KB85136—Product Management Statement for On-Access Scan configuration in VSE 8.8
Why do the posted dates for patches change?
McAfee posts the best estimate for a release date in the relevant Knowledge Base articles. The dates are subject to change if McAfee increases the scope of the patch release to deliver more fixes to customer-reported issues. Also, issues might be discovered during the extensive internal certification cycle. This certification process includes standard test procedures, lab testing, production rollouts, and limited customer deployments. When the scope of the patch release changes, McAfee does its best to update the website with the new dates.
Why are Extra.DAT files sent to suppress detections not shown in About VirusScan Enterprise?
Extra.DAT files that are sent to suppress detections do not appear in the About window because they are only intended to correct a false positive.
NOTE: Extra.DAT files that are sent to add signatures to the regular DAT file to detect particular threats do appear in the About window.
Does VSE support the Windows 10 Unified Write Filter (UWF) feature?
No.
Does VSE support Microsoft Office 2013?
Full support for Microsoft Office 2013 is provided with VSE 8.8 Patch 4 and later. To download patches, see the Related Information section below.
Can I install VSE on a tablet that has Windows 8 installed?
Yes. But, the VSE on-access scanner can be resource-intensive for tablet hardware.
NOTE: The only version of Windows 8 not supported is Windows 8 RT.
What makes VSE a 64-bit product?
VSE installs both 32-bit and 64-bit binaries on x64 systems. The 64-bit product binaries are installed to an x64 subfolder from the installation path. Other binaries, such as drivers, are installed to their appropriate places in the Windows file system. The product installation does not adhere to the guidelines of installing 64-bit files to the program files folder. Nevertheless, the product supports x64 natively.
What runs in 32-bit compatibility mode on x64 systems?
Some third-party applications run as 32-bit, so VSE loads the appropriate 32-bit scanner for those programs. For example, the McAfee email scan feature and Microsoft Outlook 2007.
Can VSE be installed on a Virtual Machine (VM) in a cloud platform?
Yes. You can install VSE on a node in the cloud. The node is supported based on the NT Kernel version used by the operating system.
Why must I install the ePolicy Orchestrator Agent on laptops that rarely connect to the network?
McAfee Agent provides policy enforcement. After you install the agent and it receives your policy, which is configured on the ePO server, the policy is enforced at the policy enforcement interval you defined. Enforcement occurs whether the laptop is on the network or off the network. This enforcement ensures that your company settings for your McAfee products are in place no matter where the user is physically located.
Why is nVidia listed in the Known Issues?
Many issues with nVidia software have been reported. In these cases, an issue such as high CPU utilization from a McAfee process has been traced to a module that belongs to the nVidia video software that injects itself into our processes. It then causes a thread to "run away," a condition where a thread uses all available CPU resources. The solution to these issues is to update the nVidia software. Also, you can verify nVidia issues as described in KB52367.
Can I use VSE 8.x to block access to USB devices?
No. Blocking access to USB devices is not supported with VSE 8.x. Although it is theoretically possible to block most USB devices using VSE Access Protection rules, there are too many potential issues for this ability to be supported. To efficiently block USB devices, use McAfee Data Loss Prevention. For a basic solution, see Microsoft Knowledge Base article 823732 at http://support.microsoft.com/kb/823732.
Why is Windows Defender removed automatically when I install VSE?
With the release of Windows 8 or Windows Server 2012 operating systems and later, VSE no longer requires Windows Defender be uninstalled. VSE 8.8 Patch 3 and later support Window 8 and Windows Server 2012.
Can I install two different antivirus products on a single system?
No. Having two on-access scanners can lead to several problems. The most common is a performance issue because two on-access scanners are scanning the same file. For a list of products that you can remove if you have VSE 8.8 installed, see KB72251.
Why must I upgrade to VSE 8.8?
McAfee recommends that you upgrade to the most recent version of VSE to take advantage of new features and enhancements to existing functionality.
NOTES:
To see new and improved features in VSE 8.8, click, see the product documentation at https://docs.mcafee.com/.
