Microsoft KB Archive/900638

= Multiple symptoms occur if an antivirus scan occurs while the Wsusscan.cab file or the Wsusscn2.cab file is copied =

Article ID: 900638

Article Last Modified on 10/11/2007


APPLIES TO


 * Microsoft Windows Server 2003, Standard Edition (32-bit x86)
 * Microsoft Windows Server 2003, Enterprise Edition
 * Microsoft Windows Server 2003, Datacenter Edition (32-bit x86)
 * Microsoft Windows Server 2003, Web Edition
 * Microsoft Windows Server 2003, Standard x64 Edition
 * Microsoft Windows Server 2003, Enterprise x64 Edition
 * Microsoft Windows Server 2003, Datacenter x64 Edition
 * Microsoft Windows Server 2003, Enterprise Edition for Itanium-based Systems
 * Microsoft Windows Server 2003, Datacenter Edition for Itanium-Based Systems
 * Microsoft Windows XP Media Center Edition 2005
 * Microsoft Windows XP Media Center Edition 2004
 * Microsoft Windows XP Media Center Edition 2002
 * Microsoft Windows XP for Itanium-based Systems Version 2003
 * Microsoft Windows XP Professional 64-Bit Edition (Itanium)
 * Microsoft Windows XP Professional
 * Microsoft Windows XP Tablet PC Edition 2005
 * Microsoft Windows XP Tablet PC Edition
 * Microsoft Windows XP Home Edition
 * Microsoft Windows 2000 Advanced Server
 * Microsoft Windows 2000 Professional Edition
 * Microsoft Windows 2000 Service Pack 3
 * Microsoft Windows 2000 Service Pack 4
 * Microsoft Systems Management Server 2003
 * Microsoft Baseline Security Analyzer 2.0




SYMPTOMS
Consider the following scenario. You are running antivirus software on the computer. Either of the following actions occurs:
 * The Wsusscan.cab file or the Wsusscn2.cab file is copied to a local computer.
 * The Wsusscan.cab file or the Wsusscn2.cab file is copied from a folder on a local computer to a different folder on the same local computer.

Note The Wsusscan.cab file or the Wsusscn2.cab file may be copied by Microsoft Systems Management Server (SMS) or the Microsoft Baseline Security Analyzer (MBSA) to perform an offline security scan.

After either of the previous actions occurs, you may experience one or more of the following symptoms:
 * CPU use may increase to 100 percent.
 * The computer may be slow to respond.
 * The computer may appear to stop responding.
 * Virus scanning may take a long time.
 * The virus scanning process may quit or may time out.
 * System resources may become low and may not be recoverable.

Note The symptoms that you experience depend on the antivirus software that you are using and the scan options, such as scanning inside archived files, that you have configured.



CAUSE
This issue occurs because the antivirus software on the computer scans the Wsusscan.cab file or the Wsusscn2.cab file.



WORKAROUND
To work around this issue, configure the antivirus software by using any one of the following methods.

Notes
 * The antivirus software that you use may not support the following methods.
 * These methods are listed in order from least risky to most risky.
 * If you do not want to use the methods described in this article to work around this problem, and if you are using the SMS 2003 Inventory Tool for Microsoft Updates to perform software update scans, you can schedule those scans during non-business hours. By scanning after business hours, end users are less likely to notice any effect on the performance of the computer that is being scanned.

Method 1
Exclude the Wsusscan.cab file and the Wsusscn2.cab file from the antivirus scan.

Notes
 * Because the Wsusscan.cab file and the Wsusscn2.cab file contain several nested cabinet files, excluding only these files is not typically sufficient to reduce unusually high CPU usage. To significantly reduce CPU usage, also exclude nested cabinet files that are within the Wsusscan.cab file and the Wsusscn2.cab file.
 * If a virus is present in a .cab file, the virus should be detected when the file is uncompressed. Therefore, there is almost no increased risk in using this method.
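
Added example (not part of the original article and not a Microsoft tool): before writing per-file exclusions for Method 1, it helps to see which nested cabinets a given copy of Wsusscan.cab or Wsusscn2.cab actually contains. The Python sketch below reads the file table of a cabinet (MSCF format) and returns the direct members whose names end in .cab; the sample cabinet and its member names are constructed for the demonstration, and the function names are hypothetical.

```python
import struct

CFHEADER = struct.Struct("<4sIIIIIBBHHHHH")   # 36-byte fixed cabinet header
CFFILE = struct.Struct("<IIHHHH")             # 16-byte fixed part of a file entry
NAME_IS_UTF = 0x80                            # CFFILE attribute: name is UTF-8


def list_cab_members(data):
    """Return [(name, uncompressed_size)] read from a cabinet's file table."""
    if len(data) < CFHEADER.size:
        raise ValueError("too short for a cabinet header")
    (sig, _r1, _cb_cab, _r2, coff_files, _r3, _vmin, _vmaj,
     _folders, file_count, _flags, _set_id, _i_cab) = CFHEADER.unpack_from(data, 0)
    if sig != b"MSCF":
        raise ValueError("not a cabinet file (bad signature)")
    members, pos = [], coff_files             # coff_files: offset of first CFFILE
    for _ in range(file_count):
        if pos + CFFILE.size > len(data):
            raise ValueError("file table runs past end of data")
        size, _off, _folder, _date, _time, attribs = CFFILE.unpack_from(data, pos)
        pos += CFFILE.size
        end = data.find(b"\x00", pos)         # member name is NUL-terminated
        if end < 0:
            raise ValueError("unterminated member name")
        codec = "utf-8" if attribs & NAME_IS_UTF else "cp437"
        members.append((data[pos:end].decode(codec, "replace"), size))
        pos = end + 1
    return members


def nested_cabinets(data):
    """Names of direct members that are cabinets, judged by file extension."""
    return [n for n, _ in list_cab_members(data) if n.lower().endswith(".cab")]


def build_sample_cab(names):
    """Constructed test input: header, one empty folder record, file table."""
    table = b"".join(CFFILE.pack(1000 + i, 0, 0, 0, 0, 0x20) + n.encode() + b"\x00"
                     for i, n in enumerate(names))
    coff_files = CFHEADER.size + 8            # one 8-byte CFFOLDER after the header
    total = coff_files + len(table)
    header = CFHEADER.pack(b"MSCF", 0, total, 0, coff_files, 0, 3, 1,
                           1, len(names), 0, 0, 0)
    return header + struct.pack("<IHH", total, 0, 0) + table


if __name__ == "__main__":
    sample = build_sample_cab(["index.xml", "package.cab", "package2.cab"])
    print(nested_cabinets(sample))
```

This reads only the outer file table; the contents of the nested cabinets themselves are not enumerated.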

Method 2
Exclude all .cab files from the antivirus scan.

Note If a virus is present in a .cab file, the virus should be detected when the file is uncompressed. Therefore, there is almost no increased risk in using this method.

Method 3
Important These steps may increase your security risk. These steps may also make your computer or your network more vulnerable to attack by malicious users or by malicious software such as viruses. We recommend the process that this article describes to enable programs to operate as they are designed to, or to implement specific program capabilities. Before you make these changes, we recommend that you evaluate the risks that are associated with implementing this process in your particular environment. If you choose to implement this process, take any appropriate additional steps to help protect your system. We recommend that you use this process only if you really require this process.

Exclude all archived files from the antivirus scan.

Method 4
Important These steps may increase your security risk. These steps may also make your computer or your network more vulnerable to attack by malicious users or by malicious software such as viruses. We recommend the process that this article describes to enable programs to operate as they are designed to, or to implement specific program capabilities. Before you make these changes, we recommend that you evaluate the risks that are associated with implementing this process in your particular environment. If you choose to implement this process, take any appropriate additional steps to help protect your system. We recommend that you use this process only if you really require this process.

Exclude the following items from the antivirus scan:
 * The folder in which the Wsusscan.cab file or the Wsusscn2.cab file is located.
 * The path of the Wsusscan.cab file or the Wsusscn2.cab file on the local computer.



MORE INFORMATION
The Wsusscan.cab file and the Wsusscn2.cab file are archive-based files. These files contain security-related update metadata. This metadata is used for scanning for updates that are available on Microsoft Update and which apply to the computer against which the scan is being run. The Wsusscan.cab file or the Wsusscn2.cab file is used to perform a scan of the computer locally, in an offline manner, without having to be connected to the Microsoft Update Web site.

For more information about offline scanning and Windows Update Agent (WUA), visit the following Microsoft Web sites:

http://msdn2.microsoft.com/en-us/library/aa387290.aspx

http://msdn2.microsoft.com/en-us/library/aa387292.aspx

Keywords: kbtshoot kbprb kbsecantivirus kbexpertiseadvanced kbexpertiseinter KB900638


© Microsoft Corporation. All rights reserved.