none
How to configure Realtime Timeout in FF for Exchange?

    Question

  • Dear all,

    following situation: E2K7 SP1 RU7, W2K8, Forefront for Exchange SP1
    We would like to change the default Realtime Timeout timer to 10 Minutes. Reason: Users which try to send emails with large attachments do get the following error message:
    Microsoft Forefront Security for Exchange Server has detected a virus.

    Virus name: "Exceeded Realtime Timeout"

    Moreover, we get the following error message in the event log:
    Source: FSEVsapi
    EventID: 5066
    Description: Realtime scan exceeded the allowed scan time limit.

    Where is the right location in the registry to change to default value????
    We´ve tried the following:
    HKEY_LM\System\CurrentControlset\Services\MSExchangeIS\Virusscan => New DWORD: RealtimeTimeout = 600000
    After restarting Exchange Server we´ve the same issue.

    Any ideas?

    Thx,
    Lars

    Friday, March 27, 2009 3:32 PM

All replies

  • Hello Lars-

    Here is information from the FSE user guide (The final two paragraphs have the information you need.):

    About Realtime scan recovery

    In the event that the Realtime Scan Job takes longer than a specified amount of time to scan a file (default is 5 minutes or 300,000 milliseconds), the process is terminated and Forefront Security for Exchange Server attempts to restart the service. If successful, real-time scanning resumes and a notification is sent to the administrator stating that the Realtime Scan Job exceeded the allotted scan time and recovered.

    When the new real-time scan process starts, the message that caused it to terminate is reprocessed according to the action set in the General Option setting Realtime Scan Timeout Action. For example, if it is set to Delete, Forefront Security for Exchange Server deletes the file, replaces its contents with the Deletion Text for the Realtime Scan Job, logs the information, and quarantines and archives the file. If Forefront Security for Exchange Server again times out while processing the message, the message will be delivered without being scanned. (For more information about General Options, see Forefront Server Security Administrator.)

    If the process cannot be restarted, a notification is sent to the administrator stating that the Realtime Scan Job stopped. In this event, real-time scanning for the particular storage group will not function, but the information store will not stop.

    The default time-out for message scanning can be modified by creating the DWORD registry value RealtimeTimeout and setting a new time-out. The value is in milliseconds.

    If you continue to have time-out problems, you may try increasing the time specified in the RealtimeTimeout registry value. Because this is a hidden registry value, you must create a new DWORD registry value called RealtimeTimeout, set the Base to Decimal, and type the time in milliseconds in the Value data box. Recycle the Exchange and Forefront Security for Exchange Server services for the change to take effect. For more information about registry values, see Registry keys.

    ********************************

    You can find this section on Realtime scanning on TechNet here:  (http://technet.microsoft.com/en-us/library/bb795076.aspx)  You may also want to read the section on Registry Keys for additional info before you proceed. (http://technet.microsoft.com/en-us/library/bb795071.aspx)  

    -Michel 

    Wednesday, April 01, 2009 8:22 PM