Process description and load order for VirusScan Enterprise and McAfee Agent
Technical Articles ID:
KB65784
Last Modified: 1/16/2020
Environment
McAfee Agent (MA) 5.x, 4.x
McAfee VirusScan Enterprise (VSE) 8.8.x
Summary
Recent updates to this article:
To receive email notification when this article is updated, click Subscribe on the right side of the page. You must be logged on to subscribe.
| Date |
Update |
| July 24, 2017 |
Corrections to macompatsvc.exe made. VSE 8.7i tables deleted because the version is End-of-Life. |
Solution
This article provides a brief description of the processes associated with VirusScan Enterprise and McAfee Agent. In addition, the sequence in which the main components are loaded is also described below.
MA 5.x Processes
| Process name |
Description |
| FrmInst.exe |
The MA installation program. |
| macmnsvc.exe |
Hosts multiple MA services such as Peer-to-Peer server, Wake-up, and RelayServer. |
| masvc.exe |
Performs functions such as property collection, policy enforcement, scheduling of tasks, agent-server communication, and triggers update sessions. |
| macompatsvc.exe |
The compatibility service for the McAfee Agent service. The McAfee Agent service starts this service and communicates to the various managed product plugins. |
| CmdAgent.exe |
The command line program that invokes MA. |
| maconfig.exe |
The command line program used to configure different options of MA. |
| UpdaterUI.exe |
Provides the user interface for the updates. These processes also control the MA icon in the System tray and are loaded using the Run key in the Windows registry. |
| McTray.exe |
The System tray icon management tool. It runs under the same user session, and is started by UdaterUI.exe. |
| McScript.exe |
Runs scripts for the updating of DAT files, Engines, Service Packs, or any other component that is checked into a repository. This process loads when the update task is started. |
| McScript_InUse.exe |
Enables an MA deployment task to be able to complete without having files locked in use. |
| McScanCheck.exe |
The command line program used by McScript_InUse.exe to perform DAT or Engine updates. |
| marepomirror.exe |
Performs repository mirroring for VSE. |
MA 4.x Processes
| Process name |
Description |
| McScript.exe |
Runs scripts for the updating of DAT files, Engines, Service Packs, or any other component that is checked into a repository. This process loads when the update task is started. |
| UpdaterUI.exe UdaterUI |
Provides the user interface for the updates. These processes also control the MA icon in the System tray and are loaded using the Run key in the Windows registry. |
| naPrdMgr.exe |
The Product Manager for the McAfee Framework service. It is loaded by the Framework service and communicates to the various point product plugins. |
| FrameworkService.exe |
Provides the majority of MA functionality. |
| Cleanup.exe |
Cleans up after installations or removals of MA. |
| CmdAgent.exe |
The command line program that invokes MA. |
| FrmInst.exe |
The MA installation program. |
| McScript_InUse.exe |
Enables an MA deployment task to be able to complete without having files locked in use. |
| McTray.exe |
The System tray icon management tool. It runs under the same user session, and is started by UdaterUI.exe. |
VSE 8.8 Processes
|
Process name
|
Description |
| Mcshield.exe |
The McShield On-Access Scanner Service. |
Scan32.exe /
Scan64.exe |
The On-Demand Scanner Process that loads when an On Demand Scan is started. |
|
Shstat.exe
|
Loads from the Run key in the Windows registry. For current MA versions, it integrates with McTray.exe (by loading a DLL), then exits. It is responsible for loading the McAfee VirusScan (Vshield) +icon in the Windows system tray, the VSE About screen, the On-Access Scanner statistics, and the messages window. |
| VsTskMgr.exe |
Facilitates janitorial duties within the product. |
| mfevtps.exe |
Provides trust validation for all McAfee processes. |
| mfeann.exe |
Loaded by Vstskmgr.exe. It is responsible for event creation and logging. |
VSE 8.8 Drivers
| Process name |
Description |
| mfeapfk.sys |
The Access Protection content driver, which provides Access Protection for File/Folder and Registry Blocking. |
| mfeavfk.sys |
A file system filter content driver used for Anti-Virus scanning and maintaining a file cache. |
| mfebopk.sys |
A Buffer Overflow Protection content driver. (N/A for x64) |
| mfeclnk.sys |
Used during rootkit removal. |
| mfeelamk.sys |
The Early Launch Anti-Malware (ELAM) driver. This component is used in conjunction with the Microsoft ELAM framework to verify that boot start drivers do not contain malware. Available for Windows 8 and later (Windows kernel version 6.2 and later). |
| mfehidk.sys |
The Host Intrusion Detection Link Driver. Facilitates I/O events for relevant content drivers. |
| mferkdet.sys |
Used during On Demand Scan functionality to scan for rootkits. |
| Mfetdik2.sys |
The TDI filter driver. Access Protection uses this driver for Port Blocking and IP Source identification on Windows operating systems released prior to Windows Vista Service Pack 1. |
Mfewfpk.sys /
Mfefirek.sys |
The Windows Filtering Platform driver. Access Protection uses this driver for Port Blocking and IP Source identification on Windows Vista Service Pack 1 and later. |
The following procedure describes the sequence in which the main components load:
- The computer starts (drivers and services load):
- If the operating system is Windows 8 (or later), the mfeelamk.sys driver is loaded by the Microsoft ELAM framework.
- The mfehidk.sys driver loads.
- The mfetdik.sys/mfewfpk.sys driver loads.
- The mfeavfk.sys driver loads.
- The Service Control Manager automatically starts the mfevtps.exe service.
- The McShield, Framework service, and VsTskMgr services load automatically. As described above, McShield is the user-mode component of the On Access Scanner. The Framework service provides updating, scheduling, and mirroring functionality, and VSTskmgr is a service used to coordinate events. For example, it sends scheduling information to CMA. It restarts McShield if a fatal timeout occurs and also protects VSE files from being modified.
- McShield loads the mfeapfk.sys driver.
- McShield loads the mfebopk.sys driver.
- FrameworkService loads NaPrdMgr to communicate with point product plugins.
- The user logs in (items in the Run key are loaded):
- UpdaterUI/UdaterUI and ShStat (VSE 8.7i) load.
- UpdaterUI/UdaterUI provides a user interface to see what CMA is doing.
- ShStat, Vshield icon showing statistics, displays OAS messages window when OAS detections occur.
- The mfeann.exe process starts.
- Other components are loaded (as required):
- McScript/McScript_In_Use runs scripted operations for MA.
- Scan32 On Demand Scanner, used when scheduled On Demand Scan tasks launch.
- McConsole displays the Console, also performs an On Demand Scan if invoked by the user through the Console.
- ShCfg32, On Access Scanner property configuration.
- ScnCfg32, On Demand Scan property configuration. This also performs an On Demand Scan if invoked by the user through this screen.
|