How do I download VSE 8.8?
For details about downloading McAfee products, security updates, patches, or hotfixes, see the Related Information section below.
How do I install VSE locally or with third-party solutions?
Extract the installation files from the .zip to a temporary folder, run SetupVSE.exe, and then complete the installation wizard. See the video below to learn how to install VSE as a standalone installation in unmanaged environments:
NOTE: The SetupVSE.exe file supports many of the MSI command-line options and product-specific options. For a complete list of options, see VirusScan Enterprise 8.8 Installation Guide.
How do I install VSE using ePolicy Orchestrator?
Add the installation package to your repository, and then create or modify a Deployment Task. For instructions, see the ePolicy Orchestrator Product Guide for your version.
NOTE: The Deployment Task also allows you to specify command-line options. This ability allows you to make simple changes to the installation, such as not installing a particular feature. For a complete list of options, see VirusScan Enterprise 8.8 Installation Guide.
Do I need to preinstall McAfee Agent if ePO does not manage VSE?
No. You do not need to preinstall the McAfee Agent before installing VSE. McAfee Agent has two modes of operation, Agent and Updater. The Updater is a subset of the Agent. If no Agent is present when you install VSE, it automatically installs an Updater.
Does VSE require that you enable the C$ share to successfully deploy from ePolicy Orchestrator?
No. McAfee Agent takes care of all files that need to be downloaded. Windows file sharing is not used during the deployment process.
Why does the product install to the Program Files (x86)folder?
VSE installs both 32-bit and 64-bit binaries on x64 systems. The 64-bit product binaries are installed to a "x64" subfolder from the installation path. Other binaries, such as drivers, are installed to their appropriate places in the Windows file system. The product installation does not adhere to the guidelines of installing 64-bit files to \program files. Nevertheless, the product supports x64 natively.
What products are removed when you install VSE 8.x?
See KB72251 for a list of products that are removed when VSE 8.x is installed.
Why does the VSE 8.8 About window not show that antispyware is installed?
From VSE 8.8, the AntiSpyware Enterprise module is no longer separate from VSE. It is fully integrated into the product. You can enable or disable antispyware features using the standard methods. You can enable and disable locally, through the VSE console, or through ePolicy Orchestrator policies.
Why are there no DAT files in the installation package?
VSE no longer ships with DAT or signature files included, so upgrade deployments have smaller deployment packages. The DATs of the earlier version are used when the newer version installs.
How does the DAT update affect the new cache?
As a rule, antivirus clean file scan cache information is purged when a signature update occurs. This action allows files to be rescanned using the new signatures. VSE 8.8 behaves the same way, but it purges only data that is unsafe to keep in the cache. In other words, the system might still benefit from the cache after a DAT update occurs.
Why do Extra.DAT files sent to suppress detections not appear in About VirusScan Enterprise?
The Extra.DAT files that are sent to suppress detections do not appear in the About window because they are only intended to correct a false positive. NOTE: The Extra.DAT files that are sent to add signatures to the regular DAT file, which detect particular threats, do appear in the About window.
Do I need to restart after I install a VSE patch?
No. Patch installations never force a restart. Even when a restart is needed, the installer suppresses it to minimize inconvenience. The product functions as expected without the reboot. But, to make sure that older drivers are removed from memory and to have a clean computing environment, McAfee recommends that you restart patched systems at your earliest convenience.
What happens if a restart does not occur after installation?
A restart is not needed to begin using VSE functionality. But, McAfee recommends that you restart the system to ensure a cleaner Windows environment.
The following features do not work until a restart occurs:
Network Drive Scanning feature.
If scanning Distributed File System (DFS) shares is hosted on remote systems, a reboot is needed to fully enable that configuration.
What are the Trusted Installers?
In VSE 8.8, the on-access scanner allows you to configure whether to scan Trusted Installers. When not selected (trust the Trusted Installers), the following applies:
Any MSI product that installs by the Msiexec.exe process, is signed by McAfee or Microsoft, and does not include a merge template as part of the command line, is whitelisted.
