Knowledge Center

FAQs for VirusScan Enterprise 8.x
Technical Articles ID:   KB71642
Last Modified:  9/2/2016


McAfee VirusScan Enterprise (VSE) 8.x

For details of VSE 8.x supported environments, see KB51111.

NOTE: VSE 8.7i reached End of Life on December 31, 2015. See KB84590 for details.


General For product information covering miscellaneous topics.
Compatibility Interaction between other products including operating systems, hardware, software, and McAfee Agent.
Installation/Upgrade Information about installing, removing, DAT files, upgrading, or Patches. Related information on ePolicy Orchestrator and End of Life.
Configuration Includes best practices, optimizing, customizing cache, using system variables, and exclusions.
Functionality Product features and functions, including ScriptScan, On-Access ScannerOn-Demand Scanner, Access Protection, Buffer Overflow Protection, caching, and RunTime DAT.

NOTE: This article contains general queries about VSE as well as version-specific questions.

When will Intel Security fix the Event 516 issue?
This particular event ID is not indicative of a product issue, but is the outcome of a self-check validation routine, warning that the point product may have been compromised. For the current status, see KB71083. For the latest information on issues discovered with the product, see KB51111.

How do I scan a server infected with Conficker?
See KB60909.

Is VSE Federal Desktop Core Configuration (FDCC) compliant?
Yes. VSE is FDCC-compliant.

Has Intel Security created any white papers for VSE?
Yes. See KB75957, which covers Archives and Compressed Files, and KB85136, Product Management Statement for On-Access Scan configuration in VirusScan Enterprise 8.8. 
This section will be updated as more white papers are created.
Why do the posted dates for patches change?
Intel Security posts the best estimate for a release date in the relevant articles. The dates are subject to change as Intel Security increases the scope of the patch release to deliver additional fixes to customer-reported issues, and issues may be discovered during the extensive internal certification cycle. This certification process includes standard test procedures, lab testing, McAfee production rollouts, as well as limited customer deployments. When the scope of the patch release changes, Intel Security does its best to update the website with the new dates.

Why are ExtraDAT files sent to suppress detections not shown in About VirusScan Enterprise?
ExtraDAT files that are sent to suppress detections will not appear in the About window because they are only intended to correct a false positive.

NOTE: ExtraDAT files that are sent to add signatures to the daily DAT file (to detect particular threats) will appear in the About window.

Are there any articles that help a new user get started?
Yes. Refer to the following articles:
What environments does VSE 8.x support?
For information on supported platforms, environments, and operating systems, see KB51111

Does VSE support Microsoft Office 2013?
Full support for Microsoft Office 2013 was provided with VSE 8.8 Patch 4 (and later).
McAfee product software, upgrades, maintenance releases, and documentation are available from the Product Downloads site at: http://www.mcafee.com/us/downloads/downloads.aspx.

 You will need a valid Grant Number for access. KB56057 provides additional information about the Product Downloads site, as well as alternate locations for some products.

Can I install VSE on a tablet that has Windows 8 installed?
Yes. However, the VSE On-Access Scanner can be resource-intensive for tablet hardware.
The only version of Windows 8 not supported is Windows 8 RT.

What makes VSE a 64-bit product?
VirusScan installs both 32-bit and 64-bit binaries on x64 systems. The 64-bit product binaries are installed to an x64 subfolder from the installation path; other binaries such as drivers are installed to their appropriate places in the Windows file system. The product installation does not adhere to the guidelines of installing 64-bit files to the \program files folder. Nevertheless, the product supports x64 natively.

What runs in 32-bit compatibility mode on x64 systems?
Some third-party applications run as 32-bit, so VirusScan loads the appropriate 32-bit scanner for those programs. For example, the McAfee email scan feature and Microsoft Outlook 2007.

Can VSE be installed on a Virtual Machine (VM) in a cloud platform?
Yes. VirusScan Enterprise can be installed on a node in the cloud.
The node is supported on the basis of the NT Kernel version used by the operating system. For more information, see KB51111.

Why should I install the McAfee (ePO) Agent on laptops that rarely connect to the network?
McAfee Agent provides policy enforcement. After you have installed the agent and it has received your policy (configured on the ePO server), whether the laptop is on the network or off the network, the policy you defined enforced at the policy enforcement interval you defined. This helps ensures that your company settings for your McAfee products are in place no matter where the user is physically located.

