One of the two following scenarios are occurring:
The SharePoint site display of "Virus Found" is a generic message from Microsoft's Virus Scan API (VSAPI) when no scan results are returned.
SharePoint ULS logs display the following:
w3wp.exe SharePoint Foundation Critical Failed to scan file /sites/SiteName/Location/FileName.Extension due to scanner timeout.
w3wp.exe SharePoint Foundation High Virus scan took 29985 ms (get thread: 1 ms; scan: 29984 ms; clean: 0 ms)
There are multiple possible causes for this issue.
1) Symantec Protection for SharePoint Servers (SPSS) service is not running:
When SPSS is installed to SharePoint configurations are made to define the Virus Scan server Microsoft's VSAPI will send scan requests to. If Microsoft's VSAPI is unable to contact the defined server is will return "Virus Found" to the end user for all scan requests.
Ensure SPSS service is running.
2) No Symantec Protection Engine (SPE) scanners are avaialble.
If Symantec Protection for SharePoint Servers (SPSS) has no avaialble SPE scanners to target for the scan request "Virus Found" will be displayed for all scan requests.
SPSS routinely performs ICAP connections to the defined SPE scanners to determine the status of the scanners. If it is unable to communicate to the defined scanners it will not attempt to send scan requests to the scanner. If all scanners are either manually disabled in SPSS, or SPSS is unable to communicate to all scanners that are listed as enabled it will fail to receive a scan verdict and report this failure to VSAPI. VSAPI then displays this as "Virus Found".
To prevent this from occurring ensure SPSS always has at least one active scanner avaialble to perform scan requests.
3) VSAPI timeout was exceeded:
Microsoft's VSAPI by default has a 300 second timeout. If this timeout is exceeded prior to Symantec Protection for Sharepoint Servers (SPSS) providing a scan result VSAPI will return "Virus Found" to the end user.
As part of SharePoint, Microsoft provides a command line tool named "STSADM.EXE". This tool provides the options to query and modify VSAPI settings. The following commands can be utilized to Query and Set the the VSAPI timeout:
Query VSAPI timeout value: (Default: 300 seconds)
STSADM.EXE -o getproperty -pn avtimeout
Set VSAPI timeout value: (Default: 300 seconds)
STSADM.exe -o setproperty -pn avtimeout -pv 300
4) Symantec Protection for SharePoint Servers (SPSS) timeout was exceeded:
Symantec Protection for Sharepoint Servers (SPSS) leverages a configuration file located at <SPSS Install Path>\SharePoint\Symantec.Sharepoint.SPSSService.exe.config to set the timeout values.
SPSS has two timeout values specified within the file:
By default the SPSS ScanReceiveTimeoutsec value is twice as long as VSAPI timeout meaning SPSS will never timeout before VSAPI unless VSAPI setting has been modified from default. However, if VSAPI timeout is increased higher than SPSS timeout you can adjust the SPSS timeout by performing the following:
Configuring Symantec Protection Engine timeouts will not impact this issue. If Symantec Protection Engine times out it will return a scan result to SPSS, which delivers a specific message to VSAPI which displays similar to the following in both the Site and in the ULS logs:
infected by "1 - The file: Filename.Extension -contains Unscannable Content. Reason: Time Violation -Status: Blocked Source : Symantec Protection for SharePoint Servers"