
SEP scan stuck on a specific pdf file

Created: 28 Aug 2012 | 21 comments

There is a PDF file that the Symantec scan always gets stuck on. It is stuck so long that the next scheduled scan starts while the old scan is still scanning. We didn't have this problem with this file on SEP 11, but it has always happened since we upgraded to 12. We ran a manual scan on the same file and it has the same behaviour. I checked the file and was able to read it without any issue, so there should not be any corruption in the file itself.

Is there a way to find what the cause of the problem was?

 

Thanks

 

 


pete_4u2002's picture

Can you scan only that PDF file and let us know whether the scan completes? Right-click on the PDF file and select Scan for viruses.

Swapnil khare's picture

Is this file on a shared drive?

If yes, move it to some local drive first.

How big is the file?

Which server is this? Is it a DB server, or which one?

Is this file in read-only mode, or is it protected or shared with other users?

Uncheck read-only / disable shares if this is shared, and then try to scan.

Let us know how it goes.

 

Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.

 

lastday's picture

This is a file stored on a local drive where the SEP client is installed. It is about 40M and it is not read-only.

I copied this file to another location and tried the manual scan, and it was still stuck there for 2 hours and I stopped the scan.

Swapnil khare's picture

What happens if you copy this file entirely to another machine and then scan it?

 


 

Swapnil khare's picture

Well, this is not going well; try the below.

What version of PDF is this Adobe Reader?

Try upgrading it if this is at a lower version. If this fails too, then copy the content from this PDF, make a new PDF file, scan it and see what happens. If this one fails too, let us know.

All the best

 


 

lastday's picture

What do you mean by lower the version? I checked the pdf properties and it was created in 6. I am not sure how to clone the content from one pdf to another one. It has quite a few images in there and I don't think saving as doc will work.

.Brian's picture

See if this may help:

 

How to Configure Sysinternals' Process Monitor to Record Symantec's Auto-Protect Events

http://www.symantec.com/business/support/index?page=content&id=TECH98079

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

Mithun Sanghavi's picture

Hello,

Is this PDF file good and authenticated? Is the file Password protected?

What version of SEP 12.1 are you running? If you are running an older version of SEP 12.1, could you migrate to the Latest version of SEP 12.1 RU1 MP1 and check if that resolves the issue.

Did you work on the steps provided by Brian above?

Awaiting your reply.

Mithun Sanghavi
Senior Consultant
MIM | MCSA | MCTS | STS | SSE | SSE+ | ITIL v3


cus000's picture

I suggest you raise a case with Support.

40 MB ain't that big a file... let them check further.

One thing you can self-test is to copy this PDF file to a different PC and scan it there... see what happens.

lastday's picture

The PDF is not password protected or secured in any way. I did try doing the scan on another PC and it is still the same. However, it worked with SEP 11. Saving as another PDF didn't help either. I don't think Brian's suggested KB is related to our case, as we don't use Process Monitor, and it was the manual scan, not Auto-Protect, that triggered the problem.

 

We are running SEP 12.1 RU1 MP1.

Swapnil khare's picture

Do you have a policy in Application and Device Control to control the Stuxnet virus, which was through PDF?

If this is a managed client, I would suggest creating a test group and then moving this client in SEPM to this test group. Reboot the problem machine, make sure the policy number matches between the test group and SEP on this machine, and proceed with the scan...

 


 

lastday's picture

No, we don't use Application and Device Control and it is disabled. As I said, this happens on any machine with SEP 12 installed.

Swapnil khare's picture

Did you try moving the machine to another group within SEPM and then scanning?

 


 

lastday's picture

The machines on which I tried to scan the file are from different groups; they have different policies, but the settings are almost identical.

The problem is that it only happens on this particular PDF.

Swapnil khare's picture

Please open an incident with Support.

 


 

la_ripper's picture

Can you upload the vpdebug logs?

This log will record the scanning process.

Below are the steps to collect vpdebug logs:

http://www.symantec.com/business/support/index?page=content&id=TECH102939

Note: Please collect the logs while reproducing the issue.

In the meanwhile, can you try the below steps:

i) Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\LocalScans

Look to see if you can find an alphanumeric entry, for example: b97f12f7-9b40-e6dc-0102-53a977ab6236

If there is more than one such entry, delete it, reboot the machine and check.

ii) Exclude the PDF from scanning and check if the scan proceeds.

Awaiting the vpdebug logs to understand what's happening.

Don't forget to mark your thread as 'solved'  or vote with the answer that best helped you!
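
An added example, not part of the original post and not Symantec tooling: a read-only PowerShell check for step i) above that exports the LocalScans key as a backup and lists the GUID-named entries under it, without deleting anything. The backup file location and the GUID pattern are assumptions; the registry path is the one quoted in the post.

```powershell
# Added example: inventory of GUID-named entries under the LocalScans key.
# Read-only apart from writing a .reg backup; no registry data is changed.
param(
    # Registry path as quoted in the post (PowerShell drive form).
    [string]$KeyPath = 'HKLM:\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\LocalScans',
    # Hypothetical backup location; choose one that suits your environment.
    [string]$BackupFile = "$env:TEMP\LocalScans-backup.reg"
)

if (-not (Test-Path -LiteralPath $KeyPath)) {
    Write-Warning "Key not found: $KeyPath"
    return
}

# reg.exe expects the HKLM\... form rather than the HKLM:\ drive form.
$regPath = $KeyPath -replace '^HKLM:\\', 'HKLM\'
& reg.exe export $regPath $BackupFile /y | Out-Null
if ($LASTEXITCODE -ne 0) {
    Write-Warning "Backup export failed (exit code $LASTEXITCODE); run from an elevated prompt."
    return
}

# Assumed pattern: entries shaped like the post's example,
# b97f12f7-9b40-e6dc-0102-53a977ab6236, with optional braces.
$guidPattern = '^\{?[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}\}?$'

$entries = @(
    Get-ChildItem -LiteralPath $KeyPath |
        Where-Object { $_.PSChildName -match $guidPattern } |
        ForEach-Object {
            [pscustomobject]@{
                Name        = $_.PSChildName
                ValueCount  = $_.ValueCount
                SubKeyCount = $_.SubKeyCount
            }
        }
)

$entries | Format-Table -AutoSize
Write-Output "GUID-named entries found: $($entries.Count)"
Write-Output "Backup written to: $BackupFile"

if ($entries.Count -gt 1) {
    Write-Output 'More than one GUID-named entry exists; this is the condition the post describes.'
}
```

The exported .reg file can be re-imported with `reg.exe import` if a later manual change to the key needs to be undone.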
 

lastday's picture

Thanks guys. I have created a support instance using the Symantec support portal.

 

 

John Cooperfield's picture

Are you able to post a resolution, so others can see it?

 

Thanks

lastday's picture

Actually there is a bug with the decomposing engine in 12.1 RU1. The problem is fixed by upgrading the client to 12.1 RU2.

 

John Cooperfield's picture

 

FYI, for the decomposer bug: Symantec pushed out a silent fix through LiveUpdate on about Dec. 28, 2012.

The fix leaves behind a very small log file.

 

About the LiveUpdate patch for Symantec Advisory SYM-12-017

http://www.symantec.com/docs/TECH200168

or http://www.symantec.com/business/support/index?page=content&id=TECH200168

 

HTH