Our antivirus products have an intentional cutoff time when the scan of a particular file must stop. The scan time-out feature is intended to prevent a denial-of-service.
All our antivirus products work in a similar way:
- The on-access scanner intercepts a request for a file.
- The file is scanned.
- The file is passed to the user or application that requested the file. Or, if the file is infected, the scanner takes the appropriate action, and the user is informed of the infection.
NOTE: Any file that's actively being scanned is unavailable until the scan completes.
The amount of time taken to scan the file depends primarily on the following factors:
- File complexity
- File size
- File location
- File type - File extensions such as .jar, .chm, .cab, and .zip are all archive files that typically use a high rate of compression. To scan these archives, each file must be extracted from the archive and scanned individually. This process can use a large amount of memory, depending on the type of data in the archive and how well it compresses.
- Processing power of the computer scanning the files, and the amount of memory if the file must be uncompressed
- Network speed, if the file has to be copied over a network to be scanned
If a time-out mechanism isn't used, you're denied access to the file until the scan is complete. This time period might be minutes or even hours, depending on the factors previously mentioned. With a time-out, the scan is cut off instead: for example, if the file is still being scanned after 30 seconds, the scanner will time out. The length of time before this time-out occurs varies by product and can usually be configured. For information about configuring scan time-out settings for your product, see the appropriate product guide. For example, the ENS option to configure the timeout is Specify maximum number of seconds for each file scan in the on-access scan policy. This option is described in the Endpoint Security 10.7 Interface Reference Guide.
If the scan of a particular file takes longer than allowed by the time-out value, the scan is stopped. An event is generated in the application event log to note that the scan timed out on the file. This information is also sent to Alert Manager and ePolicy Orchestrator if they're installed. An example of this error message is as follows:
The scan of FILENAME has taken too long to complete and is being cancelled. Scan engine xxx and DAT version is xxxx
NOTE: Scan time-out behavior is present in all our antivirus on-access scanners. On-demand scans don't have a time-out and take as long as needed to fully scan any target files, except for the following:
- ENS and ENSM have a built-in, non-configurable timeout of 45 seconds.
- ENSL has a built-in, configurable timeout with a default of 45 seconds. The option in the on-demand scan policy to configure the timeout is Specify maximum number of seconds for each file scan.
All our products scan all files in an archive on extraction. If a large and complex archive causes the scan to time out, there's little risk. When the contents are extracted to the hard disk, the on-access scanner scans each file individually.
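To review which files had their scan cut short, the following added example (not part of the product or its documentation) parses the time-out message quoted above out of exported event text and groups the affected files. It assumes one event per text line. The timestamps, hosts, paths, engine and DAT values are constructed, and listing non-archive files separately is an assumption based on the point above that archive contents are scanned again on extraction.

```python
import re
from collections import Counter
from pathlib import PureWindowsPath

# Message text as quoted in the article; engine and DAT values are matched loosely.
TIMEOUT_RE = re.compile(
    r"The scan of (?P<path>.+?) has taken too long to complete and is being "
    r"cancelled\. Scan engine (?P<engine>\S+) and DAT version is (?P<dat>\S+)"
)
ARCHIVE_EXTS = {".jar", ".chm", ".cab", ".zip"}  # archive types the article names


def parse_timeouts(lines):
    """Yield (path, engine, dat) for every line carrying the time-out message."""
    for line in lines:
        m = TIMEOUT_RE.search(line)
        if m:
            yield m["path"], m["engine"], m["dat"]


def triage(lines, repeat_threshold=2):
    """Group timed-out files into archives and others; report repeated time-outs."""
    counts = Counter(path.lower() for path, _, _ in parse_timeouts(lines))
    archives, others = [], []
    for path in sorted(counts):
        is_archive = PureWindowsPath(path).suffix in ARCHIVE_EXTS
        (archives if is_archive else others).append(path)
    repeats = {p: n for p, n in counts.items() if n >= repeat_threshold}
    return {"archives": archives, "others": others, "repeats": repeats}


# Constructed sample: timestamps, hosts, paths, engine and DAT values are made up.
MSG = ("The scan of {} has taken too long to complete and is being cancelled. "
       "Scan engine 1111 and DAT version is 2222")
SAMPLE = [
    "2024-01-10 09:12:01 HOST-A " + MSG.format(r"C:\Users\a\Downloads\bundle.zip"),
    "2024-01-10 09:40:17 HOST-A " + MSG.format(r"C:\Users\A\Downloads\Bundle.zip"),
    "2024-01-10 10:02:44 HOST-B " + MSG.format(r"D:\Data\export.db"),
    "2024-01-10 10:03:00 HOST-B On-access scan policy enforced",
    "2024-01-10 11:15:09 HOST-C " + MSG.format(r"C:\Program Files\App\lib\big.jar"),
]

if __name__ == "__main__":
    for group, value in triage(SAMPLE).items():
        print(group, value)
```

Paths are lower-cased before counting so that the same Windows file logged with different casing is counted once.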