Question: Why does the actual scan time in the SPE log exceed the configured timeout value in the SPE configuration?
Answer: Symantec Protection Engine checks the time after each step in the scanning process, and not in real-time
Example: Here are the steps that are performed during scanning of a file called example.zip that contains two files
If a file scan or file extraction takes a long time the scan timeout may have been exceeded by several seconds before the timer check is performed. In this example if it takes 20 seconds to extract the first file from the example.zip root container and the "Time to extract file meets or exceeds" is set to 15 seconds the scan will abort with a container violation of "extract time exceeded" and the scan time will be logged as just over 20 seconds.