Troubleshoot the Error "Unscannable Category = Message Error, Unscannable Reason = Archive Error:Exceeded the total size limit of the unarchived files" in an ESA

Available Languages

Updated:August 5, 2019
Document ID:214937

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

    Introduction

    This document describes how to troubleshoot the error "Unscannable Category = Message Error, Unscannable Reason = Archive Error:Exceeded the total size limit of the unarchived files" in an Email Security Appliance (ESA).

    Prerequisites

    Requirements

    Cisco recommends that you have knowledge of these topics:

    • ESA
    • Cisco Advanced Malware Protection (AMP)

    Components Used

    The information in this document is based on these software and hardware versions:

    • ESA AsyncOS 11.1.2-023.
    • ESA AsyncOS 12.0.0-419.

    The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.

    Background Information

    When a message with an attachment reaches AMP in the pipeline, ESA attempts to parse the attachment from the message and checks the message headers (check for compliance with RFC 2045). Even if the message is not fully compliant, ESA still does best effort to parse the attachment.

    The next step is to check whether an attachment is an archive file and if so, ESA attempts to unpack it, it considers multiple factors in order to determine compressed file size in order to ensure the attachment is legit and not a zip file.

    When a file reputation is not found, and the file meets the criteria for analysis it is quarantined and uploaded to the sandbox.

    Then, ESA opens a connection to AMP servers and upload the file and waits for verdict updates, as shown in the image:

    ESA provides a verdict based on these scenarios:

               

    • If one of the extracted files is malicious, the file reputation service returns a verdict of Malicious for the compressed or the archive file.
    • If the compressed or archive file is malicious and all the extracted files are clean, the file reputation service returns a verdict of Malicious for the compressed or the archive file.
    • If the verdict of any of the extracted files is unknown, the extracted files are optionally (if configured and the file type is supported for file analysis) sent for file analysis.
    • If the verdict of any of the extracted files or attachments is low risk, the file is not sent for file analysis.
    • If the extraction of a file fails when it gets decompressed and then it is compressed or an archive file, the file reputation service returns a verdict of Unscannable for the compressed or the archive file. Keep in mind that, in this scenario, if one of the extracted files is malicious, the file reputation service returns a verdict of Malicious for the compressed or the archive file (Malicious verdict takes precedence over Unscannable verdict).

    Highly compressed files like csv, xml, txt can exceed maximum file size hardcoded into ESA, compression algorithms, like Lempel-Ziv, generates a digital map that counts the number and position of characters within the full document and this produces very small file sizes.

    On the other hand, files that contain graphics, text format like pdf, jpg, png, they are not compressed the same way, so they keep almost the original file size.

    Problem

    When the ESA receives an email within an attachment that is compressed and this exceeds the maximum compression ratio and ESA fails to calculate the file size of the attachment then the consequence is this error log:

    "Wed Feb 13 20:03:47 2019 Info:   The attachment could not be scanned. File Name = 'ACTS Chopped ISO 88591 encod_NoSchema.XML.zip', MID = 226, SHA256 =7efa6154b7519872055cff10a69067dcad88562f708b284a390a9abcf5e99b8f, Unscannable Category = Message Error, Unscannable Reason = Archive Error:  Exceeded the total size limit of the unarchived files"

    Solution 1

    Prepend unscannable messages into Subject to alert users that the file was not analyzed by AMP services, as shown in the image.

    Solution 2

    Quarantine unscannable into Policy Virus & Outbreak (PVO) quarantines for further analysis. as shown in the image.

    Related Information

    Revision History

    Revision Publish Date Comments
    1.0
    29-Oct-2019
    Initial Release
    TAC Authored

    Contributed by Cisco Engineers

    • Aaron Vega
      Cisco TAC
    • Alan Macorra
      Cisco TAC

    Was this Document Helpful?

    FeedbackFeedback

    Contact Cisco

    This Document Applies to These Products