dlpdecom
Files contained in compressed files can be scanned for digital assets. To determine the files to scan, OfficeScan subjects a compressed file to the following rules:
Maximum size of a decompressed file: __ MB (1-512MB)
Maximum compression layers: __ (1-20)
Maximum number of files to scan: __ (1-2000)
A compressed file – upon decompression – must meet the specified limit.
Example: You set the limit to 20MB.
Scenario 1: If the size of archive.zip upon decompression is 30MB, none of the files contained in archive.zip will be scanned. The other two rules are no longer checked.
Scenario 2: If the size of my_archive.zip upon decompression is 10MB:
If my_archive.zip does not contain compressed files, OfficeScan skips Rule 2 and proceeds to Rule 3.
If my_archive.zip contains compressed files, the size of all decompressed files must be within the limit. For example, if my_archive.zip contains AAA.rar, BBB.zip and EEE.zip, and EEE.zip contains 222.zip:
|
my_archive.zip |
|
|
= 10MB upon decompression |
|
|
\AAA.rar |
|
= 25MB upon decompression |
|
|
\BBB.zip |
|
= 3MB upon decompression |
|
|
\EEE.zip |
|
= 1MB upon decompression |
|
|
|
\222.zip |
= 2MB upon decompression |
my_archive.zip, BBB.zip, EEE.zip, and 222.zip will be checked against Rule 2 because the combined size of these files is within the 20MB limit. AAA.rar is skipped.
Files within the specified number of layers will be flagged for scanning.
For example:
|
my_archive.zip |
|
|
|
|
|
\BBB.zip |
\CCC.xls |
|
|
|
\DDD.txt |
|
|
|
|
\EEE.zip |
\111.pdf |
|
|
|
|
\222.zip |
\333.txt |
If you set the limit to two layers:
OfficeScan will ignore 333.txt because it is located on the third layer.
OfficeScan will flag the following files for scanning and then check Rule 3:
DDD.txt (located on the first layer)
CCC.xls (located on the second layer)
111.pdf (located on the second layer)
OfficeScan scans files up to the specified limit. OfficeScan scans files and folders in numeric and then alphabetic order.
Continuing from the example in Rule 2, OfficeScan has flagged the highlighted files for scanning:
|
my_archive.zip |
|
|
|
|
|
\BBB.zip |
\CCC.xls |
|
|
|
\DDD.txt |
|
|
|
|
\EEE.zip |
\111.pdf |
|
|
|
|
\222.zip |
\333.txt |
In addition, my_archive.zip contains a folder named 7Folder, which was not checked against Rule 2. This folder contains FFF.doc and GGG.ppt. This brings the total number of files to be scanned to 5, as highlighted below:
|
my_archive.zip |
|
|
|
|
|
\7Folder |
\FFF.doc |
|
|
|
\7Folder |
\GGG.ppt |
|
|
|
\BBB.zip |
\CCC.xls |
|
|
|
\DDD.txt |
|
|
|
|
\EEE.zip |
\111.pdf |
|
|
|
|
\222.zip |
\333.txt |
If you set the limit to 4 files, the following files are scanned:
FFF.doc
GGG.ppt
CCC.xls
DDD.txt
For files that contain embedded files, OfficeScan extracts the content of the embedded files.
If the extracted content is text, the host file (such as 123.doc) and embedded files (such as abc.txt and xyz.xls) are counted as one.
If the extracted content is not text, the host file (such as 123.doc) and embedded files (such as abc.exe) are counted separately.
The following events trigger decompression rules:
Event 1:
A compressed file to be transmitted matches a policy and the action on the compressed file is Pass (transmit the file).
For example, to monitor .ZIP files that users are transmitting, you defined a file attribute (.ZIP), added it to a template, used the template in a policy, and then set the action to Pass.
If the action is Block, the entire compressed file is not transmitted and therefore, there is no need to scan the files it contains.
Event 2:
A compressed file to be transmitted does not match a policy.
In this case, OfficeScan will still subject the compressed file to the decompression rules to determine which of the files it contains should be scanned for digital assets and whether to transmit the entire compressed file.
Result:
Events 1 and 2 have the same result. When OfficeScan encounters a compressed file:
If Rule 1 is not satisfied, OfficeScan allows the transmission of the entire compressed file.
If Rule 1 is satisfied, the other two rules are checked. OfficeScan allows the transmission of the entire compressed file if:
All scanned files do not match a policy.
All scanned files match a policy and the action is Pass.
The transmission of the entire compressed file is blocked if at least one scanned file matches a policy and the action is Block.
See also: