McAfee anti-virus products have an intentional cutoff time when the scan of a particular file must stop; the scan time-out feature is intended to prevent a denial of service.
All McAfee anti-virus products work in a similar way:
- A request for a file is intercepted by the On-Access Scanner.
- The file is scanned.
-
The file is passed to the user or application that requested the file or, if the file is infected, the appropriate action is taken by the scanner and the user is informed of the infection.
NOTE: Any file that is actively being scanned is unavailable until the scan completes.
The amount of time taken to scan the file depends primarily on the following factors:
- File complexity
- File size
- File location
- File type - File extensions such as .jar, .chm, .cab, and .zip are all archive files that typically use a very high rate of compression. To scan these archives, each file must be extracted from the archive and scanned individually. This can use a large amount of memory, depending on the type of data in the archive and how well it compresses.
- Processing power of the computer scanning the files (and amount of memory if the file must be uncompressed)
- Network speed (if the file has to be copied over a network to be scanned)
If a time-out mechanism is not used, you are denied access to the file until the scan is complete (this might be minutes or even hours, depending on the factors previously mentioned). For example, if the file is still being scanned after 30 seconds, the scanner will time out. The length of time before this time-out occurs varies by product and can usually be configured. For information on configuring scan time-out settings for your product, see the appropriate product guide.
If the scan of a particular file takes longer than allowed by the time-out value, the scan is stopped. An event is generated in the application event log to note that the scan timed out on the file after the defined scan time-out value. This information is also sent to Alert Manager and ePolicy Orchestrator if they are installed. An example of this error message is:
The scan of FILENAME has taken too long to complete and is being cancelled. Scan engine xxx and DAT version is xxxx
NOTE: Scan time-out behavior is present in all McAfee anti-virus On-Access Scanners. On-Demand scans do not have a time-out and take as long as required to fully scan any target files, with the exception of Endpoint Security 10.1.x and later, which has a built-in non-configurable timeout of 45 seconds.
All McAfee desktop and server products scan all files in an archive upon extraction. If a large and complex archive causes the scan to time out, there is little risk. When the contents are extracted to the hard disk, each file is scanned individually by the On-Access Scanner.