Why is nVidia listed in the Known Issues?
Various issues with NVidia software have been reported in the past and still surface occasionally. In these cases, an issue such as high CPU utilization from a McAfee process has been traced to a module that belongs to the nVidia video software injecting itself into our process(es) and then causing a thread to "run away", a condition where a thread uses all available CPU resources. The solution to these issues has been to update the nVidia software. Also check for nVidia issues as described in KB52367.

Can I use VSE 8.x to block access to USB devices?
No. Blocking access to USB devices is not supported with VSE 8.x. Although it is theoretically possible to block most USB devices using VSE Access Protection rules, there are too many potential issues for this to be supported. To efficiently block USB devices, use McAfee Data Loss Prevention. A basic solution can be found in the Microsoft Knowledge Base article 823732 at http://support.microsoft.com/kb/823732.

Are there any compatibility issues with VSE 8.x and the Microsoft Volume Shadow Copy Service (VSS)?
There are currently no known issues between the Microsoft VSS and VSE 8.x.

VSS captures and copies stable images for backup on running systems, particularly servers, without unduly degrading the performance and stability of the services they provide. See: http://msdn.microsoft.com/library/aa384649(VS.85).aspx.

Why is Windows Defender removed automatically when I install VSE?
With the release of Windows 8/Windows Server 2012 operating systems and later, VSE no longer requires Windows Defender be uninstalled. VSE 8.8 Patch 3 and later support Window 8 and Windows Server 2012.

Can I install two different anti-virus products on a single system?
No. Having two On-Access scanners can lead to several problems. The most common is a performance issue because two On-Access scanners will scan the same file. For a list of products that you can remove if you have VSE 8.8 installed, see KB72251.

What exclusions are required when VSE is installed on VMware Horizon?
Exclusions are normally provided by the third-party software vendor, not the AV vendor. Refer to VMware article 2052489 for how to configure antivirus exclusions for VMware Horizon Mirage 3.x and 4. For details, see http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2052489.

Is VSE affected by the changes made in Windows Authenticode Signature Verification?
No. VSE is not affected.
The Security bulletin for this patch is available at: https://support.microsoft.com/kb/2893294

Can I use McAfee Installation Designer with VSE 8.8?
Installation Designer works with all patch levels of VSE 8.8 except Patch 8. Patch 8 is not currently compatible with Installation Designer, though it is planned for a future update or release.

Back to Contents

Why should I upgrade to VSE 8.8?
Intel Security recommends that you upgrade to the most recent version of VirusScan Enterprise to take advantage of new features and enhancements to existing functionality. To see new and improved features in VSE 8.8, refer to PD22973. To see the known issues, see KB70393.

How do I download VSE 8.8?
For details about downloading McAfee products, security updates, patches, or hotfixes, see KB56057

How do I install VSE locally or with third-party solutions?
Extract the installation files from the .zip to a temporary folder, run SetupVSE.exe, and then complete the installation wizard. See the video below to learn how to install VSE as a stand-alone installation in unmanaged environments:

NOTE: SetupVSE.exe supports many of the MSI command line options as well as product-specific options. For a complete list of options, see PD22944.

How do I install VSE via ePO?
Add the installation package to your repository, and then create/modify a Deployment Task. Refer to the ePO 5.1.0 Product Guide (PD24808) or ePO 5.3.0 Product Guide (PD25504) for instructions.

NOTE: The Deployment Task also allows for command-line options to be specified. This allows you to make simple changes to the installation, such as not installing a particular feature. For a complete list of options, see the VSE 8.8 Installation Guide (PD22944).

Is it necessary to preinstall a McAfee Agent when VSE is not managed by ePO?
No. You do not need to preinstall the McAfee Agent prior to installing VSE. This is because the McAfee Agent has two modes of operation (Agent and Updater), where the Updater is a subset of the Agent. If no Agent is present when you install VSE, it will automatically install an Updater.

Does VSE require the C$ share to be enabled to successfully deploy from ePO?
No, McAfee Agent will take care of all files that require downloading; Windows file sharing is not used during the deployment process.

Why does the product install to the Program Files (x86) folder?
VSE installs both 32-bit and 64-bit binaries on x64 systems. The 64-bit product binaries are installed to a "x64" subfolder from the installation path; other binaries, such as drivers, are installed to their appropriate places in the Windows file system. The product installation does not adhere to the guidelines of installing 64-bit files to "\program files". Nevertheless, the product supports x64 natively.

