Recent updates to this article:
To receive email notification when this article is updated, click Subscribe on the right side of the page. You must be logged on to subscribe.
Date |
Update |
March 26, 2021 |
McScanCheck was replaced with N/A in the row that referenced McScanCheck.exe. |
February 12, 2021 |
MA 5.5.x End of Life removed and current supported versions added. |
This article provides a brief description of the processes associated with VSE and MA. The sequence in which the main components load is also described below.
MA 5.x Processes
Windows process |
Non-Windows process |
Description |
masvc.exe |
masvc |
Performs functions such as:
- Property collection
- Policy enforcement
- Scheduling of tasks
- Agent-server communication
- Trigger update sessions
|
macmnsvc.exe |
macmnsvc |
Hosts multiple McAfee Agent services such as peer-to-peer server, wake-up, and RelayServer. |
macompatsvc.exe |
macompatsvc |
This executable is the compatibility service for the McAfee Agent service. McAfee Agent service starts this service and communicates to the managed product plug-ins. |
cmdagent.exe |
cmdagent |
A command-line program that invokes McAfee Agent. To know more about switches available with this command, use:
cmdagent.exe -h |
FrmInst.exe |
N/A |
McAfee Agent installation program. To know more about switches available with this command, use:
FrmInst.exe /h |
maconfig.exe |
maconfig |
A command-line program used to configure different options of McAfee Agent. To know more about switches available with this command, use:
maconfig –help |
McScanCheck.exe |
N/A |
A command-line program used by McScript_InUse.exe to perform DAT or engine updates. |
McScript_InUse.exe |
Mue_InUse |
Runs scripts for updating DAT files, engines, service packs, or any other component checked in to a repository. This process loads when update task is started. |
UpdaterUI.exe |
N/A |
Provides user interface for updates. It also controls the McAfee Agent icon in the notification area and is loaded using the Run key in the Windows registry. |
marepomirror.exe |
N/A |
Performs repository mirroring according to the policy settings. |
FramePkg.exe |
N/A |
McAfee Agent installer. |
mctray.exe |
N/A |
McAfee icon management tool. It runs under the same user session. The UdaterUI.exe process starts the icon. |
mcupdater.exe |
|
Initiates the McAfee® Data Exchange Layer (DXL) client installer as part of McAfee Agent install. |
VSE 8.8 Processes
Process name |
Description |
Mcshield.exe |
The McShield on-access scanner Service. |
Scan32.exe /
Scan64.exe |
The on-demand scanner Process that loads when an On Demand Scan is started. |
Shstat.exe |
Loads from the Run key in the Windows registry. For current MA versions, it integrates with McTray.exe (by loading a DLL), then exits. It is responsible for loading the following:
- McAfee VirusScan (vShield) +icon in the Windows notification area.
- VSE About screen
- On-access scanner statistics
- Messages window.
|
VsTskMgr.exe |
Facilitates janitorial duties within the product. |
mfevtps.exe |
Provides trust validation for all McAfee processes. |
mfeann.exe |
Loaded by Vstskmgr.exe. It is responsible for event creation and logging. |
VSE 8.8 Drivers
Process name |
Description |
mfeapfk.sys |
The Access Protection content driver, which provides Access Protection for File/Folder and Registry Blocking. |
mfeavfk.sys |
A file system filter content driver used for antivirus scanning and maintaining a file cache. |
mfebopk.sys |
A Buffer Overflow Protection content driver. (N/A for x64) |
mfeclnk.sys |
Used during rootkit removal. |
mfeelamk.sys |
The Early Launch Anti-Malware (ELAM) driver. This component is used with the Microsoft ELAM framework to verify that boot start drivers do not contain malware. Available for Windows 8 and later (Windows kernel version 6.2 and later). |
mfehidk.sys |
The Host Intrusion Detection Link Driver. Facilitates I/O events for relevant content drivers. |
mferkdet.sys |
Used during On Demand Scan to scan for rootkits. |
Mfetdik2.sys |
The TDI filter driver. Access Protection uses this driver for Port Blocking and IP Source identification on Windows operating systems. |
Mfewfpk.sys /
Mfefirek.sys |
The Windows Filtering Platform driver. Access Protection uses this driver for Port Blocking and IP Source identification on Windows Vista Service Pack 1 and later. |
The following procedure describes the sequence in which the main components load:
- The computer starts (drivers and services load):
- If the operating system is Windows 8 (or later), the mfeelamk.sys driver is loaded using the Microsoft ELAM framework.
- The mfehidk.sys driver loads.
- The mfetdik.sys/mfewfpk.sys driver loads.
- The mfeavfk.sys driver loads.
- The Service Control Manager automatically starts the mfevtps.exe service.
- The McShield, Framework service, and VsTskMgr services load automatically. As described above, McShield is the user-mode component of the On Access Scanner. The Framework service provides updating, scheduling, and mirroring functions, and VSTskmgr is a service used to coordinate events. For example, it sends scheduling information to CMA. It restarts McShield if a fatal timeout occurs and also protects VSE files from being modified.
- The McShield service loads the mfeapfk.sys driver.
- The McShield service loads the mfebopk.sys driver.
- The FrameworkService loads NaPrdMgr to communicate with managed product plug-ins.
- The user logs in (items in the Run key are loaded):
- The UpdaterUI/UdaterUI and ShStat (VSE 8.7i) load.
- The UpdaterUI/UdaterUI provides a user interface to see what CMA is doing.
- The ShStat, vShield icon showing statistics, displays OAS messages window when OAS detections occur.
- The mfeann.exe process starts.
- Other components are loaded (as needed):
- The McScript/McScript_In_Use runs scripted operations for MA.
- The Scan32 on-demand scanner, used when scheduled On Demand Scan tasks run.
- The McConsole displays the Console, also performs an On Demand Scan if invoked by the user through the Console.
- The ShCfg32, On Access Scanner property configuration.
- The ScnCfg32, On Demand Scan property configuration. It also performs an On Demand Scan if invoked by the user through this screen.