Tuesday, May 29, 2012 9:21 AM
I have installed Forefront Protection 2010 for SharePoint on the SharePoint Server (running Windows Server 2008 x64). After Scan Engine Updates we are getting the below error in the SharePoint URL, and it is not accessible at all.
virus scanner has encountered an error in scanning the file. Please try opening the file directly from the browser, or contact your administrator.
Date and Time: 29-5-2012
Also in the Event Viewer log on the SharePoint Server we get the following error: Scan/Clean document https://sharepoint/_catalogs/theme/Themed/9262B884/theme.thmx failed with error code -2146697192
We believe the main CSS of the SharePoint is blocked, so is there any way to add it to the exemption rule? Also, this is what we are assuming, but please let me know if you guys know any other cause of the problem and also solutions, if any. Let me know if you need any more information from my side.
Please help as it is critical for us to start the SharePoint website as soon as possible.
Thursday, May 31, 2012 8:10 AM Moderator
Thank you for the post.
If there are more inquiries on this issue, please feel free to let us know.
TechNet Community Support
Tuesday, June 05, 2012 7:11 AM
Thanks for the reply. Just want to know: is there any option to exclude the whole folder instead of a file? I want to exclude the whole SharePoint installation folder, because the main issue we are facing is that while FEP is scanning, it times out at the main CSS of the SharePoint website and hence it blocks the CSS. Now because of that the SharePoint homepage does not load and gives the above-mentioned error, while some sub pages open with text only and the CSS is missing. So we just want to exclude the whole folder, and in that way the CSS, from scanning too.
Please let me know how we can do that. Also let me know if any more information is needed or if my explanation was confusing.
Thursday, June 07, 2012 2:51 AM Moderator
As far as I know, there is no option to exclude a folder. The workaround is to use wildcard characters to refine filters based on the quarantined files list.
TechNet Community Support
- Proposed As Answer by Nick Gu - MSFT (Microsoft Contingent Staff, Moderator) Friday, June 08, 2012 4:10 AM
- Marked As Answer by Rick Tan (Moderator) Friday, July 06, 2012 2:41 AM
Wednesday, June 13, 2012 5:21 PM
I think there is a bit of confusion here. The file/folder exclusions specified above by Rick are for the file system AV (FEP or FCS). The AV that is scanning the content of the SharePoint database is FPSP. (Confusing, I know :) ). You should definitely configure the exclusions in the KB article that Rick previously provided.
That said, it looks like the error that you are receiving is coming from FPSP rather than FEP. With FPSP it is not possible, by design, to skip the AV scanning of any file type. The realtime AV scanning is basically on or off.
From the message above it looks like something occurred during scanning that was unexpected. Normally these events are either a timeout event or an engine error event. The incidents log in Forefront should provide you with further details ("FPSP Console-->Monitoring-->Incidents").
The problem can arise that if a file is marked as infected, then SharePoint will block future access to this file. To resolve this, you must perform a manual scan ("FPSP Console-->Tasks-->On-Demand Scan", or "FPSP Console-->Policy Management-->Antimalware-->Scheduled"), which will force the file to be rescanned even if it is marked as infected in the SharePoint database. You can configure the scan to only scan a subset of the whole database.
If this is a timeout event, then the timeout can be increased: "FPSP console-->Policy Management-->Antimalware-->Realtime-->Maximum container scan time" and "SharePoint Central Administration-->Security-->Manage Antivirus Settings-->Antivirus timeout".
If this is an EngineError, then probably the easiest way to address this is to rebuild the engine (if you know which one caused the issue) or all the engines (please do this 1 by 1).
The easiest way to rebuild the engines is to rename the individual engine folder (normally located in "C:\Program Files\Microsoft Forefront Protection for SharePoint\Data\Engines\amd64"), e.g. rename the "Norman" folder to "Old.Norman".
After doing this, open the FPSP console, navigate to "Policy Management-->Global Settings-->Advanced Options". Here set the "Engine Management" to "Manual", click save and under "Update scheduling", highlight the engine that you previously renamed and click "Update selected engine".
I hope this helps,
Thursday, June 14, 2012 10:46 AM
Thanks for the detailed reply. Thanks for understanding my issue. Finally we have started walking in the right direction here. Yes, it is an issue with FPSP, not FEP. I think there is confusion as there are 2 different products: FEP for SP and FPSP (Forefront Protection 2010 for SharePoint). We have FPSP. Now 1 thing I would like to know is where we can find the logs, as your mentioned path (FPSP Console-> Monitoring-> Incidents) is empty. There is nothing to see, so we actually want to see the logs. The reason why I tell you:
OK, FEP is finding some infected files and blocking access to them, but we do not get any message about which file was infected, or whether it quarantined it, blocked it or removed it. No message at all, so maybe in the logs we might find out which file it is detecting as infected and blocking, and in that way the SharePoint site gets blocked eventually. So please tell me how I can check the logs and where I can find them, as Incident is empty, so we can determine if it is due to a timeout or an engine failure issue.
Also, as per your suggestion I have already increased the time-out period in both the Container scan time and AV Timeout. Also we have disabled engine updates for all, and now we have disabled all the engines except 1: the Microsoft engine is running, so all other engines are disabled and updates for all the engines are disabled. So do you think it might be an engine issue? Please guide me here so we can determine the cause of the issue and try to resolve it.
Tuesday, June 19, 2012 7:31 AM
Hope you are doing fine. Well, it has been a few days since your last post, so just following up: did you get any chance to look at my earlier post? If so, please guide me on where I can look for the logs so I can determine if it is an engine issue or a timeout and rectify the issue, please.
Any help from anybody is appreciated, as it has led us to think of completely uninstalling FPSP if a solution is not found soon enough. Help please.
Wednesday, June 20, 2012 8:56 AM
If you want to confirm if FPSP is blocking the file or not, the best way is to use the verbose logging option. To do this, open a Forefront PowerShell window and enter the PowerShell command:-
Set-FSSPTracing -Level verbose
When you have finished reproducing the issue, you should run:-
Set-FSSPTracing -Level information
To reset the tracing level to its normal state.
To cut down the number of events you will need to review in the final log file, if possible I would recommend that before and after reproducing the issue, you restart the Forefront Controller service, as this should force all buffered events to be flushed to the programlog.etl file, the current programlog.etl to be renamed and archived to the ProgramlogArchive folder, and a new programlog.etl file to be created.
After you have done all of this, you need to locate the interesting programlog*.etl file (these have the filename structure Programlog-<Date and Time written backwards>.etl). This will probably be in the ProgramlogArchive folder, if you have restarted the service.
When you have located the correct programlog, you need to format this. Details on how to format a programlog can be found at:-
(you will have to change the filename from programlog.etl to Programlog-<Date and Time written backwards>.etl)
You should then be able to search the text log file produced to find the file that's experiencing the issue. If you do not find the file anywhere, this would point to SharePoint blocking access to this file, in which case you should run a manual or scheduled scan to force this file to be rescanned and the VirusStatus flag reset.
I hope this helps,
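
The trace-capture procedure from the reply above, collected into one script as an added example (not part of the original thread and not a Microsoft-supplied script). Assumptions: the ProgramlogArchive folder sits under the product's Data folder, the controller service matches the display-name pattern shown, and `$FormattedLog` is wherever you write the text output after formatting the .etl file as the reply describes.

```powershell
# Added example. Run it in the Forefront PowerShell window the reply refers to,
# so that Set-FSSPTracing is available.
param(
    # Assumption: Data folder, taken from the Engines path quoted earlier in the thread.
    [string]$DataDir = 'C:\Program Files\Microsoft Forefront Protection for SharePoint\Data',
    # File name from the Event Viewer error in the first post.
    [string]$Needle = 'theme.thmx',
    # Hypothetical path: where you save the formatted (text) version of the trace.
    [string]$FormattedLog = "$env:TEMP\programlog.txt"
)

# Assumption: display-name pattern for the Forefront Controller service.
$controller = Get-Service -DisplayName '*Forefront*Controller*'
if (-not $controller) { throw 'Forefront Controller service not found; adjust the pattern.' }

$start = Get-Date
Set-FSSPTracing -Level verbose
$controller | Restart-Service -Force   # flush buffered events, start a fresh programlog.etl

Read-Host 'Reproduce the failing SharePoint request now, then press Enter' | Out-Null

$controller | Restart-Service -Force   # archive the trace that covers the reproduction
Set-FSSPTracing -Level information     # back to the normal tracing level

# Archived traces written since the capture started (Programlog-<date and time>.etl).
$archive = Join-Path $DataDir 'ProgramlogArchive'
Get-ChildItem -Path $archive -Filter 'Programlog-*.etl' |
    Where-Object { $_.LastWriteTime -ge $start } |
    Sort-Object LastWriteTime |
    Select-Object Name, Length, LastWriteTime

# Format the selected .etl to text as the reply describes, save it to $FormattedLog,
# then run the script again up to this point or execute the lines below on their own.
if (Test-Path $FormattedLog) {
    $hits = Select-String -Path $FormattedLog -Pattern $Needle -SimpleMatch
    if ($hits) {
        # FPSP handled the file: read these lines for a timeout or an engine error.
        $hits | Select-Object -First 20 LineNumber, Line
    } else {
        # No trace of the file: per the reply, SharePoint itself is blocking it,
        # so an on-demand or scheduled scan is needed to reset the VirusStatus flag.
        "No trace lines mention '$Needle'."
    }
}
```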