What products are removed when you install VSE 8.x?
See KB72251 for products that can be removed when VSE 8.x is installed and KB72497 for the non-removal of SaaS Endpoint Protection during a VSE 8.8 installation.

Why does the VSE 8.8 About window not show AntiSpyware is installed?
From VSE 8.8, the AntiSpyware Enterprise module is no longer separate from VSE. It has been fully integrated into the product. You can enable or disable anti-spyware features using the standard methods. You can do this locally, via the VSE console, or through ePO policies.

Why are there no DAT files in the installation package?
VSE no longer ships with DAT or signature files included. This allows upgrade deployments to have smaller deployment packages, and the DATs of the prior version will be used when the newer version installs. For details about DAT-less packages and how to include DATs in the installation package, see KB68449.

How does the DAT update affect the new cache?
As a rule, anti-virus clean file scan cache information is purged when a signature update occurs to allow for files to be re-scanned using the new signatures. VSE 8.8 behaves the same way, but it will purge only data that is unsafe to keep in the cache. In other words, the system may still benefit somewhat from the cache after a DAT update has occurred.

Why do Extra.DAT files sent to suppress detections not appear in About VirusScan Enterprise?
Extra.DAT files that are sent to suppress detections do not appear in the About window because they are only intended to correct a false positive.
Extra.DAT files that are sent to add signatures to the daily DAT file to detect particular threats do appear in the About window.

Is a restart required after installing a VSE patch?
No. Patch installations never force a restart. Even when a restart is ideally required, this is suppressed by the installer to minimize inconvenience. The product will function as expected without the reboot. However, to ensure older drivers are removed from memory and to have a clean computing environment, Intel Security recommends that you restart patched systems at your earliest convenience.

What happens if a restart does not occur after installation?
A restart is not required to begin using VSE functionality. However, a restart is recommended to ensure a cleaner Windows environment and enable certain network scanning functionality.

What features do not work until restart occurs?
If you are making use of the network drive scanning feature, and if scanning DFS shares is hosted on remote systems, a reboot is necessary to fully enable that configuration.

What are the Trusted Installers?
From VSE 8.8, the On-Access Scanner allows you to configure whether to scan Trusted Installers. When not selected (trust the Trusted Installers), the following applies:
  • Any MSI product that is being installed by the Msiexec.exe process, is signed by Intel Security or Microsoft, and does not include a merge template as part of the command line, is whitelisted.
  • I/O by a Vista and newer TrustedInstaller.exe process that is signed by Microsoft and running under the well-known TrustedInstaller service account SID, is whitelisted.
  • I/O on any version of Windows from Update.exe that is appropriately signed by Microsoft, is whitelisted.

How do you remove the product?
VSE can generally be removed through the Windows Control Panel. However, if this fails, manually remove the product as detailed in KB71179 and KB52648 (using msiexec.exe).
Is my product version supported?
For End of Life and End of Support information see Product & Technology Support Lifecycle at www.mcafee.com/us/support/support-eol.aspx and KB51111.

Back to Contents 
There is a lot you can do to prevent issues. Following the best practices is often key to avoiding issues.

How do I stop McAfee services?
VirusScan Enterprise uses a self-protection mechanism to prevent even administrators from stopping the services. It is controlled via the Access Protection properties, Prevent McAfee Services From Being Stopped option. If you disable this option, you can stop the McAfee services via normal means.
What are the best practices on how to configure the On-Demand Scanner? 
For configuring on-demand scan file scan threads for best performance, see the VSE 8.8 Best Practices Guide (PD22940).

Why is McShield using CPU during On-Demand Scan?
One of the improvements made for memory reduction was for the On-Demand Scanner (scan32.exe or scan64.exe) to use the instance of the DAT files and Engine already loaded in memory by the On-Access scanner. As a result, when an On-Demand Scan is launched, you will see it using the McShield.exe process. It does not mean that the On-Demand Scanner (ODS) and On-Access Scanner (OAS) are scanning the same file.

Does the On-Access Scanner scan items being scanned by the On-Demand Scanner?
The VSE OAS scans every file access on Read or Write cycles when a file is accessed by another process. However, when the ODS Scan32.exe scans files, it does not trigger further scanning by the OAS. This is because there is an established trust between OAS and ODS. Therefore, when ODS is scanning files, an exclusion is automatically applied to the files being scanned by ODS scan32.exe. If another process tries to access these files, OAS scans the activity as expected.

