/
Problems in connection with virus scanners

Problems in connection with virus scanners

For virus scanners we strongly advise to add an exclusion of all scans for the SEAL Installation directories (usually D:\SEAL\* ).
We do not recommend exclusions for single processes as this would affect several hundred exe files.

It can, even though an exclusion is active, still come to scanning access of the virus scanners to these excluded directories, which then can lead to the following problems:

  • Performance problems while executing / transmitting jobs

  • The postgreSQL database runs into a deadlock

  • JBoss does not react any more, the jobs are removed from the Input directories (gates) but not listed in the OCON

  • Conversions in PLOSSYS 4 or DPF stay in status converting

  • PDF Tools like for example PDFPrae.exe get stuck and run endless

  • Office conversions do not finish - Office application does not close

  • GNU tar for Windows cannot be started anymore (Exception)

If you use CheckMK, we recommend to temporarily deactivate it. Should then no more problems occur, check if an update is available for CheckMK. For one customer, an update of the Check MK Windows Agent to version 1.6.0p22 solved the problem.

For the PLOSSYS Output Engine we recommend to exclude the following directories:
%ProgramFiles%\SEAL Systems\PLOSSYS\
C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\ghost\
C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\pdf2ps\
C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\pdfstamp\
C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\ps2pdf\
C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\sapgof\
Further the respective executable program files under "C:\Program Files\SEAL Systems" should be excluded from scans, for example nodejs.exe, mongodb.exe, consul.exe, nssm.exe, etc.

 

One way to check if the exclusion of a directory is working correctly is by using the EICAR testfile. More information about this can be found on the website: https://www.eicar.org/download-anti-malware-testfile/
Please keep in mind that the string should be copied into an .exe file. Files with the .txt extension sometimes are not identified.

Even if this test is negative, it is still possible that these problems are related to the virus scanner. Here a Screenshot where the virus scanner is active on the server even though an exclusion exist for the directory. The EICAR test also was negative. For the analysis, all active Windows processes were checked with the Process Monitor. The Process Monitor is available directly from Microsoft.

virusscanner_active-20241202-145403.png

In order to get a good overview in the Process Monitor, we advise to exclude all sources except the "File System Activity".

procmon activity-20241202-145435.png


Furthermore a filter should be set on the ..\data\ directory via the Process Monitor Filter (Filter->Filter, <CTRL>-<L> or by clicking on the related icon).

procmon filter-20241202-145508.png


If you know the name of the virus scanner process, you can filter for it only too.

Such virus scanner activities can result in slow database access. You can see this in the postgresql logfiles.

database_log-20241202-145530.png

If the database inquiries take exceptionally long, it is possible that the Watchdog gets active. In contrast to other processes, the Watchdog utilizes a query with a timeout in order to not block the process. If this timeout (Default-Wert 10sec) is reached, the DPF will be restarted via "dpfrestart".
This leads to entries in the postgresql-Log führt (10061 Connection refused, bzw. 10054 Connection reset by peer), as the postgres connections to the processmanager, workingunitmanager and jobcleaner are not closed but broken apart - dpfrestart is not mincing around.
This also means that if the error is listed in the postgresql logfile, it is not an error caused by the postgresql, but more a call for help.
The database works with WAL-files (Write-Ahead-Log), which means to execute a COMMIT, the information has to be written into the WAL. If a Virusscanner is active on this file, the COMMIT can take several seconds instead of nanoseconds.
This means that the performance of the database degrades till it is unusable (processes are aborted), as the timeout for SQL is never set this high.

The combination how some virus scanners search for viruses and locks binaries in the process, and the deceptive behavior to ignored excluded directories, gives us no option to bypass that in our or external software (which comes with our software). After a restart and processing of the same files no error will occour. Problems may occour one time in the postgresql next time in the pdftools.

Please report this to the software supplier.

So whenever you encounter any of the sporadic problems described above, please check if an Antivirus program is installed on your system and if it is possible, deactivate it for testing.
Also make sure that the Antivirus program has the most current virus signatures.


Testscript

SEAL Systems provides a script which can check if the directories which are used by the SEAL software are excluded from antivirus programs.
Please install the necessary package (attached at the end of this FAQ) as described in this FAQ: https://sos-sealsystems.atlassian.net/wiki/spaces/SOSEN/pages/18025102

Usage

  • Open a SEAL Shell

  • Start the test with: testscan -s

  • The test takes around 2 minutes

  • Remove the testfiles with: testscan -x

The following results can occur:
exists - everything fine
not readable! - file exists, but cannot be active
lost! - file got lost, check installation prerequisites

“Not readable” and “lost” indicate that the antivirus program is active on the directories shown.