This article explains why some software processes must be added to the VSE Low-Risk list with a Read or Write exclusion. It also offers general guidance on potential conflicts between VSE 8.x and third-party application software. The article is not specific to any particular non-McAfee application.
Some application processes are known to generate high Input/Output (I/O) when running. These processes also compete with VSE scanning activities. Generic examples of such programs are Backup applications and Encryption software. The same can apply for custom applications that have been designed internally or by third-party software vendors.
Issues might occur if an application is running high I/O, which usually involves many file read/write events or registry queries per millisecond. Since VSE processes the I/O, the third-party software or custom application can experience performance issues or errors. The issue occurs in many scenarios such as the following examples:
- Third-party software is interested in the same I/O that VSE is trying to scan or the opposite way.
Example: A backup application reads from location A and writes to location B. In this case, VSE scans the file being read (Scan on Read). VSE also scans the file that the backup application writes or modifies (Scan on Write). Some applications might even cause sharing violations to occur, when one application prevents the other from getting access, leading to other symptoms.
- Third-party software generates thousands of registry or file events per second to perform an operation. In this case, VSE processes each of the events, adding about a millisecond of overhead per event. It is fast, but multiplied by thousands, and equates to visible user impact. The reason is not because VSE is taking too long, but because the application makes so many requests per second.
- Third-party software has low tolerance for timeouts or delays. In other words, the third-party software has critical time-based dependencies where actions are assumed to be completed within a time frame. If not completed, the application exhibits unexpected behavior. You see this scenario if the software has not been well stress-tested with antivirus software or other filtering software. Or, you see it if the software relies heavily on asynchronous operations which are assumed to have been completed.
- There are system hardware specifications, operating systems, and installed programs that can also affect if the I/O overhead becomes noticeable. Microsoft Process Monitor is useful for investigating and analyzing the amount of I/O generated by a third party and VSE (see KB72766). Usually, issues that arise from these types of issues can be resolved by adding the necessary file, folder, or Low-Risk processes exclusions.