How does an incremental On-Demand Scan work?
Incremental scanning occurs only under the following circumstances:
  • If an ODS was unable to complete within the time specified.

    NOTE: By default, no time limit is assigned to an On-Demand Scan task. 
  • If an ODS was interrupted because of a shutdown notification.
How does the On-Demand Scanner know when to resume a scan?
Incremental scanning only occurs if the scan could not complete within an explicitly specified time (default is no time limit), or if the task was interrupted because of a shutdown notification. Under either of these circumstances, VSE will initiate an incremental scan starting with the last file that was scanned.
  1. The ODS task starts at the Start time configured above.
  2. The scan stops when it reaches the allotted time, configured under Stop the task if it runs for, and records what the last file was that it successfully scanned.
  3. When the schedule for this ODS task repeats, the task continues from where it was interrupted previously.  

    For how to determine which files were last scanned, see KB78969.
What can I do to improve performance?
For configuring performance improvements, see the VSE 8.8 Best Practices Guide (PD22940).

How do I limit CPU and memory usage of McShield.exe?
For configuring performance improvements, see the VSE 8.8 Best Practices Guide (PD22940).

How do I configure VSE 8.8 cache persistence?
For cache persistence, see KB71905 for best practices.

How do I investigate performance issues?
There are a number of approaches, and the following information is intended to allow you to follow the steps sequentially to gain information on what the issue might be. After you have identified the issue, you can take appropriate steps to resolve the issue. These steps are intended as a guideline rather than comprehensive instructions. You can find additional information on using the tools mentioned from the Internet. More tools are listed in KB72766.
  • Task Manager
    Press CTRL+SHIFT+ESC to open Task Manager. Sort by the CPU column to see what process or processes are using CPU. Note that the number is a percentage of all available processors or cores, so 25 percent on a four-CPU system would mean a process is pegging one of the cores, which is usually indicative of a problem. You can investigate further after the offending process or processes have been identified.
  • Performance Monitor
    You can use Performance Monitor (PerfMon) to convey specifics of how much CPU is being used and for how long, giving you an idea of how the system or users are being affected. Use PerfMon to monitor the performance object's Process, Processor, and Memory, capturing all counters and instances. Intel Security advises that you use a sampling rate of  one (1) second for most issues that occur within a brief window of time or are predictable. To reduce the potential size of the log generated, you can use fewer and more specific counters instead of capturing everything because this allows the capture to run for longer periods of time without creating an unwieldy log file.
  • McAfee Profiler
    Intel Security released the McAfee Profiler for VirusScan to give visibility into what the product is doing, such as what files are being scanned. The tool provides a mechanism for generating reports to add understanding to the data that is collected.
    NOTE: You might be able to create exclusions and/or leverage the Hi/Low/Default scanning profiles to create a configuration that improves performance. For more details about this tool, see KB69683.
  • Windows Performance Monitoring Tool (XPerf)
    In Microsoft Vista and newer operating systems, Microsoft has provided a powerful tool that can give very detailed information about a performance problem, including the API that is being called the most. Vendors can use this information typically at an engineering/development level where symbols files for source code are accessible. This helps understand more clearly what code paths are being exercised. You can also use this tool on Windows XP or Windows 2003 but not to the same level of detail.
Intel Security advises you work with Technical Support if your performance issues have not been addressed after following these steps.

Why is Access Protection / Buffer Overflow Protection still enabled when disabling the On-Access Scanner?
One of the architectural changes with this release was to separate Access Protection (AP)/Buffer Overflow Protection (BOP) from the status of the On-Access scanner. In earlier versions of VSE, all three would be disabled if you disabled the On-Access Scanner. Separating the disable function allows for Zero Day Protection features (AP and BOP) to remain enabled should the real-time scanner fail.

Can I change the Account used by the McAfee McShield service?
While this is technically possible, Intel Security recommends that you do not do this. By default, the McShield service runs as the System Account, which ensures it has access to any local resources and for any remote scanning. If network drive scanning is enabled, the process impersonates the requestor. No other account can be elevated to the same permissions that a local System Account can. Using any other account incurs the risk of not having access to some part of the registry, files, and so on, in order to perform a successful clean operation.

Are exclusions required for Hyper-V systems on a computer that is running Windows server?
Yes. Microsoft has a list of recommended exclusions that are outlined in KB78364.

