Symantec™ Protection Engine 8.1 Command Line Reference Guide

Legal Notice
Copyright © 2019 Symantec Corporation. All rights reserved.

Symantec, the Symantec Logo, the Checkmark Logo and are trademarks or registered trademarks of
Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks
of their respective owners.

This Symantec product may contain third party software for which Symantec is required to provide attribution
to the third party (“Third Party Programs”). Some of the Third Party Programs are available under open
source or free software licenses. The License Agreement accompanying the Software does not alter any
rights or obligations you may have under those open source or free software licenses. Please see the
Third Party Legal Notice Appendix to this Documentation or TPIP ReadMe File accompanying this Symantec
product for more information on the Third Party Programs.

The product described in this document is distributed under licenses restricting its use, copying, distribution,
and decompilation/reverse engineering. No part of this document may be reproduced in any form by any
means without prior written authorization of Symantec Corporation and its licensors, if any.

THE DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS,
REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE
DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY
INVALID. SYMANTEC CORPORATION SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL
DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS
DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO
CHANGE WITHOUT NOTICE.

The Licensed Software and Documentation are deemed to be commercial computer software as defined
in FAR 12.212 and subject to restricted rights as defined in FAR Section 52.227-19 "Commercial Computer
Software - Restricted Rights" and DFARS 227.7202, et seq. "Commercial Computer Software and
Commercial Computer Software Documentation," as applicable, and any successor regulations, whether
delivered by Symantec as on premises or hosted services. Any use, modification, reproduction release,
performance, display or disclosure of the Licensed Software and Documentation by the U.S. Government
shall be solely in accordance with the terms of this Agreement.
Symantec Corporation
350 Ellis Street
Mountain View, CA 94043

https://www.symantec.com
Symantec Support
All support services will be delivered in accordance with your support agreement and the
then-current Enterprise Technical Support policy.

Knowledge Base Articles and Symantec Connect


Before you contact Technical Support, you can find free content in our online Knowledge Base,
which includes troubleshooting articles, how-to articles, alerts, and product manuals. In the
search box of the following URL, type the name of your product:
https://support.symantec.com
Access our blogs and online forums to engage with other customers, partners, and Symantec
employees on a wide range of topics at the following URL:
https://www.symantec.com/connect

Technical Support and Enterprise Customer Support


Symantec Support maintains support centers globally 24 hours a day, 7 days a week. Technical
Support’s primary role is to respond to specific queries about product features and functionality.
Enterprise Customer Support assists with non-technical questions, such as license activation,
software version upgrades, product access, and renewals.
For Symantec Support terms, conditions, policies, and other support information, see:
https://entced.symantec.com/default/ent/supportref
To contact Symantec Support, see:
https://support.symantec.com/en_US/contact-support.html
Contents

Symantec Support

Chapter 1 Introduction
About this document
About XMLModifier tool
XMLModifier options

Chapter 2 Configuration
Protocols
Resources
Logging
Proxy and Quarantine Server
Miscellaneous

Chapter 3 LiveUpdate
LiveUpdate

Chapter 4 Policies
Threat policies
Insight Scanning
APK Reputation
Actions
Exclusion policies
Notifications

Chapter 5 Filtering
URL Reputation
URL Filtering
Containers
File Attribute

Chapter 1
Introduction
This chapter includes the following topics:

■ About this document

■ About XMLModifier tool

■ XMLModifier options

About this document


This document is only a quick reference to the command line interface options available with
the XML modifier command-line tool to configure and administrate all tasks in the Symantec
Protection Engine.
For detailed information about the product, refer to the Symantec Protection Engine Implementation Guide.

About XMLModifier tool


The XML files that you can modify are as follows:

configuration.xml
Contains the protocol settings, resource settings, logging setting, quarantine server setting, and proxy server settings.

filtering.xml
Contains the settings for URL filtering, container limits and container handling, and file attribute and email attribute handling.

liveupdate.xml
Contains the LiveUpdate options.

policy.xml
Contains an antivirus scan setting, Insight settings, APK reputation settings, and access-denied and notification messages.


Following is the XML modifier command-line tool for Symantec Protection Engine:
■ xmlmodifier
A tool used on Linux platforms to modify the XML files.
Always run the XMLModifier utility from the installation directory. After you change the settings
by using the XMLModifier utility, you must stop and start the Symantec Protection Engine
service for the changes to take effect.

XMLModifier options
Use the XML modifier command-line tool of Symantec Protection Engine to modify the XML
files.

Note: For boolean values, allowed and recommended values are true or false.

Table 1-1 provides the option commands that you can use with the XML modifier command-line
tool of Symantec Protection Engine.

Table 1-1 Option commands

Option name Description

Remove
If the XPath specifies an attribute, then that attribute is set to an empty string.
If the XPath specifies a group, then the items within that group are removed. If you want to populate a list within the XML document with new items, first remove the whole list.
The command is as follows:
For Linux: xmlmodifier -r <XPath> <XMLfile>
where <XPath> is the required XPath and <XMLfile> is the XML file name.

Bulk copy
Use the bulk copy command to insert a list of items that are stored at the XPath. Each item is separated as a new line. The bulk copy command appends the bulk file items to the XPath location. Only use this command to insert lists. Each entry must be on a separate line.
The command is as follows:
For Linux: xmlmodifier -b <XPath> bulkfile <XMLfile>
where <XPath> is the required XPath and <XMLfile> is the XML file name.

Node value
This command sets a node value.
The command is as follows:
For Linux: xmlmodifier -s <XPath> newvalue <XMLfile>
where <XPath> is the required XPath and <XMLfile> is the XML file name.
For example,
xmlmodifier -s //filtering/URLFilter/@enabled <value> filtering.xml

Encrypt the password (using the AES 256-bit encryption method) and store in specified XPath location
This command encrypts the specified password using the AES 256-bit encryption method and stores it in the specified XPath location. However, only certain parameters support this encryption method in Symantec Protection Engine.
Table 1-2 lists the parameters that are encrypted using this method.
The command is as follows:
For Linux: xmlmodifier -k <XPath> <password> <SPE install directory> <XMLfile>
where <XPath> is the required XPath, <password> is your password, <SPE install directory> is the path to the installation directory, and <XMLfile> is the XML file name.
Note: Make sure the path to the Symantec Protection Engine installation directory does not end with /.

Query
This command returns the value of the node in the XML document with no newline.
The command is as follows:
For Linux: xmlmodifier -q <XPath> <XMLfile>
where <XPath> is the required XPath and <XMLfile> is the XML file name.

Query list
This command returns the list of values of the node in the XML document with a newline. The l is lowercase, as in list.
The command is as follows:
For Linux: xmlmodifier -l <XPath> <XMLfile>
where <XPath> is the required XPath and <XMLfile> is the XML file name.

Add local URL categories
This command adds local URL categories.
The command is as follows:
For Linux: xmlmodifier -a <urlcategory1|urlcategory2|..>
where <urlcategory> is the local URL category.



Delete local URL categories
This command deletes local URL categories.
The command is as follows:
For Linux: xmlmodifier -d <urlcategory1|urlcategory2|..>
where <urlcategory> is the local URL category.

Add URL(s) to local URL category
This command adds URL(s) to local URL category.
The command is as follows:
For Linux: xmlmodifier -u <urlcategory|url1|url2|..>
where <url> is the url to be added and <urlcategory> is the local URL category.

Delete URL(s) from local URL category
This command deletes URL(s) from the local URL category.
The command is as follows:
For Linux: xmlmodifier -v <urlcategory|url1|url2|..>
where <url> is the url to be deleted and <urlcategory> is the local URL category.

Add URL(s) to URL Override List
This command adds URL(s) to URL Override List
The command is as follows:
For Linux: xmlmodifier -o <url1|url2|..>
where <url> is the url to be added.

Delete URL(s) from URL Override List
This command deletes the URL(s) from the URL Override List.
The command is as follows:
For Linux: xmlmodifier -i <url1|url2|..>
where <url> is the url to be deleted.

Table 1-2 Parameters that require password encryption using the AES 256-bit method

Parameter name: Proxy Server Password
XPath: /configuration/ProxyServerSettings/Password/@value
Configuration file name: configuration.xml

Parameter name: LiveUpdate Server Password
XPath: /liveupdate/UpdateServer/Password/@value
Configuration file name: liveupdate.xml


Note: The XMLModifier utility has a dependency on the libxml2 library. If this library is not
found, the utility may throw an error. The libxml2 library is already present in the installation
directory. However, if the XMLModifier utility is still unable to find the library on UNIX machines,
you can add the path, /opt/SYMCScan/bin, to the LD_LIBRARY_PATH environment variable.
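
The Python below is an added example, not part of the Symantec guide: it chains -q/-s/-q for single values and -r/-b/-l for lists, as Table 1-1 describes, so each change records the old value and confirms the new one. `FakeXmlModifier` is a constructed in-memory stand-in for the binary so the code runs offline, the binary location under the install directory is assumed, and the SNMP community and recipient addresses are sample values.

```python
"""Change-control wrapper for the xmlmodifier options in Table 1-1 (added example)."""
import os
import subprocess
import tempfile

INSTALL_DIR = "/opt/SYMCScan/bin"  # Linux default from this guide; binary location is assumed


def run_xmlmodifier(args, install_dir=INSTALL_DIR):
    """Run the real tool from the installation directory and return its stdout."""
    env = dict(os.environ)
    # Prepend the install path so libxml2 is found; drop empty entries, which
    # the dynamic loader would otherwise treat as the current directory.
    extra = [p for p in env.get("LD_LIBRARY_PATH", "").split(os.pathsep) if p]
    env["LD_LIBRARY_PATH"] = os.pathsep.join([install_dir, *extra])
    done = subprocess.run([os.path.join(install_dir, "xmlmodifier"), *args],
                          cwd=install_dir, env=env, check=True,
                          capture_output=True, text=True)
    return done.stdout


def set_and_verify(xpath, value, xml_file, run=run_xmlmodifier):
    """-q, -s, -q: return (old, new) and fail if the write did not take."""
    old = run(["-q", xpath, xml_file])      # -q prints the value with no newline
    run(["-s", xpath, value, xml_file])
    new = run(["-q", xpath, xml_file])
    if new != value:
        raise RuntimeError(f"{xpath}: expected {value!r}, tool reports {new!r}")
    return old, new


def replace_list(xpath, entries, xml_file, run=run_xmlmodifier):
    """-r, -b, -l: replace a list wholesale; -b alone would append to the old items."""
    clean = [e.strip() for e in entries]
    if not clean or any(not e or "\n" in e or "\r" in e for e in clean):
        raise ValueError("each bulk entry must be one non-empty line")
    # NamedTemporaryFile creates the bulk file readable by the owner only.
    with tempfile.NamedTemporaryFile("w", suffix=".bulk", delete=False) as fh:
        fh.write("\n".join(clean) + "\n")
    try:
        run(["-r", xpath, xml_file])            # remove the whole list first
        run(["-b", xpath, fh.name, xml_file])   # then append the new entries
        stored = run(["-l", xpath, xml_file]).splitlines()
    finally:
        os.unlink(fh.name)
    if stored != clean:
        raise RuntimeError(f"{xpath}: list after update is {stored!r}")
    return stored


class FakeXmlModifier:
    """Constructed stand-in that models the option behaviour described in Table 1-1."""

    def __init__(self, values=None, lists=None):
        self.values, self.lists, self.calls = dict(values or {}), dict(lists or {}), []

    def __call__(self, args):
        opt, xpath = args[0], args[1]
        self.calls.append(opt)
        if opt == "-q":
            return self.values.get(xpath, "")
        if opt == "-l":
            return "".join(item + "\n" for item in self.lists.get(xpath, []))
        if opt == "-s":
            self.values[xpath] = args[2]
        elif opt == "-r":
            self.lists[xpath] = []
        elif opt == "-b":
            with open(args[2]) as fh:
                self.lists.setdefault(xpath, []).extend(fh.read().splitlines())
        return ""


def demo():
    """Replace the default SNMP community and the SMTP recipient list (sample values)."""
    community = "//configuration/Logging/LogSNMP/@community"
    recipients = "//configuration/Logging/LogSMTP/RecipientList/items"
    fake = FakeXmlModifier(values={community: "public"},
                           lists={recipients: ["old@example.com"]})
    change = set_and_verify(community, "spe-mon-ro", "configuration.xml", run=fake)
    stored = replace_list(recipients, ["soc@example.com", "ir@example.com"],
                          "configuration.xml", run=fake)
    return change, stored, fake.calls


if __name__ == "__main__":
    print(demo())
```

On a real host, omit `run=` so the calls go to the binary, then stop and start the Symantec Protection Engine service for the change to take effect. The `-k` option takes the plaintext password as an argument, so it is visible in local process listings while the command runs.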
Chapter 2
Configuration
This chapter includes the following topics:

■ Protocols

■ Resources

■ Logging

■ Proxy and Quarantine Server

■ Miscellaneous

Protocols
Table 2-1 Protocol settings

Settings XPath

Set protocol
Symantec Protection Engine uses this protocol to communicate with the client applications for which it provides scanning services.
xmlmodifier -s //configuration/ProtocolSettings/Protocol/@value <value> configuration.xml
Allowed values
■ ICAP
Default value: ICAP

Enable Server busy response
Parameter to enable/disable the ICAP threshold client notification.
xmlmodifier -s //configuration/ProtocolSettings/EnableServerTooBusyResponse/@value <value> configuration.xml
Allowed values
■ true
■ false
Default value: true



Table 2-2 ICAP protocol settings

Settings XPath

Set ICAP Preview
Parameter to send the transfer headers based on the Symantec Protection Engine extension lists.
xmlmodifier -s //configuration/ProtocolSettings/ICAP/ICAPPreviewAll/@value <value> configuration.xml
Allowed values
■ true
■ false
Default value: true

Set ICAP response
Parameter to send access denied message or ICAP 403 response.
xmlmodifier -s //configuration/ProtocolSettings/ICAP/ICAPResponse/@value <value> configuration.xml
Allowed values
■ true
■ false
Default value: true

Set port number
You must use this port number for all of the scanning IP addresses that you want to bind to Symantec Protection Engine.
xmlmodifier -s //configuration/ProtocolSettings/ICAP/Port/@value <value> configuration.xml
Allowed values
■ 0 to 65535
Default value: 1344

Set Bind address
You can specify whether you want Symantec Protection Engine to bind to all of the IP addresses that it detects, or you can restrict access to one or more interfaces. If you do not specify at least one IP address, Symantec Protection Engine binds to all of the scanning IP addresses that it detects.
xmlmodifier -s //configuration/ProtocolSettings/ICAP/BindAddress/@value <value> configuration.xml
Allowed values
■ Scanning IP addresses that you want to bind to Symantec Protection Engine.
Default value: None

Response for non-viral threats
Parameter to set whether non-viral threat information should be sent or not in ICAP response.
xmlmodifier -s //configuration/ProtocolSettings/ICAP/EnableNonViralThreatCategoryResp/@value <value> configuration.xml
Allowed values
■ true
■ false
Default value: false

Connection Backlog
Parameter to set the maximum length of the queue of pending socket connections while Symantec Protection Engine is listening for incoming ICAP request.
xmlmodifier -s //configuration/ProtocolSettings/ICAP/ConnectionBacklog/@value <value> configuration.xml
Allowed values
■ Any unsigned integer
Default value: 128

Enable Threat Category Information
Parameter to set whether threat information should be sent or not in ICAP response.
xmlmodifier -s //configuration/ProtocolSettings/ICAP/EnableThreatCategoryInformation/@value <value> configuration.xml
Allowed values
■ true
■ false
Default value: true

Enable Reputation Info
Parameter to set whether insight reputation information should be sent or not in ICAP response.
xmlmodifier -s //configuration/ProtocolSettings/ICAP/EnableReputationInfo/@value <value> configuration.xml
Allowed values
■ 0 and 1
Default value: 1

Max Header Length
This parameter specifies the maximum length of single ICAP header.
xmlmodifier -s //configuration/ProtocolSettings/ICAP/MaxHeaderLength/@value <value> configuration.xml
Allowed values
■ 1024 to 2147483646
Default value: 65536



Enable URL Category Type In ICAP Response
Parameter to set whether enable URL category type should be sent or not in ICAP response.
xmlmodifier -s //configuration/ProtocolSettings/ICAP/EnableURLCategoryTypeInICAPResponse/@value <value> configuration.xml
Allowed values
■ true
■ false
Default value: false

Set Opt Body Allowed
Parameter to return the list of categories.
xmlmodifier -s //configuration/ProtocolSettings/ICAP/OptBodyAllowed/@value <value> configuration.xml
Allowed values
■ true
■ false
Default value: true

Enable APK reputation info
Parameter to set whether APK reputation info should be sent or not in ICAP response.
xmlmodifier -s //configuration/ProtocolSettings/ICAP/EnableAPKReputationInfo/@value <value> configuration.xml
Allowed values
■ true
■ false
Default value: true

Enable internal server error information.
Parameter to provide additional information that causes internal server error during the file scan.
xmlmodifier -s //configuration/ProtocolSettings/ICAP/EnableInternalServerErrorInfo/@value <value> configuration.xml
Allowed values
■ true
■ false
Default value: false



Enable the secure ICAP.
xmlmodifier -s /configuration/ProtocolSettings/ICAP/SecureICAP/@enabled true configuration.xml
Allowed values:
■ true
■ false
Default value: false

Configure the port.
xmlmodifier -s /configuration/ProtocolSettings/ICAP/SecureICAP/SecureICAPPort/@value <value> configuration.xml
Allowed values:
■ Integer from 0 through 65535
Default value: 11344

Specify Symantec Protection Engine server's private key file.
xmlmodifier -s /configuration/ProtocolSettings/ICAP/SecureICAP/PrivateKeyFile/@value <value> configuration.xml
Allowed values:
■ Valid file path
Default value: None

Set the encrypted plaintext password.
xmlmodifier -k /configuration/ProtocolSettings/ICAP/SecureICAP/PrivateKeyPassPhrase/@value <plaintext password> <SPE_install_directory> configuration.xml
Allowed values:
■ Valid password
■ Symantec Protection Engine installation directory path
Default value: None

Specify the Symantec Protection Engine server certificate file name.
xmlmodifier -s /configuration/ProtocolSettings/ICAP/SecureICAP/CertificateFile/@value <certificate file> configuration.xml
Allowed values:
■ Valid file name
Default value: None



Configure the cipher list.
xmlmodifier -s /configuration/ProtocolSettings/ICAP/SecureICAP/CipherList/@value <comma separated cipher list in openssl supported format> configuration.xml
Allowed values:
■ Valid cipher list
Default value:
ECDHE-RSA-AES128-GCM-SHA256,ECDHE-RSA-AES256-GCM-SHA384,ECDHE-RSA-AES128-SHA256,ECDHE-RSA-AES256-SHA384,AES128-GCM-SHA256,AES256-GCM-SHA384,AES128-SHA256,AES256-SHA256

Enable the client certificate verification.
xmlmodifier -s /configuration/ProtocolSettings/ICAP/SecureICAP/ClientCertificateVerification/@enabled <value> configuration.xml
Allowed values:
■ true
■ false
Default value: false

Set the CA certificate file that will be used to verify the client certificate.
xmlmodifier -s /configuration/ProtocolSettings/ICAP/SecureICAP/ClientCertificateVerification/ClientCACertificateFile/@value <client CA certificate file> configuration.xml
Allowed values:
■ Valid file name
Default value: None

Specify the directory that contains CA certificate in PEM format.
xmlmodifier -s /configuration/ProtocolSettings/ICAP/SecureICAP/CACertFilePath/@value <certificate file path> configuration.xml
Allowed values:
■ Valid file path


Resources
Table 2-3 System settings

Settings XPath

Set Temp Dir
Parameter to set temporary directory that is used by Symantec Protection Engine for scanning purposes.
xmlmodifier -s //configuration/Resources/System/TempDir/@value <value> configuration.xml
Allowed values
■ Valid directory path. Ensure the directory exists and do not enclose the directory path with semicolon.
Default values
Linux: /opt/SYMCScan/temp

Set Min Threads
Parameter to configure minimum number of available threads for scanning box.
xmlmodifier -s //configuration/Resources/System/MinThreads/@value <value> configuration.xml
Allowed values
■ 0 to 512.
Default value: Depends on the number of cores of the processor.

Set MaxThreads
Parameter to configure maximum number of available threads for scanning box.
xmlmodifier -s //configuration/Resources/System/MaxThreads/@value <value> configuration.xml
Allowed values
■ 1 to 512
Default value: Depends on the number of cores of the processor.

Set Grow Thread Count By
By using this parameter, Symantec Protection Engine thread count grows by the configured value.
xmlmodifier -s //configuration/Resources/System/GrowThreadCount/@value <value> configuration.xml
Allowed values
■ 0 to 16
Default value: 4

Set Shrink Thread Count
By using this parameter, Symantec Protection Engine thread count shrinks by the configured value.
xmlmodifier -s //configuration/Resources/System/ShrinkThreadCount/@value <value> configuration.xml
Allowed values
■ 0 to 16
Default value: 2

Enable Busy Request Count
The number of queued requests to be processed by scanning threads, which triggers the creation of more scanning threads.
xmlmodifier -s //configuration/Resources/System/BusyRequestCount/@value <value> configuration.xml
Allowed values
■ Any unsigned integer
Default value: 4

Enable Idle Thread Count
The number of idle scanning threads, which triggers the removal of scanning threads.
xmlmodifier -s //configuration/Resources/System/IdleThreadCount/@value <value> configuration.xml
Allowed values
■ 0 to 16
Default value: 6

Enable Seconds Between Checks
The number of seconds between evaluations of the thread pool activity.
xmlmodifier -s //configuration/Resources/System/SecondsBetweenChecks/@value <value> configuration.xml
Allowed values
■ Value in seconds
Default value: 5

Specify Install Dir
Parameter to configure Symantec Protection Engine installation directory.
xmlmodifier -s //configuration/Resources/System/InstallDir/@value <value> configuration.xml
Allowed values
■ Valid and existing installation directory
Default values
Linux: /opt/SYMCScan/bin

Load Maximum Queued Clients
Parameter to specify the maximum number of queued requests.
xmlmodifier -s //configuration/Resources/System/LoadMaximumQueuedClients/@value <value> configuration.xml
Allowed values
■ 0 to 65535
Default value: 100

Configure the security notice content
xmlmodifier -s //configuration/Resources/System/securitynotice/@content <value> configuration.xml
Allowed values
■ Any string
Default value: None

Enable Symantec Protection Engine to display a custom security notice to all users before they log in
xmlmodifier -s //configuration/Resources/System/securitynotice/@display <value> configuration.xml
Allowed values
■ true
■ false
Default value: false

Configure to display summary data on UI home page since last restart or installation
xmlmodifier -s //configuration/Resources/System/ActivitySummaryData/@DisplaySpan <value> configuration.xml
Allowed values
■ 0
Displays the summary data since the last restart.
■ 1
Displays the summary data since the installation.
Default value: 0

Set Socket Time Out
Parameter to set the time to send the file and receive the response from Symantec Protection Engine.
xmlmodifier -s //configuration/Resources/System/SocketTimeOut/@value <value> configuration.xml
Allowed values
■ 0 to 4320 in minutes
Default value: 5

Enable Java UI
Enables the Core server with user interface feature
xmlmodifier -s //configuration/Resources/System/EnableJavaUI/@value <value> configuration.xml
Allowed values
■ true
Use this value if you want to use the Core server with user interface mode. This method requires JRE to be installed.
■ false
Use this value if you want to use the Core server only mode. This method does not require JRE to be installed.
Default value: true

Table 2-4 Admin settings

Setting XPath

Specify the port number
The port number on which the Web-based console listens.
xmlmodifier -s //configuration/Resources/System/admin/port/@value <value> configuration.xml
Allowed values
■ Valid port number
Default value: 8004

Specify the SSL port number
The Secure Socket Layer (SSL) port number on which encrypted files are transmitted for increased security.
xmlmodifier -s //configuration/Resources/System/admin/sslport/@value <value> configuration.xml
Allowed values
■ Valid port number
Default value: 8005

Specify the IP address
xmlmodifier -s //configuration/Resources/System/admin/ip/@value <value> configuration.xml
Allowed values
■ Valid IP address
Default value: None



Specify the console timeout in seconds
xmlmodifier -s //configuration/Resources/System/admin/timeout/@value <value> configuration.xml
Allowed values
■ 60 to 3600
Default value: 300

Specify the email address
xmlmodifier -s //configuration/Resources/System/admin/emailid/@value <value> configuration.xml
Allowed values
■ Valid email address
Default value: None

Configure the authentication mode to access Symantec Protection Engine console
xmlmodifier -s //configuration/Resources/System/admin/ADAuthenticationMode/@value <value> configuration.xml
Allowed values
■ true
Enables Windows Active Directory-based authentication mode.
■ false
Enables Symantec Protection Engine-based authentication.
Default value: false

Specify the authorized group name to access Symantec Protection Engine console
xmlmodifier -s //configuration/Resources/System/admin/ADAuthenticationMode/ActiveDirectoryDetails/@groupname <value> configuration.xml
Allowed values
■ Any valid domain and group name in the format domain\groupname.
Default value: None



Logging
Table 2-5 Logging

Settings XPath

Set LogDir
Type the path to the new location for the log files. The file directory that you specify must already exist. Symantec Protection Engine validates the existence of the directory when you save or apply your changes.
xmlmodifier -s //configuration/Logging/LogDir/@value "valid log directory" configuration.xml
Allowed values
■ Valid log directory
For example,
Linux: xmlmodifier -s //configuration/Logging/LogDir/@value "/opt/symcscan/log" configuration.xml
Default values
Linux: /opt/SYMCScan/log

Alert Bind Address
Type an IP address to identify the computer on which Symantec Protection Engine is running.
xmlmodifier -s //configuration/Logging/AlertBindAddress/@value <value> configuration.xml
Allowed values
■ Valid IP address
Default value: None

Load Exceeded Alert Interval
Frequencies of logging Symantec Protection Engine under overload condition.
xmlmodifier -s //configuration/Logging/LoadExceededAlertInterval/@value <value> configuration.xml
Allowed values
■ 0 to 1000000 in seconds
Default value: 5

Set Log files to keep
Type the number of individual log files to retain. The default setting is enabled (0) so that all the log files are retained.
xmlmodifier -s //configuration/Logging/LogLocal/@logfilestokeep <value> configuration.xml
Allowed values
■ 0 to 365
Default value: 0

Enable Log Level
Parameter to set the level of log messages which will get logged to Symantec Protection Engine local logs.
xmlmodifier -s //configuration/Logging/LogLocal/@loglevel <value> configuration.xml
Allowed values
■ 0 to 6
Default value: 3

Configure logging to the Linux Syslog
xmlmodifier -s //configuration/Logging/Syslog/@loglevel <value> configuration.xml
Allowed values
■ 0 to 6
Default value: 0

Log SNMP alerts - Community
Parameter to specify SNMP community string.
xmlmodifier -s //configuration/Logging/LogSNMP/@community <value> configuration.xml
Allowed values
■ Any valid name
Default value: public

Log SNMP alerts - Loglevel
This parameter will generate logs according to the defined log level.
xmlmodifier -s //configuration/Logging/LogSNMP/@loglevel <value> configuration.xml
Allowed values
■ 0 to 4, and 6
Default value: 0

Log SNMP alerts - Primary
In the Primary server address, type the computer name or IP address of the primary SNMP console to receive the alert messages.
xmlmodifier -s //configuration/Logging/LogSNMP/@primary <value> configuration.xml
Allowed values
■ IP address of the primary server
Default value: None

Log SNMP alerts - Primary Port
In the Primary server port, type the port of the primary SNMP console to receive the alert messages.
xmlmodifier -s //configuration/Logging/LogSNMP/@primaryport <value> configuration.xml
Allowed values
■ 1 to 65535
Default value: 162

Log SNMP alerts - Secondary
In the Secondary server address, type the computer name or IP address of a secondary SNMP console to receive the alert messages, if one is available.
xmlmodifier -s //configuration/Logging/LogSNMP/@secondary <value> configuration.xml
Allowed values
■ IP address of the secondary server
Default value: None

Log SNMP alerts - Secondary Port
In the Secondary server port, type the port of a secondary SNMP console to receive the alert messages, if one is available.
xmlmodifier -s //configuration/Logging/LogSNMP/@secondaryport <value> configuration.xml
Allowed values
■ 1 to 65535
Default value: 162

Enable SMTP alerts - Domain
Parameter to enable/disable SMTP alerts.
In the SMTP domain parameter, type the local domain for Symantec Protection Engine.
xmlmodifier -s //configuration/Logging/LogSMTP/@domain <value> configuration.xml
Allowed values
■ The domain name is added to the "From" box for SMTP messages. SMTP alert messages that Symantec Protection Engine generates originate from SymantecProtectionEngine@<domainname>, where <domainname> is the domain name that you specify in the SMTP domain parameter
Default value: None

Loglevel
This parameter will generate logs according to the defined log level.
xmlmodifier -s //configuration/Logging/LogSMTP/@loglevel <value> configuration.xml
Allowed values
■ 0 to 4, and 6
Default value: 0

Enable SMTP alerts - Primary
In the Primary server, type the IP address or host name of the primary SMTP server that forwards the alert messages.
xmlmodifier -s //configuration/Logging/LogSMTP/@primary <value> configuration.xml
Allowed values
■ Any valid string
Default value: None

Enable SMTP alerts - Secondary
In the Secondary server, type the IP address or host name of a secondary SMTP server (if one is available) that forwards the alert messages if communication with the primary SMTP server fails.
xmlmodifier -s //configuration/Logging/LogSMTP/@secondary <value> configuration.xml
Allowed values
■ Any valid string
Default value: None

Enable SMTP alerts - Recipient List
In the Email recipients attribute, type the email addresses of the recipients of the SMTP alert messages.
Recipient List:
xmlmodifier -b //configuration/Logging/LogSMTP/RecipientList/items <Name of the file containing email recipients list> configuration.xml
Allowed values
■ Valid email addresses. One email address per line in the file.
Default value: None

Log Resource Info
Enables/disables resource consumption logging in Symantec Protection Engine.
xmlmodifier -s //configuration/Logging/LogResourceInfo/@enabled <value> configuration.xml
Allowed values
■ true
■ false
Default value: true

Log files to keep
Parameter to configure number of resource consumption log files to maintain
xmlmodifier -s //configuration/Logging/LogResourceInfo/@logfilestokeep <value> configuration.xml
Allowed values
■ 0 to 365
Default value: 0

Log Statistics
Enables or disables statistics reporting in Symantec Protection Engine.
xmlmodifier -s //configuration/Logging/LogStatistics/@enabled <value> configuration.xml
Allowed values
■ true
■ false
Default value: true



Enable logging for the centralized cloud console.
xmlmodifier -s //configuration/Logging/LogCloud/@enabled <value> configuration.xml
Allowed values
■ true
■ false
Default value: true
Note: This setting is applicable only when the scanner is enrolled with centralized
cloud console.

Specify the number of days to keep the log files.
xmlmodifier -s //configuration/Logging/LogCloud/@logfilestokeep <value> configuration.xml
Allowed values
■ 0 to 365
Default value: 0

Configure the level of the logs that should be sent to centralized cloud console.
xmlmodifier -s //configuration/Logging/LogCloud/@loglevel <value> configuration.xml
Allowed values
■ 0 to 6
Default value: 3

Specify the cloud log directory.
Type the location to save the cloud log files. The file directory that you specify must
already exist.
xmlmodifier -s //configuration/Logging/LogCloud/LogCloudDir/@value <value> configuration.xml
Allowed values
■ Valid log directory
Default value:
Linux: /opt/SYMCScan/CloudLog

Configure the interval to send the events to cloud.
Symantec Protection Engine sends the events to the centralized cloud console in the
specified interval.
xmlmodifier -s //configuration/Logging/LogCloud/CloudEventPollingInterval/@value <value> configuration.xml
Allowed values
■ 1 to 600 (seconds)
Default value: 30

Configure the interval to send the statistics to cloud.
Symantec Protection Engine sends the statistics to the centralized cloud console in the
specified interval.
xmlmodifier -s //configuration/Logging/LogCloud/CloudStatisticsCollectionInterval/@value <value> configuration.xml
Allowed values
■ 60 to 3600
Default value: 600

Configure the cloud resource collection interval.
Symantec Protection Engine sends the resource consumption logs to centralized cloud console
in the specified interval.
xmlmodifier -s //configuration/Logging/LogCloud/CloudResourceCollectionInterval/@value <value> configuration.xml
Allowed values
■ 60 to 3600
Default value: 600

Activate or deactivate outbreak alerts for infections.
xmlmodifier -s //configuration/Logging/Outbreak/Infection/@enabled <value> configuration.xml
Allowed values
■ true
■ false
Default value: false

Specify an interval for which outbreak alert should be sent for the infections.
xmlmodifier -s //configuration/Logging/Outbreak/Infection/@interval <value> configuration.xml
Allowed values
■ 1 to 1000000 in minutes.
Default value: 1

Specify the threshold for the infections. If the number of infections reaches the
threshold, outbreak alert is sent.
xmlmodifier -s //configuration/Logging/Outbreak/Infection/@threshold <value> configuration.xml
Allowed values
■ 2 to 1000000
Default value: 2

Activate or deactivate outbreak alerts for viral threats.
xmlmodifier -s //configuration/Logging/Outbreak/Virus/@enabled <value> configuration.xml
Allowed values
■ true
■ false
Default value: false

Specify an interval for which outbreak alert should be sent for the viral threats.
xmlmodifier -s //configuration/Logging/Outbreak/Virus/@interval <value> configuration.xml
Allowed values
■ 1 to 1000000 in minutes.
Default value: 1

Specify the threshold for the viral threats. If the number of viral threats reaches the
threshold, outbreak alert is sent.
xmlmodifier -s //configuration/Logging/Outbreak/Virus/@threshold <value> configuration.xml
Allowed values
■ 2 to 1000000
Default value: 2

Activate or deactivate outbreak alerts for container limit.
xmlmodifier -s //configuration/Logging/Outbreak/ContainerLimit/@enabled <value> configuration.xml
Allowed values
■ true
■ false
Default value: false

Specify an interval for which outbreak alert should be sent for the container limit
violations.
xmlmodifier -s //configuration/Logging/Outbreak/ContainerLimit/@interval <value> configuration.xml
Allowed values
■ 1 to 1000000 in minutes.
Default value: 1

Specify the threshold for the container limit. If the number of container limit reaches the
threshold, outbreak alert is sent.
xmlmodifier -s //configuration/Logging/Outbreak/ContainerLimit/@threshold <value> configuration.xml
Allowed values
■ 2 to 1000000
Default value: 2

Activate or deactivate outbreak alerts for file attribute.
xmlmodifier -s //configuration/Logging/Outbreak/FileAttribute/@enabled <value> configuration.xml
Allowed values
■ true
■ false
Default value: false

Specify an interval for which outbreak alert should be sent for the file attribute violations.
xmlmodifier -s //configuration/Logging/Outbreak/FileAttribute/@interval <value> configuration.xml
Allowed values
■ 1 to 1000000 in minutes.
Default value: 1

Specify the threshold for the file attribute violations. If the number of file attribute
violations reaches the threshold, outbreak alert is sent.
xmlmodifier -s //configuration/Logging/Outbreak/FileAttribute/@threshold <value> configuration.xml
Allowed values
■ 2 to 1000000
Default value: 2

Activate or deactivate outbreak alerts for url block.
xmlmodifier -s //configuration/Logging/Outbreak/urlblock/@enabled <value> configuration.xml
Allowed values
■ true
■ false
Default value: false



Specify an interval for which outbreak alert should be sent for the url block.
xmlmodifier -s //configuration/Logging/Outbreak/urlblock/@interval <value> configuration.xml
Allowed values
■ 1 to 1000000 in minutes.
Default value: 1

Specify the threshold for the url block. If the number of url block reaches the threshold,
outbreak alert is sent.
xmlmodifier -s //configuration/Logging/Outbreak/urlblock/@threshold <value> configuration.xml
Allowed values:
■ 2 to 100000
Default value: 2

Activate or deactivate outbreak alerts for any non viral threats.
xmlmodifier -s //configuration/Logging/Outbreak/AnyNonViral/@enabled <value> configuration.xml
Allowed values
■ true
■ false
Default value: false

Specify an interval for which outbreak alert should be sent for any non viral threats.
xmlmodifier -s //configuration/Logging/Outbreak/AnyNonViral/@interval <value> configuration.xml
Allowed values
■ 1 to 10000000 in minutes.
Default value: 1

Specify the threshold for any non viral threats. If the number of any non viral threat
reaches the threshold, outbreak alert is sent.
xmlmodifier -s //configuration/Logging/Outbreak/AnyNonViral/@threshold <value> configuration.xml
Allowed values
■ 2 to 1000000
Default value: 2

Activate or deactivate outbreak alerts for same non viral threats.
xmlmodifier -s //configuration/Logging/Outbreak/SameNonViral/@enabled <value> configuration.xml
Allowed values
■ true
■ false
Default value: false

Specify an interval for which outbreak alert should be sent for the same non viral threats.
xmlmodifier -s //configuration/Logging/Outbreak/SameNonViral/@interval <value> configuration.xml
Allowed values
■ 1 to 10000000 in minutes.
Default value: 1

Specify the threshold for the same non viral threats. If the number of same non viral
threat reaches the threshold, outbreak alert is sent.
xmlmodifier -s //configuration/Logging/Outbreak/SameNonViral/@threshold <value> configuration.xml
Allowed values
■ 2 to 1000000
■ false
Default value: 2

Activate or deactivate outbreak alerts for high risk alerts.
xmlmodifier -s //configuration/Logging/Outbreak/HighRisk/@enabled <value> configuration.xml
Allowed values
■ true
■ false
Default value: false

Specify an interval for which outbreak alert should be sent for the high risks.
xmlmodifier -s //configuration/Logging/Outbreak/HighRisk/@interval <value> configuration.xml
Allowed values
■ 1 to 10000000 in minutes.
Default value: 1

Specify the threshold for the high risk threats. If the number of high risk alerts reaches
the threshold, outbreak alert is sent.
xmlmodifier -s //configuration/Logging/Outbreak/HighRisk/@threshold <value> configuration.xml
Allowed values
■ 2 to 1000000
Default value: 2

Activate or deactivate outbreak alerts for medium risks.
xmlmodifier -s //configuration/Logging/Outbreak/MediumRisk/@enabled <value> configuration.xml
Allowed values
■ true
■ false
Default value: false

Specify an interval for which outbreak alert should be sent for the medium risks.
xmlmodifier -s //configuration/Logging/Outbreak/MediumRisk/@interval <value> configuration.xml
Allowed values
■ 1 to 1000000 in minutes.
Default value: 1

Specify the threshold for the medium risks. If the number of medium risks reaches the
threshold, outbreak alert is sent.
xmlmodifier -s //configuration/Logging/Outbreak/MediumRisk/@threshold <value> configuration.xml
Allowed values
■ 2 to 1000000
Default value: 2

Configure minimum threads
The minimum number of scanning threads that is created at start-up time and the minimum to
keep alive regardless of the load that is processed.
xmlmodifier -s //configuration/Logging/ThreadPool/MinThreads/@value <value> configuration.xml
Allowed values
■ 1 to 128
Default value: 1

Configure maximum threads
The maximum number of scanning threads that is created at start-up time and the minimum to
keep alive regardless of the load that is processed.
xmlmodifier -s //configuration/Logging/ThreadPool/MaxThreads/@value <value> configuration.xml
Allowed values
■ 1 to 128
Default value: 1

Configure Grow Thread Count
The Grow Thread Count is the number of scanning threads to add when the existing threads
cannot handle the load that is processed.
xmlmodifier -s //configuration/Logging/ThreadPool/GrowThreadCount/@value <value> configuration.xml
Allowed values
■ 0 to 16
Default value: 1

Configure Shrink Thread Count
The number of scanning threads to remove when more threads are running than are needed for
the load that is processed.
xmlmodifier -s //configuration/Logging/ThreadPool/ShrinkThreadCount/@value <value> configuration.xml
Allowed values
■ 0 to 16
Default value: 1

Configure Busy Request Count
The number of queued requests to be processed by scanning threads, which triggers the
creation of more scanning threads.
xmlmodifier -s //configuration/Logging/ThreadPool/BusyRequestCount/@value <value> configuration.xml
Allowed values
■ Valid Integer value
Default value: 1

Configure Idle Thread Count
The number of idle scanning threads, which triggers the removal of scanning threads.
xmlmodifier -s //configuration/Logging/ThreadPool/IdleThreadCount/@value <value> configuration.xml
Allowed values
■ 0 to 16
Default value: 1

Configure Seconds Between Checks
The number of seconds between evaluations of the thread-pool activity.
xmlmodifier -s //configuration/Logging/ThreadPool/SecondsBetweenChecks/@value <value> configuration.xml
Allowed values
■ Valid Integer value
Default value: 1

Proxy and Quarantine Server


Table 2-6 Proxy Server settings

Settings XPath

Set Server Name
Parameter to set the proxy server name or IP address.
xmlmodifier -s //configuration/ProxyServerSettings/ServerName/@value <value> configuration.xml
Allowed values
■ Valid IP address
Default value: None

Set Server Port
Parameter to set the proxy server port.
xmlmodifier -s //configuration/ProxyServerSettings/ServerPort/@value <value> configuration.xml
Allowed values
■ 0 to 65535
Default value: 0

Set User Name
Parameter to set proxy server user name.
xmlmodifier -s //configuration/ProxyServerSettings/UserName/@value <value> configuration.xml
Allowed values
■ Proxy server user name
Default value: None

Set Password
Parameter to set proxy server password.
xmlmodifier -k //configuration/ProxyServerSettings/Password/@value <password> <SPE installation directory> configuration.xml
Allowed values
■ Proxy server password
Default value: None



Table 2-7 Quarantine Server Setting

Settings XPath

Enable Quarantine
xmlmodifier -s //configuration/QuarantineServerSettings/@enabled <value> configuration.xml
Allowed values
■ True
■ False
Default value: false

Set Server Name
Parameter to set the Quarantine server name or IP address.
xmlmodifier -s //configuration/QuarantineServerSettings/ServerName/@value <value> configuration.xml
Allowed values
■ Valid IP address
Default value: None

Set Server Port
Parameter to set the quarantine server port.
xmlmodifier -s //configuration/QuarantineServerSettings/ServerPort/@value <value> configuration.xml
Allowed values
■ 0 to 65535
Default value: 0

Miscellaneous
Table 2-8 Miscellaneous settings

Settings XPath

Enable Protection Use Case
Parameter to set the deployment scenario for which Symantec Protection Engine is used.
xmlmodifier -s //configuration/Miscellaneous/ProtectionUseCase/@value <value> configuration.xml
Allowed values
■ 0: Email Server Protection
■ 1: Proxy / Webcache server protection
■ 2: Network attached storage protection
■ 3: Custom

Set App Name
Parameter to set the name if deployment scenario is custom.
xmlmodifier -s //configuration/Miscellaneous/AppName/@value <value> configuration.xml
Allowed values
■ Valid application name (up to 40 characters)
Default value: Custom

Enable Self Scan Test
Parameter to configure whether Symantec Protection Engine should perform a test every minute
to check whether it is responsive and able to scan files.
xmlmodifier -s //configuration/Miscellaneous/SelfScanTest/@enabled <value> configuration.xml
Allowed values
■ true
■ false
Default value: true

Enable Request Monitoring Schedules
This parameter enables monitoring scanning requests in Symantec Protection Engine.
xmlmodifier -s //configuration/Miscellaneous/RequestMonitoringSchedules/EnableRequestMonitoring/@enabled <value> configuration.xml
Allowed values
■ true
■ false
Default value: false

Existing Schedules
For information about adding, editing or removing schedules, please refer to Symantec
Protection Engine Implementation Guide.
Chapter 3
LiveUpdate
This chapter includes the following topics:

■ LiveUpdate

LiveUpdate
Table 3-1 Schedule LiveUpdate

Settings XPath

Schedule a LiveUpdate at a specific frequency.
xmlmodifier -s //liveupdate/Schedule/@enabled <value> liveupdate.xml
Allowed values
■ true
■ false
Default value: true
Note: If you configure LiveUpdate to trigger at a specific frequency and also at a
specific time or range of the day, LiveUpdate at a specific time or range takes the
precedence.

Set Base Time
Parameter to set the base time value of liveupdate.
xmlmodifier -s //liveupdate/Schedule/BaseTime/@value <value> liveupdate.xml
Allowed values
■ Valid Epoch time
Default value: Installation time in Epoch format.



Specify time interval after which liveupdate should trigger.
xmlmodifier -s //liveupdate/Schedule/Interval/@value <value> liveupdate.xml
Allowed values
■ Time in seconds
Default value: 7200

Enable LiveUpdate schedule at a specific time range.
xmlmodifier -s //liveupdate/TimeRangeSchedule/@enabled <value> liveupdate.xml
Allowed values
■ true
■ false
Default value: false
Note: If you configure LiveUpdate to trigger at a specific frequency and also at a
specific time or range of the day, LiveUpdate at a specific time or range takes the
precedence.

Specify start hour of LiveUpdate schedule.
xmlmodifier -s //liveupdate/TimeRangeSchedule/TimeRange/@starthour <value> liveupdate.xml
Allowed values
■ 0 to 23 (hour)
Default value: 0

Specify start minute of LiveUpdate schedule.
xmlmodifier -s //liveupdate/TimeRangeSchedule/TimeRange/@startminute <value> liveupdate.xml
Allowed values
■ 0 to 59 (minute)
Default value: 0

Specify the time window up to 30 minutes to trigger the LiveUpdate.
xmlmodifier -s //liveupdate/TimeRangeSchedule/TimeRange/@timewindow <value> liveupdate.xml
Allowed values
■ 0 to 29 (minute)
■ false
Default value: 0
If you don’t want LiveUpdate to trigger exactly at the start hour and minute, you can use
time window up to 30 minutes. For example, if you specify time window of 20 minutes,
LiveUpdate will trigger at any

Table 3-2 Update Server settings

Settings XPath

Set protocol
This parameter will set the protocol type required for live update.
xmlmodifier -s //liveupdate/UpdateServer/Protocol/@value <value> liveupdate.xml
Allowed values
■ http
■ https
Default value: http

Set Server
Parameter to set the liveupdate server name / URL / IP address.
xmlmodifier -s //liveupdate/UpdateServer/Server/@value <value> liveupdate.xml
Allowed values
■ Valid server name
Default value: liveupdate.symantec.com

Set Port
Parameter to set the liveupdate port number.
xmlmodifier -s //liveupdate/UpdateServer/Port/@value <value> liveupdate.xml
Allowed values
■ 0 to 65535
Default value:
■ 80 for HTTP
■ 443 for HTTPS

Update server Path
Parameter to set the update server path.
xmlmodifier -s //liveupdate/UpdateServer/Path/@value <value> liveupdate.xml
Allowed values
■ Valid URL path
Default value: None

Set User Name
Parameter to set the liveupdate server user name.
xmlmodifier -s //liveupdate/UpdateServer/UserName/@value <value> liveupdate.xml
Allowed values
■ LiveUpdate server user name
Default value: None

Set Password
Parameter to set the liveupdate server password.
xmlmodifier -k //liveupdate/UpdateServer/Password/@value <password> <SPE install directory> liveupdate.xml
Allowed values
■ LiveUpdate server password
Default value: None


Chapter 4
Policies
This chapter includes the following topics:

■ Threat policies

■ Insight Scanning

■ APK Reputation

■ Actions

■ Exclusion policies

■ Notifications

Threat policies
Virus scanning is enabled by default and you cannot disable it. You can configure the following
parameters for all threat detection technologies.

Table 4-1 Scan policy settings

Settings XPath

Specifies the Scanning aggression level.
The Scanning Aggression Level defines the detection aggression level for threat detection
technologies.
xmlmodifier -s //policies/ThreatPolicies/InsightScanning/InsightPolicy/AggressionLevel/@value <value> policy.xml
Allowed values
■ 0 (Known bad)
Potential threat detection is very low, which detects only the files that are known to
be bad.
■ 1 (Low)
Potential threat detection is low.
■ 2 (Medium)
Potential threat detection is higher than the low aggression level.
■ 3 (High)
Potential threat detection is the highest. However, there could be false positives
detected too.
Default value: 2

Specify the file size to exclude files from scanning by Symantec threat detection
technologies.
xmlmodifier -s //policies/ThreatPolicies/InsightScanning/InsightPolicy/FileSizeExclusionThreshold/@value <value> policy.xml
Allowed values
■ 1 to 2147000000 (bytes)
Default value: 134217728

Insight Scanning
Table 4-2 Insight scanning settings

Settings XPath

Enable reputation based Insight protection.
xmlmodifier -s //policies/ThreatPolicies/InsightScanning/@enabled <value> policy.xml
Allowed values
■ true
■ false
Default value: true



Specifies the Scanning aggression level.
The Scanning Aggression Level defines the detection aggression level for threat detection
technologies.
xmlmodifier -s //policies/ThreatPolicies/InsightScanning/InsightPolicy/AggressionLevel/@value <value> policy.xml
Allowed values
■ 0 (Known bad)
Potential threat detection is very low, which detects only the files that are known to
be bad.
■ 1 (Low)
Potential threat detection is low.
■ 2 (Medium)
Potential threat detection is higher than the low aggression level.
■ 3 (High)
Potential threat detection is the highest. However, there could be false positives
detected too.
Default value: 2
Note: This parameter is now applicable to all threat detection technologies.

Specify the file size to exclude files from scanning by Symantec threat detection
technologies.
xmlmodifier -s //policies/ThreatPolicies/InsightScanning/InsightPolicy/FileSizeExclusionThreshold/@value <value> policy.xml
Allowed values
■ 1 to 2147000000 (bytes)
Default value: 134217728
Note: This parameter is now applicable to all threat detection technologies.

Table 4-3 Insight Server settings

Settings Command

Use the default server for Insight scanning.
xmlmodifier -s //policies/ThreatPolicies/InsightScanning/InsightServerDetails/UseDefaultServer/@value true policy.xml
Allowed values
■ true
■ false
Default value: true



Specify the server URL if not using the default server for Insight scanning.
xmlmodifier -s //policies/ThreatPolicies/InsightScanning/InsightServerDetails/ServerURL/@value <value> policy.xml
Allowed values
■ Valid URL
Default value: None

Specify the server port if not using the default server port for Insight scanning.
xmlmodifier -s //policies/ThreatPolicies/InsightScanning/InsightServerDetails/ServerPort/@value <value> policy.xml
Allowed values
■ 0 to 65535
Default value: 0

APK Reputation
Table 4-4 APK Reputation settings

Settings XPath

Enable Android Application (APK) Reputation.
Parameter to enable using Android Application (APK) Reputation threshold security rating
value for file scanning.
xmlmodifier -s //policies/ThreatPolicies/APKReputation/@enabled true policy.xml
Allowed values
■ true
■ false
Default value: true

Actions
Table 4-5 Actions

Settings XPath

AV Action Policy
Select the scan policy to handle infected files.
xmlmodifier -s //policies/ThreatPolicies/Actions/AVActionPolicy/@value <value> policy.xml
Allowed values
■ 0 to 3
Default value: 2

Honor Read Only
Overwrite the read-only setting so that Symantec Protection Engine can repair or delete
infected read-only files.
xmlmodifier -s //policies/ThreatPolicies/Actions/HonorReadOnly/@value <value> policy.xml
Allowed values
■ true
■ false
Default value: true

Quarantine the infected files.
This parameter sends the convicted file to the configured quarantine server.
xmlmodifier -s //policies/ThreatPolicies/Actions/Quarantine/@value <value> policy.xml
Allowed values
■ true
■ false
Default value: false

Allow Access On Scan Error
Allow access to the files that are normally blocked by the Internal Server Error result.
xmlmodifier -s //policies/ThreatPolicies/Actions/AllowAccessOnScanError/@value <value> policy.xml
Allowed values
■ true
■ false
Default value: false



Exclusion policies
Table 4-6 Exclusion policies settings

Settings XPath

Enable or disable extension policy.
xmlmodifier -s //policies/ThreatPolicies/ExtensionPolicy/@value <value> policy.xml
Allowed values
■ 0
Disable the extension policy.
■ 2
Enable the extension policy.
Default value: 0
Note: Extension policy must be enabled if you want to configure the exclusion policies.

Exclude List
This parameter excludes the specified file extensions from scanning.
You can add or remove any file extension that you want to exclude from AV scanning
at the below XPath in the policy.xml file.
xmlmodifier -b //policies/ThreatPolicies/ExcludeList/@item <value> policy.xml
Allowed values
■ You can add any file extension to the file extension exclude list (file extensions
must begin with a period).

MIME Exclude List
This parameter excludes the specified multimedia file extensions from scanning.
You can add or remove entries in the file type exclude list in the policy.xml at the below
XPath:
xmlmodifier -b //policies/ThreatPolicies/MIMEExcludeList/@item <value> policy.xml
Allowed values
■ Valid MIME file type



Notifications
Table 4-7 Notifications settings

Setting XPath

Enable notifications in Symantec Protection Engine.
This parameter enables notifications in Symantec Protection Engine.
xmlmodifier -s //policies/ThreatPolicies/Notifications/NotificationTextAtTop/@value <value> policy.xml
Allowed values
■ true
■ false
Default value: false

Customize the notification for access denied message.
Parameter to configure access denied message to the user when access to a Web site is
blocked. You can customize the user notification message.
xmlmodifier -s //policies/ThreatPolicies/Notifications/AccessDeniedMessage/@value "notification text" policy.xml
Default value: The content you just requested contains ${THREAT_NAME} and was
blocked by the Symantec Protection Engine based on local administrator settings.
Contact your local administrator for further information.

File Deleted Notification Text
Customize the notification for file deleted notification.
xmlmodifier -s //policies/ThreatPolicies/Notifications/FileDeletedNotificationText/@value "notification text" policy.xml
Default value: ${FILE_NAME} was infected with ${THREAT_NAME} (${THREAT_ID}).
File ${QUARANTINED}. File was deleted.

File Infected Notification Text
Customize the notification for file infected message.
xmlmodifier -s //policies/ThreatPolicies/Notifications/FileInfectedNotificationText/@value <notification text> policy.xml
Default value: File: ${FILE_NAME} was infected with ${THREAT_NAME}
(${THREAT_ID}). File ${QUARANTINED}. File is still infected.

Total Virus Found Notification Text
Customize the notification for the total number of viruses found message.
xmlmodifier -s //policies/ThreatPolicies/Notifications/TotalVirusFoundNotificationText/@value <notification text> policy.xml
Default value: This email message was infected. ${TOTAL_THREATS} number of
threats were found.
Chapter 5
Filtering
This chapter includes the following topics:

■ URL Reputation

■ URL Filtering

■ Containers

■ File Attribute

URL Reputation
Table 5-1 Threat policies

Settings XPath

Enable DeepSight-based URL Reputation.
xmlmodifier -s //filtering/URLReputation/@enabled true filtering.xml
Allowed values
■ true
■ false
Default value: false

Enable Match Exact URLs Only in DeepSight-based URL Reputation.
If this parameter is enabled, only the exact matching URLs found in the definitions will be
blocked instead of the entire domain.
xmlmodifier -s //filtering/URLReputation/MatchExactURLsOnly/@value <value> filtering.xml
Allowed values
■ true
■ false
Default value: false

Set the confidence level.
In DeepSight-based URL reputation, confidence is a measure of how confident Symantec's
DeepSight is of the validity of the information and reports behind the Domain/URL inclusion
in the list of bad. This value is dynamic in nature and can vary with definitions update.
xmlmodifier -s //filtering/URLReputation/Threshold/@confidence <value> filtering.xml
Allowed values
■ 1 to 5
Default value: 4

Set reputation level.
In DeepSight-based URL reputation feature, reputation level is the value that provides
information on how bad the Domain/URL is. This level is dynamic in nature and can vary with
definitions update.
xmlmodifier -s //filtering/URLReputation/Threshold/@reputation <value> filtering.xml
Allowed values
■ 1 to 10
Default value: 8

Specify the message to be sent when access is denied to the URL.
xmlmodifier -s //filtering/URLReputation/AccessDeniedMessage/@value "valid notification text" filtering.xml
Allowed values
■ Valid notification text.
Default value: Access to the destination ${URL_REQUESTED} is prohibited. ${REASON}

URL Filtering
Table 5-2 URL Filtering settings

Settings XPath

Enable URL filtering in Symantec Protection Engine
xmlmodifier -s //filtering/URLFilter/@enabled <value> filtering.xml
Allowed values
■ true
■ false
Default value: false

Select the Filtering mode.
xmlmodifier -s //filtering/URLFilter/FilteringMode/@value <value> filtering.xml
Allowed values
■ 0
Audit mode
■ 1
Filtering mode
Default value: 1

URL Trimming Type
This parameter scans the URL to the level specified.
xmlmodifier -s //filtering/URLFilter/UrlTrimmingType/@value <value> filtering.xml
Allowed values
■ 0
■ 1
Default value: 0

Deny Vendor Categories
Type the URL category for which you want to deny access.
xmlmodifier -b //filtering/URLFilter/DenyVendorCategories/items <file containing list of vendor categories that needs to be blocked> filtering.xml
Allowed values
■ Valid vendor categories to be blocked
For example,
xmlmodifier -b //filtering/URLFilter/DenyVendorCategories/items C:\Users\Administrator\Desktop\sample.txt filtering.xml
Default value: None



Deny Local Categories
Access is denied to the URLs that are associated with the local categories and are in the
Deny Local Categories list.
xmlmodifier -b //filtering/URLFilter/DenyLocalCategories/items <file containing list of local categories that needs to be blocked> filtering.xml
Allowed values
■ Valid local categories to be blocked
Default value: None
For example,
xmlmodifier -b //filtering/URLFilter/DenyLocalCategories/items C:\Users\Administrator\Desktop\sample.txt filtering.xml

Access Denied Message
Notification text to display access denied message.
xmlmodifier -s //filtering/URLFilter/AccessDeniedMessage/@value "valid notification text" filtering.xml
Allowed values
■ Valid notification text
Default value: Access to the destination ${URL_REQUESTED} is prohibited. ${REASON}

Containers
Table 5-3 Container settings

Settings XPath

Set the maximum size of in-memory file system that Symantec Protection Engine uses to store
the files streamed for scanning.
xmlmodifier -s //filtering/Container/InMemoryFilesystemSize/@value <value> filtering.xml
Allowed values
■ 0 to 131072 MB
Default value: 2048

Configure the memory that Symantec Protection Engine can use to decompose and scan the
container file.
xmlmodifier -s //filtering/Container/InMemoryFileScanCacheSize/@value <value> filtering.xml
Allowed values
■ 1024 to 131072 MB
Default value: 2048



Max Extract Depth
Specify the maximum depth of the container file that Symantec Protection Engine can extract for scanning.

xmlmodifier -s //filtering/Container/MaxExtractDepth/@value <value> filtering.xml

Allowed values

■ 1 to 50

Default value: 10

Configure the action policy for max extract depth violation

xmlmodifier -s //filtering/Container/MaxExtractDepth/@actionpolicy <value> filtering.xml

Allowed values

■ 0
Creates a log entry and allows access to the file.
■ 1
Blocks access to the file.

Default value: 1

Max Extract Size
Type the maximum file size (in MB) for individual files in a container file.

xmlmodifier -s //filtering/Container/MaxExtractSize/@value <value> filtering.xml

Allowed values

■ 0 to 30719 MB

Default value: 100

Configure the action policy for max extract size violation

xmlmodifier -s //filtering/Container/MaxExtractSize/@actionpolicy <value> filtering.xml

Allowed values

■ 0
Creates a log entry and allows access to the file.
■ 1
Blocks access to the file.

Default value: 1

Max Extract File Count
Set the maximum number of files that will be extracted for scanning.

xmlmodifier -s //filtering/Container/MaxExtractFileCount/@value <value> filtering.xml

Allowed values

■ 0 to 32212254720

Default value: 0

Configure the action policy for max extract file count violation

xmlmodifier -s //filtering/Container/MaxExtractFileCount/@actionpolicy <value> filtering.xml

Allowed values

■ 0
Creates a log entry and allows access to the file.
■ 1
Blocks access to the file.

Default value: 1

Max Cumulative Extract Size
Specify the max cumulative extract file size for extracted files.

xmlmodifier -s //filtering/Container/MaxCumulativeExtractSize/@value <value> filtering.xml

Allowed values

■ 0 to 137438953471
■ 0: Disables the setting

Default value: 0

Configure the action policy for max cumulative extract size violation

xmlmodifier -s //filtering/Container/MaxCumulativeExtractSize/@actionpolicy <value> filtering.xml

Allowed values

■ 0
Creates a log entry and allows access to the file.
■ 1
Blocks access to the file.

Default value: 1

Update Replacement File
Enables or disables updating replacement file.

xmlmodifier -s //filtering/Container/UpdateReplacementFile/@value <value> filtering.xml

Allowed values

■ true
■ false

Default value: true



Replacement File name
Specify the name of the attachment file that is returned when Symantec Protection Engine deletes a file.

xmlmodifier -s //filtering/Container/ReplacementFilename/@value <value> filtering.xml

Allowed values

■ Name of the replacement file

Default value: DELETED%.TXT

Outermost Container Is MIME
If enabled, information is displayed about whether the topmost container is MIME or not.

xmlmodifier -s //filtering/Container/OutermostContainerIsMIME/@value <value> filtering.xml

Allowed values

■ true
■ false

Default value: true
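
The following is an added example, not part of the Symantec guide: a Python audit that checks the Table 5-3 container limits in a filtering.xml against the allowed ranges listed above and reports any limit that is disabled or set to log-and-allow. The element and attribute layout is an assumption inferred from the XPaths in the table, the sample document is constructed, and audit_container is a hypothetical helper name.

```python
import xml.etree.ElementTree as ET

# Allowed ranges copied from Table 5-3 (element name -> (min, max)).
RANGES = {
    "InMemoryFilesystemSize": (0, 131072),
    "InMemoryFileScanCacheSize": (1024, 131072),
    "MaxExtractDepth": (1, 50),
    "MaxExtractSize": (0, 30719),
    "MaxExtractFileCount": (0, 32212254720),
    "MaxCumulativeExtractSize": (0, 137438953471),
}
# Limits that carry an actionpolicy attribute (0 = log and allow, 1 = block).
POLICY_LIMITS = ("MaxExtractDepth", "MaxExtractSize",
                 "MaxExtractFileCount", "MaxCumulativeExtractSize")

# Constructed sample; the layout is assumed from the XPaths in Table 5-3.
SAMPLE = """<filtering><Container>
  <InMemoryFilesystemSize value="2048"/>
  <InMemoryFileScanCacheSize value="512"/>
  <MaxExtractDepth value="10" actionpolicy="0"/>
  <MaxExtractSize value="100" actionpolicy="1"/>
  <MaxExtractFileCount value="0" actionpolicy="1"/>
  <MaxCumulativeExtractSize value="0" actionpolicy="1"/>
</Container></filtering>"""

def audit_container(xml_text):
    """Return a sorted list of (setting, finding) tuples."""
    container = ET.fromstring(xml_text).find("Container")
    findings = []
    for name, (lo, hi) in RANGES.items():
        node = container.find(name) if container is not None else None
        raw = node.get("value") if node is not None else None
        if raw is None or not (raw.isascii() and raw.isdigit()):
            findings.append((name, "missing or not an integer"))
            continue
        value = int(raw)
        if not lo <= value <= hi:
            findings.append((name, f"out of range {lo}..{hi}"))
        if name == "MaxCumulativeExtractSize" and value == 0:
            findings.append((name, "disabled (value 0)"))
        if name in POLICY_LIMITS and node.get("actionpolicy") == "0":
            findings.append((name, "actionpolicy 0: logs and allows"))
    return sorted(findings)

if __name__ == "__main__":
    for setting, finding in audit_container(SAMPLE):
        print(f"{setting}: {finding}")
```

Run it against a copy of the real file by passing its text to audit_container; a finding of "missing or not an integer" usually means the assumed layout does not match that file.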

Table 5-4 Encrypted Containers Handling settings

Settings XPath

Encrypted Containers Handling
Enable or disable encrypted container file handling.

xmlmodifier -s //filtering/Container/EncryptedContainersHandling/@enabled <value> filtering.xml

Allowed values

■ true
■ false

Default value: true

Actions - Encrypted Containers Action Policy
Specify how you want Symantec Protection Engine to handle encrypted container files.

xmlmodifier -s //filtering/Container/EncryptedContainersHandling/Actions/EncryptedContainersActionPolicy/@value <value> filtering.xml

Allowed values

■ 0 to 2

Default value: 0

Actions - Continue scanning of the blocked encrypted container file.

xmlmodifier -s //filtering/Container/EncryptedContainersHandling/Actions/ContinueProcessingInEncryptedBlockPolicy/@value <value> filtering.xml

Allowed values

■ true
■ false

Default value: false

Actions - Quarantine the convicted encrypted container file.

xmlmodifier -s //filtering/Container/EncryptedContainersHandling/Actions/Quarantine/@value <value> filtering.xml

Allowed values

■ true
■ false

Default value: false

Notification text
Specify the notification text that will be displayed when an encrypted container violation is detected.

xmlmodifier -s //filtering/Container/EncryptedContainersHandling/NotificationText/@value "valid notification text" filtering.xml

Allowed values

■ true
■ false

Default value: The encrypted container attached to this email was removed. File attachment: ${FILE_NAME}. File ${QUARANTINED}.

File Attribute
Table 5-5 File Attribute settings

Settings XPath

Enable or disable filtering by file name.

xmlmodifier -s //filtering/FileAttribute/FileNamesEnabled/@value <value> filtering.xml

Allowed values

■ true
■ false

Default value: true



Specify an action to block or delete the file
Select one of the options to specify how you want Symantec Protection Engine to handle the messages that contain an attachment with that file name.

xmlmodifier -s //filtering/FileAttribute/DeleteFileNames/@value <value> filtering.xml

Allowed values

■ true
■ false

Default value: false

File Size Scan Threshold
Specify the maximum file size (in bytes) that Symantec Protection Engine should accept. The default value is 0. This setting places no limits on file or message size.

xmlmodifier -s //filtering/FileAttribute/FileSizeScanThreshold/@value <value> filtering.xml

Allowed values

■ Value in bytes

Default value: 0

Specify the file names that you want to filter.

xmlmodifier -b //filtering/FileAttribute/DenyFileNames/items <file containing list of the file names that needs to be blocked> filtering.xml

Allowed values

■ List of file names to be blocked

Default value: None

For example,

xmlmodifier -b //filtering/FileAttribute/DenyFileNames/items C:\Users\Administrator\Desktop\sample.txt filtering.xml

Enable or disable filtering by file type.

xmlmodifier -s //filtering/FileAttribute/FileTypeFilteringEnabled/@value <value> filtering.xml

Allowed values

■ true
■ false

Default value: false



Specify the file types that you want to filter. Type one entry per line.

xmlmodifier -b //filtering/FileAttribute/DenyFileTypes/items <file containing list of the file types that needs to be blocked> filtering.xml

Allowed values

■ List of file types to be blocked

For the detailed information about the allowed file types, see the Symantec Protection Engine Implementation Guide.

Default value: None

For example,

xmlmodifier -b //filtering/FileAttribute/DenyFileTypes/items C:\Users\Administrator\Desktop\sample.txt filtering.xml

Deny File Paths
You can select the files to be excluded from scanning by specifying the file path. Symantec Protection Engine excludes files from scanning based on the location of the files.
Note: This parameter is now applicable to all threat detection technologies.

xmlmodifier -b //filtering/FileAttribute/DenyFilePaths/items <filename> filtering.xml

Allowed values

■ List of file paths to be blocked

Default value: None

For example,

xmlmodifier -b //filtering/FileAttribute/DenyFilePaths/items C:\Users\Administrator\Desktop\sample.txt filtering.xml

Customize the notification text that is displayed when file name violation is detected.

xmlmodifier -s //filtering/FileAttribute/DenyFileNamesNotificationText/@value "notification text" filtering.xml

Allowed values

■ Valid notification text.

Default value: The file attached to this email was removed because the file name is not allowed. File attachment: ${FILE_NAME}. Matched pattern: ${MATCHING_FILENAME_ENTRY}.

Enable or disable filtering by file size.

xmlmodifier -s //filtering/FileAttribute/FileSizesEnabled/@value <value> filtering.xml

Allowed values

■ true
■ false

Default value: true

Specify an action to block or delete the file.
Specify how you want Symantec Protection Engine to handle the messages that contain an attachment with that file size.

xmlmodifier -s //filtering/FileAttribute/DeleteFileSizes/@value <value> filtering.xml

Allowed values

■ true
■ false

Default value: false

Specify the file sizes that you want to filter.

xmlmodifier -b //filtering/FileAttribute/DenyFileSizes/items <file name> filtering.xml

Allowed values

■ List of file sizes to be blocked

Default value: None

For example,

xmlmodifier -b //filtering/FileAttribute/DenyFileSizes/items C:\Users\Administrator\Desktop\sample.txt filtering.xml

Customize the notification text that is displayed when file size violation is detected.

xmlmodifier -s //filtering/FileAttribute/DenyFileSizesNotificationText/@value "notification text" filtering.xml

Allowed values

■ Valid notification text

Default value: The file attached to this email was removed because the file size is not allowed. File attachment: ${FILE_NAME}. Matched file size: ${FILE_SIZE}.

Specify the maximum size of the file that will be scanned.

xmlmodifier -s //filtering/FileAttribute/MaxFileSize/@value <value> filtering.xml

Allowed values

■ 0 to 4294967296 bytes

Default value: 0
