7 Replies Latest reply on Sep 15, 2010 9:18 AM by runcmd

    Scan Timeouts on OAS Exclusions

    runcmd

      I have two paths on a server that are excluded from OAS scanning (including subfolders).  I will call them "C:\FOLDER1\" and "C:\FOLDER2\FOLDER3\".  These exclusions are applied to the server by a policy on the ePO.  I have confirmed that the exclusions are functioning properly by copying an EICAR to one of the excluded folders and it is not detected.  If I copy an EICAR to a folder that is not excluded, it is immediately detected and removed.  However, the OnAccessScanLog and the Event Log show scan timeouts for files in the excluded folders.  Example:

       

      OnAccessScanLog:

      7/16/2010  5:12:23 AM  Not scanned  (scan timed out)  NT AUTHORITY\SYSTEM  c:\FOLDER1\abc\def\ghi\jkl\prowin32.exe  C:\FOLDER2\FOLDER3\xyz

       

      Event Log:

      Event Type:  Information
      Event Source:  McLogEvent
      Event Category:  None
      Event ID:  257
      Date:  7/16/2010
      Time:  5:12:23 AM
      User:  NT AUTHORITY\SYSTEM
      Computer:  MYSERVER
      Description:
      The scan of C:\FOLDER2\FOLDER3\xyz has taken too long to complete and is being canceled.  Scan engine version used is 5400.1158 DAT version 6044.0000.

       

      Why is the OAS scanning things in these folders?  I opened a case with support, but so far I have only been provided a link to KB55869.  This knowledge base article appears to be only a definition of what scan timeouts are.  Has anyone else seen this before?  Although I've obfuscated the paths and filenames, I'm hoping this still makes sense.  Thanks!

        • 1. Re: Scan Timeouts on OAS Exclusions
          rmetzger

          runcmd wrote:

           

          I have two paths on a server that are excluded from OAS scanning (including subfolders).  I will call them "C:\FOLDER1\" and "C:\FOLDER2\FOLDER3\".  These exclusions are applied to the server by a policy on the ePO.  I have confirmed that the exclusions are functioning properly by copying an EICAR to one of the excluded folders and it is not detected.  If I copy an EICAR to a folder that is not excluded, it is immediately detected and removed.  However, the OnAccessScanLog and the Event Log show scan timeouts for files in the excluded folders.  Example:

           

          OnAccessScanLog:

          7/16/2010  5:12:23 AM  Not scanned  (scan timed out)  NT AUTHORITY\SYSTEM  c:\FOLDER1\abc\def\ghi\jkl\prowin32.exe  C:\FOLDER2\FOLDER3\xyz

          Did you Also Include Sub-folders in the Exclusion?

           

          This 'feature' allows for the exclusion of a single folder, but to continue scanning within sub-folders from the excluded parent. Your example seems to indicate that the sub and sub-sub-folders are still getting scanned.

           

          Hope this helps.

          Ron Metzger

          • 2. Re: Scan Timeouts on OAS Exclusions
            runcmd

            As previously stated, "Exclude Subfolders" is checked on the folder exclusions.  Although EICARs are not detected in the excluded subfolders, I am seeing occasional scan timeouts for these folder contents in the log.

            • 3. Re: Scan Timeouts on OAS Exclusions
              rmetzger

              runcmd wrote:

               

              As previously stated, "Exclude Subfolders" is checked on the folder exclusions.  Although EICARs are not detected in the excluded subfolders, I am seeing occasional scan timeouts for these folder contents in the log.

              Sorry; read it five times and did not see the '(including subfolders).'

               

              Are there any junctions defined? If so, depending on how an application accesses the folder, this could cause one method to work, but not the other.

               

              Just a thought,


              Ron Metzger

              • 4. Re: Scan Timeouts on OAS Exclusions
                runcmd

                rmetzger wrote:

                Are there any junctions defined? If so, depending on how an application accesses the folder, this could cause one method to work, but not the other.

                Hmm...  That's a very interesting question.  I'll check the server and then provide an update.  Would file access by a junction point be logged as the junction point or as the actual path?  Regardless, that's something definitely worth checking.  Thanks!

                • 5. Re: Scan Timeouts on OAS Exclusions
                  wwarren

                  A couple things to be aware of with exclusions -

                   

                  1)

                  Excluding C:\Folder\Filename does not help if the product is seeing \Device\harddiskVolume0\Folder\Filename.

                  You'll know if you're hitting this scenario by what gets logged. The product will log if the file was seen as \Device\etc

                   

                  2)

                  Processing an exclusion can still lead to a timeout. But it means your system is very laggy at times.

                  When the scanner receives a file for processing, it doesn't know if the file should be scanned or excluded, not until that processing is complete.

                  And the Scannerthread Timeout counter begins as soon as the file is received for processing.

                  Thus, it's possible for the Scannerthread Timeout threshold to be reached even before the scanner could determine whether to exclude the file.

                   

                  This should not be common. And if it happens at all it suggests that the system is either crawling for some reason - other things were getting CPU time, or something else on the system is hindering the scanner being able to obtain some simple information about the file in question.
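
Added example, not part of the thread and not McAfee tooling: a Python triage of "scan timed out" rows that separates the two cases in the reply above, a target logged as a \Device\ path versus a timeout on a target that sits under an exclusion. The column layout is inferred from the one log line quoted in the thread, the helper names are hypothetical, and every row but the first is constructed.

```python
import re
from collections import Counter
from ntpath import normcase, normpath  # Windows path rules on any OS

# Exclusions named in the thread; "including subfolders" applies to both.
EXCLUSIONS = [r"C:\FOLDER1", r"C:\FOLDER2\FOLDER3"]
SEP = " " * 2  # assumption: columns are split by a tab or by 2+ spaces

def _row(time, process, target):
    # Build a row in the column order of the log line quoted in the thread.
    return SEP.join(["7/16/2010", time, "Not scanned", "(scan timed out)",
                     r"NT AUTHORITY\SYSTEM", process, target])

# Constructed sample: row 1 mirrors the thread's line, the rest are made up.
SAMPLE_LOG = "\n".join([
    _row("5:12:23 AM", r"c:\FOLDER1\abc\def\ghi\jkl\prowin32.exe",
         r"C:\FOLDER2\FOLDER3\xyz"),
    _row("5:12:25 AM", r"c:\app\svc.exe",
         r"\Device\HarddiskVolume1\FOLDER1\data.tmp"),
    _row("5:12:31 AM", r"c:\app\svc.exe", r"C:\Temp\big.zip"),
    _row("5:12:40 AM", r"c:\app\svc.exe", r"C:\FOLDER10\x.dat"),
])

def is_excluded(path):
    # Case-insensitive match on whole path components, so that
    # C:\FOLDER10 is not mistaken for a child of C:\FOLDER1.
    p = normcase(normpath(path))
    roots = (normcase(normpath(e)) for e in EXCLUSIONS)
    return any(p == r or p.startswith(r + "\\") for r in roots)

def classify(line):
    cols = re.split(r"\t+| {2,}", line.strip())
    if len(cols) != 7 or "timed out" not in cols[3]:
        return None  # not a timeout row in the assumed layout
    target = cols[6]  # last column is the file being scanned
    if normcase(target).startswith("\\device\\"):
        return "device-path"  # a drive-letter exclusion cannot match this
    return "excluded" if is_excluded(target) else "not-excluded"

def summarize(log_text):
    labels = (classify(line) for line in log_text.splitlines())
    return Counter(label for label in labels if label)

if __name__ == "__main__":
    for label, count in summarize(SAMPLE_LOG).items():
        print(f"{label}: {count}")
```

Rows labelled `excluded` are the situation from point 2 (the timeout fired before the exclusion decision was made), while `device-path` rows are the path mismatch from point 1.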

                  • 6. Re: Scan Timeouts on OAS Exclusions
                    runcmd

                    Excellent information!  Thank you, William!  The system in question is experiencing random performance hits.  Because of the event log entries related to OAS timeouts, the application vendor is pointing the finger at VirusScan.  Based upon the information you provided, it could very well be the case that something else is soaking up the CPU and resulting in timeouts on files in excluded folders.  This could very well mean that VSE is a victim--not a culprit.  At this point, I believe I need to follow up with our server team to determine exactly what process is spiking when the performance issue is reported.  Because the problem is intermittent, this could be tough to pin down.  If a process is accessing a lot of files, I think this could also cause OAS to spike as it tries to keep up; thereby compounding the problem.  Thanks again!

                    • 7. Re: Scan Timeouts on OAS Exclusions
                      runcmd

                      Just an update to let William know that he hit the nail on the head...  I temporarily stopped & disabled the McAfee services on the server in question and the random performance problems persisted.  I believe VirusScan has been cleared in this case and the scan timeouts were being generated due to heavy load on the server--just as you suggested.  Thanks for the help on this one!