NOTE: VSE exclusion is one of the most important features to understand and implement. See KB66909 to obtain all the essential information that any new or existing user might want to know before deploying VSE to their production environment, including:
  • Understanding VSE Exclusions
  • Understanding High-Risk, Low-Risk, and Default processes configuration and usage
  • Understanding Exclusions in Low-Risk processes
  • Why some processes should be added to low-risk exclusions
  • How to use wildcards when creating exclusions in VSE
  • How to create Low-Risk and High-Risk process exclusions in VSE
  • How to use the EICAR anti-malware test file with McAfee products
How does Access Protection (AP) work?
AP is a behavior blocking feature, also known as Zero Day Protection, with the capability to block Ports, Files / Folders, and the Windows Registry. Each of these features has an associated kernel-level driver to filter the respective activity, and compares actions against a list of rules. Any action found to be in breach of a rule is acted upon. The action taken in response depends on what has been configured for the appropriate rule.

Intel Security provides a number of helpful standard rules. Those we believe are essential are enabled by default. You can define your own rules as required.

Can fully-qualified pathnames and wildcards be used in Access Protection exclusions and inclusions (rules 'Processes to include' and 'Processes to exclude')?
Process names may be used with or without fully-qualified pathnames, and with or without wildcards in the fully-qualified pathname or process name. For example, all of the following are acceptable:

How does Buffer Overflow Protection (BOP) work?
BOP monitors processes and Application Program interfaces, checking for code execution from a buffer overflow or buffer overrun. BOP does not stop the overrun from occurring, but will stop code execution that occurs from that overrun. This is a common exploit method used by malware against vulnerable applications to gain access to data or the system, and/or to further propagate itself. See KB58007 for a list of processes protected by BOP.

Protection is accomplished by having kernel-level hooks (also known as "kernel patching" of various system tables) detour code execution through our tests for safety, before returning to their previously scheduled programming. This feature is not supported on 64-bit platforms because its kernel cannot be "patched". This BOP feature can be made redundant if Data Execution Prevention (DEP) is in place.

In VSE 8.8 Patch 4 and later, the processing for detecting and enforcing buffer overflow protection is deferred to the Data Execution Prevention technology available in hardware that supports it. DEP is enabled for the processes that VirusScan Enterprise monitors. Any violations are reported as usual; however, the details of the report beyond Process name are of little value because defining module or API exclusions with 8.8 Patch 4 or later has no effect.

Are there conflicts between the Windows Data Execution Prevention (DEP) and BOP?
No. For a detailed explanation of DEP and BOP, see KB58554.
With 8.8 Patch 4 and later, the BOP feature leverages DEP to perform evaluation and enforcement. DEP is a hardware enforcement methodology for buffer overflow protection, and is faster at making the distinction for code executing safely or not.

How does the On-Access Scanner work?
A file system filter driver monitors all file activity and determines, based on configuration, whether a file object that is being accessed requires scanning. If so, the On-Access Scanner service (McShield.exe) processes the file object further to determine if exclusions are applicable. If they are not, the OAS service performs a scan and reports the results back to the filter driver. McShield.exe loads the McAfee Engine and DAT files into memory to facilitate scanning and actions taken on infected files.

What happens to file attributes when VSE accesses files for scanning using the On-Access Scanner (OAS) and On-Demand Scanner (ODS)?
OAS or ODS access to files does not change any file attributes when scanning files. File attributes are only changed when OAS or ODS detects a virus and removes the malicious code from a file. 

How does VSE OAS or ODS handle archive file scanning?
VSE scans each file in an archive. However, because there is no function for re-packing the archive, it is opened each time a file in the archive is scanned. Because archives cannot be re-packed, no actions can be taken on individual files within them. Therefore, if an infected file is detected within an archive, the entire archive is treated as an infected file.

IMPORTANT:  If you choose not to delete (partially) infected archive files, extracted copies of infected files contained in an archive will be cleaned or deleted on extraction.

Why are files with a .CSV extension included in the default list of file types scanned by the VSE On-Access Scanner?
Though these files only contain passive text data, Intel Security includes detection for files with a .CSV extension because malicious binary data can be included in such files to exploit potential Buffer Overflows in the program that processes the data.

