I am having an issue with my BeyondTrust Retina and McAfee 8.7i. It dies after taking more than 90000 milliseconds to scan c:\program files (x86)\beyondtrust\retina 5\queue.xml. It's only a small 1KB file. I can perform an on demand scan with no issues. I get an error message which reads, in part (paraphrased, it's a long message): the AV has stopped while scanning c:\program files (x86)\beyondtrust\retina 5\queue.xml by c:\program files (x86)\beyondtrust\retina 5\scanner\retinaengine.exe.
Hmm, shouldn't it be McAfee, not RetinaEngine that is scanning the xml file? Why does it time out on this very small xml file? The "by" part is what really gets me.
Timeouts occur for 1 reason, the scan is taking too long - but why it's taking too long can have multiple causes, of which only one of them is usually encountered. Trying to identify the one reason can be a challenge but there are tell-tale signs for each.
Cause A, the scan engine is stuck due to a content problem
Cause B, the scan engine is stuck due to an engine problem
Cause C, the Mcshield service is being blocked from gaining access to the file
Cause D, there is a massive amount of I/O latency
Cause E, a product issue (some logic that has become confused or is doing something rather silly)
Cause A can be tested for by scanning the file with varying DAT versions (working your way backwards).
It helps to know "when this behavior started", as that may coincide with a specific DAT content update and thereafter the issue became manifest.
This sort of problem should be reported to our McAfee Labs team va McAfee Support.
Cause B becomes a suspect after eliminating Cause A.
If the issue is not content related, see what the behavior is when doing an On-Demand scan of the same file that was giving the On Access scanner a hard time. Does the ODS crash or hang? If so, the scan engine probably does not like that file... and you should report it to McAfee Labs team via McAfee Support.
Cause C involves a 3rd party product, in particular a product that installs a file-system filter driver.
When a process touches a file, McAfee's AV filter blocks that request until we've had a chance to scan the file - and so we tell our McShield (On Access Scanner) service to scan the file. As McShield tries to gain access to the file, the 3rd party filter steps in and blocks us... eventually the timeout is hit, we self-terminate and recover only to be at risk of encountering the same problem again. This creates a potential DOS for that node because files need to be scanned and we're being blocked from scanning them, and we won't let you access them until we've scanned them! A painful scenario to experience, believe me.
The solution - the 3rd party filter driver's vendor needs to be engaged; they need to allow McShield.exe's I/O. Our development team will be happy to chat with theirs if they're open for that sort of thing.
Cause D I've only seen when someone has enabled the Network Drive Scanning option, which depends on network bandwidth to be able to read the remote files in a timely manner. Sometimes that isn't possible, and timeouts occur more frequently as a consequence.
Cause E... well, sometimes we uncover logic flaws in the product that have been exhibiting themselves as timeouts, and for some unglodly reason those timeouts had been getting ignored or perhaps it just took us forever to figure out the issue and get it fixed. Whatever the case, we address such issues as we are able - make sure you're using our "latest stuff" to avoid wasting your time researching an old problem.