This document describes how to troubleshoot the error "Unscannable Category = Message Error, Unscannable Reason = Archive Error:Exceeded the total size limit of the unarchived files" in an Email Security Appliance (ESA).
Cisco recommends that you have knowledge of these topics:
Cisco Advanced Malware Protection (AMP)
The information in this document is based on these software and hardware versions:
ESA AsyncOS 11.1.2-023.
ESA AsyncOS 12.0.0-419.
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.
When a message with an attachment reaches AMP in the pipeline, ESA attempts to parse the attachment from the message and checks the message headers (for compliance with RFC 2045). Even if the message is not fully compliant, ESA still makes a best effort to parse the attachment.
Next, ESA checks whether the attachment is an archive file and, if so, attempts to unpack it. It considers multiple factors in order to determine the compressed file size and to ensure the attachment is legitimate and not a zip bomb.
When a file reputation is not found and the file meets the criteria for analysis, it is quarantined and uploaded to the sandbox.
Then, ESA opens a connection to the AMP servers, uploads the file and waits for verdict updates, as shown in the image:
ESA provides a verdict based on these scenarios:
If one of the extracted files is malicious, the file reputation service returns a verdict of Malicious for the compressed or the archive file.
If the compressed or archive file is malicious and all the extracted files are clean, the file reputation service returns a verdict of Malicious for the compressed or the archive file.
If the verdict of any of the extracted files is unknown, the extracted files are optionally (if configured and the file type is supported for file analysis) sent for file analysis.
If the verdict of any of the extracted files or attachments is low risk, the file is not sent for file analysis.
If extraction fails when a compressed or archive file is decompressed, the file reputation service returns a verdict of Unscannable for the compressed or the archive file. Keep in mind that, in this scenario, if one of the extracted files is malicious, the file reputation service returns a verdict of Malicious for the compressed or the archive file (a Malicious verdict takes precedence over an Unscannable verdict).
Highly compressible files such as csv, xml and txt can exceed the maximum file size hardcoded into ESA: compression algorithms like Lempel-Ziv generate a digital map that records the count and position of repeated characters within the full document, which produces very small compressed files.
On the other hand, files that contain graphics or formats such as pdf, jpg and png are not compressed the same way, so they keep almost their original file size.
When the ESA receives an email with a compressed attachment that exceeds the maximum compression ratio, and ESA fails to calculate the file size of the attachment, the result is this error log:
"Wed Feb 13 20:03:47 2019 Info: The attachment could not be scanned. File Name = 'ACTS Chopped ISO 88591 encod_NoSchema.XML.zip', MID = 226, SHA256 =7efa6154b7519872055cff10a69067dcad88562f708b284a390a9abcf5e99b8f, Unscannable Category = Message Error, Unscannable Reason = Archive Error: Exceeded the total size limit of the unarchived files"
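The archive pre-check described above, as an added illustration (not ESA's own code): it reads only the zip central directory, sums the declared unarchived sizes, computes the compression ratio, and flags the archive when either exceeds a limit. The two limits and the sample archives are assumed, constructed values; ESA's hardcoded thresholds are not published on this page.

```python
import io
import os
import zipfile

# Assumed illustrative limits; ESA's real hardcoded values are not given on this page.
MAX_UNARCHIVED_BYTES = 1_000_000
MAX_COMPRESSION_RATIO = 100.0


def inspect_archive(data: bytes) -> dict:
    """Inspect a zip without extracting it: the central directory already declares
    each member's compressed and uncompressed size, so no data is inflated."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        members = zf.infolist()
    unarchived = sum(m.file_size for m in members)
    compressed = sum(m.compress_size for m in members) or 1  # avoid division by zero
    ratio = unarchived / compressed
    reasons = []  # descriptive strings of this example, not ESA log text
    if unarchived > MAX_UNARCHIVED_BYTES:
        reasons.append("total size limit of the unarchived files exceeded")
    if ratio > MAX_COMPRESSION_RATIO:
        reasons.append("maximum compression ratio exceeded")
    return {
        "unarchived": unarchived,
        "compressed": compressed,
        "ratio": ratio,
        "unscannable": bool(reasons),
        "reasons": reasons,
    }


def make_zip(name: str, payload: bytes) -> bytes:
    """Build a single-member DEFLATE zip in memory (constructed test input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, payload)
    return buf.getvalue()


# Constructed samples: repetitive XML compresses extremely well, random bytes
# (standing in for an already-compressed jpg) barely compress at all.
XML_SAMPLE = make_zip("export.xml", b"<row><id>1</id><name>x</name></row>\n" * 100_000)
JPG_SAMPLE = make_zip("photo.jpg", os.urandom(200_000))

if __name__ == "__main__":
    for label, sample in (("xml", XML_SAMPLE), ("jpg", JPG_SAMPLE)):
        print(label, inspect_archive(sample))
```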
Prepend a tag to the Subject of unscannable messages to alert users that the file was not analyzed by AMP services, as shown in the image.
Quarantine unscannable messages in the Policy, Virus and Outbreak (PVO) quarantine for further analysis, as shown in the image.