Uploading a non-malware file to a SharePoint site returns "Virus Found" when Symantec Protection for Sharepoint Servers (SPSS) is installed.
search cancel

Uploading a non-malware file to a SharePoint site returns "Virus Found" when Symantec Protection for Sharepoint Servers (SPSS) is installed.

book

Article ID: 172847

calendar_today

Updated On:

Products

Protection for SharePoint Servers

Issue/Introduction

 

One of the two following scenarios are occurring:

  • When end-users attempt to upload any file to SharePoint sites  "Virus Found"  is displayed.
  • When end-users attempt to upload large files to Sharepoint sites "Virus Found" is displayed.

 

The SharePoint site display of "Virus Found" is a generic message from Microsoft's Virus Scan API (VSAPI) when no scan results are returned.

SharePoint ULS logs display the following:

w3wp.exe    SharePoint Foundation      Critical       Failed to scan file /sites/SiteName/Location/FileName.Extension due to scanner timeout.    
w3wp.exe    SharePoint Foundation      High           Virus scan took 29985 ms (get thread: 1 ms; scan: 29984 ms; clean: 0 ms)   

 

Cause

 

There are multiple possible causes for this issue.

  1. Symantec Protection for SharePoint Servers (SPSS) service is not running.
  2. No Symantec Protection Engine (SPE) scanners are avaialble.
  3. VSAPI timeout was exceeded.
  4. Symantec Protection for SharePoint Servers timeout was exceeded.

 

Resolution

 

1) Symantec Protection for SharePoint Servers (SPSS) service is not running:

When SPSS is installed to SharePoint configurations are made to define the Virus Scan server Microsoft's VSAPI will send scan requests to.  If Microsoft's VSAPI is unable to contact the defined server is will return "Virus Found" to the end user for all scan requests.

Ensure SPSS service is running.

 

2)  No Symantec Protection Engine (SPE) scanners are avaialble.

If Symantec Protection for SharePoint Servers (SPSS) has no avaialble SPE scanners to target for the scan request "Virus Found" will be displayed for all scan requests.

SPSS routinely performs ICAP connections to the defined SPE scanners to determine the status of the scanners.  If it is unable to communicate to the defined scanners it will not attempt to send scan requests to the scanner.  If all scanners are either manually disabled in SPSS, or SPSS is unable to communicate to all scanners that are listed as enabled it will fail to receive a scan verdict and report this failure to VSAPI.  VSAPI then displays this as "Virus Found".

To prevent this from occurring ensure SPSS always has at least one active scanner avaialble to perform scan requests.

 

3) VSAPI timeout was exceeded:

Microsoft's VSAPI by default has a 300 second timeout.  If this timeout is exceeded prior to Symantec Protection for Sharepoint Servers (SPSS) providing a scan result VSAPI will return "Virus Found" to the end user.

As part of SharePoint, Microsoft provides a command line tool named "STSADM.EXE".  This tool provides the options to query and modify VSAPI settings.  The following commands can be utilized to Query and Set the the VSAPI timeout:

Query VSAPI timeout value: (Default: 300 seconds)

STSADM.EXE -o getproperty -pn avtimeout 

Set VSAPI timeout value: (Default: 300 seconds)

STSADM.exe -o setproperty -pn avtimeout -pv 300

IISRESET.exe /restart

 

For more information see:  https://docs.microsoft.com/en-us/previous-versions/office/developer/sharepoint-2010/aa979518(v%3Doffice.14)

 

4) Symantec Protection for SharePoint Servers (SPSS) timeout was exceeded:

Symantec Protection for Sharepoint Servers (SPSS) leverages a configuration file located at <SPSS Install Path>\SharePoint\Symantec.Sharepoint.SPSSService.exe.config to set the timeout values.

SPSS has two timeout values specified within the file:

  • ScanSendTimeoutsec  (Default 60 seconds)
  • ScanReceiveTimeoutsec  (Default 600 seconds)

By default the SPSS ScanReceiveTimeoutsec value is twice as long as VSAPI timeout meaning SPSS will never timeout before VSAPI unless VSAPI setting has been modified from default.  However, if VSAPI timeout is increased higher than SPSS timeout you can adjust the SPSS timeout by performing the following:

  1. Make a backup copy of Symantec.Sharepoint.SPSSService.exe.config
  2. Open Symantec.Sharepoint.SPSSService.exe.config in notepad.exe
  3. Locate <add key="ScanReceiveTimeoutsec" value="600" />
  4. Modify value="600" to the deired value in seconds.  Example value="900"
  5. Save the changes.
  6. Restart the Symantec Protection For Sharepoint Servers service
  7. Open a command prompt (cmd.exe)
  8. Run the command:  IISRESET /restart

 

 

Additional Information:

Configuring Symantec Protection Engine timeouts will not impact this issue.  If Symantec Protection Engine times out it will return a scan result to SPSS, which delivers a specific message to VSAPI which displays similar to the following in both the Site and in the ULS logs:

infected by "1 - The file: Filename.Extension -contains Unscannable Content.  Reason: Time Violation -Status: Blocked Source : Symantec Protection for SharePoint Servers"