When running AV scans enterprise-wide I sometimes get various messages, such as 'scan timed out', 'access denied', 'Scan was cancelled', 'clean error'.
Could you please tell me how to properly resolve these?
Using ePO 4.5, AV 8.7.0, HIPS 7.0
Thanks!
Message was edited by: newbieal on 3/7/11 8:29:51 AM CST
Scan timeout events are normally from the VirusScan On-Access - General properties values of 'Maximum Archive Scan Time' or 'Enforce a maximum Scanning Time for all files'.
It's OK to receive this message, but if you wish you can turn both settings off or increase the values. The defaults are 15 seconds and 45 seconds respectively, which is a fair trade-off between scanning most files to completion and not hogging resources locally.
Access denied normally means the file was locked in memory during the scan attempt. There's not a lot you can do about that; it will happen, it's Windows - you will see this during an on-demand scan. Again, it's normal to see these on certain files that are likely to be locked (pagefile, for example). If you see files you know will be locked, exclude them from the on-demand scan.
Scan was cancelled - Short of changing the VirusScan policy to lock down the local interface there's not much you can do here either, especially if the users have local admin rights. Take a look at the user interface policies to see what you can do to stop users cancelling scans.
Clean errors need investigating in detail as they are often quite specific. It suggests malware was not resolved. Take a look at the local scan logs for more detail, perhaps the local Quarantine Manager too. Make sure DATs are up to date and if necessary submit samples to McAfee for analysis.
Time out events can also be an indicator that an exclusion may be needed. I've seen lots of home-grown and legacy applications/scripts that are just plain fugly.
Scan cancelled can also occur if you've set a maximum duration in the task settings.
I have seen people filter out these types of events, but I highly advise against that. At the very least keep them for a few days, then purge them. I would rather have the data if/when I need to troubleshoot, than have to recreate afterward.
I get scan cancelled even on my machine (although I never took an action to cancel). I'm still confused as to what would cause that. But joeleisenlipz, you mention: "Scan cancelled can also occur if you've set a maximum duration in the task settings." Where is this setting, and what should it be set to so that I can avoid the 'scan canceled' situation? Thanks.