Explanation of why scan time-outs occur

Technical Articles ID: KB55869
Last Modified: 10/15/2021

Environment

McAfee Endpoint Security (ENS)
McAfee Endpoint Security for Linux (ENSL)
McAfee Endpoint Security for Mac (ENSM)
McAfee MOVE AntiVirus Agentless (MOVE AV Agentless)
McAfee MOVE AntiVirus Multi-Platform (MOVE AV Multi-Platform)
McAfee Security for Microsoft Exchange (MSME)
McAfee VirusScan Enterprise (VSE)
McAfee VirusScan Enterprise for Linux (VSEL)

Problem

Scan time-outs occur, and the following error displays:

The scan of FILENAME has taken too long to complete and is being cancelled. Scan engine xxxx and DAT version is xxxx

Cause

This error is informational and does not indicate a software malfunction. The scan time-out message is logged when a scan stops before the file has been scanned. The scanning software has no way to determine whether the file is infected. The respective product logs record such incidents. For ENS/VSE, these logs are in C:\ProgramData\McAfee\DesktopProtection or operating system-specific logs such as the Windows Event Log.

Solution

McAfee Enterprise antivirus products have an intentional cutoff time when the scan of a particular file must stop. The scan time-out feature is intended to prevent a denial-of-service.

All McAfee Enterprise antivirus products work in a similar way:

The on-access scanner intercepts a request for a file.
The file is scanned.
The file is passed to the user or application that requested the file. Or, if the file is infected, the scanner takes the appropriate action, and the user is informed of the infection.

NOTE: Any file that is actively being scanned is unavailable until the scan completes.

The amount of time taken to scan the file depends primarily on the following factors:

File complexity
File size
File location
File type - File extensions such as .jar, .chm, .cab, and .zip are all archive files that typically use a high rate of compression. To scan these archives, each file must be extracted from the archive and scanned individually. This process can use a large amount of memory, depending on the type of data in the archive and how well it compresses.
Processing power of the computer scanning the files, and the amount of memory if the file must be uncompressed
Network speed, if the file has to be copied over a network to be scanned

If a time-out mechanism is not used, you are denied access to the file until the scan is complete. This time period might be minutes or even hours, depending on the factors previously mentioned. For example, if the file is still being scanned after 30 seconds, the scanner will time out. The length of time before this time-out occurs varies by product and can usually be configured. For information about configuring scan time-out settings for your product, see the appropriate product guide. For example, the ENS option to configure the timeout is Specify maximum number of seconds for each file scan in the on-access scan policy. This option is described in the Endpoint Security 10.7 Interface Reference Guide.

For product documents, go to the Product Documentation portal.

If the scan of a particular file takes longer than allowed by the time-out value, the scan is stopped. An event is generated in the application event log to note that the scan timed out on the file. This information is also sent to Alert Manager and ePolicy Orchestrator if they are installed. An example of this error message is:

The scan of FILENAME has taken too long to complete and is being cancelled. Scan engine xxx and DAT version is xxxx

NOTE: Scan time-out behavior is present in all McAfee Enterprise antivirus on-access scanners. On-demand scans do not have a time-out and take as long as needed to fully scan any target files, except for the following:

ENS and ENSM have a built-in, non-configurable timeout of 45 seconds.
ENSL has a built-in, configurable timeout with a default of 45 seconds. The option in the on-demand scan policy to configure the timeout is Specify maximum number of seconds for each file scan.

All McAfee Enterprise products scan all files in an archive on extraction. If a large and complex archive causes the scan to time out, there is little risk. When the contents are extracted to the hard disk, the on-access scanner scans each file individually.

Related Information

Key search string assistance: why scan timeouts occur, scan timeouts, scan timeout

Affected Products

Endpoint Security for Linux Threat Prevention 10.x
Endpoint Security for Mac Threat Prevention 10.x
Endpoint Security Threat Prevention 10.7.x
Endpoint Security Threat Prevention 10.6.x
MOVE Antivirus Agentless 4.9.x
MOVE Antivirus Agentless 4.8.x
MOVE Antivirus Agentless 4.7.x
MOVE Antivirus Multi-platform 4.9.x
MOVE Antivirus Multi-platform 4.8.x
MOVE Antivirus Multi-platform 4.7.x
MOVE Antivirus Multi-platform 4.6.x (EOL)
Security for Microsoft Exchange 8.7
Security for Microsoft Exchange 8.6
Security for Microsoft Exchange 8.5 (EOL)
VirusScan Enterprise 8.8 (EOL)
VirusScan Enterprise for Linux 1.9.x (EOL)
VirusScan Enterprise for Linux 2.0.x (EOL)

Languages:

This article is available in the following languages:

German
English United States
Spanish Spain
French
Italian
Japanese
Korean
Dutch
Portuguese Brasileiro
Chinese Simplified
Chinese Traditional

Knowledge Center

Explanation of why scan time-outs occur

Environment

Problem

Cause

Solution

Related Information

Affected Products

Languages:

Title

Title

Knowledge Center

Explanation of why scan time-outs occur

Environment

Problem

Cause

Solution

Related Information

Affected Products

Languages:

Choose your region

Title

Title