KB Article #179751

McAfee Anti-Virus filter sometimes takes much longer than normal

Problem

  • Occasionally a policy flow with the McAfee Anti-Virus filter takes much longer than normal.
  • Traffic Monitor > detail view > Filter execution path > execution time shows a large value for the McAfee filter, e.g. 20+ seconds instead of a second or less.
  • Trace log at DEBUG level shows: "DEBUG Filter [McAfee Anti-Virus] completes in [large number] milliseconds."
  • Several concurrent transactions using the McAfee scan filter all show a longer execution time, and they appear to unblock and finish close together.

Resolution

First, rule out a very large message as the cause by adding the HTTP Parser filter just before the McAfee filter in your policy. Some filters execute as fast as possible, without waiting for the client to send the full payload, while others pause until the full payload is available. With the HTTP Parser filter in place, its execution time shows how long the client took to send the payload, and the McAfee filter execution time shows only how long the scan took.

If what you are seeing is the actual McAfee filter time, be aware of the following two conditions that are known to slow, pause, or block that filter (for all threads).

  1. First startup, when the scan library and Java classes are loaded.
  2. During a virus definitions update.

Recommendations:

  • Only load virus definition updates during periods of low traffic or during a maintenance window.
  • If the startup delay is a problem, only start API GW instances when traffic is redirected, and make sure a first call to a McAfee policy completes before the time-sensitive traffic is re-enabled.


Detection:

To verify whether either of these two conditions caused a particular delay, grep your instance trace logs for the following strings. Note the indicated log level: the end of the delay period is logged at INFO, but the start of the period is only logged at DEBUG level.

1. Startup

DEBUG level, string at start of the delay: "registered scanner class"
INFO level, string at end of the delay: "McAfee scanner initialised."

2. Definition update

DEBUG level, string at start of the delay: "McAfee virus scanner: attempt to load new dataset"
INFO level, string at end of the delay: "McAfee virus scanner: signatures updated"

Note that only one of the paused threads will have these log lines, though others may also be blocked. For the others, the cause must be inferred by noting that their McAfee filters all finished after the thread with the telltale log statement.
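
The correlation described above can be scripted. The following is an added example, not code from the vendor or the product: it pairs the start and end strings into delay windows, then lists slow McAfee filter completions on any thread that finished just after a window ended. The trace line layout, the thresholds, the function names and the sample lines are assumptions; only the marker strings come from this article.

```python
import re
from datetime import datetime, timedelta

# Marker strings are quoted from the article. ASSUMED: each trace line is
# "LEVEL dd/Mon/yyyy:HH:MM:SS.mmm [thread] message"; adjust TS to your logs.
MARKERS = {
    "startup": ("registered scanner class", "McAfee scanner initialised."),
    "definition update": ("McAfee virus scanner: attempt to load new dataset",
                          "McAfee virus scanner: signatures updated"),
}
TS = re.compile(r"\d{2}/[A-Za-z]{3}/\d{4}:\d{2}:\d{2}:\d{2}\.\d{3}")
DONE = re.compile(r"Filter \[McAfee Anti-Virus\] completes in \[?(\d+)\]? milliseconds")

def stamp(line):
    m = TS.search(line)
    return datetime.strptime(m.group(0), "%d/%b/%Y:%H:%M:%S.%f") if m else None

def delay_windows(lines):
    """Pair start (DEBUG) and end (INFO) markers; start is None without DEBUG logs."""
    open_at, windows = {}, []
    for line in lines:
        ts = stamp(line)
        for kind, (start, end) in MARKERS.items():
            if ts and start in line:
                open_at[kind] = ts
            elif ts and end in line:
                windows.append((kind, open_at.pop(kind, None), ts))
    return windows

def blocked_scans(lines, windows, slow_ms=5000, slack_ms=2000):
    """Slow scans that began before a window ended and finished just after it."""
    hits = []
    for line in lines:
        m, ts = DONE.search(line), stamp(line)
        if not (m and ts) or int(m.group(1)) < slow_ms:
            continue
        began = ts - timedelta(milliseconds=int(m.group(1)))
        for kind, _, end in windows:
            if began < end <= ts <= end + timedelta(milliseconds=slack_ms):
                hits.append((kind, ts, int(m.group(1))))
    return hits

# Constructed sample lines, not taken from a real gateway.
SAMPLE = """\
DEBUG   12/Mar/2024:02:00:00.100 [1a2b] McAfee virus scanner: attempt to load new dataset
INFO    12/Mar/2024:02:00:21.400 [1a2b] McAfee virus scanner: signatures updated
DEBUG   12/Mar/2024:02:00:21.450 [1a2b] Filter [McAfee Anti-Virus] completes in 21350 milliseconds
DEBUG   12/Mar/2024:02:00:21.500 [3c4d] Filter [McAfee Anti-Virus] completes in 19800 milliseconds
DEBUG   12/Mar/2024:02:05:00.000 [5e6f] Filter [McAfee Anti-Virus] completes in 240 milliseconds
""".splitlines()
```

Calling blocked_scans(lines, delay_windows(lines)) on a real trace file returns one tuple per slow scan with the window kind, the completion time and the duration in milliseconds.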


Documentation:

The specific condition that can cause single-threaded behavior and delay is described in the documentation.
From the Policy Developer Filter Reference:
"When the [McAfee] engine is stopped and restarted, any messages that require scanning are suspended until the restart completes. In addition, an initiated reload is suspended until all currently active scans are completed."