ScanRealtimeTimeoutE

ScanRealtimeTimeoutE_3_Rule (Rule)

Knowledge Base article:

Management Pack
Summary

The Realtime Scan Job exceeded the scanning time limit for a particular scan task. A timeout action deliberately results in the Realtime Scan Job being reloaded.

Causes

1. Extremely large or highly compressed files that result in a very large file scanning task.
2. Files that cause a particular scan engine to hang during scanning execution.

Resolutions

Recovery from this situation is automatic. However, if this type of event occurs frequently, you are advised to contact Microsoft Support.

© 2006 Microsoft Corporation, all rights reserved.

Element properties:

Target: Microsoft.ForeFront.Exchange.Forefront_Security_for_Exchange_Server___Hub_Transport__Mailbox__Public_Folder_Installation
Category: EventCollection
Enabled: True
Alert Generate: True
Alert Severity: Warning
Alert Priority: Low
Remotable: True
Alert Message: ScanRealtimeTimeoutE
    $Data/EventDescription$
Comment: Mom2005ID='{4C130004-F24C-4C80-938E-488A44C6DB28}';MOM2005ComputerGroupID={E5B12036-BF17-41E6-9649-E18D61E71190}

Member Modules:

ID                                      Module Type  TypeId                                                 RunAs
_04B70447_389D_4DBE_B99E_A5ACC8636261_  DataSource   System.Mom.BackwardCompatibility.GenericLogProvider2   Default
CollectEventData                        WriteAction  Microsoft.SystemCenter.CollectEvent                    Default
CollectEventDataWarehouse               WriteAction  Microsoft.SystemCenter.DataWarehouse.PublishEventData  Default
GenerateAlert                           WriteAction  System.Mom.BackwardCompatibility.AlertResponse         Default

Source Code:

<Rule ID="ScanRealtimeTimeoutE_3_Rule" Target="Microsoft.ForeFront.Exchange.Forefront_Security_for_Exchange_Server___Hub_Transport__Mailbox__Public_Folder_Installation" Enabled="true" ConfirmDelivery="false" Comment="Mom2005ID='{4C130004-F24C-4C80-938E-488A44C6DB28}';MOM2005ComputerGroupID={E5B12036-BF17-41E6-9649-E18D61E71190}">
  <Category>EventCollection</Category>
  <DataSources>
    <DataSource ID="_04B70447_389D_4DBE_B99E_A5ACC8636261_" Comment="{04B70447-389D-4DBE-B99E-A5ACC8636261}" TypeID="MomBackwardCompatibility!System.Mom.BackwardCompatibility.GenericLogProvider2">
      <PublisherName>Forefront ProgramLog</PublisherName>
      <DirectoryRecords>
        <DirectoryRecord>
          <Directory>%PROGRAMFILES%\Microsoft Forefront Security\Exchange Server\Data</Directory>
          <Patterns>
            <Pattern>ProgramLog.txt</Pattern>
          </Patterns>
        </DirectoryRecord>
      </DirectoryRecords>
      <Expression>
        <RegExExpression>
          <ValueExpression>
            <XPathQuery Type="String">EventDescription</XPathQuery>
          </ValueExpression>
          <Operator>ContainsSubstring</Operator>
          <Pattern>Realtime scan exceeded the allotted scan time limit</Pattern>
        </RegExExpression>
      </Expression>
    </DataSource>
  </DataSources>
  <WriteActions>
    <WriteAction ID="GenerateAlert" TypeID="MomBackwardCompatibility!System.Mom.BackwardCompatibility.AlertResponse">
      <AlertGeneration>
        <GenerateAlert>true</GenerateAlert>
        <Owner/>
        <Description>
          $Data/EventDescription$
        </Description>
        <AlertLevel>30</AlertLevel>
        <ResolutionState/>
        <Source>
          $Data/PublisherName$
        </Source>
        <Name>ScanRealtimeTimeoutE</Name>
        <CustomFields>
          <CustomField>Microsoft Forefront Server Security</CustomField>
          <CustomField>Forefront Security For Exchange Server</CustomField>
          <CustomField>ScanJobFailure</CustomField>
          <CustomField/>
          <CustomField/>
        </CustomFields>
      </AlertGeneration>
      <InvokerType>0</InvokerType>
    </WriteAction>
    <WriteAction ID="CollectEventData" TypeID="SystemCenterLibrary!Microsoft.SystemCenter.CollectEvent"/>
    <WriteAction ID="CollectEventDataWarehouse" TypeID="DataWarehouseLibrary!Microsoft.SystemCenter.DataWarehouse.PublishEventData"/>
  </WriteActions>
</Rule>