I/O by a Vista and newer TrustedInstaller.exe process that is signed by Microsoft and running under the well-known TrustedInstaller service account SID, is whitelisted.
I/O on any version of Windows from Update.exe that is appropriately signed by Microsoft, is whitelisted.
How do you remove the product?
You can remove VSE through Programs and Features or Apps and features,depending on your version of Windows. But, if this method fails, you can manually remove the product using msiexec.exe as explained in KB52648.
How do I stop McAfee services?
VSE uses a self-protection mechanism to prevent even administrators from stopping the services. It is controlled through the Access Protection properties, Prevent McAfee Services From Being Stopped option. If you disable this option, you can stop the McAfee services through the usual methods.
What are the best practices on how to configure the on-demand scanner?
To configure on-demand scan file scan threads for best performance, see VirusScan Enterprise 8.8 Best Practices Guide.
Why is McShield using CPU during an on-demand scan?
One improvement for memory reduction is for the on-demand scanner (scan32.exe or scan64.exe) to use the instance of the DAT files and Engine already loaded in memory by the on-access scanner. As a result, when an on-demand scan starts, you see it using the McShield.exe process. It does not mean that the on-demand scanner (ODS) and on-access scanner (OAS) are scanning the same file.
Does the on-access scanner (OAS) scan items that are being scanned by the on-demand scanner?
No. The VSE OAS scans every file access on Read or Write cycles when a file is accessed by another process. But, when the ODS Scan32.exe scans files, it does not trigger further scanning by the OAS because there is an established trust between OAS and ODS. So, when ODS is scanning files, an exclusion is automatically applied to the files being scanned by ODS scan32.exe. If another process tries to access these files, OAS scans the activity as expected.
How does an incremental on-demand scan work?
Incremental scanning occurs only under the following circumstances:
If an ODS is unable to complete within the time specified. A time limit is not assigned to an ODS task by default.
If an ODS is interrupted because of a shutdown notification.
An ODS knows when to resume a scan under either of the above circumstances. VSE initiates an incremental scan starting with the last file that was scanned.
To determine which files were last scanned, see KB78969.
Example:
The ODS task starts at the Start time that is configured.
The scan stops when it reaches the allotted time, configured under Stop the task, if it runs for and records the last file that it successfully scanned.
When the schedule for this ODS task repeats, the task continues from where it was interrupted previously.
How do I limit CPU and memory usage of McShield.exe?
For configuring performance improvements, see VirusScan Enterprise 8.8 Best Practices Guide.
How do I configure VSE 8.8 cache persistence?
For cache persistence best practices, see KB71905.
How do I investigate performance issues?
There are several approaches you can use to investigate performance issues. For information about tools to help you investigate performance issues, see KB72766.
IMPORTANT:Work with Technical Support if your performance issues have not been addressed after following these steps.
Why is Access Protection/Buffer Overflow Protection still enabled after I disable the on-access scanner?
One of the architectural changes in VSE 8.8 separates Access Protection (AP)/Buffer Overflow Protection (BOP) from the status of the OAS. In earlier versions of VSE, all three would be disabled if you disabled the OAS. This separation allows for Zero Day Protection features (AP and BOP) to remain enabled if the real-time scanner fails.
Can I change the Account used by the McAfee McShield service?
Although you can change the account, the product development team recommends that you do not change it. By default, the McShield service runs as the System Account, which ensures that it has access to any local resources and for any remote scanning. If Network Drive Scanning is enabled, the process impersonates the requestor. You cannot elevate any other account to the same permissions as a local System Account. Using any other account incurs the risk of not having access to some part of the registry, files, or other items, to perform a successful clean operation.
Are exclusions needed for Hyper-V systems on a computer that is running Windows Server?
Yes. Microsoft has a list of recommended exclusions that are outlined in KB78364.
