SharePoint Server 2010 integrated Forefront virus scanner scans infected files multiple times


Symptoms


Consider the following scenario:

  • On a computer that is running Windows 7 or Windows Server 2008 R2, you use Explorer View to upload a file to a SharePoint Server 2010 (WebDAV) server.
  • This SharePoint server is using the integrated Forefront virus scanner (Forefront Protection 2010 for SharePoint).
  • If a user adds an infected document to a document library through SharePoint Explorer View and the SharePoint integrated Forefront virus scanner is present on the system, multiple documents are created in the Forefront Protection 2010 for SharePoint quarantine.

Expected result: only one malware document is expected in quarantine.

Cause


The WebClient service on the client system tries to upload the infected file again because a fallback mechanism takes effect when the first request is not successful.
Forefront scans a file every time SharePoint passes it.

Resolution


This behavior is by design in the current implementation of the Windows 7 WebDAV redirector.

More Information


Example: you try to upload an infected file (eicar.com.txt from http://eicar.org/85-0-Download.html).

SharePoint scans each file that is uploaded through the WebDAV PUT command.

When you upload an infected file (eicar.com.txt in this example), the process on the client side is:

  1. Copy an empty file and set the file attributes (the modified date is correct).
  2. Copy the file content and set the file attributes. Here the modified date is set to the current time.
  3. When the content arrives at the DAV server, SharePoint replies with:

    HTTP/1.1 409 CONFLICT
    X-SharePointHealthScore: 0
    x-virus-infected: Malware Found
    X-Powered-By: ASP.NET
    MicrosoftSharePointTeamServices: 14.0.0.6112
    Date: Thu, 16 Feb 2012 13:55:04 GMT
    Content-Length: 0 

    The SharePoint server returns status HTTP_CONFLICT (409) for the infected file, which translates to ERROR_LOCK_VIOLATION
    ("The process cannot access the file because another process has locked a portion of the file.")
    on the WebClient.
  4. The client does not look for the reason for the conflict (Malware Found), so the redirector (WebClient service) tries again,
    because a fallback mechanism takes effect when the first request fails.
     

The result is that the file is scanned more than once on the SharePoint Server 2010 server.
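
For triage, the duplicate quarantine entries described above can be collapsed into one incident by keying on the `x-virus-infected` header that accompanies the 409 response. The following Python is an added example, not Microsoft's code; the event tuple layout, the 60-second retry window, and the sample client address and paths are assumptions made for illustration.

```python
from datetime import datetime, timedelta

# Response head from the article (abridged) for the infected upload.
INFECTED = """HTTP/1.1 409 CONFLICT
X-SharePointHealthScore: 0
x-virus-infected: Malware Found
Date: Thu, 16 Feb 2012 13:55:04 GMT
Content-Length: 0"""
# Constructed: an ordinary 409 that carries no virus header.
PLAIN_CONFLICT = "HTTP/1.1 409 CONFLICT\nContent-Length: 0"

def parse_head(raw):
    """Return (status code, {lower-cased header name: value})."""
    lines = raw.strip().splitlines()
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return int(lines[0].split()[1]), headers

def is_malware_block(raw):
    """True only for a 409 that the scanner flagged, not for any 409."""
    status, headers = parse_head(raw)
    return status == 409 and "x-virus-infected" in headers

def collapse_retries(events, window=timedelta(seconds=60)):
    """Merge repeated blocked PUTs of one (client, path) into one incident."""
    incidents, open_by_key = [], {}
    for ts, client, method, path, raw in sorted(events, key=lambda e: e[0]):
        if method != "PUT" or not is_malware_block(raw):
            continue
        inc = open_by_key.get((client, path))
        if inc and ts - inc["last_seen"] <= window:
            inc["attempts"] += 1      # WebClient fallback retry of the same upload
            inc["last_seen"] = ts
        else:
            inc = {"client": client, "path": path, "first_seen": ts,
                   "last_seen": ts, "attempts": 1}
            open_by_key[(client, path)] = inc
            incidents.append(inc)
    return incidents

# Constructed events: (timestamp, client, method, path, response head).
T0 = datetime(2012, 2, 16, 13, 55, 4)
EVENTS = [(T0 + timedelta(seconds=i), "10.0.0.5", "PUT", "/docs/eicar.com.txt", INFECTED)
          for i in range(3)]
EVENTS.append((T0 + timedelta(seconds=3), "10.0.0.5", "PUT", "/docs/report.docx", PLAIN_CONFLICT))
```

`collapse_retries(EVENTS)` yields a single incident with three attempts, and the plain 409 for the second path is ignored because it lacks the virus header.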
