SEP scan stuck on a specific pdf file
Created: 28 Aug 2012 | 21 comments
There is a PDF file that the Symantec scan always gets stuck on. It is stuck so long that the next scheduled scan starts while the old scan is still scanning. We didn't have this problem with this file on SEP 11, but it has always happened since we upgraded to 12. We ran a manual scan on the same file and it has the same behaviour. I checked the file and was able to read it without any issue, so there should not be any corruption in the file itself.
Is there a way to find what the cause of the problem was?
Thanks
Can you scan only that PDF file and let us know whether the scan completes? Right-click on the PDF file and select Scan for viruses.
Cheers!
Pete
Help Link: http://www.symantec.com/business/support/overview.jsp?pid=54619
Is this file on a shared drive?
If yes, move it to some local drive first.
How big is the file?
Which server is this? Is it a DB server, or which one?
Is this file in read-only mode, or is it protected or shared with other users?
Uncheck read-only / disable shares if this is shared and then try to scan.
Let us know how it goes.
Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.
Swapnil
This is a file stored on a local drive where SEP client is installed. It is about 40M and it is not read-only.
I copied this file to another location and tried the manual scan, and it was still stuck there for 2 hours and I stopped the scan.
What happens if you copy this file entirely to another machine and then scan it?
Swapnil
That is what I did and it behaved the same.
Well, this is not going well; try the below.
What version of PDF is this Adobe Reader?
Try upgrading it if this is at a lower version. If this fails too, then copy the content from this PDF, make a new PDF file, scan it and see what happens. If this one fails too, let us know.
All the best
Swapnil
What do you mean by lower the version? I checked the pdf properties and it was created in 6. I am not sure how to clone the content from one pdf to another one. It has quite a few images in there and I don't think saving as doc will work.
See if this may help:
How to Configure Sysinternals' Process Monitor to Record Symantec's Auto-Protect Events
http://www.symantec.com/business/support/index?page=content&id=TECH98079
SEP Knowledge Base
Endpoint SWAT
Hello,
Is this PDF file good and authenticated? Is the file Password protected?
What version of SEP 12.1 are you running? If you are running an older version of SEP 12.1, could you migrate to the latest version of SEP 12.1 RU1 MP1 and check if that resolves the issue?
Did you work on the steps provided by Brian above?
Awaiting your reply.
Mithun Sanghavi
Symantec Technical Support Engineer, SEP
MIM | MCSA | MCTS | STS | ITIL v3
Twitter: @mithun_sanghavi
Don't forget to mark your thread as 'SOLVED' with the answer that best helps you.
I suggest you raise a case with Support.
40 MB ain't that big a file... let them check further.
One thing you can self-test is to copy this PDF file to a different PC and scan it there... see what happens.
The PDF is not password protected or secured in any way. I did try doing the scan on another PC and it is still the same. However, it worked with SEP 11. Saving as another PDF didn't help either. I don't think Brian's suggested KB is related to our case, as we don't use Process Monitor and it was the manual scan, not Auto-Protect, that triggered the problem.
We are running SEP 12.1 RU1 MP1.
Do you have a policy in Application and Device Control to control the Stuxnet virus, which was through PDF?
If this is a managed client, I would suggest creating a test group and then moving this client from SEPM to this test group. Reboot the problem machine, make sure the policy number matches between the test group and SEP on this machine, and proceed with the scan...
Swapnil
No, we don't use Application and Device Control and it is disabled. As I said, this happens on any machine with SEP 12 installed.
Did you try moving the machine from SEPM to another group within SEPM and then scanning?
Swapnil
The machines on which I tried to scan the file are from different groups; they have different policies but the settings are almost identical.
The problem is that it only happens on this particular PDF.
Please open an incident with Support.
Swapnil
Can you upload the vpdebug logs?
This log will record the scanning process.
Below are the steps to collect vpdebug logs:
http://www.symantec.com/business/support/index?page=content&id=TECH102939
Note: Please collect the logs while reproducing the issue.
In the meanwhile, can you try the below steps:
i) Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\LocalScans
Look for an alphanumeric entry, for example: b97f12f7-9b40-e6dc-0102-53a977ab6236
If there is more than one such entry, delete it, reboot the machine and check.
ii) Exclude the PDF from scanning and check if the scan proceeds.
Awaiting the vpdebug logs to understand what's happening.
Don't forget to mark your thread as 'solved' or vote with the answer that best helped you!
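The registry check from step i) above, as an added read-only example (not part of the original post and not Symantec tooling): it lists GUID-named subkeys under LocalScans and writes a .reg backup when a key holds more than one, so any manual deletion can be reverted. The Wow6432Node path, the helper name `Get-LocalScanEntries` and the backup file names are assumptions.

```powershell
# Added example: read-only inventory of the LocalScans key named in the post.
# Nothing is deleted here; the backup exists so a manual clean-up can be undone.
$candidates = @(
    # Path exactly as given in the post
    'HKLM:\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\LocalScans',
    # Assumption: 32-bit registry view used on 64-bit Windows
    'HKLM:\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\LocalScans'
)

# GUID-shaped subkey name, e.g. b97f12f7-9b40-e6dc-0102-53a977ab6236
$guidPattern = '^\{?[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}\}?$'

function Get-LocalScanEntries {   # hypothetical helper name
    param([string[]]$Path = $candidates)
    foreach ($p in $Path) {
        if (-not (Test-Path -LiteralPath $p)) { continue }
        Get-ChildItem -LiteralPath $p |
            Where-Object { $_.PSChildName -match $guidPattern } |
            ForEach-Object {
                [pscustomobject]@{
                    Parent = $p
                    Name   = $_.PSChildName
                    Values = ($_.GetValueNames() -join ', ')
                }
            }
    }
}

$entries = @(Get-LocalScanEntries)
$entries | Format-Table -AutoSize

foreach ($group in ($entries | Group-Object Parent)) {
    if ($group.Count -le 1) { continue }   # the post only flags "more than one"
    # reg.exe wants HKLM\... rather than the PowerShell drive form HKLM:\...
    $native = $group.Name -replace '^HKLM:\\', 'HKLM\'
    $tag    = if ($group.Name -match 'Wow6432Node') { 'wow64' } else { 'native' }
    $file   = Join-Path $env:TEMP "LocalScans-$tag.reg"
    reg.exe export $native $file /y | Out-Null
    Write-Output "$($group.Count) scan entries under $($group.Name); backup: $file"
}
```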
Thanks guys. I have created a support instance using the Symantec support portal.
Are you able to post a resolution, so others can see it?
Thanks
Actually there is a bug with the decomposing engine in 12.1 RU1. The problem is fixed by upgrading the client to 12.1 RU2.
FYI, for the decomposer bug: Symantec pushed out a silent fix through LiveUpdate on about Dec. 28, 2012.
The fix leaves behind a very small log file.
About the LiveUpdate patch for Symantec Advisory SYM-12-017
http://www.symantec.com/docs/TECH200168
or http://www.symantec.com/business/support/index?page=content&id=TECH200168
HTH