Knowledge Center

FAQs for VirusScan Enterprise 8.x
Technical Articles ID:   KB71642
Last Modified:  3/1/2018


McAfee VirusScan Enterprise (VSE) 8.x

For details of VSE 8.x supported environments, see KB51111.


Recent updates to this article:

Date Update
February 28, 2018 Added expand and collapse design.


When will McAfee fix the Event 516 issue?
This particular event ID is not indicative of a product issue, but is the outcome of a self-check validation routine, warning that the point product may have been compromised. For the current status, see KB71083.

How do I scan a server infected with Conficker?
See KB60909.

Is VSE Federal Desktop Core Configuration (FDCC) compliant?
Yes. VSE is FDCC-compliant.

Are there any white papers for VSE?
Yes. See KB75957, which covers Archives and Compressed Files, and KB85136, Product Management Statement for On-Access Scan configuration in VSE 8.8.
This section will be updated as more white papers are created.

Why do the posted dates for patches change?
McAfee posts the best estimate for a release date in the relevant articles. The dates are subject to change as McAfee increases the scope of the patch release to deliver additional fixes to customer-reported issues, and issues may be discovered during the extensive internal certification cycle. This certification process includes standard test procedures, lab testing, production rollouts, as well as limited customer deployments. When the scope of the patch release changes, McAfee does its best to update the website with the new dates.

Why are ExtraDAT files sent to suppress detections not shown in About VirusScan Enterprise?
ExtraDAT files that are sent to suppress detections will not appear in the About window because they are only intended to correct a false positive.

NOTE: ExtraDAT files that are sent to add signatures to the daily DAT file (to detect particular threats) will appear in the About window.

Are there any articles that help a new user get started?
Yes. Refer to the following articles:
  • For a quick-start guide for new users, see KB79580.
  • For tips on using VSE, see KB75857.
  • For an article on "hot topics" relevant to VSE software, see KB65944.

What environments does VSE 8.x support?
For information on supported platforms, environments, and operating systems, see KB51111.

Does VSE support Microsoft Office 2013?
Full support for Microsoft Office 2013 was provided with VSE 8.8 Patch 4 (and later).

Can I install VSE on a tablet that has Windows 8 installed?
Yes. However, the VSE On-Access Scanner can be resource-intensive for tablet hardware.

NOTE: The only version of Windows 8 not supported is Windows 8 RT.

What makes VSE a 64-bit product?
VSE installs both 32-bit and 64-bit binaries on x64 systems. The 64-bit product binaries are installed to an x64 subfolder from the installation path; other binaries such as drivers are installed to their appropriate places in the Windows file system. The product installation does not adhere to the guidelines of installing 64-bit files to the \program files folder. Nevertheless, the product supports x64 natively.

What runs in 32-bit compatibility mode on x64 systems?
Some third-party applications run as 32-bit, so VSE loads the appropriate 32-bit scanner for those programs. For example, the McAfee email scan feature and Microsoft Outlook 2007.

Can VSE be installed on a Virtual Machine (VM) in a cloud platform?
Yes. VSE can be installed on a node in the cloud.
The node is supported on the basis of the NT Kernel version used by the operating system. For more information, see KB51111.

Why should I install the McAfee ePolicy Orchestrator Agent on laptops that rarely connect to the network?
McAfee Agent provides policy enforcement. After you have installed the agent and it has received your policy (configured on the ePolicy Orchestrator server), whether the laptop is on the network or off the network, the policy you defined is enforced at the policy enforcement interval you defined. This helps ensures that your company settings for your McAfee products are in place no matter where the user is physically located.

Why is nVidia listed in the Known Issues?
Various issues with nVidia software have been reported in the past and still surface occasionally. In these cases, an issue such as high CPU utilization from a McAfee process has been traced to a module that belongs to the nVidia video software injecting itself into our process(es) and then causing a thread to "run away", a condition where a thread uses all available CPU resources. The solution to these issues has been to update the nVidia software. Also check for nVidia issues as described in KB52367.

Can I use VSE 8.x to block access to USB devices?
No. Blocking access to USB devices is not supported with VSE 8.x. Although it is theoretically possible to block most USB devices using VSE Access Protection rules, there are too many potential issues for this to be supported. To efficiently block USB devices, use McAfee Data Loss Prevention. A basic solution can be found in the Microsoft Knowledge Base article 823732 at http://support.microsoft.com/kb/823732.

