FAQs for VirusScan Enterprise 8.x
Technical Articles ID:  KB71642
Last Modified:  2/10/2016


McAfee VirusScan Enterprise (VSE) 8.x

For details of VSE 8.x supported environments, see KB51111.

NOTE: VSE 8.7i reached End of Life on December 31, 2015. See KB84590 for details.


  • General: For product information covering miscellaneous topics.
  • Compatibility: Interaction between other products including operating systems, hardware, software, and McAfee Agent.
  • Installation/Upgrade: Information about installing, removing, DAT files, upgrading, or Patches. Related information on ePolicy Orchestrator and End of Life.
  • Configuration: Includes best practices, optimizing, customizing cache, using system variables, and exclusions.
  • Functionality: Product features and functions, including ScriptScan, On-Access Scanner, On-Demand Scanner, Access Protection, Buffer Overflow Protection, caching, and RunTime DAT.

NOTE: This article deals with general queries on VSE as well as version-specific questions.

When will Intel Security fix the Event 516 issue?
This particular event ID is not indicative of a product issue, but is the outcome of a self-check validation routine, warning that the point product may have been compromised. For the current status, see KB71083. For the latest information on issues discovered with the product, see KB51111.

How do I scan a server infected with Conficker?
See KB60909.

Is VSE Federal Desktop Core Configuration (FDCC) compliant?
Yes. VSE is FDCC compliant.

Has Intel Security created any white papers for VSE?
Yes. See KB75957, which covers Archives and Compressed Files, and KB85136, Product Management Statement for On-Access Scan configuration in VirusScan Enterprise 8.8.
This section will be updated as more white papers are created.

Why do the posted dates for patches change?
Intel Security posts the best estimate for a release date in the relevant articles. The dates are subject to change as Intel Security increases the scope of the patch release to deliver additional fixes to customer reported issues, and issues discovered during the extensive internal certification cycle. This certification process includes standard test procedures, lab testing, McAfee production rollouts, as well as limited customer deployments. When the scope of the patch release changes, Intel Security does its best to update the website with the new dates.

Why are ExtraDAT files sent to suppress detections not shown in About VirusScan Enterprise?
ExtraDAT files that are sent to suppress detections will not appear in the About window because they are only intended to correct a false positive.

ExtraDAT files that are sent to add signatures to the daily DAT file (to detect particular threats) will appear in the About window.

Are there any articles that help a new user get started?

What environments does VSE 8.x support?
For information on supported platforms, environments, and operating systems, see KB51111.

Does VSE support Microsoft Office 2013?
Full support for Microsoft Office 2013 is provided with VSE 8.8 Patch 4.
McAfee product software, upgrades, maintenance releases, and documentation are available from the Product Downloads site at: http://www.mcafee.com/us/downloads/downloads.aspx.

You will need a valid Grant Number for access. KB56057 provides additional information about the Product Downloads site, as well as alternate locations for some products.

Can I install VSE on a tablet that has Windows 8 installed?
Yes. However, the VSE OAS can be resource-intensive for tablet hardware.
NOTE: The only version of Windows 8 not supported is Windows 8 RT.

When will there be a 64-bit version?
VSE has been a 64-bit product since version 8.5i. Version 8.0i had 64-bit drivers, but processes ran in 32-bit compatibility mode.

What makes VSE a 64-bit product?
VirusScan installs both 32-bit and 64-bit binaries on x64 systems. The 64-bit product binaries are installed to an x64 subfolder from the installation path; other binaries such as drivers are installed to their appropriate places in the Windows file system. The product installation does not adhere to the guidelines of installing 64-bit files to the \program files folder. Nevertheless, the product supports x64 natively.

What runs in 32-bit compatibility mode on x64 systems?
Some third-party applications run as 32-bit, so VirusScan loads the appropriate 32-bit scanner for those programs. Examples include the McAfee email scan feature and Microsoft Outlook 2007.

Can VSE be installed on a VM in a cloud platform?
Yes. VirusScan Enterprise can be installed on a node in the cloud.
The node is supported on the basis of the NT Kernel version used by the operating system. For more information, see KB51111.

Why should I install the McAfee (ePO) Agent on laptops that rarely connect to the network?
The ePO Agent provides policy enforcement. After you have installed the agent and it has received the policy you configured at the ePO server, that policy is enforced at the policy enforcement interval you defined, whether the laptop is on or off the network. This helps ensure that your company settings for your McAfee products are in place no matter where the user roams.

Why is nVidia listed in the Known Issues?
Issues have been reported in the past, and still surface occasionally, where a problem with the product (usually high CPU utilization from a McAfee process) has been narrowed down to a module belonging to the nVidia video software injecting itself into our processes and then causing a thread to "run away", a condition where a thread uses all available CPU. The solution to these issues has been to update the nVidia software. Also check for nVidia issues as described in KB52367 and KB70299.

Can I use VSE 8.x to block access to USB devices?
No. Blocking access to USB devices is not supported with VSE 8.x. Although it is theoretically possible to block most USB devices using VSE Access Protection, there are too many potential issues for this to be supported. To efficiently block USB devices, use McAfee Data Loss Prevention. A basic solution can be found in the Microsoft Knowledge Base article 823732 at http://support.microsoft.com/kb/823732.

Are there any compatibility issues with VSE 8.x and the Microsoft Volume Shadow Copy Service (VSS)?
There are currently no known issues between the Microsoft VSS and VSE 8.x.
NOTE: VSS captures and copies stable images for backup on running systems, particularly servers, without unduly degrading the performance and stability of the services they provide. See: http://msdn.microsoft.com/library/aa384649(VS.85).aspx.

Why is Windows Defender removed automatically when I install VSE?
With the release of Windows 8/Windows Server 2012 operating systems and later, VSE no longer requires Windows Defender to be uninstalled. VSE 8.8 Patch 3 and later support Windows 8 and Windows Server 2012.

Can I install two different anti-virus products on a single system?
No. Having two On-Access scanners can lead to several problems. The most common is a performance issue because two On-Access scanners will scan the same file. For a list of products that you can remove if you have VSE 8.8 or 8.7i installed, see KB72251.

What exclusions are required when VSE is installed on VMware Horizon?
Exclusions are normally provided by the third-party software vendor, not the AV vendor.
Refer to the VMware article 2052489 for how to configure antivirus exclusions for VMware Horizon Mirage 3.x and 4. For details, see http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2052489.

Is VSE affected by the changes made in Windows Authenticode Signature Verification?
VSE is not affected.
NOTE: The Security bulletin for this patch is available at: https://support.microsoft.com/kb/2893294.

Why should I upgrade from VSE 8.7i to 8.8?
To see what's new and what's improved in VSE 8.8, see PD22973. To see the known issues, see KB70393.

How do I download VSE 8.8?
  • For details about downloading McAfee products, security updates, patches, or hotfixes, see KB56057.
  • A training video about how to obtain the installation files for VSE is available at TU30279.

How do I install VSE locally or with third-party solutions?
Extract the installation files from the .zip to a temporary folder, run SetupVSE.exe, and then complete the installation wizard. A training video about how to install VSE as a standalone installation in unmanaged environments is available at TU30278.

NOTE: SetupVSE.exe supports many of the MSI command line options as well as product-specific options. For a complete list of options, see PD22944.

Is a restart required after installing a VSE patch?
No. Patch installations never force a restart. Even when a restart is ideally required, this is suppressed by the installer to minimize inconvenience. The product will function as expected without the reboot. However, to ensure older drivers are removed from memory and to have a clean computing environment, Intel Security recommends that you restart patched systems at your earliest convenience.

How do I install VSE via ePO?
Add the installation package to your repository, and then create/modify a Deployment Task. Refer to the ePO 4.6 Product Guide (PD22975) or ePO 4.5 Product Guide (PD21812) for instructions.

NOTE: The Deployment Task also allows for command-line options to be specified. This allows you to make simple changes to the installation, such as not installing a particular feature. For a complete list of options, see the VSE 8.8 Installation Guide (PD22944).

Is it necessary to preinstall a McAfee Agent when VSE is not managed by ePO?
It is not necessary to preinstall the McAfee Agent prior to installing VSE. This is because the McAfee Agent has two modes of operation (Agent and Updater), where the Updater is a subset of the Agent. If no Agent is present when installing VSE, VSE will install an Updater.

Why does the product install to the Program Files (x86) folder?
VSE installs both 32-bit and 64-bit binaries on x64 systems. The 64-bit product binaries are installed to a "x64" subfolder from the installation path; other binaries, such as drivers, are installed to their appropriate places in the Windows file system. The product installation does not adhere to the guidelines of installing 64-bit files to "\program files". Nevertheless, the product supports x64 natively.

What products are removed when you install VSE 8.x?
See KB72251 for products that can be removed when VSE 8.x is installed and KB72497 for the non-removal of SaaS Endpoint Protection during a VSE 8.8 installation.

Why does the VSE 8.8 About window not show AntiSpyware is installed?
From VSE 8.8, the AntiSpyware Enterprise module is no longer separate from VSE. It has been fully integrated into the product. You can enable or disable anti-spyware features using the standard methods. You can do this locally, via the VSE console, or centrally managed through ePO. See also KB70860, which deals with VSE add-on modules that stop functioning after upgrading from VSE 8.7i to 8.8.

Why are there no DAT files in the installation package?
VSE no longer ships with DAT or signature files included. This allows upgrade deployments to have smaller deployment packages, and the DATs of the prior version will be used when the newer version installs (applicable to VSE 8.5i and later). For details about DAT-less packages and how to include DATs in the installation package, see KB68449.

How does the DAT update affect the new cache?
As a rule, anti-virus clean file scan cache information is purged when the signature update occurs to allow for files to be re-scanned using the new signatures. VSE 8.8 behaves the same way, but it will purge only data that is unsafe to keep in the cache. In other words, the system may still benefit somewhat from the cache after a DAT update has occurred.

Why do ExtraDAT files sent to suppress detections not appear in About VirusScan Enterprise?
ExtraDAT files that are sent to suppress detections do not appear in the About window because they are only intended to correct a false positive.
NOTE: ExtraDAT files that are sent to add signatures to the daily DAT file to detect particular threats do appear in the About window.

What happens if a restart does not occur after installation?
A restart is not required to begin taking advantage of VSE functionality. However, a restart is recommended to ensure a cleaner Windows environment.

What are the Trusted Installers?
From VSE 8.8, the On-Access Scanner allows you to configure whether to scan Trusted Installers. When not selected (trust the Trusted Installers), the following applies:
  • Any MSI product that is being installed by the Msiexec.exe process, is signed by Intel Security or Microsoft, and does not include a merge template as part of the command line, is whitelisted.
  • I/O by a Vista and newer TrustedInstaller.exe process that is signed by Microsoft and running under the well-known TrustedInstaller service account SID, is whitelisted.
  • I/O on any version of Windows from Update.exe that is appropriately signed by Microsoft, is whitelisted.

What does not work until restart occurs?
If you use the network drive scanning feature to scan DFS shares that are hosted on remote systems, a reboot is necessary to fully enable that configuration.

How do you remove the product?
VSE can generally be removed through Windows Add/Remove programs. However, if this fails, manually remove the product as follows:
    • VSE 8.8: see KB71179.
    • VSE 8.7i: see KB59996.
    • VSE 8.x using msiexec.exe: see KB52648.
    • AntiSpyware Enterprise 8.x: see KB58443.
    • VSE 8.5i: see KB50602. (Retained for legacy products that have failed to upgrade and need manual removal instructions.)

Is my product version supported?
For End of Life and End of Support information see Product & Technology Support Lifecycle at www.mcafee.com/us/support/support-eol.aspx and KB51111.

If I have VSE 8.7 Patch 5 (RTW), do I require the reposted (revised) VSE 8.7 Patch 5? 
No. However, you do require VSE 8.7 Patch 5 Hotfix 643440, which is available on the Product Downloads site (http://mcafee.com/us/downloads/downloads.aspx) on the Hotfix tab.

If I have the reposted VSE 8.7 Patch 5, do I require Hotfix 643440?

How do I distinguish between reposted VSE 8.7 Patch 5 and the original VSE 8.7 Patch 5 release? 
The revised patch also includes the code for VSE 8.7 Patch 5 Hotfix 643440, and it creates the appropriate registry value to indicate the presence of that hotfix. The registry value is found in HKLM\Software\McAfee\DesktopProtection and it reports 643440 to ePO via property collection. This is listed in the Fixes field for each node that has it as well as indicating Patch 5 is installed. The original VSE 8.7 Patch 5 would not report that the hotfix was present.

What is the difference between having VSE 8.7 Patch 5 (RTW) with Hotfix 643440 and installing the reposted VSE 8.7 Patch 5?

Does VSE require the C$ share to be enabled to successfully deploy from ePO?
No, McAfee Agent will take care of all files that require downloading; Windows file sharing is not used during the deployment process.

There is a lot you can do to prevent issues. Following the best practices is often key to avoiding issues.

When is a restart required?
A reboot is not required to begin taking advantage of VSE functionality. A reboot is recommended to ensure a cleaner Windows environment.

How do I stop McAfee services?
VirusScan Enterprise uses a self-protection mechanism to prevent even administrators from stopping the services. It is controlled via the Access Protection properties, Prevent McAfee Services From Being Stopped option. If you disable this option, you can stop the McAfee services via normal means.

What are the best practices on how to configure the On-Demand Scanner?
For configuring on-demand scan file scan threads for best performance, see the VSE 8.8 Best Practices Guide (PD22940).

Why is McShield using CPU during On-Demand Scan?
One of the improvements made for memory reduction was for the On-Demand Scanner (scan32.exe or scan64.exe) to use the instance of the DAT files and Engine already loaded in memory by the On-Access scanner. As a result, when an On-Demand Scan is launched, you will see it using the McShield.exe process. It does not mean that the On-Demand Scanner (ODS) and On-Access Scanner (OAS) are scanning the same file.

Does the On-Access Scanner scan items being scanned by the On-Demand Scanner?
The VSE OAS scans every file access on Read or Write cycles when a file is accessed by another process. However, when the ODS Scan32.exe scans files, it does not trigger further scanning by the OAS. This is because there is an established trust between OAS and ODS. Therefore, when ODS is scanning files, an exclusion is automatically applied to the files being scanned by ODS scan32.exe. If another process tries to access these files, OAS scans the activity as expected.

How does an incremental On-Demand Scan work?
Incremental scanning occurs only under the following circumstances:
  • If an ODS was unable to complete within the time specified.

    NOTE: By default, no time limit is assigned to an On-Demand Scan task.
  • If an ODS was interrupted because of a shutdown notification.

How does the On-Demand Scanner know when to resume a scan?
Incremental scanning only occurs if the scan could not complete within an explicitly specified time (default is no time limit) or if the task was interrupted because of a shutdown notification. Under either of these circumstances, VSE will initiate an incremental scan starting with the last file that was scanned.
  1. The ODS task starts at the Start time configured above.
  2. The scan stops when it reaches the allotted time, configured under Stop the task if it runs for, and records what the last file was that it successfully scanned.
  3. When the schedule for this ODS task repeats, the task continues from where it was interrupted previously.  

    For how to determine which files were last scanned, see KB78969.

What can I do to improve performance?
For configuring Performance Improvements, see the VSE 8.8 Best Practices Guide (PD22940).

How do I limit CPU and memory usage of McShield.exe?
For configuring performance improvements, see the VSE 8.8 Best Practices Guide (PD22940).

How do I configure VSE 8.8 cache persistence?
For cache persistence, see KB71905 for best practices.

How do I investigate performance issues?
There are a number of approaches, and the following information is intended to allow you to follow the steps sequentially to gain information on what the issue might be. After you have identified the issue, you can take appropriate steps to resolve the issue. These steps are intended as a guideline rather than comprehensive instructions. You can find additional information on using the tools mentioned from the Internet. More tools are listed in KB72766.
  • Task Manager
    Press CTRL+SHIFT+ESC to open Task Manager. Sort by the CPU column to see what process or processes are using CPU. Note that the number is a percentage of all available processors or cores, so 25 percent on a four-CPU system would mean a process is pegging one of the cores, which is usually indicative of a problem. You can investigate further after the offending process or processes have been identified.
  • Performance Monitor
    You can use Performance Monitor (PerfMon) to convey specifics of how much CPU is being used and for how long, giving you an idea of how the system or users are being affected. Use PerfMon to monitor the performance object's Process, Processor, and Memory, capturing all counters and instances. Intel Security advises that you use a sampling rate of 1 second for most issues that occur within a brief window of time or are predictable. To reduce the potential size of the log generated, you can use fewer and more specific counters instead of capturing everything because this allows the capture to run for longer periods of time without creating an unwieldy log file.
  • McAfee Profiler
    Intel Security released the McAfee Profiler for VirusScan to give visibility into what the product is doing, such as what files are being scanned. The tool provides a mechanism for generating reports to add understanding to the data that is collected.
    NOTE: You might be able to create exclusions and/or leverage the Hi/Low/Default scanning profiles to create a configuration that improves performance. For more details about this tool, see KB69683.
  • Windows Performance Monitoring Tool (XPerf)
    In Microsoft Vista and newer operating systems, Microsoft has provided a powerful tool that can give very detailed information about a performance problem, including the API that is being called the most. Vendors typically use this information at an engineering/development level, where symbol files for source code are accessible. This helps to understand more clearly what code paths are being exercised. You can also use this tool on Windows XP or Windows 2003, but not to the same level of detail.
Intel Security advises you to work with Technical Support if your performance issues have not been addressed after following these steps.

Why is Access Protection / Buffer Overflow Protection still enabled when disabling the On-Access Scanner?
One of the architectural changes with this release was to separate Access Protection (AP)/Buffer Overflow Protection (BOP) from the status of the On-Access scanner. In earlier versions of VSE, all three would be disabled if you disabled the On-Access Scanner. Separating the disable function allows for Zero Day Protection features (AP and BOP) to remain enabled should the real-time scanner fail.

Can I change the Account used by the McAfee McShield service?
While this is technically possible, Intel Security recommends that you do not do this. By default, the McShield service runs as the System Account, which ensures it has access to any local resources and for any remote scanning. If network drive scanning is enabled, the process impersonates the requestor. No other account can be elevated to the same permissions that a local System Account can. Using any other account incurs the risk of not having access to some part of the registry, files, and so on, in order to perform a successful clean operation.

Are exclusions required for Hyper-V systems on a computer that is running Windows server?
Yes. Microsoft has a list of recommended exclusions that are outlined in KB78364.

NOTE: VSE exclusion is one of the most important features to understand and implement. See KB66909 to obtain all the essential information that any new or existing user might want to know before deploying VSE to their production environment, including:
  • Understanding VSE Exclusions
  • Understanding High-Risk, Low-Risk, and Default processes configuration and usage
  • Understanding Exclusions in Low-Risk processes
  • Why some processes should be added to low-risk exclusions
  • How to use wildcards when creating exclusions in VSE
  • How to create Low-Risk and High-Risk process exclusions in VSE
  • How to use the EICAR anti-malware test file with McAfee products

How does Access Protection (AP) work?
AP is a behavior blocking feature, also known as Zero Day Protection, with capability of blocking Ports, Files / Folders, and the Windows Registry. Each of these features has an associated kernel-level driver to filter the respective activity, and compares actions against a list of rules. Any action found to be in breach of a rule is acted upon. The action taken in response depends on what has been configured for the appropriate rule.

Intel Security provides a number of helpful standard rules. Those we believe are essential are enabled by default. You can define your own rules as required.

How does Buffer Overflow Protection (BOP) work?
BOP monitors processes and Application Programming Interfaces (APIs), checking for code execution from a buffer overflow or buffer overrun. BOP does not stop the overrun from occurring, but will stop code execution that occurs from that overrun. This is a common exploit method used by malware against vulnerable applications to gain access to data or the system, and/or to further propagate itself. See KB58007 for a list of processes protected by BOP.

Protection is accomplished by having kernel-level hooks (also known as "kernel patching" of various system tables) detour code execution through our tests for safety, before returning to their previously scheduled programming. This feature is not supported on 64-bit platforms because its kernel cannot be "patched". This BOP feature can be made redundant if Data Execution Prevention (DEP) is in place.

In VSE 8.8 Patch 4 and later, the processing for detecting and enforcing buffer overflow protection is deferred to the Data Execution Prevention technology available in hardware that supports it. DEP is enabled for the processes that VirusScan Enterprise monitors. Any violations are reported as usual; however, the details of the report beyond Process name are of little value, because defining module or API exclusions with 8.8 Patch 4 or later has no effect.

Are there conflicts between the Windows Data Execution Prevention (DEP) and BOP?
No. For a detailed explanation of DEP and BOP, see KB58554.
With 8.8 Patch 4 and later, the BOP feature leverages DEP to perform evaluation and enforcement; DEP is a hardware enforcement methodology for buffer overflow protection, and is faster at distinguishing whether code is executing safely or not.

How does the On-Access Scanner work?
A file system filter driver monitors all file activity and determines, based on configuration, whether a file object that is being accessed requires scanning. If so, the On-Access Scanner service (McShield.exe) processes the file object further to determine if exclusions are applicable. If they are not, the OAS service performs a scan and reports the results back to the filter driver. McShield.exe loads the McAfee Engine and DAT files into memory to facilitate scanning and actions taken on infected files.

What happens to file attributes when VSE accesses files for scanning using the On-Access Scanner (OAS) and On-Demand Scanner (ODS)?
OAS or ODS access to files does not change any file attributes when scanning files. File attributes are only changed when OAS or ODS detects a virus and removes the malicious code from a file. 

How does VSE OAS or ODS handle archive file scanning?
VSE scans each file in an archive. However, because there is no function for re-packing the archive, it is opened each time a file in the archive is scanned. Because archives cannot be re-packed, no actions can be taken on individual files within them. Therefore, if an infected file is detected within an archive, the entire archive is treated as an infected file.

If you choose not to delete (partially) infected archive files, extracted copies of infected files contained in an archive will be cleaned or deleted on extraction.

Why has the 'Protected by Windows File Protection' option (that was under 'What not to scan' in VSE 8.7) been removed from VSE 8.8?
Because of advanced Rootkit functionality, it is important that VSE scans these directories even if they have been flagged as protected.

Why are files with a .CSV extension included in the default list of file types scanned by the VSE On-Access Scanner?
Though these files only contain passive text data, Intel Security includes detection for files with a .CSV extension because malicious binary data can be included in such files to exploit potential Buffer Overflows in the program that processes the data.

Does the On-Access scanner have Rootkit detection abilities?
No. Rootkit detection is only available using the VSE On-Demand Scanner. For additional information on Rootkits, see:

When running an On-Demand scan, does VSE include a pause functionality when the CPU utilization spikes?
No. Because of its design it does not need to. For a detailed explanation and assistance when running an On-Demand scan, see the following articles:
  • Understanding the VSE On-Demand Scan system resource utilization, see KB55145.
  • Best Practices for On-Demand Scans in VSE 8.8, see KB74059.

How does the On-Demand Scanner (ODS) work?
On-Demand Scanning (ODS) in this release has been improved over prior versions by moving from single-threaded scanning to multi-threaded scanning. This allows VSE 8.8 to complete scan tasks in a much shorter time. The file system is walked and file names are added to a scanning pool, from which an available scanning thread is retrieved and acted on. If a file is modified or written to disk after the scan has progressed past that part of the file system, it will not be scanned until the next time the ODS is run. Multi-threaded scanning applies to the file system only. Available scanning threads may come from the McShield.exe process, so you will see McShield.exe as active when ODS runs instead of the expected Scan32 or Scan64 process. The configured settings for the ODS are still in effect for those threads, however. To force ODS to scan files rather than relying on McShield, the McShield service must first be stopped prior to starting the ODS.

How does the ODS behave during a scan when a DAT update occurs?
When either the DAT or Engine is being updated, the scan pauses for a brief period of time, reloads the new Engine and DAT, and resumes scanning. If McShield.exe is terminated during the update, then so too will the ODS terminate, because it is wholly reliant on McShield to perform the scan. The only exception to this is if the ODS had started while McShield was in a stopped state.

What happens if you schedule an ODS and log off?
Tasks that are scheduled to run are invoked with System Account privilege, or using the credentials specified when creating the task. The launching of the task is handled by the McAfee Framework service, FrameworkService.exe. As a service, this process runs continually, even when nobody is logged on to the system, so it can invoke tasks at their appointed times.

Why does a right-click ODS (Scan for threats...) not scan all selected files?
Right-click scan functionality is limited to 1,000 items. If you select more than 1,000 items to be scanned by a right-click ODS scan, all items over the 1,000 limit will be skipped. To scan more than 1,000 files using a right-click scan, select the top-level folder that contains the files you want to scan.

What authentication is used between manual and scheduled scan tasks?
VSE allows manual as well as scheduled tasks to be run. When such tasks have been configured without explicitly supplying specific credentials, VSE will use the following accounts:
  • NT Authority / System account (for scheduled tasks, when no user is logged on)
  • Logged on user account (for manual tasks) 

What are the differences between 'Scan all local drives' versus 'Scan all fixed drives' options?
The Scan all local drives option scans all drives connected to your computer. This includes hard drives, CDs, and other removable media. The Scan all fixed drives option scans non-removable media only. 

  • The Windows operating system establishes which drives are local, mapped, fixed, or removable. 
  • iSCSI drives are generally detected as local to Windows, even when they are not.
  • Some USB connected drives are detected as local fixed drives because of manufacturer tagging.

Why does performance drop when ODS runs?
When ODS has been configured to run at a below normal or low thread priority and the performance of the system is still being affected, the cause will be either a) scanning of archives, or b) a corrupted file locking up the scanner.

How does the On-Demand Scanner throttle mechanism work?
An On-Demand Scan (ODS) can be set to run at a certain priority, which corresponds to thread priority. Windows is a multi-tasking operating system: it gives processes, or rather their threads, a small amount of CPU time in which to perform their tasks, and uses a scheduling algorithm to determine which thread is given CPU time. For the ODS threads, you can influence the priority with which they are given CPU time using the "System utilization" setting on the Performance tab when creating the On-Demand Scan task. This ODS behavior was introduced in VSE 8.7i, Patch 1.

NOTE: This mechanism does not apply to scanning archive files. If your scan task is set to include Archive files, there may be noticeable periods of time where CPU time is used largely by the On-Demand Scan.

Can the ScriptScan feature exclude scripts by site?
ScriptScan has been able to exclude scripts since VSE 8.5i (with Patch 8 and Hotfix HF472021); whitelisting of URLs was added starting with VSE 8.7i. See KB65382.

  • If using ScriptScan causes a significant negative performance impact, you can disable it locally using VirusScan Console or in managed solutions using policies in ePolicy Orchestrator.
  • There is a significant security risk in disabling ScriptScan. Applications like Outlook and Internet Explorer can render and execute scripts before a file has been created on the local system, allowing them to execute before the On-Access scanner can prevent this. The On-Access Scanner can stop the payload of attacks via this medium but ScriptScan has the added advantage of preventing an actual threat from executing in the first place.

How does the shared cache work? 
The clean file scan cache is a list of files that have been scanned and found to be clean. The list is stored in non-paged pool memory and used by the McAfee file system filter driver. Files in the cache are not scanned. Files are added to the cache after they have been scanned and found to be clean. Files are re-scanned if they are no longer in the cache or have been modified since they were scanned. The scan cache can grow to a maximum of 12 MB. In previous versions of VSE the maximum size was 2 MB.

How does the persistent cache work? 
The clean file scan cache can be saved on shutdown (this is enabled by default) using the setting Enable saving scan data across reboots, so that the system benefits from the cached information on startup. The data is written to the system registry hive, allowing the McAfee file system filter driver to read this information early in the boot process. Note that a limitation has been identified with Windows 2000 systems using this feature.

What is a RunTime DAT?
The RunTime DAT determines how DAT files are loaded into memory and are maintained on disk. The RunTime DAT file (MFERunTime.DAT) is created by the Scanning Engine when it initializes. MFERunTime.DAT contains signature information taken from the regular DAT files obtained from the McAfee update site. By stripping out a large number of similar signatures during the DAT loading process and placing them in a separate file, the Engine can employ a more efficient search algorithm. Testing has shown a scanning performance improvement of at least 20% on Windows systems. The use of this file also allows faster Scanning Engine initialization times.

What is the benefit of the RunTime DAT?
RunTime DATs provide significant memory usage and scanning performance improvements and deal with issues such as:
    • High memory usage of scanner processes
    • Scanner processes taking a long time to start or initialize

Is MFERunTime.DAT secure?
Yes. This file contains validation mechanisms that allow corruption and deliberate modification of the file to be detected.

Can the MFERunTime.DAT file be removed?
No. This file is purposely placed in the same location as the other DAT files.

The McShield service runs as System - why does Intel Security recommend not to change this?
Changing the account is technically possible, but Intel Security recommends that you do not do this. By default, the McShield service runs as System to ensure it has access to any local resources and to allow remote scanning. If network drive scanning is enabled, the process impersonates the requestor. However, if another account is necessary, the account used to run McShield must include the permission to act as part of the operating system (the Local System account already includes this permission). This permission allows a process to impersonate any user without authentication, so the process can gain access to the same local resources as that user. You can configure the Windows Security Policy Settings to achieve this by adding the account you intend to use at the following location: Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment. For more information, see KB75882.
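
Because "Act as part of the operating system" lets its holder impersonate any user, it is worth auditing which account McShield runs as and which accounts hold that right. The following is an added example, not McAfee code; it assumes an elevated PowerShell 3.0 or later session, and the helper name ConvertTo-Sid is hypothetical.

```powershell
# Added example: report the McShield logon account and the accounts directly
# assigned "Act as part of the operating system" (SeTcbPrivilege) in local policy.
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='McShield'"
if (-not $svc) { throw 'McShield service not found on this host.' }

# Export only the User Rights Assignment area of the local security policy.
$inf = Join-Path $env:TEMP ("user_rights_{0}.inf" -f [guid]::NewGuid())
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
$line = Get-Content $inf | Where-Object { $_ -match '^\s*SeTcbPrivilege\s*=' }
Remove-Item $inf -Force

# secedit writes holders as *SID or as a plain account name; normalize to SIDs.
function ConvertTo-Sid([string]$entry) {
    $entry = $entry.Trim()
    if ($entry.StartsWith('*')) { return $entry.TrimStart('*') }
    $name = $entry -replace '^\.\\', "$env:COMPUTERNAME\"
    try {
        $acct = New-Object System.Security.Principal.NTAccount($name)
        $acct.Translate([System.Security.Principal.SecurityIdentifier]).Value
    } catch { $null }   # name could not be resolved
}

$holders = @()
if ($line) {
    $holders = @(($line -split '=', 2)[1].Split(',') |
        ForEach-Object { ConvertTo-Sid $_ } | Where-Object { $_ })
}

$isSystem = $svc.StartName -eq 'LocalSystem'
$svcSid   = if ($isSystem) { 'S-1-5-18' } else { ConvertTo-Sid $svc.StartName }

[pscustomobject]@{
    McShieldAccount    = $svc.StartName
    DefaultAccount     = $isSystem
    SeTcbHolders       = $holders -join ', '
    # Local System holds the right implicitly; other accounts need it assigned.
    # Rights granted through group membership are not resolved here.
    AccountHasTcbRight = $isSystem -or ($svcSid -and ($holders -contains $svcSid))
}
```

Any SID listed under SeTcbHolders that is not the intended McShield service account deserves review, since every holder of this right can impersonate other users.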

Why are performance counters only available for VSE 8.7, and not included with VSE 8.8?
For VSE 8.8 installations, the McAfee Profiler should be used instead. Profiler captures top processes and files that are accessed by the VirusScan Enterprise (VSE) On-Access Scanner (OAS). Based on the data collected, an administrator can choose files or processes to exclude from scanning to lessen the impact on the system.

Can VSE detect a virus that is encrypted by an encrypted file system (EFS)?
Yes, if the user who encrypted the file or folder launches the scan. Otherwise, VSE does not have the ability to scan inside encrypted files or packages (neither can any anti-virus scanner). When an encrypted file is encountered, the VSE logs show the following: Not scanned (The file is encrypted). Detection takes place only when the file has been decrypted or opened.

Also refer to this Microsoft article, which covers EFS and issues with virus check programs: http://technet.microsoft.com/library/Cc962106.
