Summary

In InterScan Messaging Security Suite (IMSS), the user could enable Smart Scan Method to scan emails.

The VSAPI Engine uses the local pattern files to check if the scanned content contains malware and obtain cleaning instructions. If the content looks suspicious but the malware cannot be detected and cleaned using the local pattern files, it calculates the Cyclic Redundancy Check (CRC) sum for the initial portion of the content and submits this sum to the global File Reputation Server to query the malware database for all records matching the CRC. The File Reputation Server will find the malware pattern which matches the CRC to the VSAPI Engine to help it detect and clean the malware.

Sometimes, when using Smart Scan, the user may encounter a query timeout issue, such as errors appearing in log.imss.yyyymmdd.xxxx log:

2015/04/14 12:08:53 GMT+02:00        [12335:4015381392] [NORMAL][iCRC] ICRC_QUERY_ERR_NETWORK_TIMEOUT (../src/VirusFilter.cpp:1057)    2015/04/14 12:08:53 GMT+02:00        [12335:4015381392] [NORMAL][iCRC] try to insert tb_smartscan_query_error with error_time(1429006133), error_type(1) (../src/VirusFilter.cpp:1803)    2015/04/14 12:08:53 GMT+02:00        [12335:4015381392] [DEBUG]TmDBConnection::createOdbcEnv    2015/04/14 12:08:53 GMT+02:00        [12335:4015381392] [DIAGNOSTIC][iCRC] success to insert tb_smartscan_query_error (../src/VirusFilter.cpp:1843)    

It is because iCRC module has query timeout threshold of 1.5 seconds. It means that when IMSVA scan those emails, if it spends more than 1.5 seconds to query iCRC server timeout will happen and email status will be unscanned.