4 Replies Latest reply on Sep 5, 2013 12:04 PM by midnightdevil

    Outlook and VSE - Scan Time Out

    midnightdevil

      Hello dear friends

       

      I'm currently analyzing an issue which seems to be affecting one user.

       

      He has recently "complained" about his computer slowing down when using Outlook, more specifically when sending and receiving emails.

       

      I have found on his event viewer the following event:

       

      A thread in process C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe took longer than 20000 ms to complete a request.

      The process will be terminated. Thread id : 1544 (0x608)

      Thread address : 0x770C7094

      Thread message :

       

       

      Build VSCORE.15.0.0.466 / 5400.1158

      Object being scanned = \Device\HarddiskVolume2\WINDOWS\FONTS\MSMINCHO.TTC

      by C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE

      4(0)(0)

      4(0)(0)

      7200(0)(0)

      7595(0)(0)

      7005(0)(0)

      7004(0)(0)

      5006(0)(0)

      5004(0)(0)

       

      ---------------------------

       

      I detected the event on OnAccessScan.log.

      Scan Timeout -

      C:\Program  Files\Microsoft Office\Office12\OUTLOOK.EXE

      C:\Windows\system32\MSOERT2.dll

       

      -------------------------

       

      Now, I can't simply disable On Access Scan or add Outlook as a low risk exclusion (company security policy). Besides, there are tons of users with the same configuration and he's the only one with this issue.

       

      He's using Windows 7 / Outlook 2007 SP3 / VSE 8.8 managed by ePO 4.6.6, of which I'm the Administrator.

       

      Disabling On Access Policies is also a risk.

       

      As a trial, I disabled Buffer Overflow in order to see if the performance issue persists - he replied it's "slightly" better but not substantially better. He still has performance breakdowns during these operations.

       

      I also uninstalled VSE 8.8 Patch 2 and installed all over again - no different results.

       

      Now, I know the engine bypasses a file if the same is being used / opened and McAfee registers the ScanTimeOut event.

       

      Note that I'm not next to the user to actually "see" this happening.

       

      My question is, what else is there to do to diagnose this issue or solve the problem ?

       

      I have the same software configuration he does and I cannot complain.

       

      We use on the ePO the recommended exclusions for workstations and servers (different profiles, of course).

       

      A little help please?

       

      PS -

       

      I also noticed similar events on his computer like this one:

      A thread in process C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe took longer than 20000 ms to complete a request.

      The process will be terminated. Thread id : 4156 (0x103c)

      Thread address : 0x770C7094

      Thread message :

       

       

      Build VSCORE.15.0.0.466 / 5400.1158

      Object being scanned = \Device\HarddiskVolume2\WINDOWS\FONTS\MSMINCHO.TTC

      by C:\Program Files\Microsoft Office\Office12\WINWORD.EXE

      4(0)(0)

      4(0)(0)

      7200(0)(0)

      7595(0)(0)

      7005(0)(0)

      7004(0)(0)

      5006(0)(0)

      5004(0)(0)

       

      ---------------------

       

      But so far, he has only complained about Outlook.

       

       

      Thank you so much in advance for any tips and help.

       

      MD
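The two mcshield.exe timeout events quoted in the post above, parsed and grouped by scanned object so that what they have in common is visible at a glance. This is an added example, not part of the thread; the function names are hypothetical, and the event text is copied from the post with its blank lines and trailing counter lines trimmed.

```python
import re
from collections import defaultdict

# Event text as quoted in the post (blank lines and counter lines trimmed).
TEMPLATE = r"""A thread in process C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe took longer than 20000 ms to complete a request.
The process will be terminated. Thread id : {tid}
Thread address : 0x770C7094
Build VSCORE.15.0.0.466 / 5400.1158
Object being scanned = \Device\HarddiskVolume2\WINDOWS\FONTS\MSMINCHO.TTC
by C:\Program Files\Microsoft Office\Office12\{exe}"""
SAMPLE_EVENTS = [
    TEMPLATE.format(tid="1544 (0x608)", exe="OUTLOOK.EXE"),
    TEMPLATE.format(tid="4156 (0x103c)", exe="WINWORD.EXE"),
]

FIELDS = {
    "limit_ms": re.compile(r"took longer than (\d+) ms"),
    "thread_id": re.compile(r"Thread id\s*:\s*(\d+)"),
    "object": re.compile(r"Object being scanned\s*=\s*(.+)"),
    "requester": re.compile(r"^[ \t]*by[ \t]+(.+)$", re.M),
}

def parse_event(text):
    """Extract the fields of one timeout event; a missing field becomes None."""
    out = {}
    for name, rx in FIELDS.items():
        m = rx.search(text)
        out[name] = m.group(1).strip() if m else None
    if out["limit_ms"] is not None:
        out["limit_ms"] = int(out["limit_ms"])
    return out

def group_by_object(events):
    """Map each scanned object to the set of processes that requested it.
    Windows paths are case-insensitive, so both sides are upper-cased."""
    groups = defaultdict(set)
    for ev in map(parse_event, events):
        if ev["object"] and ev["requester"]:
            exe = ev["requester"].rsplit("\\", 1)[-1].upper()
            groups[ev["object"].upper()].add(exe)
    return dict(groups)

def shared_objects(events):
    """Objects that timed out under more than one requesting process."""
    return sorted(o for o, p in group_by_object(events).items() if len(p) > 1)

if __name__ == "__main__":
    for obj, procs in group_by_object(SAMPLE_EVENTS).items():
        print(obj, "<-", ", ".join(sorted(procs)))
```

An object that appears under several requesting processes is the first file to time with the command line scanner and to compare against a machine that does not show the timeouts.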

        • 1. Re: Outlook and VSE - Scan Time Out
          wwarren

          A cautionary note:

           

          Your timeout value is set to 10 seconds.

          In case you were not aware, you are allowing the real-time scanner a maximum of 10 seconds to scan a file, and if it does not complete within that timeframe to allow access to the file _unscanned_.

           

          The matter of why a particular file takes longer than 10s to scan is what your post is about; one you can take up with McAfee Labs by sending them samples etc and they may be able to either tell you why it takes 'x' time, or find ways to improve the detection drivers needed for that type of file, or whitelist it, or something else.

           

          Since you say others with the same configuration, presumably the same file too, are not experiencing timeouts, that suggests that one user's node has something else installed that's slowing down the scan process (i.e. reads of the file from our scanner) - typically that means another file-system filter is involved.

          • 2. Re: Outlook and VSE - Scan Time Out
            midnightdevil

            I thought 20000ms would be 20 seconds. I am aware, yes.

            I did some research about this issue before posting, including some KBs whose numbers I don't have atm. Two things were recommended.

             

            - Updating the Office package to Service Pack 2 - The user has Sp3 installed - Check

            - Installed VSE8.8 SP2 (in that particular case, they were suggesting some issues with updating from previous versions and recommended a "clean" install of the VSE 8.8 Patch 2) - Check

             

            I have checked what other software could be causing this issue, but I can't find anything else besides the standard workstation applications.

            • 3. Re: Outlook and VSE - Scan Time Out
              wwarren

              Yeah, it's 10 seconds - that is what is configured in the policy.

              After 10 seconds the product tries to stop scanning. It allows itself another 10s (20s total) to successfully stop - if the 20s limit is hit, the service self-terminates because it has to assume the scan engine has locked up and we do not want to deadlock the system.

               

              If not a 3rd party, the other factors that contribute to timeouts are largely environmental. For our part you'd look at DAT version, Engine version, and how long it actually takes to scan the file using the command line scanner.

              • 4. Re: Outlook and VSE - Scan Time Out
                midnightdevil

                Thank you, I'll report back tomorrow once I've got the results from the testing.