Skip navigation
McAfee Secure sites help keep you safe from identity theft, credit card fraud, spyware, spam, viruses and online scams
982 Views 8 Replies Latest reply: Jun 17, 2013 3:54 AM by Don_Martin RSS
Don_Martin Apprentice 104 posts since
Nov 11, 2010
Currently Being Moderated

May 23, 2013 10:05 AM

Timeout in Scan operation - since tonight, several systems

Hello,

 

since tonight we have several systems which are reporting back Timeouts in Scan Operations (OAS). This is nothing I´m worried about but the amount of Systems is wondering me. Normally there are two or three systems with this message in a week but since yesterday, 10 o'clock in the evening, the amount of Systems is growing. There are no similarities in system configurations, nor are these at the same domain or subnet, nor have all the Systems the same policys. Server luike Workstations, like Notebooks.

No new product was checked in, no policy change, only the normal DAT Update and some patch deployments via WSUS at the afternoon.

 

No LogFile shows strange entrys, Server and Clientlogs were checked, and I`m just puzzled why this is happening from one day to another under the given circumstances?!!? Any idea or does someone else has had the same experince in the past and maybe a clue? Log Files can be provided of course but as mentioned - there are no entrys beside the ususal one's.

 

Nachricht geändert durch Don_Martin on 23.05.13 10:05:50 CDT
  • Attila Polinger Veteran 1,161 posts since
    Dec 8, 2009

    Hi Don,

     

    do you mean on-access scanning timeouts occur in increasing number? That should appear in either %DEFLOGDIR%\onaccesscanlog.txt or in Windows Application event log (or in both).

     

    Is not  there any of such event?

     

    Attila

  • Attila Polinger Veteran 1,161 posts since
    Dec 8, 2009

    Do the type/names of files causing the timeouts vary or not? Sometimes by filenames you can tell what operation they belong to and you could tie them with other individual actions (such as patching, software distribution, etc.) in your network.

     

    Even these files could be McAfee 's own. So some typical examples of such events might be useful to be attached here.

    Otherwise if you can decide that those files are harmless, you can exclude them from scanning.

     

    Attila

  • Attila Polinger Veteran 1,161 posts since
    Dec 8, 2009

    Some of these files can belong to Internet Explorer group policy enforcement action so some gpo enforcement might be underway.

     

    Could you reboot just one of the problematic host so to exclude stuck file handles due to which OAS might fail on these files?

     

    /If your hosts are ePO managed: As far as I remember scan timed out errors appear as "detections" in ePO reports (unless you filter them). I would by all means make a query on this condition and compare if file displayed on various hosts are similar or not, just to see if I can spot a pattern./

     

    Attila

  • Attila Polinger Veteran 1,161 posts since
    Dec 8, 2009

    Hi Don,

     

    sorry for the pause I was out of office.

     

    Well, my best tip would be to exclude the .inf and .pf files, just as well as .lnk files from scanning. Apparently these are most likely not to be containing harmful content. You can identify the processes that uses these types of files and set up a low-risk process exclusion list with these files.

    As for why timeouts occur in increasing number I have no convincing explanation, and I'd say we might just ignore them by doing the above.

     

    Attila

More Like This

  • Retrieving data ...

Bookmarked By (0)

Legend

  • Correct Answers - 5 points
  • Helpful Answers - 3 points