Outlook stops responding or has performance issues after VirusScan Enterprise 8.8 mail scan plug-in is loaded

Technical Articles ID: KB77573
Last Modified: 8/24/2017

Environment

McAfee VirusScan Enterprise (VSE) 8.8 with/without patches
Microsoft Outlook 2010, 2013, 2016

Summary

Recent updates to this article:

To receive email notification when this article is updated, click Subscribe on the right side of the page. You must be logged on to subscribe.

Date	Update
Aug 23, 2017	Added details to several sections for a discovered issue (Patch 9 and earlier), where there is prolonged attachment scan time. Added link to the Autodiscover for Exchange issue documented in KB86832.
Aug 17, 2017	Correction to previous edit; the correct link in the workaround should have been KB69030. Added a link to KB79673 in the Related Information section.
Aug 10, 2017	Added a link to KB77573 in the workaround section.
July 27, 2017	Based off customer feedback, added Outlook 2013 and 2016. Moved details to Solution 2 to cover best practices to minimize the delay. Moved details to cause section.

Problem

Users report any of the following symptoms:

Outlook temporarily stops responding.
Performance lags when receiving email.
Performance lags when receiving email with attachments.
Performance lags when receiving calendar invitations.
Latency in being able to open emails.

Cause

When new email arrives, this triggers action from the EmailScan plug-in. The Outlook client is locked (to the user this could be seen as unresponsive) while steps are taken to determine the new mail object is safe, after which the client is released. The symptom of Outlook being locked (unresponsive) is intentional to avoid users accessing potentially infected mail. However, an unreasonable delay is not intentional and is typically a result of an issue highlighting the incurred pause.

Email scan process

When the Outlook client receives a new mail notification, the EmailScan plug-in is given an opportunity to scan the object.
The add-in initiates a process of locating the item in the Exchange mail stores and downloading it locally for scanning.
While this happens, you are prevented from interacting with the Outlook client. This can give the appearance that the system has stopped responding.
After the scanning process completes, access to Outlook is restored.

The prolonged scan duration where Outlook remains paused can be influenced by multiple external factors to which VirusScan is subject, and that include the following:

Users being remote or roaming and not on the LAN or local to the mail server.
Configuration resulting in an Outlook PST file residing on a remote drive.
The size of mail messages and attachments.
The type of mail item and, therefore, which store the Exchange copies it to.
The size of the user's mailbox, specifically the number of items in the calendar (if the lag occurs when receiving an invite).
Incorrectly configured Autodiscovery for Exchange feature. For details, see KB86832.

The duration of the pause can be influenced by features and settings native to VirusScan Enterprise that include:

VSE Patch installed.
DAT content and Engine version.
On delivery email scan policy setting. For example Scan configuration - Attachments to scan.
GTI connectivity and Artemis (Heuristic network check for suspicious files) settings.

Solution

The underlying behavior of locking the Outlook client while the scanning process occurs is expected behavior; it secures against users launching mail/attachments before they can be scanned.

Excessive delays are not desired and improvements have been made within the VSE product releases for the following:

Issue	Solution
Where lag occurs in direct response to calendar invites being received.	Optimized with VSE 8.8 Patch 4 and later.
Where there is a prolonged scan duration of email attachments. Examples: Office documents.	Improvements made in VSE 8.8 Patch 10 (up to 80% reduction of scan duration).

Refer to the Solution 2 section for assistance with minimizing the delay.

Patches are cumulative; McAfee recommends that you install the latest one.

VSE 8.8 Patch 11 is the latest patch available from the Downloads tab on the ServicePortal at https://support.mcafee.com/downloads.

NOTE: VSE 8.8 Patch 11 supports all supported Windows operating systems.

McAfee product software, upgrades, maintenance releases, and documentation are available from the Product Downloads site at: http://www.mcafee.com/us/downloads/downloads.aspx.

NOTE: You need a valid Grant Number for access. KB56057 provides additional information about the Product Downloads site, and alternate locations for some products.

Solution

Best practices to minimize the delay:

Install the latest VSE Patch.
Use the latest DAT and Engine.
Use Default + additional file types, specified in the Scan Configuration for On Delivery Email Scan policy.
Restrict the size of the user mailbox.
Restrict the size of attachments users can send or receive.
Locate Outlook PST files on the local disk. For a documented issue, see KB59974.
Verify Autodiscover for Exchange is properly configured. For details, see KB86832.
Ensure GTI connectivity. For how to verify that GTI File Reputation is installed correctly and that endpoints can communicate with the GTI server, see KB53733.
NOTES:
- If GTI is absent, then disable Heuristic network check for suspicious files. For details, see KB70130.
- To review a known issue where Outlook pauses for an extended period when receiving attachments due to DNS query timeouts, see KB75933.
Turn on Cached Exchange Mode. For details, refer to the solution section in KB75933.

Workaround

Disable the EmailScan feature via policy.

NOTE: This can be an effective workaround when the underlying performance issue main cause is unavoidable, such as a roaming user profile resulting in a PST on a remote share. It is advised that you evaluate whether you can safely disable the EmailScan feature in your environment (for example, when the Exchange server is already protected).

Alternatively, remove the On-Delivery Email Scanner component from the installation.
For how to remove or prevent installation of the VirusScan Enterprise On Delivery Email Scanner, see KB69030.

Related Information

Also see a related article which covers the topic Performance improvement tips for VirusScan Enterprise 8.8. For details, see KB79673.

Affected Products

Best Practices
Known Issue/Product Defect
VirusScan Enterprise 8.8

Languages:

This article is available in the following languages:

English United States
Spanish Spain
Japanese

Glossary of Technical Terms

Highlight Glossary Terms

Please take a moment to browse our Glossary of Technical Terms.

Knowledge Center

Environment

Summary

Problem

Cause

Solution

Solution

Workaround

Related Information

Affected Products

Languages:

Glossary of Technical Terms

Title

Title

Featured Solutions

Explore Our Portfolio

Security Outcomes

Industries

Products

Featured Solutions

Explore Our Portfolio

MVISION Products

Services & Training

Threat Research

Our Researchers

Threat Landscape Dashboard

Tools

Contact Us

Resources

Downloads

Product Help

Connect with Us

Explore

Our Company

Our Efforts

Other Resources

Careers

Partnerships

Knowledge Center

Environment

Summary

Problem

Cause

Solution

Solution

Workaround

Related Information

Affected Products

Languages:

Glossary of Technical Terms

Choose your region

Title

Title