Baggy
Contributor

Error logs in Threat Emulation

An event occurred in which an error log in threat emulation was output and files could not be downloaded or uploaded.
Emulation is running on ThreatCloud.

In the log, the reason for the error is explained as follows:
Reason: Timeout was exceeded

I think one of the causes is that the emulation connection handling mode of Threat Emulation is set to Maximum Prevention in the Profile setting of the Threat Prevention Policy.

Do you know the main cause?

37 Replies
the_rock
MVP Platinum

K, so it's been a few months then. I would say you can try changing those settings we mentioned yesterday.

Best,
Andy
Baggy
Contributor

@the_rock 

I will change the timeout value in $FWDIR/conf/malware_config and verify whether the same issue occurs in my lab.

the_rock
MVP Platinum

This issue never happens in my lab (it's on R82 jumbo 44), so I will send you the content of that file from both a cluster and a single gw managed by an R82 mgmt server. The single gw is R82 and the cluster is R81.20. It's night my time, so will send it in the morning.

Best,
Andy
the_rock
MVP Platinum

@Baggy I'm fairly positive the content would be the same on both R81.20 and R82, but will confirm, for sure.

Best,
Andy
Baggy
Contributor

@the_rock 

I tested on R81.20.
No error output for “Reason: Timeout was exceeded” was found.
However, I have confirmed the following log entries:

R81.20
・Threat Prevention Advanced Settings
Resource Classification mode: Hold
・Threat Prevention Profile Settings
Anti-Virus Settings
File Types: Process all file types
Enable deep inspection scanning: checked
Threat Emulation advanced settings
Emulation Connection Handling Mode: Maximum Prevention

・fw.log
------------------------------
Time: 2025-11-11T07:00:39Z
Interface Direction: inbound
Interface Name: eth1
Id: c0a801eb-81c7-e423-6913-5da7005c0000
Id Generated By Indexer: true
First: true
Sequencenum: 2
Client Type: Chrome
Service ID: https
Source: 192.168.1.195
Source Port: 58407
Destination: 104.21.47.248
Destination Port: 443
IP Protocol: 6
Log ID: 4000
Session Identification Number:0x0,0x0,0x0,0x0
Reason: Failed to process the file
Verdict: Error
Proxied Source IP: 192.168.1.195
Action: Detect
Type: Log
Policy Name: Standard
Policy Management: mgmt3
Db Tag: {1B633208-42C3-D444-89E6-98D5B57999B1}
Policy Date: 2025-11-11T06:57:25Z
Blade: Threat Emulation
Origin: mgmt3
Service: TCP/443
Product Family: Threat
Action: Inspect
Resource: https://files.testfile.org/ZIPC/60MB-Corrupt-Testfile.Org.zip
Log Server Origin: 192.168.1.235
Interface: eth1
Description: Threat Emulation

Time: 2025-11-11T07:00:39Z
Id: 7e16cd9f-ab70-2f20-39db-4a5d748e194a
Id Generated By Indexer: false
First: false
Sequencenum: 1
Log ID: 4000
Source: 192.168.1.195
Destination: 104.21.47.248
IP Protocol: 6
Source Port: 58407
Destination Port: 443
Threat Prevention Rule ID:F50127A1-D5C9-4BAC-8C3F-2D2557E6FFAD
Scope: 192.168.1.195
File Name: 60MB-Corrupt-Testfile.Org.zip
File Type: zip
File MD5: 6894f10dddc6562a107ea8e84a12f75e
File SHA-1: 83e470b4e7c4ebb1e2da13f749b99f7dfcbd7ccb
File SHA-256: 42559ecca7659e92ec038dc4cb8b3af1a2d93c03de88c4c4689e94bcd8b932b1
Verdict: Error
Analyzed On: Check Point Threat Cloud
Errors: File was not emulated on some of the operating systems. reason: archive: archive tool gets an error during extraction process. Win7,Office 2013,Adobe 11: archive tool gets an error during extraction process. WinXP,Office 2003/7,Adobe 9: archive tool gets an error during extraction process.
Determined By: Win7,Office 2013,Adobe 11: archive. WinXP,Office 2003/7,Adobe 9: archive.
Protection Type: HTTP Emulation
Severity: Informational
Confidence Level: N/A
Log Uid: 39DB4A5D-748E-194A-9FCD-167E202F70AB
Special Attack: 0
Action: Accept
Packet Capture: Packet Capture
Type: Log
Blade: Threat Emulation
Origin: mgmt3
Service: TCP/443
Product Family: Threat
File Size: 62914560
Log Server Origin: 192.168.1.235
Description: Threat Emulation
Description: Extracted files name:, /var/log/files_repository/Archive_Tool/8785455D-CDCA-49C6-B22F-D9325B260629/602351/archive_tool/tmp/3090fcc2-8fea-4a2c-9cf9-b798dd19b558/archives/{96BDA193-109B-1849-A784-4EED01EEECFF}, Extracted files type:, {96bda193-109b-1849-a784-4eed01eeecff}, Extracted files sha1:, Extracted files verdict:, Damaged
------------------------------

・/opt/CPsuite-R81.20/fw1/log/tp_failures.elg
------------------------------

Time:11/11 16:00:58; Inst:2; Conn:dir 0, 192.168.1.195:58407 -> 104.21.47.248:443 IPP 6; Session:100; App:CI_AV; Last Buffer Seen:1; rule_id:1; profile_id:1; AV Performed Hold:15:59:37; TE Performed Hold:15:59:37; Accumulated File Size:62914560; RAD Cache Miss:1; RAD Performed Hold:15:59:37; File Type ID:7204; File MD5:6894f10dddc6562a107ea8e84a12f75e; RAD Async Response Time:15:59:38; RAD Verdict:ACCEPT; Flexible Hold:1; TE Async Response Time:15:59:39; TE Verdict:NONE; AV Async Response Time:15:59:39; AV Verdict:NONE; TE Async Response Time:16:00:39; TE Verdict:NONE; Action None From US Failure:1; Fail-Open:1; Session ended with error:1; av_handler:ffffc90051ca97e0; Final Action:ACCEPT; Final Async Action Time:16:00:39; Strict Hold Start Sending File:1;

Time:11/11 16:03:31; Inst:0; Conn:dir 0, 192.168.1.195:58564 -> 18.172.52.34:443 IPP 6; Session:157; App:CI_AV; File Name:20251111064927035688; IFI Max File Size Exceeded:1; Content-Length:25622537; Strict Hold:1; Last Buffer Seen:1; rule_id:1; profile_id:1; AV Performed Hold:16:03:24; TE Performed Hold:16:03:24; Accumulated File Size:25622537; RAD Cache Miss:1; RAD Performed Hold:16:03:24; File Type ID:7204; File MD5:ec0aeb2e40fdec70a17675998a0015b4; RAD Async Response Time:16:03:24; RAD Verdict:ACCEPT; TE Async Response Time:16:03:25; TE Verdict:NONE; TE Async Response Time:16:03:25; TE Verdict:ACCEPT; AV Async Response Time:16:03:25; AV Verdict:NONE; Action None From US Failure:1; Fail-Open:1; Session ended with error:1; av_handler:ffffc900617e0d00; Final Action:ACCEPT; Final Async Action Time:16:03:25; Strict Hold Start Sending File:1;
------------------------------

regards,
Baggy


the_rock
MVP Platinum
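Both tp_failures.elg records quoted above use the same semicolon-separated Key:Value layout, and the hold duration and the sequence of TE verdicts are easier to compare once the records are parsed. The following is an added Python parser, not Check Point tooling, that reads that layout and reports per session how long the file was held (from "TE Performed Hold" to "Final Async Action Time"), every TE verdict recorded, and whether the session ended fail-open; the two records from the post are embedded as its input.

```python
"""Parse tp_failures.elg records (the '; '-separated Key:Value format quoted
above) and flag sessions the gateway released without a usable TE verdict."""
from datetime import datetime, timedelta

# The two records from the tp_failures.elg excerpt in the post above.
SAMPLE_ELG = """\
Time:11/11 16:00:58; Inst:2; Conn:dir 0, 192.168.1.195:58407 -> 104.21.47.248:443 IPP 6; Session:100; App:CI_AV; Last Buffer Seen:1; rule_id:1; profile_id:1; AV Performed Hold:15:59:37; TE Performed Hold:15:59:37; Accumulated File Size:62914560; RAD Cache Miss:1; RAD Performed Hold:15:59:37; File Type ID:7204; File MD5:6894f10dddc6562a107ea8e84a12f75e; RAD Async Response Time:15:59:38; RAD Verdict:ACCEPT; Flexible Hold:1; TE Async Response Time:15:59:39; TE Verdict:NONE; AV Async Response Time:15:59:39; AV Verdict:NONE; TE Async Response Time:16:00:39; TE Verdict:NONE; Action None From US Failure:1; Fail-Open:1; Session ended with error:1; av_handler:ffffc90051ca97e0; Final Action:ACCEPT; Final Async Action Time:16:00:39; Strict Hold Start Sending File:1;
Time:11/11 16:03:31; Inst:0; Conn:dir 0, 192.168.1.195:58564 -> 18.172.52.34:443 IPP 6; Session:157; App:CI_AV; File Name:20251111064927035688; IFI Max File Size Exceeded:1; Content-Length:25622537; Strict Hold:1; Last Buffer Seen:1; rule_id:1; profile_id:1; AV Performed Hold:16:03:24; TE Performed Hold:16:03:24; Accumulated File Size:25622537; RAD Cache Miss:1; RAD Performed Hold:16:03:24; File Type ID:7204; File MD5:ec0aeb2e40fdec70a17675998a0015b4; RAD Async Response Time:16:03:24; RAD Verdict:ACCEPT; TE Async Response Time:16:03:25; TE Verdict:NONE; TE Async Response Time:16:03:25; TE Verdict:ACCEPT; AV Async Response Time:16:03:25; AV Verdict:NONE; Action None From US Failure:1; Fail-Open:1; Session ended with error:1; av_handler:ffffc900617e0d00; Final Action:ACCEPT; Final Async Action Time:16:03:25; Strict Hold Start Sending File:1;
"""


def parse_record(line):
    """Split a record on '; ', then each field on its first ':' so values that
    themselves contain ':' (Conn, Time) survive. Repeated keys such as
    'TE Verdict' are kept as an ordered list."""
    rec = {}
    for field in line.strip().rstrip(";").split("; "):
        key, _, value = field.partition(":")
        rec.setdefault(key.strip(), []).append(value.strip())
    return rec


def hold_seconds(rec):
    """Seconds between the TE hold start and the final async action
    (the log carries clock times only, so a hold spanning midnight is wrapped)."""
    start = datetime.strptime(rec["TE Performed Hold"][-1], "%H:%M:%S")
    end = datetime.strptime(rec["Final Async Action Time"][-1], "%H:%M:%S")
    if end < start:
        end += timedelta(days=1)
    return int((end - start).total_seconds())


def summarize(elg_text):
    """One dict per record: how long the file was held, every TE verdict seen,
    and whether the session ended fail-open (Fail-Open:1)."""
    out = []
    for line in elg_text.splitlines():
        if not line.strip():
            continue
        rec = parse_record(line)
        out.append({
            "session": rec["Session"][0],
            "md5": rec["File MD5"][0],
            "hold_s": hold_seconds(rec),
            "te_verdicts": rec.get("TE Verdict", []),
            "fail_open": rec.get("Fail-Open", ["0"])[0] == "1",
            "size_exceeded": rec.get("IFI Max File Size Exceeded", ["0"])[0] == "1",
        })
    return out
```

Run over the two records, the first session shows a 62-second hold with TE Verdict NONE both times before fail-open, while the second was released after one second with a final ACCEPT and the IFI max file size flag set.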

I should be able to get all this info for you soon from my lab, will put it all in notepad++ and attach.

Best,
Andy
the_rock
MVP Platinum

@Baggy 

Here is the file I promised with the values in R81.20 and R82. To me, it looks the same as what you have, but I would still try increasing them.

Best,
Andy
the_rock
MVP Platinum

@Baggy Let me know please if changing those values helps. Needless to say, just to be on the safe side, please have a backup beforehand. Hope it helps, but if not, I can do some more checks in the lab.

Best,
Andy