NOTE: VSE exclusion is one of the most important features to understand and implement. See KB66909 for information that a user might want to know before deploying VSE to their production environment, including:
Understanding VSE Exclusions
Understanding High-Risk, Low-Risk, and Default processes configuration and usage
Understanding Exclusions in Low-Risk processes
Why some processes must be added to Low-Risk exclusions
How to use wildcards when creating exclusions in VSE
How to create Low-Risk and High-Risk process exclusions in VSE
How to use the EICAR antimalware test file with McAfee products
How does Access Protection (AP) work?
AP is a behavior-blocking feature, also known as Zero Day Protection, with the capability to block ports, files or folders, and the Windows Registry. Each of these features has an associated kernel-level driver to filter the respective activity, and compares actions against a list of rules. Any action found to be in breach of a rule is acted on. The action taken in response depends on what has been configured for the appropriate rule.
The product development team provides several helpful standard rules. The rules that we believe to be essential are enabled by default. You can define your own rules as needed.
Can fully qualified pathnames and wildcards be used in Access Protection exclusions and inclusions (rules 'Processes to include' and 'Processes to exclude')?
You can use process names with or without fully qualified pathnames, and with or without wildcards in the fully qualified pathname or process name. For example, the following are acceptable:
How does Buffer Overflow Protection (BOP) work?
BOP monitors processes and Application Program Interfaces (APIs). It checks for code execution from a buffer overflow or buffer overrun. BOP does not stop the overrun from occurring, but does stop code execution that occurs from that overrun. This code execution from an overrun is a common exploit method that malware uses against vulnerable applications to gain access to data or the system, or to further propagate itself. See KB58007 for a list of processes protected by BOP.
Protection is accomplished by having kernel-level hooks, also known as "kernel patching" of various system tables, detour code execution through our tests for safety, before returning to their previously scheduled programming. This feature is not supported on 64-bit platforms because its kernel can't be patched. This BOP feature can be made redundant if Data Execution Prevention (DEP) is in place.
NOTES:
In VSE 8.8 Patch 4 and later, the processing for detecting and enforcing buffer overflow protection is deferred to the Data Execution Prevention (DEP) technology available in hardware that supports it. DEP is enabled for the processes that VSE monitors. Any violations are reported as usual, but the details of the report beyond Process name are of little value because defining module or API exclusions with 8.8 Patch 4 or later has no effect.
With 8.8 Patch 4 and later, the BOP feature uses DEP to perform evaluation and enforcement. DEP is a hardware enforcement method for buffer overflow protection, and is faster at deciding the distinction for code executing safely or not.
How does the on-access scanner (OAS) work?
A file system filter driver monitors all file activity and determines, based on configuration, whether a file object that is being accessed requires scanning. If so, the OAS service (McShield.exe) processes the file object further to determine whether exclusions are applicable. If they are not, the OAS service performs a scan and reports the results back to the filter driver. McShield.exe loads the McAfee Engine and DAT files into memory to facilitate scanning and actions taken on infected files.
What happens to file attributes when VSE accesses files for scanning using the on-access scanner and on-demand scanner (ODS)?
OAS or ODS access to files does not change any file attributes when scanning files. File attributes are changed only when OAS or ODS detects a virus and removes the malware from a file.
How does VSE OAS or ODS handle archive file scanning?
VSE scans each file in an archive. But, because there is no function for repacking the archive, it is opened each time a file in the archive is scanned. Because archives can't be repacked, no actions can be taken on individual files within them. So, if an infected file is detected within an archive, the entire archive is treated as an infected file.
IMPORTANT: If you choose not to delete (partially) infected archive files, extracted copies of infected files contained in an archive is cleaned or deleted on extraction.
Why are files with a .CSV extension included in the default list of file types scanned by the VSE on-access scanner?
Though these files contain only passive text data, the product includes detection for files with a .CSV extension. The reason is because malicious binary data can be included in such files to exploit potential Buffer Overflows in the program that processes the data.
Does the on-access scanner have Rootkit detection abilities?
No. Rootkit detection is available only using the VSE on-demand scanner. For additional information about Rootkits, see https://blogs.mcafee.com/category/mcafee-labs/
When running an on-demand scan, does VSE include a pause function when the CPU utilization spikes?
