Process descriptions for VirusScan Enterprise and McAfee Agent

Technical Articles ID:   KB65784
Last Modified:  4/16/2020

Environment

McAfee VirusScan Enterprise (VSE) 8.8.x
McAfee Agent (MA) 5.x

Summary

Recent updates to this article:

| Date | Update |
|---|---|
| April 16, 2020 | Fixed the MA 5.x Processes table. |
| March 10, 2020 | Minor formatting changes; no changes to content. |
| January 28, 2020 | McAfee Agent 4.x information removed. MA 4.8.x is now End of Life. |
| July 24, 2017 | Corrections to macompatsvc.exe. VSE 8.7i tables deleted because the version is End of Life. |
 
This article provides a brief description of the processes associated with VSE and MA. The sequence in which the main components load is also described below.

MA 5.x Processes
 
| Windows process | Non-Windows process | Description |
|---|---|---|
| masvc.exe | masvc | Performs functions such as property collection, policy enforcement, scheduling of tasks, agent-server communication, and triggering update sessions. |
| macmnsvc.exe | macmnsvc | Hosts multiple McAfee Agent services such as peer-to-peer server, wake-up, and RelayServer. |
| macompatsvc.exe | macompatsvc | This executable is the compatibility service for the McAfee Agent service. McAfee Agent service starts this service and communicates to the managed product plug-ins. |
| cmdagent.exe | cmdagent | A command-line program that invokes McAfee Agent. To list the switches available with this command, run: cmdagent.exe -h |
| FrmInst.exe | N/A | McAfee Agent installation program. To list the switches available with this command, run: FrmInst.exe /h |
| maconfig.exe | maconfig | A command-line program used to configure different options of McAfee Agent. To list the switches available with this command, run: maconfig -help |
| McScanCheck.exe | McScanCheck | A command-line program used by McScript_InUse.exe to perform DAT or engine updates. |
| McScript_InUse.exe | Mue_InUse | Runs scripts for updating DAT files, engines, service packs, or any other component checked in to a repository. This process loads when an update task is started. |
| UpdaterUI.exe | N/A | Provides the user interface for updates. It also controls the McAfee Agent icon in the system tray and is loaded using the Run key in the Windows registry. |
| marepomirror.exe | N/A | Performs repository mirroring according to the policy settings. |
| FramePkg.exe | N/A | McAfee Agent installer. |
| mctray.exe | N/A | System tray icon management tool. It runs under the same user session and is started by UdaterUI.exe. |
| mcupdater.exe | | Initiates the McAfee® Data Exchange Layer (DXL) client installer as part of McAfee Agent install. |


VSE 8.8 Processes
 
| Process name | Description |
|---|---|
| Mcshield.exe | The McShield on-access scanner Service. |
| Scan32.exe / Scan64.exe | The on-demand scanner Process that loads when an On Demand Scan is started. |
| Shstat.exe | Loads from the Run key in the Windows registry. For current MA versions, it integrates with McTray.exe (by loading a DLL), then exits. It is responsible for loading the following: the McAfee VirusScan (vShield) icon in the Windows notification area; the VSE About screen; on-access scanner statistics; the Messages window. |
| VsTskMgr.exe | Facilitates janitorial duties within the product. |
| mfevtps.exe | Provides trust validation for all McAfee processes. |
| mfeann.exe | Loaded by Vstskmgr.exe. It is responsible for event creation and logging. |


VSE 8.8 Drivers
 
| Process name | Description |
|---|---|
| mfeapfk.sys | The Access Protection content driver, which provides Access Protection for File/Folder and Registry Blocking. |
| mfeavfk.sys | A file system filter content driver used for antivirus scanning and maintaining a file cache. |
| mfebopk.sys | A Buffer Overflow Protection content driver. (N/A for x64) |
| mfeclnk.sys | Used during rootkit removal. |
| mfeelamk.sys | The Early Launch Anti-Malware (ELAM) driver. This component is used with the Microsoft ELAM framework to verify that boot start drivers do not contain malware. Available for Windows 8 and later (Windows kernel version 6.2 and later). |
| mfehidk.sys | The Host Intrusion Detection Link Driver. Facilitates I/O events for relevant content drivers. |
| mferkdet.sys | Used during On Demand Scan functionality to scan for rootkits. |
| Mfetdik2.sys | The TDI filter driver. Access Protection uses this driver for Port Blocking and IP Source identification on Windows operating systems. |
| Mfewfpk.sys / Mfefirek.sys | The Windows Filtering Platform driver. Access Protection uses this driver for Port Blocking and IP Source identification on Windows Vista Service Pack 1 and later. |

The following procedure describes the sequence in which the main components load:
  1. The computer starts (drivers and services load):
    • If the operating system is Windows 8 (or later), the mfeelamk.sys driver is loaded using the Microsoft ELAM framework.
    • The mfehidk.sys driver loads.
    • The mfetdik.sys/mfewfpk.sys driver loads.
    • The mfeavfk.sys driver loads.
    • The Service Control Manager automatically starts the mfevtps.exe service.
    • The McShield, Framework, and VsTskMgr services load automatically. As described above, McShield is the user-mode component of the On Access Scanner. The Framework service provides updating, scheduling, and mirroring functionality. VsTskMgr is a service used to coordinate events; for example, it sends scheduling information to CMA. It also restarts McShield if a fatal timeout occurs and protects VSE files from being modified.
    • The McShield service loads the mfeapfk.sys driver.
    • The McShield service loads the mfebopk.sys driver.
    • The FrameworkService loads NaPrdMgr to communicate with managed product plug-ins.
       
  2. The user logs in (items in the Run key are loaded):
    • The UpdaterUI/UdaterUI and ShStat (VSE 8.7i) load.
    • The UpdaterUI/UdaterUI provides a user interface to see what CMA is doing.
    • ShStat, the vShield icon that shows statistics, displays the OAS messages window when OAS detections occur.
    • The mfeann.exe process starts.
       
  3. Other components are loaded (as needed):
    • McScript/McScript_In_Use runs scripted operations for MA.
    • Scan32, the on-demand scanner, is used when scheduled On Demand Scan tasks run.
    • McConsole displays the Console. It also performs an On Demand Scan if invoked by the user through the Console.
    • ShCfg32 provides On Access Scanner property configuration.
    • ScnCfg32 provides On Demand Scan property configuration. It also performs an On Demand Scan if invoked by the user through this screen.
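
A health check built from the load sequence above, as an added example (not McAfee code): it compares the drivers and processes present on a host with the components this article lists, including the Windows 8, x64, and TDI/WFP conditions. It assumes the drivers are registered as driver services visible to Win32_SystemDriver and that Windows unloads the ELAM driver after boot; the function name Test-VseLoadState is hypothetical.

```powershell
# Added example, not McAfee code. Component names come from the tables in this article.
function Test-VseLoadState {
    param(
        [object[]]$Drivers,        # objects exposing PathName and State
        [string[]]$ProcessNames,   # running process names without .exe
        [version]$OsVersion,
        [bool]$Is64Bit
    )
    # Index driver state by file name (last path segment, lower-cased).
    $state = @{}
    foreach ($d in $Drivers) {
        if ($d.PathName -match '([^\\/"]+\.sys)"?\s*$') { $state[$Matches[1].ToLower()] = $d.State }
    }
    $running = { param($n) $state[$n] -eq 'Running' }
    $findings = New-Object System.Collections.Generic.List[string]

    # ELAM applies to Windows 8 (kernel 6.2) and later. Assumption: Windows unloads
    # ELAM drivers once boot completes, so only registration is checked, not State.
    if ($OsVersion -ge [version]'6.2' -and -not $state.ContainsKey('mfeelamk.sys')) {
        $findings.Add('mfeelamk.sys not registered')
    }
    foreach ($n in 'mfehidk.sys', 'mfeavfk.sys', 'mfeapfk.sys') {
        if (-not (& $running $n)) { $findings.Add("$n not running") }
    }
    # Port Blocking uses either the TDI driver or the WFP driver; one is enough.
    if (-not ('mfetdik.sys', 'mfewfpk.sys', 'mfefirek.sys' | Where-Object { & $running $_ })) {
        $findings.Add('no TDI/WFP filter driver running')
    }
    # The Buffer Overflow Protection driver is N/A on x64.
    if (-not $Is64Bit -and -not (& $running 'mfebopk.sys')) { $findings.Add('mfebopk.sys not running') }

    foreach ($p in 'mfevtps', 'mcshield', 'vstskmgr', 'masvc', 'macmnsvc', 'macompatsvc') {
        if ($ProcessNames -notcontains $p) { $findings.Add("$p.exe not running") }
    }
    return $findings
}

# Live check on the local host.
$findings = Test-VseLoadState `
    -Drivers (Get-CimInstance Win32_SystemDriver) `
    -ProcessNames ((Get-Process).ProcessName) `
    -OsVersion ([Environment]::OSVersion.Version) `
    -Is64Bit ([Environment]::Is64BitOperatingSystem)
if ($findings) { $findings | ForEach-Object { Write-Warning $_ } } else { 'All expected components present.' }
```

A finding on a managed endpoint is a prompt to review whether the component was disabled by policy or stopped unexpectedly; the script only reports and changes nothing.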
