you please tell me how to do this?



Scan Engine is a server level product that accepts scan requests over a network. Since WIndows XP restricts how many network connections you can have at one time Scan Engine is not designed to work on Windows XP. Since Microsoft themselves is on the tail end of supporting XP, you should be migrating away from it.


My best suggestion is to run Scan Engine inside of a virtual machine running something like Server 2003 or RedHat Linux. You can run the operating system with minimal RAM requirements (around 1 Gb) and address them through the network connection to the VM.


Would like to followup on my query above regarding zip files not being scanned by symantec Scan engine 5.2 using SymJavaApi.

Below is the class we are using to scan the stream being passed:

 public class VirusScanFunctions {
    static Vector scanEnginesForScanning = new Vector();

    public static VirusReport ScanStream(OutputStream outputStream) throws ScanException, NumberFormatException {

        if(scanEnginesForScanning.size()==0) {
            int scanengine_port = 0;
            try {
                scanengine_port = Integer.parseInt(AppServerFacade.getAppServer().getScanenginePort());
            }catch(NumberFormatException e){
                throw e;

            ScanEngine.ScanEngineInfo scanEngTobeUsed = new ScanEngine.ScanEngineInfo(AppServerFacade.getAppServer().getScanengineHost(), scanengine_port);

        ScanEngine scanEngine=null;
        StreamScanRequest streamScanReq=null;
        Result result=null;

        try {
            scanEngine = ScanEngine.createScanEngine(scanEnginesForScanning);
        } catch (ScanException ex) {
            Logger.getLogger(VirusScanFunctions.class.getName()).log(Level.SEVERE, null, ex);
            throw ex;

        try {
            streamScanReq = scanEngine.createStreamScanRequest("", null, outputStream, Policy.SCAN);
        } catch (ScanException ex) {
            Logger.getLogger(VirusScanFunctions.class.getName()).log(Level.SEVERE, null, ex);
            throw ex;

        try {      
                result = streamScanReq.finish();               
        } catch (ScanException ex) {
            Logger.getLogger(VirusScanFunctions.class.getName()).log(Level.SEVERE, null, ex);
            throw ex;

        ThreatInfo[] virusIn = result.getThreatInfo();
        //Only get the first virus info record, no need to extract further details
            return new VirusReport(result.getStatus().toString(), result.getTotalInfection(), result.getDefinitionDate(), result.getDefinitionRevNumber(), virusIn[0].getViolationName(), virusIn[0].getViolationId(), virusIn[0].getDisposition());
            return new VirusReport(result.getStatus().toString(), result.getTotalInfection(), result.getDefinitionDate(), result.getDefinitionRevNumber());

Please provide input on this.

If ever this cannot be reolved using SymJavaApi, then we'll just prevent uploading of zip files :(

Hoping for your fast response.


Hey hi,

in below o/p filestatus is coming as NO_AV_LICENSE...

so can you please tell me how to install license.

and how will i know that is file is scaned by Symentec scan engin

C:\SymantecScanEngine_5.2.10_MP1_Win32_IN\Scan_Engine_SDK\Java\Example>java Java
APICheck -streambased:1 -streamFileLocal:1 -file:"c:\Counter.txt"
Scanning file ........................................................
Results ..............................................................
File Scanned            : c:\Counter.txt
Scan Policy             : DEFAULT
File Status             : NO_AV_LICENSE
Total Infection         : 0
Virus Def Date          : Wed May 12 00:00:00 GMT+05:30 2010
Virus Def Revision No   : 040
Scan Engine IP          :
Scan Engine Port        : 1344
Scan Engine Port        : Able to connect



You need to install the license into the Scan Engine control panel. This can be accessed by going to Under the Admin tab on the left you can click on License and install it.

Thanks for your kind response.

when i am accessing the url it is prompting for password. After inserting correct password it is giving error as invalid password or symentec scan engin is not started.

Under Administrative Tools->Services , I had seen symentec scan engine service is in running state.

So can you please tell me how to start scan engin server.



vanita jain

Hello All,

My problem of starting Admin console of scan engin is resolved.

Problem was scan engin and Apache server was running on the same port.

But now can anybody tell me how to scan a file content without storing it on server and  where to find a log report of files which are scanned through scan engin




Vanita Jain



Good to hear you resolved the issue. You cannot scan a file with Scan Engine without it copying the file locally. It will use the in-memory file system if the file is small enough, but it has to bring the file locally to scan it.

The logs are stored in the directory where you installed Scan Engine. You can read them by running a Detailed report under the Reports tab on the left.


I want to scan a content of file before uploading it to server.

so can't we pass a byte array of file whic is to be upload to scan engin for scanning and then save a file on server if it's virus free.


Hello All,

Kindly let me know how to open an admin console of Symentec scan engin 5.2 which is installed on Solaris System.

I had tried with http://serverip:8004/

but its not opening.




You need to use https, not http

Thanks for Your Reply,

But sir I used https://serverip:8004 still its not opening admin console of scan engin.





Dear All,


Can you please tell me , where will i get detailed report of scanning of an file (date and timeof scanning, kb scanned , virus found...etc ) through scan engin.






Have anyone used Java api's with scan engine for file scanning. Also anyone has integrated it with any java based application.

My requirement is to use symantec scan engine before uploading files to server.Requirement is to integrate it with a portal based application.

Any sample code/docs would be really helpful. Thanks in advance

You can get these reports by running a Detail report under the Reports tab. If you need more detailed data, you will want to increase your logging level in the Monitors tab.

Hello All,


Can you please tell me  what does the SSE means by returning below ICAP Status as response

"ICAP/1.0 100";

"ICAP/1.0 200"; 

"ICAP/1.0 201";
 "ICAP/1.0 204";
"ICAP/1.0 400";
"ICAP/1.0 403";
"ICAP/1.0 404";
 "ICAP/1.0 405";
"ICAP/1.0 408";
"ICAP/1.0 500";
"ICAP/1.0 503";
 "ICAP/1.0 505";
"ICAP/1.0 533";
"ICAP/1.0 539";
"ICAP/1.0 551";
"ICAP/1.0 558";




If you read the Software developer's guide that comes with Scan Engine in the SDK folder, you will find these defined on page 29 in Table 3-4.

Thanks For your Kind response,

I have seen following status code in SSE pdf guide.

204          No content necessary              Scanning is not required, and the client sent
                                                             an Allow: 204 header, which indicates that
                                                             Symantec Scan Engine does not need to return
                                                             data to the client.


does it means SSE has scanned the whole file and found ok and give respons as Virus free file????