No. Because of its design, it does not need to. For a detailed explanation and assistance when running an on-demand scan, see the following articles:
For understanding the VSE on-demand scan system resource utilization, see KB55145.
For Best Practices for on-demand scans in VSE 8.8, see KB74059.
How does the on-demand scanner work?
On-Demand Scanning has been improved by moving from single-threaded scanning to multi-threaded scanning. This move allows VSE 8.8 to complete scan tasks in a much shorter time. The file system is walked and file names are added to a scanning pool, from which an available scanning thread is retrieved and acted on. If a file is modified or written to disk after the scan had progressed past that part of the file system, it will not be scanned until next time the ODS is run. Multi-threaded scanning applies to the file system only. Available scanning threads might come from the McShield.exe process; so, you see McShield.exe as active when ODS runs instead of the expected Scan32 or Scan64 process. But, the configured settings for the ODS are still in effect for those threads. To force ODS to scan files rather than rely on McShield, the McShield service must first be stopped before you start the ODS.
How does the ODS behave during a scan when a DAT update occurs?
When either the DAT or Engine is being updated, the scan pauses for a brief period, reloads the new Engine and DAT, and resumes scanning. If McShield.exe is terminated during the update, ODS also terminates because it is wholly reliant on McShield to perform the scan. The only exception is if the ODS had started while McShield was in a stopped state.
What happens if you schedule an ODS and log off?
Tasks that are scheduled to run invoke with System Account privilege, or using the credentials specified when creating the task. The McAfee Framework service, FrameworkService.exe, handles the start of the task. As a service, this process runs continually, even when nobody is logged on to the system - thus it can invoke tasks at their appointed times.
Why does right-clicking ODS (Scan for threats...) not scan all selected files?
Right-click scan functionality is limited to 1,000 items. If you select more than 1,000 items to be scanned by a right-click ODS scan, all items over the 1,000 limit are skipped. To scan more than 1,000 files using a right-click scan, select the top-level folder that contains the files you want to scan.
What authentication is used between manual and scheduled scan tasks?
VSE allows manual and scheduled tasks to be run. When such tasks have been configured without explicitly supplying specific credentials, VSE uses the following accounts:
NT Authority / System account (for scheduled tasks, when no user is logged on)
Logged on user account (for manual tasks)
What are the differences between 'Scan all local drives' versus 'Scan all fixed drives' options?
The Scan all local drives option scans all drives connected to your computer. The drives include hard drives, CDs, and other removable media. The Scan all fixed drives option scans non-removable media only.
NOTES:
The Windows operating system establishes which drives are local, mapped, fixed, or removable.
iSCSI drives are detected as local to Windows, even when they are not.
Some USB connected drives are detected as local fixed drives because of manufacturer tagging.
Why does performance drop when the on-demand scan runs?
When the on-demand scan is configured to run at a below normal or low thread priority, and if the performance of the system is affected, the locking up the scanner is the result of either:
Archive scanning
Or
Corrupted file
How does the on-demand scanner throttle mechanism work?
You can set an on-demand scan to run at a certain priority that corresponds to thread priority. Windows is a multi-tasking operating system, which is accomplished by giving processes, or their threads, a small amount of CPU time in which to perform their tasks. Windows uses a scheduling algorithm to determine which thread is given CPU time. For the on-demand scan threads, you can influence the priority for which it is given CPU time using the "System utilization" setting on the Performance tab when creating the on-demand scan task.
NOTE:This mechanism does not apply to scanning archive files. If your scan task is set to include Archive files, there might be noticeable periods of time where CPU time is used largely by the on-demand scan.
Can the ScriptScan feature exclude scripts by site?
Yes. It excludes the scripts by white listing URLs.
NOTES:
If using ScriptScan causes a significant negative performance impact, you can disable it locally using the VSE Console or in managed solutions using policies in ePolicy Orchestrator.
There is a significant security risk in disabling ScriptScan. Applications such as Outlook and Internet Explorer can render and execute scripts before a file has been created on the local system. This action allows them to execute before the on-access scanner can prevent it. The on-access scanner can stop the payload of attacks using this medium, but ScriptScan has the added advantage of preventing an actual threat from executing in the first place.