Are there any compatibility issues with VSE 8.x and the Microsoft Volume Shadow Copy Service (VSS)?
There are currently no known issues between the Microsoft VSS and VSE 8.x.
NOTE: VSS captures and copies stable images for backup on running systems, particularly servers, without unduly degrading the performance and stability of the services they provide. See: http://msdn.microsoft.com/library/aa384649(VS.85).aspx.

Why is Windows Defender removed automatically when I install VSE?
With the release of Windows 8/Windows Server 2012 operating systems and later, VSE no longer requires Windows Defender be uninstalled. VSE 8.8 Patch 3 and later support Window 8 and Windows Server 2012.

Can I install two different anti-virus products on a single system?
No. Having two On-Access scanners can lead to several problems. The most common is a performance issue because two On-Access scanners will scan the same file. For a list of products that you can remove if you have VSE 8.8 installed, see KB72251.

What exclusions are required when VSE is installed on VMware Horizon?
Exclusions are normally provided by the third-party software vendor, not the AV vendor. Refer to VMware article 2082045 (Antivirus executable exclusion list for VMware Horizon View).
For details, visit the VMware site https://kb.vmware.com/selfservice and search for article 2082045.
To view the Antivirus Best Practices for VMware Horizon View 5.x, see https://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/techpaper/VMware-View-AntiVirusPractices-TN-EN.pdf

Is VSE affected by the changes made in Windows Authenticode Signature Verification?
No. VSE is not affected.

NOTE: The Security bulletin for this patch is available at: https://support.microsoft.com/kb/2893294

Can I use McAfee Installation Designer with VSE 8.8?
Installation Designer works with all patch levels of VSE 8.8.

Back to Top

Why should I upgrade to VSE 8.8?
It is recommended that you upgrade to the most recent version of VSE to take advantage of new features and enhancements to existing functionality. To see new and improved features in VSE 8.8, refer to PD22973. To see the known issues, see KB70393.

How do I download VSE 8.8? For details about downloading McAfee products, security updates, patches, or hotfixes, see KB56057.

How do I install VSE locally or with third-party solutions?
Extract the installation files from the .zip to a temporary folder, run SetupVSE.exe, and then complete the installation wizard. See the video below to learn how to install VSE as a stand-alone installation in unmanaged environments:

NOTE: SetupVSE.exe supports many of the MSI command line options as well as product-specific options. For a complete list of options, see PD22944.

How do I install VSE ePolicy Orchestrator?
Add the installation package to your repository, and then create/modify a Deployment Task. Refer to the ePolicy Orchestrator 5.1.0 Product Guide (PD24808) or ePolicy Orchestrator 5.3.0 Product Guide (PD25504) for instructions.

NOTE: The Deployment Task also allows for command-line options to be specified. This allows you to make simple changes to the installation, such as not installing a particular feature. For a complete list of options, see the VirusScan Enterprise 8.8 Installation Guide (PD22944).

Is it necessary to preinstall a McAfee Agent when VSE is not managed by ePolicy Orchestrator?
No. You do not need to preinstall the McAfee Agent prior to installing VSE. This is because the McAfee Agent has two modes of operation (Agent and Updater), where the Updater is a subset of the Agent. If no Agent is present when you install VSE, it will automatically install an Updater.

Does VSE require the C$ share to be enabled to successfully deploy from ePolicy Orchestrator?
No, McAfee Agent will take care of all files that require downloading; Windows file sharing is not used during the deployment process.

Why does the product install to the Program Files (x86) folder?
VSE installs both 32-bit and 64-bit binaries on x64 systems. The 64-bit product binaries are installed to a "x64" subfolder from the installation path; other binaries, such as drivers, are installed to their appropriate places in the Windows file system. The product installation does not adhere to the guidelines of installing 64-bit files to "\program files". Nevertheless, the product supports x64 natively.

What products are removed when you install VSE 8.x?
See KB72251 for products that can be removed when VSE 8.x is installed.