Does the On-Access scanner have Rootkit detection abilities?
No. Rootkit detection is only available using the VSE On-Demand Scanner. For additional information on Rootkits, see:
When running an On-Demand scan, does VSE include a pause function when the CPU utilization spikes?
No. Because of its design it does not need to. For a detailed explanation and assistance when running an On-Demand scan, see the following articles:
  • Understanding the VSE On-Demand Scan system resource utilization, see KB55145.
  • Best Practices for On-Demand Scans in VSE 8.8, see KB74059.

How does the On-Demand Scanner (ODS) work?
On-Demand Scanning in this release has been improved over prior versions by moving from single threaded scanning to multi-threaded scanning. This allows VSE 8.8 to complete scan tasks in a much shorter time. The file system is walked and file names are added to a scanning pool, from which an available scanning thread is retrieved and acted on. If a file is modified or written to disk after the scan had progressed past that part of the file system, it will not be scanned until next time the ODS is run. Multi-threaded scanning applies to the file system only. Available scanning threads may come from the McShield.exe process; you will therefore see McShield.exe as active when ODS runs instead of the expected Scan32 or Scan64 process. The configured settings for the ODS are still in effect for those threads however. To force ODS to scan files rather than relying on McShield, the McShield service must first be stopped prior to starting the ODS.

How does the ODS behave during a scan when a DAT update occurs?
When either the DAT or Engine is being updated, the scan pauses for a brief period of time, reloads the new Engine and DAT, and resumes scanning. If McShield.exe is terminated during the update, then so too will the ODS terminate, because it is wholly reliant on McShield to perform the scan. The only exception to this is if the ODS had started while McShield was in a stopped state.

What happens if you schedule an ODS and log off?
Tasks that are scheduled to run will invoke with System Account privilege, or using the credentials specified when creating the task. The launching of the task is handled by the McAfee Framework service, FrameworkService.exe. As a service, this process runs continually, even when nobody is logged on to the system - thus it can invoke tasks at their appointed times.

Why does a right-click ODS (Scan for threats...) not scan all selected files?
Right-click scan functionality is limited to 1,000 items. If you select more than 1,000 items to be scanned by a right-click ODS scan, all items over the 1,000 limit will be skipped. To scan more than 1,000 files using a right-click scan, select the top-level folder that contains the files you want to scan.
What authentication is used between manual and scheduled scan tasks?
VSE allows manual as well as scheduled tasks to be run. When such tasks have been configured without explicitly supplying specific credentials, VSE will use the following accounts:
  • NT Authority / System account (for scheduled tasks, when no user is logged on)
  • Logged on user account (for manual tasks) 
What are the differences between 'Scan all local drives' versus 'Scan all fixed drives' options?
The Scan all local drives option scans all drives connected to your computer. This includes hard drives, CDs, and other removable media. The Scan all fixed drives option scans non-removable media only. 

  • The Windows operating system establishes which drives are local, mapped, fixed, or removable. 
  • iSCSI drives are generally detected as local to Windows, even when they are not.
  • Some USB connected drives are detected as local fixed drives because of manufacturer tagging.  
Why does performance drop when ODS runs?
When ODS has been configured to run at a below normal or low thread priority, and if the performance of the system is still being affected, it will be the result of a) scanning of archives, or b) a corrupted file locking up the scanner.

How does the On-Demand Scanner throttle mechanism work?
An On-Demand Scan (ODS) can be set to run at a certain priority which corresponds to thread priority. Windows is a multi-tasking operating system. This is accomplished by giving processes, or rather their threads, a small amount of CPU time in which they can perform their desired tasks. Windows uses a scheduling algorithm to determine which thread is given CPU time. For the ODS threads, you can influence the priority for which it is given CPU time using the "System utilization" setting on the Performance tab when creating the On-Demand Scan task.

NOTE: This mechanism does not apply to scanning archive files. If your scan task is set to include Archive files, there may be noticeable periods of time where CPU time is used largely by the On-Demand Scan.
Can the ScriptScan feature exclude scripts by site?
The ScriptScan feature can exclude scripts and does white listing of URLs.

  • If using ScriptScan causes a significant negative performance impact, you can disable it locally using VirusScan Console or in managed solutions using policies in ePolicy Orchestrator.
  • There is a significant security risk in disabling ScriptScan. Applications like Outlook and Internet Explorer can render and execute scripts before a file has been created on the local system, allowing them to execute before the On-Access scanner can prevent this. The On-Access Scanner can stop the payload of attacks via this medium but ScriptScan has the added advantage of preventing an actual threat from executing in the first place.

