Event ID 5051, Process will be closed (Scanner Thread Timeout)
Technical Articles ID:
KB52441
Last Modified: 7/24/2020
Environment
McAfee VirusScan Enterprise (VSE) 8.8
For details of VSE 8.x supported environments, see KB51111.
Problem
You see the following entry in the Application Event Viewer:
Event ID: 5051
Source: McLogEvent
Type: Error
Description: A thread in process C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe took longer than 90000 ms to complete a request. The process will be terminated. Thread id : 4884 (0x1314) Thread address : 0x7C8285EC Thread message : Build VSCORE.13.3.2.116 / 5200.2160 Object being scanned = \Device\HarddiskVolume2\Dept\Technical Services\HEAVY CLEANING DOCUMENTS\Y2007(CY5)\Year 5\Year 2007 Cat 4_5 Pipe Spreadsheet.xls by System:Remote 4(0)(0) 4(0)(0) 7200(0)(0) 7595(0)(0) 7005(0)(0) 7004(0)(0) 5006(0)(0) 5004(0)(0)
NOTE: The description is an example of the information that is collected. After each checkpoint, there is a zero (0) value in parentheses. This value indicates the elapsed time. It is a true lock where file access is denied.
Cause
Scans are performed based on I/O activity on any file. If the Scanning Engine does not release the file before a second timeout threshold is met, the McShield process closes itself so that a file lock does not take place. This action usually occurs with embedded objects inside archive files. For examples, ZIP, .RAR, or .CAB. It is also based on file size, complexity, use, location, and availability to the scanner at the time the Engine accesses the file.
Sequence of events
- McShield starts scanning.
- If the timer reaches the value specified for ScannerThreadTimeout, McShield requests the Engine to discontinue scanning and another timer begins.
- McShield waits for the Engine to release the file.
- If the scan is successful, McShield releases the file.
- If the second timer reaches the value of ScannerThreadTimeoutEx, McShield closes and the file is released. The value of ScannerThreadTimeoutEx is equivalent to ScannerThreadTimeout.
- If McShield closes, the Task Manager service (if started) sends a new start command to McShield.
- The McShield process restarts.
Solution
NOTE: This error is not for information only, and it is not safe to ignore. But, if you do not want to see this error, use one of the following workarounds:
Consider the following:
- If a timeout occurs, it means that a file has not been fully scanned. Also, VSE does not retry a scan of these files until after a DAT update (or when the scan cache has been reset).
- If a timeout occurs frequently on the same file, determine if the file is safe, If so, exclude it from On-Access scanning.
- If a timeout occurs frequently on different files, there might be an incompatibility issue between VSE and another product that has been installed. It must be investigated further.
- If a timeout occurs frequently for any reason, or when initiating a particular sequence of events, the safest course of action is to investigate the behavior further until the cause is understood.
- If a timeout occurs infrequently, you can consider it as a one-off event due to your computer system being heavily used, leaving little opportunity for VSE to complete the scan. In this case, the safe course of action is to make sure that the on-demand scan task scans the files. On-demand scans do not time out.
Workaround
Add a Low-Risk Process exclusion for any processes that generate file timeouts. Depending on the processes that generate the file timeouts, you might want to skip scanning the read and write disk I/O generated by that process. To do so, add the process to Low-Risk Processes and deselect When Writing to Disk and When Reading from Disk. For more information, see the following articles:
- For High-Risk, Low-Risk, and Default processes configuration and usage, see KB55139.
- To determine if configuring VirusScan Enterprise exclusions or setting Low Risk Processes is effective, see KB67648.
To add a Low-Risk Process exclusion:
- Click Start, Programs, McAfee, VirusScan Console.
- Double-click On-Access Scanner.
- Select Low-Risk Processes (if Low-Risk Processes is not an available option, select All Processes).
- On the Processes tab, click Use different settings for high-risk and low-risk processes.
- Click Add, then Browse and select the process and click OK.
- Click OK and exit the VirusScan Console.
NOTES:
- Each Default, High-Risk, and Low-Risk process policy is independent and you must configure them individually.
- Adding a process to Low-Risk potentially affects your security. Use this solution only when strictly necessary.
Example
Suppose you add a file in the Exclusions tab of the Default Processes policy. But, you do not add it to the Exclusions for the High-Risk policy, the file will still be scanned by the High-Risk processes policy.
Workaround
Create a specific exclusion for the file:
-
Click Start, Programs, McAfee, VirusScan Console.
-
Double-click On-Access Scanner and select All Processes.
-
Click the Detection tab.
-
Select Exclusions and click Add.
-
Type the name of the relevant file to be excluded.
- Click OK three times to exit the On-Access Scanner.
- Exit VirusScan Console.
For more information about using wildcards with exclusions in VirusScan Enterprise 8.x, see KB54812.
Workaround
If this issue occurs only when scanning archive files, disable archive file scanning. It is considered to be a minor security risk because all files inside an archive are scanned when the archive is opened or extracted.
VSE 8.8:
- Click Start, Programs, McAfee, VirusScan Console.
- Double-click On-Access Scanner and select Default Processes.
- Click the Scan Items tab.
- Under Compress Files, deselect Scan inside archives (Example: ZIP).
- Click Apply, OK.
- Exit the VirusScan Console.
Workaround
Disable opportunistic locking in Windows.
For information about configuring opportunistic locking in Windows, see Microsoft Knowledge Base article 296264 at http://support.microsoft.com/kb/296264.
|