Recent updates to this article:
To receive email notification when this article is updated, click Subscribe on the right side of the page. You must be logged on to subscribe.
| Date |
Update |
| March 10, 2020 |
Minor formatting changes; no changes to content. |
| January 28, 2020 |
McAfee Agent 4.x information removed. MA 4.8.x is now End of Life. |
| July 24, 2017 |
Corrections to macompatsvc.exe. VSE 8.7i tables deleted because the version is End of Life. |
This article provides a brief description of the processes associated with VSE and MA. The sequence in which the main components load is also described below.
MA 5.x Processes
| Process name |
Description |
| FrmInst.exe |
The MA installation program. |
| macmnsvc.exe |
Hosts multiple MA services such as Peer-to-Peer server, Wake-up, and RelayServer. |
| masvc.exe |
Performs functions such as:
- Property collection
- Policy enforcement
- Scheduling of tasks
- Agent-server communication
- Triggers update sessions.
|
| macompatsvc.exe |
The compatibility service for the McAfee Agent service. The McAfee Agent service starts this service and communicates to the several managed product plug-ins. |
| CmdAgent.exe |
The command-line program that invokes MA. |
| maconfig.exe |
The command-line program used to configure different options of MA. |
| UpdaterUI.exe |
Provides the user interface for the updates. These processes also control the MA icon in the Windows notification area and are loaded using the Run key in the Windows registry. |
| McTray.exe |
The Windows notification area icon management tool. It runs under the same user session, and is started with UdaterUI.exe. |
| McScript.exe |
Runs scripts for the updating of DAT files, Engines, Service Packs, or any other component that is checked in to a repository. This process loads when the update task is started. |
| McScript_InUse.exe |
Enables an MA deployment task to complete without having files locked in use. |
| McScanCheck.exe |
The command-line program used by McScript_InUse.exe to perform DAT or Engine updates. |
| marepomirror.exe |
Performs repository mirroring for VSE. |
VSE 8.8 Processes
| Process name |
Description |
| Mcshield.exe |
The McShield on-access scanner Service. |
Scan32.exe /
Scan64.exe |
The on-demand scanner Process that loads when an On Demand Scan is started. |
| Shstat.exe |
Loads from the Run key in the Windows registry. For current MA versions, it integrates with McTray.exe (by loading a DLL), then exits. It is responsible for loading the following:
- McAfee VirusScan (vShield) +icon in the Windows notification area.
- VSE About screen
- On-access scanner statistics
- Messages window.
|
| VsTskMgr.exe |
Facilitates janitorial duties within the product. |
| mfevtps.exe |
Provides trust validation for all McAfee processes. |
| mfeann.exe |
Loaded by Vstskmgr.exe. It is responsible for event creation and logging. |
VSE 8.8 Drivers
| Process name |
Description |
| mfeapfk.sys |
The Access Protection content driver, which provides Access Protection for File/Folder and Registry Blocking. |
| mfeavfk.sys |
A file system filter content driver used for antivirus scanning and maintaining a file cache. |
| mfebopk.sys |
A Buffer Overflow Protection content driver. (N/A for x64) |
| mfeclnk.sys |
Used during rootkit removal. |
| mfeelamk.sys |
The Early Launch Anti-Malware (ELAM) driver. This component is used with the Microsoft ELAM framework to verify that boot start drivers do not contain malware. Available for Windows 8 and later (Windows kernel version 6.2 and later). |
| mfehidk.sys |
The Host Intrusion Detection Link Driver. Facilitates I/O events for relevant content drivers. |
| mferkdet.sys |
Used during On Demand Scan functionality to scan for rootkits. |
| Mfetdik2.sys |
The TDI filter driver. Access Protection uses this driver for Port Blocking and IP Source identification on Windows operating systems. |
Mfewfpk.sys /
Mfefirek.sys |
The Windows Filtering Platform driver. Access Protection uses this driver for Port Blocking and IP Source identification on Windows Vista Service Pack 1 and later. |
The following procedure describes the sequence in which the main components load:
- The computer starts (drivers and services load):
- If the operating system is Windows 8 (or later), the mfeelamk.sys driver is loaded using the Microsoft ELAM framework.
- The mfehidk.sys driver loads.
- The mfetdik.sys/mfewfpk.sys driver loads.
- The mfeavfk.sys driver loads.
- The Service Control Manager automatically starts the mfevtps.exe service.
- The McShield, Framework service, and VsTskMgr services load automatically. As described above, McShield is the user-mode component of the On Access Scanner. The Framework service provides updating, scheduling, and mirroring functionality, and VSTskmgr is a service used to coordinate events. For example, it sends scheduling information to CMA. It restarts McShield if a fatal timeout occurs and also protects VSE files from being modified.
- The McShield service loads the mfeapfk.sys driver.
- The McShield service loads the mfebopk.sys driver.
- The FrameworkService loads NaPrdMgr to communicate with managed product plug-ins.
- The user logs in (items in the Run key are loaded):
- The UpdaterUI/UdaterUI and ShStat (VSE 8.7i) load.
- The UpdaterUI/UdaterUI provides a user interface to see what CMA is doing.
- The ShStat, vShield icon showing statistics, displays OAS messages window when OAS detections occur.
- The mfeann.exe process starts.
- Other components are loaded (as needed):
- The McScript/McScript_In_Use runs scripted operations for MA.
- The Scan32 on-demand scanner, used when scheduled On Demand Scan tasks run.
- The McConsole displays the Console, also performs an On Demand Scan if invoked by the user through the Console.
- The ShCfg32, On Access Scanner property configuration.
- The ScnCfg32, On Demand Scan property configuration. It also performs an On Demand Scan if invoked by the user through this screen.
