Warning "The scanning feature seems to be hung or the scan engine is overloaded"
|Article:TECH89983|||||Created: 2008-01-28|||||Updated: 2011-10-18|||||Article URL http://www.symantec.com/docs/TECH89983|
Scan Engine is sending e-mail alerts notifying administrators with the following message:
"The scanning feature seems to be hung or the scan engine is overloaded"
Message "The scanning feature seems to be hung or the scan engine is overloaded" sent in E-Mail notifications.
The message may be also found in Scan Engine local log file.
E-Mail (SMTP) alerts must be configured in Scan Engine to receive notifications.
Symantec Scan Engine 5.2 introduced a new feature which periodically (every 60 seconds) checks whether Scan Engine is responsive and able to process scan requests. Typically, this Warning is a sign that the Symantec Scan Engine process is out of threads and had to queue up new incoming requests.
The following are the most common causes for this Warning to be generated:
- IF Scan Engine is unable to get to and respond to these queued requests fast enough, it is possible that it will fail the self-test, causing the mentioned Warning to occur.
- The Symantec Scan Engine process or server could be overloaded.
Please note that this Warning may be seen even under heavy load conditions affecting the server on which Scan Engine is installed, regardless of the amount of scan requests.
Below is an excerpt of the self-test scanning feature description from the product's Implementation Guide (page 229):
- If your client uses the ICAP protocol or the RPC protocol, Symantec Scan Engine installs with a self-test scanning feature.
Symantec Scan Engine performs a test every minute to check whether it is responsive and able to scan files. A test file is sent for Symantec Scan Engine to scan.
If Symantec Scan Engine does not respond with a scan result before the timeout period expires, a Warning message is logged.
Each self-test scan occurs 1 minute after the last self-test scan finishes.
Some potential solutions could be as simple as increasing the Number of available threads for scanning, to adding one more Symantec Scan Engine server to help alleviate the scan load from the potentially overloaded server.
Below is a list of areas to investigate and that could cause the Warning to be logged:
- Local AntiVirus realtime scanning. When an AntiVirus product is installed on the same server as Scan Engine, and realtime scanning is enabled on the filesystem, all folders used by Scan Engine must be excluded from it.
- Possible network issues: they could cause delays leading to queued scan requests.
- Possible system-related issues: such as excessive hard disk usage, excessive CPU usage, they all cause delays to Scan Engine self test.
To further troubleshoot this message, please contact Symantec Support.
The self-test scanning feature may also be manually disabled by following the steps below.
NOTE: Disabling the Symantec Scan Engine selfscantest is not recommended.
It provides an early warning to the possibility of Scan Engine being overloaded.
To disable selfscantest at a Windows cmd prompt
- From a command prompt, navigate to
:\Program Files\Symantec\Scan Engine
- Execute the following command:
java –jar xmlmodifier.jar –s /configuration/logging/selfscantest/@enabled false configuration.xml
To disable the Symantec Scan Engine selfscantest at a Linux or Solaris shell prompt
- From a command prompt, navigate to /opt/SYMCScan/bin
- Execute the following command:
/usr/java/jre1.5.0_15/bin/java –jar xmlmodifier.jar –s /configuration/logging/selfscantest/@enabled false configuration.xml
NOTE: Java may be installed to a different location. If so, please substitute the appropriate path for the java executable in the command above.
Article URL http://www.symantec.com/docs/TECH89983