Recent updates to this article:
To receive email notification when this article is updated, click Subscribe on the right side of the page. You must be logged on to subscribe.
| Date |
Update |
| April 16, 2020 |
Fixed the MA 5.x Processes table. |
| March 10, 2020 |
Minor formatting changes; no changes to content. |
| January 28, 2020 |
McAfee Agent 4.x information removed. MA 4.8.x is now End of Life. |
| July 24, 2017 |
Corrections to macompatsvc.exe. VSE 8.7i tables deleted because the version is End of Life. |
This article provides a brief description of the processes associated with VSE and MA. The sequence in which the main components load is also described below.
MA 5.x Processes
| Windows process |
Non-Windows process |
Description |
| masvc.exe |
masvc |
Performs functions such as property collection, policy enforcement, scheduling of tasks, agent-server communication, and trigger update session. |
| macmnsvc.exe |
macmnsvc |
Hosts multiple McAfee Agent services such as peer-to-peer server, wake-up, and RelayServer. |
| macompatsvc.exe |
macompatsvc |
This executable is the compatibility service for the McAfee Agent service. McAfee Agent service starts this service and communicates to the managed product plug-ins. |
| cmdagent.exe |
cmdagent |
A command-line program that invokes McAfee Agent. To know more about switches available with this command, use:
cmdagent.exe -h |
| FrmInst.exe |
N/A |
McAfee Agent installation program. To know more about switches available with this command, use:
FrmInst.exe /h |
| maconfig.exe |
maconfig |
A command-line program used to configure different options of McAfee Agent. To know more about switches available with this command, use:
maconfig –help |
| McScanCheck.exe |
McScanCheck |
A command-line program used by McScript_InUse.exe to perform DAT or engine updates. |
| McScript_InUse.exe |
Mue_InUse |
Runs scripts for updating DAT files, engines, service packs, or any other component checked in to a repository. This process loads when update task is started. |
| UpdaterUI.exe |
N/A |
Provides user interface for updates. It also controls the McAfee Agent icon in the system tray and is loaded using the Run key in the Windows registry. |
| marepomirror.exe |
N/A |
Performs repository mirroring according to the policy settings. |
| FramePkg.exe |
N/A |
McAfee Agent installer. |
| mctray.exe |
N/A |
System tray icon management tool. It runs under the same user session and is started by UdaterUI.exe. |
| mcupdater.exe |
|
Initiates the McAfee® Data Exchange Layer (DXL) client installer as part of McAfee Agent install. |
VSE 8.8 Processes
| Process name |
Description |
| Mcshield.exe |
The McShield on-access scanner Service. |
Scan32.exe /
Scan64.exe |
The on-demand scanner Process that loads when an On Demand Scan is started. |
| Shstat.exe |
Loads from the Run key in the Windows registry. For current MA versions, it integrates with McTray.exe (by loading a DLL), then exits. It is responsible for loading the following:
- McAfee VirusScan (vShield) +icon in the Windows notification area.
- VSE About screen
- On-access scanner statistics
- Messages window.
|
| VsTskMgr.exe |
Facilitates janitorial duties within the product. |
| mfevtps.exe |
Provides trust validation for all McAfee processes. |
| mfeann.exe |
Loaded by Vstskmgr.exe. It is responsible for event creation and logging. |
VSE 8.8 Drivers
| Process name |
Description |
| mfeapfk.sys |
The Access Protection content driver, which provides Access Protection for File/Folder and Registry Blocking. |
| mfeavfk.sys |
A file system filter content driver used for antivirus scanning and maintaining a file cache. |
| mfebopk.sys |
A Buffer Overflow Protection content driver. (N/A for x64) |
| mfeclnk.sys |
Used during rootkit removal. |
| mfeelamk.sys |
The Early Launch Anti-Malware (ELAM) driver. This component is used with the Microsoft ELAM framework to verify that boot start drivers do not contain malware. Available for Windows 8 and later (Windows kernel version 6.2 and later). |
| mfehidk.sys |
The Host Intrusion Detection Link Driver. Facilitates I/O events for relevant content drivers. |
| mferkdet.sys |
Used during On Demand Scan functionality to scan for rootkits. |
| Mfetdik2.sys |
The TDI filter driver. Access Protection uses this driver for Port Blocking and IP Source identification on Windows operating systems. |
Mfewfpk.sys /
Mfefirek.sys |
The Windows Filtering Platform driver. Access Protection uses this driver for Port Blocking and IP Source identification on Windows Vista Service Pack 1 and later. |
The following procedure describes the sequence in which the main components load:
- The computer starts (drivers and services load):
- If the operating system is Windows 8 (or later), the mfeelamk.sys driver is loaded using the Microsoft ELAM framework.
- The mfehidk.sys driver loads.
- The mfetdik.sys/mfewfpk.sys driver loads.
- The mfeavfk.sys driver loads.
- The Service Control Manager automatically starts the mfevtps.exe service.
- The McShield, Framework service, and VsTskMgr services load automatically. As described above, McShield is the user-mode component of the On Access Scanner. The Framework service provides updating, scheduling, and mirroring functionality, and VSTskmgr is a service used to coordinate events. For example, it sends scheduling information to CMA. It restarts McShield if a fatal timeout occurs and also protects VSE files from being modified.
- The McShield service loads the mfeapfk.sys driver.
- The McShield service loads the mfebopk.sys driver.
- The FrameworkService loads NaPrdMgr to communicate with managed product plug-ins.
- The user logs in (items in the Run key are loaded):
- The UpdaterUI/UdaterUI and ShStat (VSE 8.7i) load.
- The UpdaterUI/UdaterUI provides a user interface to see what CMA is doing.
- The ShStat, vShield icon showing statistics, displays OAS messages window when OAS detections occur.
- The mfeann.exe process starts.
- Other components are loaded (as needed):
- The McScript/McScript_In_Use runs scripted operations for MA.
- The Scan32 on-demand scanner, used when scheduled On Demand Scan tasks run.
- The McConsole displays the Console, also performs an On Demand Scan if invoked by the user through the Console.
- The ShCfg32, On Access Scanner property configuration.
- The ScnCfg32, On Demand Scan property configuration. It also performs an On Demand Scan if invoked by the user through this screen.
