Monitor unlimited number of servers
Filter log events
Create email and web-based reports

Direct access to Microsoft articles
Customized keywords for major search engines
Access to premium content

Event ID: 6 Source: NortonAntiVirus

Could not scan <number> files inside <path to file> due to extraction errors encountered by the Decomposer Engines.
This problem can appear if you are scanning a compressed file that contains a password protected file, if you are scanning files that have been locked for access by the operating system or if there is corruption in the virus definitions. See Symantec Support Document ID: 2001020808254848 for more information.
A generic message from NAV that is telling you it''s encountered a file which NAV recognizes the extention for, knows it should be able to decompress and examine the contents of but that this decompression has failed. Say there is a new version of the DOC format released, NAV knows it can handle DOC files so it tries to open this file and examine it but finds it in a format it doesn''t know and generates this error. To solve this you need to contact Symantec for a newer build of the product generating the error which will usually include a new decomposer engine (updated as frequently as monthly for some products). Builds between versions are not released on CD and cannot be received via LiveUpdate, you have to contact Symantec tech support to receive them via manual download.
According to Symantec, this can occur if the antivirus encounters a password protected archive.
For files that are compressed, and have extensions of .exe, .zip, or .arj here the solution:
This problem can be caused if the compressed file being scanned contains directories, or if the compressed file is using an old and unsupported compression algorithm.
If the problem is with directories included in the compressed file, this was addressed in Norton AntiVirus Corporate Edition 7.51 build 50c. Please contact Technical Support for additional information on obtaining an updated build.
This can also occur if the file was compressed using the older "implode" or "shrink" algorithms. Symantec is aware of this problem, and there is no solution at this time. We will continue to track this problem, and this document will be updated if new information becomes available or a solution is found.
From Symantec:
"Situation: After running a scan, you notice that the event log lists a large number of error messages, such as "Scan could not open file C:\My Documents\winzip70.exe [00000012]." However, none of these files are in use at the time. This appears to happen for all file types.
Solution: This problem has been traced to password protected files. Norton AntiVirus Corporate Edition (NAVCE) cannot scan password protected files. When you see this error message in the event log, determine whether the file has a password."

As per Symantec, this was an erroneous error and false alarm. Fixed in later versions. See "Norton AntiVirus Corporate Edition 7.6 release notes".
This it also happens when you use a free trial Winzip download.
From Symantec Knowledge Base ID:2002073015235648 the following situations can also have this effect:
- You may be scanning files with LH7 compression, which is not a supported format. These compressed files commonly have a .LZH extension, and will be omitted by the scan.
- Scanning files that are in use by other users, locked by the operating system, or files with the NTFS permission set to "Deny" can also generate this error message.
- Possible virus definition corruption. (See Symantec Knowledge Base Document 2002080708594148 for details on checking for corrupted virus definitions).
The following information was obtained during a service call to Symantec Support.
- It is possible for the decomposer engine to become corrupted during a product upgrade from 7.6 to 8.0 Symantec Antivirus. The official Symantec recommendation on upgrades is to uninstall version 7.6 and then install 8.0 rather than performing an "in-place" upgrade where you simply overwrite the 7.6 software. If the engine becomes corrupted after an in-place upgrade Symantec recommends uninstalling and reinstalling the Symantec Antivirus 8.0 software.

Windows Event Log Analysis Splunk App

Build a great reporting interface using Splunk, one of the leaders in the Security Information and Event Management (SIEM) field, linking the collected Windows events to



Cisco ASA Log Analyzer Splunk App

Obtain enhanced visibility into Cisco ASA firewall logs using the free Firegen for Cisco ASA Splunk App. Take advantage of dashboards built to optimize the threat analysis process.