So here is what we occassionally run into where I am.
We have some archived storage platoform for older files. We have a NetApp running most other things for user access.
We have 8 server 2008 r2 servers runnning cloud scanning on anything access from the netapp.
When there is a large (.zip only so far) file, larger that 2GB, the file begins to un-archive, and I see the temp file show up on the AV server. The problem is, is always times out with a symcscan error when this happens, and more handles keep getting opened on the file. The more the users click on it the more handles get opened, sometimes on the same AV server.
There is something strange going on when files are un-archived, and then the NetApp hands it to the Symantec servers (to presumably decompress and scan). If it helps the temp files found on the scanners were the same size as the .zip files themselves, not unpacked.
Has anyone else seen anything like this?
Event IDs when this happens-
The Symantec Protection Engine has encountered a scan error
Date/time of event = 2015-05-20 15:30:32
Event Severity Level = Error
Scanner = Decomposer
Result ID = 37
File name = \\?\UNC\10.###.###.###\ONTAP_ADMIN$\vol\xxx\xxx\xxx\xxx~1.ZIP
Scan Duration (sec) = 0.000
Connect Duration (sec) = 1447.605
Symantec Protection Engine IP address = 10.87.9.239
Uptime (in seconds) = 20463
The problem is when this happens every other file that gets scanned get put it a queue. If enough of these instances open on all servers, all files get queued and we see extremely slow performance from anything using the NetApp (user profiles are there, so really slow logins).
Thanks - BrewKnell