Antigen for Exchange found Body of Message infected with Exceeded Internet


  • I have recently installed Antigen 9.0 SP1 on an Exchange Server 2003 server.

    I also installed Antigen 9.0 SP1 in a lab environment and I am seeing the same errors. Did I miss something in the setup?

    I'm getting emails with that subject lines and a body listed below:


    Subject line "Antigen found a virus"

    Microsoft Antigen for Exchange found a file infected with a virus.  The file is currently Removed.

    File name: "Body of Message"

    Virus name: "Exceeded Internet Timeout"

    Message subject: "Antigen found a virus"

    Sent from: "Antigen_Servername"

    Folder: "SMTP Messages\Internal"

    Location: "Domainname/First Administrative Group/Servername"



    Subject line "Antigen internet scan timed out and recovered"



    The original contents of this file have been replaced with

    this message because of its characteristics.

    File name: "Body of Message"

    Virus name: "Exceeded Internet Timeout"



    Subject line "Antigen realtime scan timed out and recovered"




    The original contents of this file have been replaced with

    this message because of its characteristics.

    File name: "Body of Message"

    Virus name: "Exceeded Internet Timeout"



    Thank you for any assistance
    Monday, January 28, 2008 2:08 PM

All replies

  • That means that the it took longer then the default time limit to scan the message. The default is 2 minutes. Because you have the Internet Scan Timeout Action set to Delete, the message was deleted. It also appears that it's actually the body of the message that Antigen is timing out on, and not an attachment:

    File name: "Body of Message"


    And that it's timing out on it's own notification - so there was another message that Antigen timed out on, Antigen sent the notification stating that it timed out on it, and then it timed out on that notification, which is odd. You have to find the original message that Antigen timed out on and look at the body of it to see if it's especially large.


    Did you change the timeout limit?


    ~Holly Kipp



    Tuesday, January 29, 2008 7:16 PM
  • I have set the Max container scan timeout to 300000 ms. That would be 5minutes.  Is there anywhere else to set the timeout?


    I am seeing theses message on two completely separate fresh installations of Antigen for Exchange.


    I am still receiving there errors. I have sent email with nothing in body, text in the body and messages with attachments. Any and all of the emails cause the timeout and virus detection notification. I currently have it set to use 4 scan engines and neutral bias.


    I am pretty sure I do not have a virus in the email as I receive the errors even when I do not have anything other than a subject line in the email.

    Thursday, January 31, 2008 5:47 PM
  • Ok now I am perplexed.

    I increased the Max container scan timeout to 600000 ms, 10 minutes and the timeout and virus messages stopped.

    I then progressively step down the time out to 5, 3, 2, and then 1 minute. Even with the timeout set to 1 minute. The timeout and virus messages have not returned.


    The system appears to be functioning correctly.


    Why did I need to increase the timeout so high for the timeout and virus messages to stop, and why did they not come back when I lowered the timeout.


    This is a fresh install would not have expected to need to adjust the time out just to make Antigen work.


    I had changed the action to detect only when I had increased the timeout to 5 minutes, so I was able to use the same message to test at 10 minutes and then the decreasing timeout. I also tested using new mail messages.


    Friday, February 01, 2008 12:44 PM
  • The Max Container Scan Time is totally seperate from the scan job timeout - the Max Container Scan Tim is described as this in the User Guide:


    Specifies the number of milliseconds that Antigen will scan a compressed attachment before reporting it as a ScanTimeExceeded virus. This setting is intended to prevent denial of service risk from zip of death attacks. The default value is 120,000 milliseconds (two minutes).


    So it only affect compressed attachments. The scan job timeout is determined by a registry key called either RealtimeTimeout or InternetTimeout - by default these are hidden registry keys in HKLM->Software->Sybari Software->Antigen for Exchange. They are DWord values and should be set in decimal in milliseconds - as I said, by default they are set to 2 minutes.


    Why increasing the Max Container Scan Time resolved your issue, I don't know.You said that you even tried using emails with no body and no attachments. It seems odd that the Max Container Scan Time would affect this. I'd recommend contact Support and opening a case to further troubleshoot this - there may be something else at play here, as I've never heard of this. 



    Friday, February 01, 2008 3:58 PM