7 Replies Latest reply on Aug 4, 2016 2:43 PM by whitead

    Scan Timeout: Access Denied

    mrseagull

      Versions:
      EPO 5.3
      Agent 5.0.1.516
      MOVE AV [multi-platform] 3.6.1.141
      VirusScan Enterprise 8.8.0.1445

       

      I recently deployed MOVE AV to a limited number of VMware VDI machines and we're running into an issue. A user is attempting to install a piece of software, and the files used by the installation keep getting locked up in scans and the installation fails.

       

      In Windows Logs, Application, I see this:

      "Deferred scan is in progress for file 'V:\Users\bi0400\AppData\Local\Temp\OWP2EB1.tmp\sharepointdesigner.ww\spdww.cab '. (A thread in \Device\Mup\nasvs1\users$\BI0400\My Documents\downloads from c\en_sharepoint_designer_2013_with_sp1_x86_3948134.exe process took 45 seconds for scanning. Hence, access denied.)"

       

      In EPO, I see this in the event log of the machine:

       

      Server ID:SERVER
      Event Received Time:9/17/15 2:13:28 PM
      Event Generated Time:9/17/15 2:09:23 PM
      Agent GUID:38183660-5CD0-11E5-1271-000000000000
      Detecting Prod ID (deprecated):MOVEVOFF2600
      Detecting Product Name:MOVE AV Client
      Detecting Product Version:3.6.1
      Detecting Product Host Name:VDESKTOP
      Detecting Product IPv4 Address:10.25.12.227
      Detecting Product IP Address:10.25.12.227
      Detecting Product MAC Address:
      DAT Version:
      Engine Version:
      Threat Source Host Name:
      Threat Source IPv4 Address:10.25.12.227
      Threat Source IP Address:10.25.12.227
      Threat Source MAC Address:
      Threat Source User Name:
      Threat Source Process Name:
      Threat Source URL:
      Threat Target Host Name:IT-2
      Threat Target IPv4 Address:10.25.12.227
      Threat Target IP Address:10.25.12.227
      Threat Target MAC Address:
      Threat Target User Name:DOMAIN\USER
      Threat Target Port Number:
      Threat Target Network Protocol:
      Threat Target Process Name:\Device\Mup\server\users$\USER\My Documents\downloads from c\en_sharepoint_designer_2013_with_sp1_x86_3948134.exe
      Threat Target File Path:V:\Users\USER\AppData\Local\Temp\OWP2EB1.tmp\sharepointdesigner.ww\spdww.cab
      Event Category:Scan started
      Event ID:34283
      Threat Severity:Warning
      Threat Name:Deferred Scan Started
      Threat Type:None
      Action Taken:denied
      Threat Handled:False
      Analyzer Detection Method:OAS

      *Domain and usernames sanitized

       

      Most settings and policies are default. I'm concerned about going into production with this, and having applications delayed or disrupted by scans timing out and denying access to the file. I would appreciate any advice with this issue. Please let me know if any more details are needed.
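For triaging how often this happens before a production rollout, the two records quoted in the post can be parsed and counted per initiating process. This is an added example, not part of the original post and not McAfee code; the function names are hypothetical, and the message shape and field names are taken only from the text quoted above.

```python
import re
from collections import Counter

# Message shape taken from the Application log entry quoted in the post.
DEFERRED_RE = re.compile(
    r"Deferred scan is in progress for file '(?P<file>.*?)\s*'\. "
    r"\(A thread in (?P<process>.+?) process took (?P<seconds>\d+) seconds")

def parse_app_log(message):
    """Return file, process and scan seconds from a deferred-scan message, or None."""
    m = DEFERRED_RE.search(message)
    if not m:
        return None
    return {"file": m["file"], "process": m["process"], "seconds": int(m["seconds"])}

def parse_epo_event(text):
    """Parse an ePO 'Key:Value' dump; values contain colons, so split on the first only."""
    event = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition(":")
        if sep:
            event[key.strip()] = value.strip()
    return event

def is_deferred_scan_denial(event):
    """True for an on-access (OAS) deferred-scan event where access was denied."""
    return (event.get("Threat Name") == "Deferred Scan Started"
            and event.get("Action Taken") == "denied"
            and event.get("Analyzer Detection Method") == "OAS")

def denials_by_process(events):
    """Count denied deferred scans per process that opened the file."""
    return Counter(e.get("Threat Target Process Name", "") for e in events
                   if is_deferred_scan_denial(e))

# Sample input: the log message and a subset of the ePO fields quoted in the post.
APP_LOG = (r"Deferred scan is in progress for file 'V:\Users\bi0400\AppData\Local\Temp"
           r"\OWP2EB1.tmp\sharepointdesigner.ww\spdww.cab '. (A thread in \Device\Mup"
           r"\nasvs1\users$\BI0400\My Documents\downloads from c"
           r"\en_sharepoint_designer_2013_with_sp1_x86_3948134.exe process took 45 "
           r"seconds for scanning. Hence, access denied.)")
EPO_EVENT = r"""Event Generated Time:9/17/15 2:09:23 PM
Threat Target Process Name:\Device\Mup\server\users$\USER\My Documents\downloads from c\en_sharepoint_designer_2013_with_sp1_x86_3948134.exe
Threat Target File Path:V:\Users\USER\AppData\Local\Temp\OWP2EB1.tmp\sharepointdesigner.ww\spdww.cab
Threat Name:Deferred Scan Started
Action Taken:denied
Analyzer Detection Method:OAS"""
print(parse_app_log(APP_LOG))
print(denials_by_process([parse_epo_event(EPO_EVENT)]))
```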