Why does the VSE 8.8 About window not show AntiSpyware is installed?
From VSE 8.8, the AntiSpyware Enterprise module is no longer separate from VSE. It has been fully integrated into the product. You can enable or disable anti-spyware features using the standard methods. You can do this locally, via the VSE console, or through ePolicy Orchestrator policies.

Why are there no DAT files in the installation package?
VSE no longer ships with DAT or signature files included. This allows upgrade deployments to have smaller deployment packages, and the DATs of the prior version will be used when the newer version installs.

How does the DAT update affect the new cache?
As a rule, anti-virus clean file scan cache information is purged when a signature update occurs to allow for files to be re-scanned using the new signatures. VSE 8.8 behaves the same way, but it will purge only data that is unsafe to keep in the cache. In other words, the system may still benefit somewhat from the cache after a DAT update has occurred.

Why do Extra.DAT files sent to suppress detections not appear in About VirusScan Enterprise?
Extra.DAT files that are sent to suppress detections do not appear in the About window because they are only intended to correct a false positive.
NOTE: Extra.DAT files that are sent to add signatures to the daily DAT file to detect particular threats do appear in the About window.

Is a restart required after installing a VSE patch?
No. Patch installations never force a restart. Even when a restart is ideally required, this is suppressed by the installer to minimize inconvenience. The product will function as expected without the reboot. However, to ensure older drivers are removed from memory and to have a clean computing environment, it is recommended that you restart patched systems at your earliest convenience.

What happens if a restart does not occur after installation?
A restart is not required to begin using VSE functionality. However, a restart is recommended to ensure a cleaner Windows environment and enable certain network scanning functionality.

What features do not work until a restart occurs?
If you are making use of the Network Drive Scanning feature, and if scanning DFS shares is hosted on remote systems, a reboot is necessary to fully enable that configuration.

What are the Trusted Installers?
From VSE 8.8, the On-Access Scanner allows you to configure whether to scan Trusted Installers. When not selected (trust the Trusted Installers), the following applies:
  • Any MSI product that is being installed by the Msiexec.exe process, is signed by McAfee or Microsoft, and does not include a merge template as part of the command line, is whitelisted.
  • I/O by a Vista and newer TrustedInstaller.exe process that is signed by Microsoft and running under the well-known TrustedInstaller service account SID, is whitelisted.
  • I/O on any version of Windows from Update.exe that is appropriately signed by Microsoft, is whitelisted.

How do you remove the product?
VSE can generally be removed through Programs and Features or Apps & features (depending on your version of Windows). However, if this fails, manually remove the product as detailed in KB52648 (using msiexec.exe).

Is my product version supported?
For End of Life and End of Support information see the Product & Technology Support Lifecycle at www.mcafee.com/us/support/support-eol.aspx and KB51111.

Back to Top

There is a lot you can do to prevent issues. Following the best practices is often key to avoiding issues.

How do I stop McAfee services?
VSE uses a self-protection mechanism to prevent even administrators from stopping the services. It is controlled via the Access Protection properties, Prevent McAfee Services From Being Stopped option. If you disable this option, you can stop the McAfee services via normal means.

What are the best practices on how to configure the On-Demand Scanner?
For configuring On-Demand Scan file scan threads for best performance, see the VirusScan Enterprise 8.8 Best Practices Guide (PD22940).

Why is McShield using CPU during On-Demand Scan?
One of the improvements made for memory reduction was for the On-Demand Scanner (scan32.exe or scan64.exe) to use the instance of the DAT files and Engine already loaded in memory by the On-Access Scanner. As a result, when an On-Demand Scan is launched, you will see it using the McShield.exe process. It does not mean that the On-Demand Scanner (ODS) and On-Access Scanner (OAS) are scanning the same file.

Does the On-Access Scanner scan items being scanned by the On-Demand Scanner?
The VSE OAS scans every file access on Read or Write cycles when a file is accessed by another process. However, when the ODS Scan32.exe scans files, it does not trigger further scanning by the OAS. This is because there is an established trust between OAS and ODS. Therefore, when ODS is scanning files, an exclusion is automatically applied to the files being scanned by ODS scan32.exe. If another process tries to access these files, OAS scans the activity as expected.

How does an incremental On-Demand Scan work?
Incremental scanning occurs only under the following circumstances:
  • If an ODS was unable to complete within the time specified.