How does the shared cache work?  
The clean file scan cache is a list that tracks the results of files that have been scanned and were found to be clean. The list is stored in non-page pool memory and used by the McAfee file system filter driver. Files in the cache are not scanned. Files are added to the cache after they have been scanned and were found to be clean. Files are re-scanned if they are no longer in the cache or have been modified since they were scanned. The scan cache size can grow to a maximum of 12 MB. In previous versions of VSE the maximum size was 2 MB.

How does the persistent cache work? 
The clean file scan cache can be saved on shutdown (this is enabled by default) using the setting Enable saving scan data across reboots, so that the system benefits from the cached information on startup. The data is written to the system registry hive, allowing the McAfee file system filter driver to read this information early in the boot process. Note that a limitation has been identified with Windows 2000 systems using this feature.

How does the VSE On-Access Scanner (OAS) handle Client-side Caching interactions? Is the file local, or remote?
Microsoft Offline Files/folders technology, or Client-side Caching, allows for files that are hosted on a remote resource to be locally accessible by a device when that device is not connected to the network. This function is called client-side caching because Windows creates a local copy of the file within a protected folder, from which the device will read and modify the file's content as needed. When the device is again connected to the network, and the remote file is accessible, changes are synchronized to update both copies.

The file being cached in this manner is always considered a remote file. Even when the device is disconnected from the network, the User or programs accessing the file use the same remote location. It is Windows that takes care of the necessary redirection that provides access to the cached, local copy.

Since the file is always considered remote, in order for the OAS to scan these files, the Network Drive Scanning feature must be enabled. Similarly, for the On Demand Scanner (ODS) to scan the offline files, it must be provided the original (remote) location.

NOTE: Enabling the Network Drive Scanning feature is not recommended for most environments, because the scanning of remote objects can lead to slower performance and an increase in scanner time-outs.

What is a RunTime DAT?
The RunTime DAT determines how DAT files are loaded into memory and are maintained on disk. The RunTime DAT file (MFERunTime.DAT) is created by the Scanning Engine when it initializes. MFERunTime.DAT contains signature information taken from the regular DAT files obtained from the McAfee update site. By stripping out a large number of similar signatures during the DAT loading process and placing them in a separate file, the Engine can employ a more efficient search algorithm. Testing has shown a scanning performance improvement of at least 20% on Windows systems. The use of this file also allows faster Scanning Engine initialization times.

What is the benefit of the RunTime DAT?
RunTime DATs provide significant memory usage and scanning performance improvements and deal with issues such as:
  • High memory usage of scanner processes
  • Scanner processes taking a long time to start or initialize
Is MFERunTime.DAT secure?
Yes. This file contains validation mechanisms to allow corruption and deliberate modification of the file to be detected.
Can MFERunTime.DAT file be removed?
No. This file is purposely placed in the same location as the other DAT files.

The McShield service runs as System - why does Intel Security recommend not to change this?
Although technically possible, Intel Security recommends that you do not change this because, by default, the McShield service runs as System to ensure it has access to any local resources and to allow remote scanning. If network drive scanning is enabled, the process impersonates the requestor. However, if another account is necessary, then the account used to run McShield must include the permission to act as part of the operating system (the Local System account already includes this permission). This allows a process to impersonate any user without authentication. The process can therefore gain access to the same local resources as that user. You can configure the Windows Security Policy Settings to achieve this by adding the account (you are attempting to use) to the following location: Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment.
Why are performance counters not included with VSE 8.8?
For VSE 8.8 installations, the McAfee Profiler should be used instead. Profiler captures top processes and files that are accessed by the VirusScan Enterprise (VSE) On-Access Scanner (OAS). Based on the data collected, an administrator can choose files or processes to exclude from scanning to lessen the impact on the system.

Can VSE detect a virus that is encrypted by an encrypted file system (EFS)?
If the user who encrypted the file/folder launches the scan, then Yes. Otherwise, VSE does not have the ability to scan inside encrypted files or packages (neither can any anti-virus scanner). The VSE logs will show the following when one is encountered Not scanned (The file is encrypted). Detection will take place only when the file has been decrypted/opened.

Also refer to this Microsoft article, which covers EFS and issues with virus check programs: http://technet.microsoft.com/library/Cc962106

Back to Contents 

Rate this document

Did this article resolve your issue?

Please provide any comments below

Glossary of Technical Terms

Highlight Glossary Terms

Please take a moment to browse our Glossary of Technical Terms.