Using Symantec Protection Engine (SPE) to scan small files sometimes takes much longer than expected.  During times when file scanning is taking longer than expected the following message may be seen in the SSE########.log.

scanning feature hung or Symantec Protection Engine is overloaded

SPE 9.x

VirtualHome in the configuration.xml is set to "true"

SPE 9.0.x introduced a featured called VirtualHome.  This feature installed a controller process which was responsible for performing definition updates via LiveUpdate.  Due to issues with the VirtualHome feature, it was disabled by default in SPE 9.2 and newer.

When files are scanned they acquire a ReadLock (shared access) on the mutex.  If LiveUpdate is run, using the VirtualHome feature, it requires an exclusive WriteLock on the mutex.  Since there is already a ReadLock on the mutex, the LiveUpdate thread can not get a WriteLock and the thread goes into a waiting condition.  Any new scan that is started while the WriteLock is in the waiting condition will not be able to get a ReadLock until the previous files have been scanned and the LiveUpdate process has completed.  This can cause scans that would normally take seconds to scan to take much longer.

Disable to VirtualHome  feature so that LiveUpdate happens directly through the symcscan process which doesn't require exclusive access to the mutex.  This will cause the definition updates and scans to occur in parallel.  To disable VirtualHome run the following command from the <SPE_INSTALL_FOLDER> and then restart the SPE services.

xmlmodifier -s //VirtualHome/@enabled false configuration.xml