    NOTE: By default, no time limit is assigned to an ODS task.
  • If an ODS was interrupted because of a shutdown notification.

How does the On-Demand Scanner know when to resume a scan?
Incremental scanning occurs only if the scan could not complete within an explicitly specified time (default is no time limit), or if the task was interrupted because of a shutdown notification. Under either of these circumstances, VSE will initiate an incremental scan starting with the last file that was scanned.
  1. The ODS task starts at the Start time configured above.
  2. The scan stops when it reaches the allotted time, configured under Stop the task if it runs for, and records what the last file was that it successfully scanned.
  3. When the schedule for this ODS task repeats, the task continues from where it was interrupted previously.

    To determine which files were last scanned, see KB78969.

What can I do to improve performance?
For configuring performance improvements, see the VirusScan Enterprise 8.8 Best Practices Guide (PD22940).

How do I limit CPU and memory usage of McShield.exe?
For configuring performance improvements, see the VirusScan Enterprise 8.8 Best Practices Guide (PD22940).

How do I configure VSE 8.8 cache persistence?
For cache persistence, see KB71905 for best practices.

How do I investigate performance issues?
There are a number of approaches, and the following information is intended to allow you to follow the steps sequentially to gain information on what the issue might be. After you have identified the issue, you can take appropriate steps to resolve the issue. These steps are intended as a guideline rather than comprehensive instructions. You can find additional information on using the tools mentioned from the Internet. More tools are listed in KB72766.
  • Task Manager
    Press CTRL+SHIFT+ESC to open Task Manager. Sort by the CPU column to see what process or processes are using CPU. Note that the number is a percentage of all available processors or cores, so 25 percent on a four-CPU system would mean a process is pegging one of the cores, which is usually indicative of a problem. You can investigate further after the offending process or processes have been identified.
  • Performance Monitor
    You can use Performance Monitor (PerfMon) to convey specifics of how much CPU is being used and for how long, giving you an idea of how the system or users are being affected. Use PerfMon to monitor the performance object's Process, Processor, and Memory, capturing all counters and instances. The product development team advises that you use a sampling rate of one (1) second for most issues that occur within a brief window of time or are predictable. To reduce the potential size of the log generated, you can use fewer and more specific counters instead of capturing everything because this allows the capture to run for longer periods of time without creating an unwieldy log file.
  • McAfee Profiler
    McAfee Profiler for VSE was released to give visibility into what the product is doing, such as what files are being scanned. The tool provides a mechanism for generating reports to add understanding to the data that is collected.
    NOTE: You might be able to create exclusions and/or leverage the High/Low/Default scanning profiles to create a configuration that improves performance. For more details about this tool, see KB69683.
  • Windows Performance Monitoring Tool (XPerf)
    In Microsoft Vista and newer operating systems, Microsoft has provided a powerful tool that can give very detailed information about a performance problem, including the API that is being called the most. Vendors can use this information typically at an engineering/development level where symbols files for source code are accessible. This helps understand more clearly what code paths are being exercised.
Customers are advised to work with Technical Support if your performance issues have not been addressed after following these steps.

Why is Access Protection / Buffer Overflow Protection still enabled when disabling the On-Access Scanner?
One of the architectural changes with VSE 8.8 was to separate Access Protection (AP)/Buffer Overflow Protection (BOP) from the status of the On-Access scanner. In earlier versions of VSE, all three would be disabled if you disabled the On-Access Scanner. Separating the disable function allows for Zero Day Protection features (AP and BOP) to remain enabled should the real-time scanner fail.

Can I change the Account used by the McAfee McShield service?
While this is technically possible, the product development team recommends that you do not do this. By default, the McShield service runs as the System Account, which ensures it has access to any local resources and for any remote scanning. If Network Drive Scanning is enabled, the process impersonates the requestor. No other account can be elevated to the same permissions that a local System Account can. Using any other account incurs the risk of not having access to some part of the registry, files, and so on, in order to perform a successful clean operation.

Are exclusions required for Hyper-V systems on a computer that is running Windows server?
Yes. Microsoft has a list of recommended exclusions that are outlined in KB78364.