How does the shared cache work?
The clean file scan cache is a list that tracks the results of files that have been scanned and were found to be clean. The list is stored in non-page pool memory and used by the McAfee file system filter driver. Files in the cache are not scanned. Files are added to the cache after they have been scanned and were found to be clean. Files are rescanned if they are no longer in the cache or have been modified since last scanned. The scan cache size can grow to a maximum of 12 MB.
How does the persistent cache work?
The clean file scan cache can be saved on shutdown, and is enabled by default, using the setting Enable saving scan data across reboots. The system then benefits from the cached information at startup. The data is written to the system registry Hive, which allows the McAfee file system filter driver to read this information early in the boot process.
How does the VSE on-access scanner handle Client-side Caching interactions? Is the file local or remote?
Microsoft offline files and folders technology, or client-side caching, allows for files that are hosted on a remote resource to be locally accessible by a device when that device is not connected to the network. This function is called client-side caching because Windows creates a local copy of the file within a protected folder. From there, the device content is read and modified when needed. When the device is again connected to the network, and the remote file is accessible, changes are synchronized to update both copies.
The file being cached in this manner is always considered a remote file. Even when the device is disconnected from the network, the user or programs accessing the file use the same remote location. Windows takes care of the needed redirection that provides access to the cached, local copy.
Because the file is always considered remote, for the OAS to scan these files, the Network Drive Scanning feature must be enabled. Similarly, for the On Demand Scanner to scan the offline files, it must be provided the original, remote location.
NOTE: Enabling the Network Drive Scanning feature is not recommended for most environments, because the scanning of remote objects can lead to slower performance and an increase in scanner time-outs.
What is a runtime DAT?
The runtime DAT determines how DAT files are loaded into memory and are maintained on disk. The runtime DAT file (MFERunTime.DAT) is created by the Scanning Engine when it initializes. The MFERunTime.DAT file contains signature information taken from the regular DAT files obtained from the McAfee update site. By stripping out many similar signatures during the DAT loading process and placing them in a separate file, the Scan Engine can employ a more efficient search algorithm. Testing shows a scanning performance improvement of at least 20% on Windows systems. The use of this file also allows faster Scanning Engine initialization times.
NOTES:
Benefits of the runtime DAT provide significant memory usage and scanning performance improvements and deal with issues such as:
High memory use of scanner processes
Scanner processes taking a long time to start or initialize
The MFERunTime.DAT file can't be removed. This file is purposely placed in the same location as the other DAT files.
The MFERunTime.DAT is secure. The file contains validation mechanisms to allow corruption and deliberate changes of the file to be detected.
The McShield service runs as System, so why does the product development team recommend not to change this permission?
The product development team recommends that you do not change this setting. By default, the McShield service runs as System to make sure that it has access to any local resources and to allow remote scanning. If you enable Network Drive Scanning, the process impersonates the requestor. But, if another account is needed, the account used to run McShield must include the permission to act as part of the operating system (the Local System account already includes this permission). The system account allows a process to impersonate any user without authentication. The process can thus gain access to the same local resources as that user. You can configure the Windows Security Policy Settings by adding the account that you are trying to use to the following location: Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment.
Why are performance counters not included with VSE 8.8?
For VSE 8.8 installations, use the McAfee Profiler instead. Profiler captures top processes and files accessed by the VSE on-access scanner. Based on the data collected, an administrator can choose files or processes to exclude from scanning to lessen the impact on the system.
Can VSE detect a virus that is encrypted by an encrypted file system (EFS)?
Yes, if the user who encrypted the file or folder starts the scan. Otherwise, VSE can't scan inside encrypted files or packages, and neither can any antivirus scanner. The VSE logs show the following when an EFS is encountered: Not scanned (The file is encrypted). Detection takes place only when the file has been decrypted or opened.
NOTE: You need a valid Grant Number for access. KB56057 provides additional information about the Product Downloads site, and alternate locations for some products.
