Why does Symantec Protection Engine (SPE) scan time sometimes exceed the value set for "Time to extract file meets or exceeds"?

Article ID: 178843

Products

Protection Engine for Cloud Services, Scan Engine, Protection for SharePoint Servers, Protection Engine for NAS

Resolution

Question: Why does the actual scan time in the SPE log exceed the configured timeout value in the SPE configuration?

Answer: Symantec Protection Engine checks the scan timer after each step in the scanning process completes, not continuously in real time.

Example: The following steps are performed when scanning a file called example.zip that contains two files:

  1. A copy of example.zip is copied to the scan temp directory.
  2. The scan timer starts.
  3. The root container example.zip is scanned for threats.
  4. The scan timer is checked to see if it exceeds the scan timeout.
  5. The first sub-file is extracted from the root container.
  6. The scan timer is again checked to see if it exceeds the scan timeout.
  7. The first sub-file is checked for threats.
  8. The scan timer is again checked to see if it exceeds the scan timeout.
  9. Steps 5 through 8 are repeated for each file contained within example.zip.

If a file scan or file extraction takes a long time, the scan timeout may already have been exceeded by several seconds before the next timer check is performed. In this example, if it takes 20 seconds to extract the first file from the example.zip root container and "Time to extract file meets or exceeds" is set to 15 seconds, the scan aborts with a container violation of "extract time exceeded" and the scan time is logged as just over 20 seconds.
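The checkpoint behaviour described above can be modelled with a simulated clock. This is an added illustration, not Symantec code: the function names, the "completed" result and the per-step durations are constructed assumptions, chosen to match the 20-second extraction and 15-second limit in the example.

```python
# Added illustration: a model of checkpoint-style timeout checks, not SPE code.
# Durations are constructed sample values in milliseconds (simulated clock).

EXAMPLE_ZIP = [
    ("scan root container", 300),
    ("extract sub-file 1", 20_000),   # the slow extraction from the article
    ("scan sub-file 1", 200),
    ("extract sub-file 2", 500),
    ("scan sub-file 2", 200),
]


def run_scan(steps, timeout_ms):
    """Run steps in order, checking the timer only after each step finishes.

    Returns (result, logged_ms, last_step). A step is never interrupted,
    so the logged time can pass the limit before the check sees it.
    """
    elapsed = 0  # the timer starts after the copy to the scan temp directory
    last_step = None
    for name, duration_ms in steps:
        elapsed += duration_ms        # the step runs to completion
        last_step = name
        if elapsed >= timeout_ms:     # "meets or exceeds", checked at the checkpoint
            # The article names this violation for its extraction example.
            return ("extract time exceeded", elapsed, last_step)
    return ("completed", elapsed, last_step)


def max_overrun_ms(steps):
    """In this model the overrun is always less than the longest single step."""
    return max(duration for _, duration in steps)


if __name__ == "__main__":
    result, logged_ms, step = run_scan(EXAMPLE_ZIP, timeout_ms=15_000)
    print(f"{result}: {logged_ms / 1000:.1f}s logged, limit 15.0s, after '{step}'")
    print(f"overrun bound: {max_overrun_ms(EXAMPLE_ZIP) / 1000:.1f}s")
```

When comparing SPE log times with the configured limit, treat the limit as the point after which the next checkpoint aborts the scan; the logged time is the time at that checkpoint.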