
Scan Engine inconsistent

Created: 30 Sep 2011 | 6 comments
Is there something here I'm not seeing? I did an strace on the process, and the "unable to connect" error comes after the file has been sent, while it's waiting on a response.
 
 
 
 ./ssecls -server remotehost:1344   fileToScan.war
 
    Virus scan process began : Fri Sep 30 12:56:52 2011
Virus scan process completed : Fri Sep 30 12:57:04 2011
 
        Defs Version = 20090930.037
 Commandline Scanner = 4.3.2.12
 
         Total Bytes = 16792492 (Mbytes 16.0146)
             Elapsed = 12.0300
           Scan Rate =  1.33 (Mbytes/sec)
 
      Files Excluded = 0
       Files Scanned = 1
 Directories Scanned = 0
Directories Excluded = 0
       Files Skipped = 0
    Files Scan Error = 0
      Files Infected = 0
 
No error was found during the scan
 
[klrice@localhost virus]$  ./ssecls -server remotehost:1344   fileToScan.war 
Error: unable to connect to the Scan Engine.
[klrice@localhost virus]$  ./ssecls -server remotehost:1344   fileToScan.war 
Error: unable to connect to the Scan Engine.
[klrice@localhost virus]$  ./ssecls -server remotehost:1344   fileToScan.war 
 
    Virus scan process began : Fri Sep 30 12:57:12 2011
Virus scan process completed : Fri Sep 30 12:57:25 2011
 
        Defs Version = 20090930.037
 Commandline Scanner = 4.3.2.12
 
         Total Bytes = 16792492 (Mbytes 16.0146)
             Elapsed = 12.9980
           Scan Rate =  1.23 (Mbytes/sec)
 
      Files Excluded = 0
       Files Scanned = 1
 Directories Scanned = 0
Directories Excluded = 0
       Files Skipped = 0
    Files Scan Error = 0
      Files Infected = 0
 
No error was found during the scan
 


BenDC

If the scan engine is quite busy this could cause this behavior but otherwise I would tend to suspect the network.

Benc_Smith

Hi Kris,

I would say you could start off by taking a network packet capture from the client sending the request (it looks like the client is not local to the scanner), and review the packet capture during the times the error occurred. This way you can confirm if it is an issue with Scan Engine just not responding to the client's scan request in time, or possibly something else is happening on the client (for example, it was not able to open a socket).

Thanks,
Ben

kzqqql

Hello experts,

I am evaluating the product by running a few tests on certain file systems. On one occasion the scan process reported 2 errors:

==================================================================================

    Virus scan process began : Fri Oct 14 10:07:00 2011
Virus scan process completed : Fri Oct 14 19:02:12 2011

        Defs Version = 20110518.036
 Commandline Scanner = 4.3.2.19
             Elapsed = 32111.8750

      Files Excluded = 0
       Files Scanned = 2162681
 Directories Scanned = 1002
Directories Excluded = 0
       Files Skipped = 0
    Files Scan Error = 2
      Files Infected = 0

Error list:

Error processing file /objective/data1/volume1/doc/395/A2218395.3
Error processing file /objective/data1/volume1/doc/395/A2218395.4

===================================================================================

However, these 2 files were marked as cleaned by another anti-virus product, they are not corrupted either, and their file permissions/attributes are the same as other files in the same directory. What would be the possible cause?

BTW, files A2218395.1 and A2218395.2 had no error in scan.

Another issue is: I downloaded and installed the anti-virus updates package (20111010-020-unix.sh) from the FTP site, then restarted the scan engine; however, the "Defs Version" is still showing the older version. Am I missing any steps?

Thank you in advance.
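
An added example (not from the thread or from Symantec): a small Python check that parses the ssecls summary format quoted in the posts above and flags the three conditions raised in this thread, namely an unreachable engine, files that errored, and old definitions. It assumes the part of "Defs Version" before the dot is a YYYYMMDD date; the function names and the 7-day threshold are illustrative.

```python
import re
from datetime import datetime

# Constructed sample: summary fields copied from the report quoted above.
SAMPLE = """\
    Virus scan process began : Fri Oct 14 10:07:00 2011
Virus scan process completed : Fri Oct 14 19:02:12 2011
        Defs Version = 20110518.036
 Commandline Scanner = 4.3.2.19
       Files Scanned = 2162681
    Files Scan Error = 2
      Files Infected = 0
Error list:
Error processing file /objective/data1/volume1/doc/395/A2218395.3
Error processing file /objective/data1/volume1/doc/395/A2218395.4
"""
CONNECT_ERROR = "Error: unable to connect to the Scan Engine."
FIELD = re.compile(r"^[ \t]*([A-Za-z ]+?)[ \t]*[:=][ \t]*(\S.*?)[ \t]*$", re.M)

def parse_report(text):
    """Parse ssecls output (summary report or connect error) into a dict."""
    if CONNECT_ERROR in text:
        return {"connected": False}
    fields = dict(FIELD.findall(text))
    # Assumption: the Defs Version prefix is the definition date (YYYYMMDD).
    defs = datetime.strptime(fields["Defs Version"].split(".")[0], "%Y%m%d")
    began = datetime.strptime(fields["Virus scan process began"],
                              "%a %b %d %H:%M:%S %Y")
    return {
        "connected": True,
        "defs_age_days": (began - defs).days,
        "scan_errors": int(fields["Files Scan Error"]),
        "infected": int(fields["Files Infected"]),
        "error_files": re.findall(r"^Error processing file (.+)$", text, re.M),
    }

def findings(report, max_defs_age_days=7):
    """List problems worth alerting on; the threshold is an assumed policy."""
    if not report["connected"]:
        return ["scan engine unreachable: no scan result was returned"]
    out = []
    if report["defs_age_days"] > max_defs_age_days:
        out.append(f"definitions are {report['defs_age_days']} days old")
    if report["scan_errors"]:
        out.append(f"{report['scan_errors']} file(s) errored and were not "
                   "cleared: " + ", ".join(report["error_files"]))
    if report["infected"]:
        out.append(f"{report['infected']} infected file(s)")
    return out

if __name__ == "__main__":
    for problem in findings(parse_report(SAMPLE)):
        print(problem)
```

Treating a connect error or a non-zero "Files Scan Error" as "not scanned" rather than "clean" keeps an upload pipeline from passing files the engine never examined.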

Davinci_uk

I tried to manually download defs as well.

Just remember, these are in a different location to the normal SEP clients.

I.e.2008 > c:\Program Data\Symantec\Java LiveUpdate\Downloads

I also do not know why Intelligent Updater does not detect this directory - maybe you need to copy and run from the dir?

TSE-JDavis

Scan Engine is not fully compatible with a 64-bit environment. On a 32-bit operating system, definitions are saved to C:\Program Files\Common Files\Symantec Shared\VirusDefs. Scan Engine is hardcoded to only look here for the shared definitions site. Intelligent Updater knows that on a 64-bit operating system, 32-bit definitions are stored in C:\Program Files (x86)\Common Files\Symantec Shared\VirusDefs. Intelligent Updater doesn't see any product using that directory, so it says no products found.

Please follow this document to manually drop the definitions into the directory Scan Engine is looking for them:

http://www.symantec.com/business/support/index?pag...

Davinci_uk

That's great - thanks for the detailed explanation!

Makes sense now.