Last Modified: 03/24/2014
Rated:
Environment
McAfee SaaS Endpoint Protection
McAfee Security Service for Exchange
McAfee Security for Lotus Domino (Windows)
McAfee Security for Mac
McAfee VirusScan Enterprise
McAfee VirusScan Enterprise for Linux
Problem
Cause
The scan timeout message is logged when a scan stops before the file has been completely scanned, and the virus scanning software has no way to determine if the file is infected.
Solution
McAfee anti-virus products have an intentional cutoff time when the scan of a particular file must stop, and the scan timeout feature is intended to prevent a denial of service.
All McAfee Anti-Virus products work in a similar way:
- A request for a file is intercepted by the On-Access Scanner.
- The file is scanned.
-
The file is passed to the user or application that requested the file or, if the file is infected, the appropriate action is taken by the scanner and the user is informed of the infection.
The amount of time taken to scan the file depends primarily on the following factors:
- File complexity
- File size
- File location
- File type. File extensions such as .jar, .chm, .cab, and .zip are all archive files that typically use a very high compression. To scan these archives, each file must be extracted from the archive. This can use a large amount of memory depending on the type of data in the archive and how well it compresses.
- Processing power of the computer scanning the files (and amount of memory if the file must be uncompressed)
- Network speed (if the file has to be copied over a network to be scanned)
If a timeout mechanism is not used, you are denied access to the file until the scan is complete (this might be minutes or even hours, depending on the factors previously mentioned). For example, if the file is still being scanned after 30 seconds, the scanner will time out. The length of time before this timeout occurs varies by product and can usually be configured. For information on configuring scan timeout settings for your product, see the appropriate product guide.
If the scan of a particular file takes longer than allowed by the timeout value, the scan is stopped. An event is generated in the application event log to note that the scan timed out on the file after the defined scan timeout value. This information is also sent to Alert Manager and ePolicy Orchestrator if they are installed. An example of this error message would be as follows:
The scan of FILENAME has taken too long to complete and is being cancelled. Scan engine xxx and DAT version is xxxx
All McAfee desktop and server products scan all files in an archive upon extraction. If a large and complex archive causes the scan to time out, there is little risk. When the contents are extracted to the hard disk, each file is scanned individually by the On-Access Scanner.
Affected Products
MOVE Antivirus Agentless 3.0
MOVE Antivirus Agentless 2.x
SaaS - AntiVirus/Anti-Spyware Protection 6.0.3
SaaS - AntiVirus/Anti-Spyware Protection 5.4
Security for Lotus Domino 7.5
Security for Mac 1.2
Security for Microsoft Exchange 8.0
Security for Microsoft Exchange 7.6
Threat Prevention and Removal
VirusScan Enterprise 8.8
VirusScan Enterprise 8.7i
VirusScan Enterprise for Linux 1.9
VirusScan Enterprise for Linux 1.7
VirusScan Enterprise for Linux 1.6