NOTE: VSE exclusion is one of the most important features to understand and implement. See KB66909 to obtain all the essential information that any new or existing user might want to know before deploying VSE to their production environment, including:
  • Understanding VSE Exclusions
  • Understanding High-Risk, Low-Risk, and Default processes configuration and usage
  • Understanding Exclusions in Low-Risk processes
  • Why some processes should be added to Low-Risk exclusions
  • How to use wildcards when creating exclusions in VSE
  • How to create Low-Risk and High-Risk process exclusions in VSE
  • How to use the EICAR anti-malware test file with McAfee products
Back to Top

How does Access Protection (AP) work?
AP is a behavior blocking feature, also known as Zero Day Protection, with the capability to block Ports, Files / Folders, and the Windows Registry. Each of these features has an associated kernel-level driver to filter the respective activity, and compares actions against a list of rules. Any action found to be in breach of a rule is acted upon. The action taken in response depends on what has been configured for the appropriate rule.

The product development team provides a number of helpful standard rules. Those we believe are essential are enabled by default. You can define your own rules as required.

Can fully-qualified pathnames and wildcards be used in Access Protection exclusions and inclusions (rules 'Processes to include' and 'Processes to exclude')?
Process names may be used with or without fully-qualified pathnames, and with or without wildcards in the fully-qualified pathname or process name. For example, all of the following are acceptable:

How does Buffer Overflow Protection (BOP) work?
BOP monitors processes and Application Program Interfaces (APIs), checking for code execution from a buffer overflow or buffer overrun. BOP does not stop the overrun from occurring, but will stop code execution that occurs from that overrun. This is a common exploit method used by malware against vulnerable applications to gain access to data or the system, and/or to further propagate itself. See KB58007 for a list of processes protected by BOP.

Protection is accomplished by having kernel-level hooks (also known as "kernel patching" of various system tables) detour code execution through our tests for safety, before returning to their previously scheduled programming. This feature is not supported on 64-bit platforms because its kernel cannot be "patched". This BOP feature can be made redundant if Data Execution Prevention (DEP) is in place.

In VSE 8.8 Patch 4 and later, the processing for detecting and enforcing buffer overflow protection is deferred to the Data Execution Prevention (DEP) technology available in hardware that supports it. DEP is enabled for the processes that VSE monitors. Any violations are reported as usual; however, the details of the report beyond Process name are of little value because defining module or API exclusions with 8.8 Patch 4 or later has no effect.

Are there conflicts between the Windows Data Execution Prevention (DEP) and BOP?
No. For a detailed explanation of DEP and BOP, see KB58554.
With 8.8 Patch 4 and later, the BOP feature leverages DEP to perform evaluation and enforcement. DEP is a hardware enforcement methodology for buffer overflow protection, and is faster at making the distinction for code executing safely or not.

How does the On-Access Scanner work?
A file system filter driver monitors all file activity and determines, based on configuration, whether a file object that is being accessed requires scanning. If so, the On-Access Scanner service (McShield.exe) processes the file object further to determine whether exclusions are applicable. If they are not, the OAS service performs a scan and reports the results back to the filter driver. McShield.exe loads the McAfee Engine and DAT files into memory to facilitate scanning and actions taken on infected files.

What happens to file attributes when VSE accesses files for scanning using the On-Access Scanner (OAS) and On-Demand Scanner (ODS)?
OAS or ODS access to files does not change any file attributes when scanning files. File attributes are changed only when OAS or ODS detects a virus and removes the malicious code from a file.

How does VSE OAS or ODS handle archive file scanning?
VSE scans each file in an archive. However, because there is no function for re-packing the archive, it is opened each time a file in the archive is scanned. Because archives cannot be re-packed, no actions can be taken on individual files within them. Therefore, if an infected file is detected within an archive, the entire archive is treated as an infected file.

IMPORTANT: If you choose not to delete (partially) infected archive files, extracted copies of infected files contained in an archive will be cleaned or deleted on extraction.

Why are files with a .CSV extension included in the default list of file types scanned by the VSE On-Access Scanner?
Though these files contain only passive text data, the product includes detection for files with a .CSV extension because malicious binary data can be included in such files to exploit potential Buffer Overflows in the program that processes the data.

Does the On-Access Scanner have Rootkit detection abilities?
No. Rootkit detection is available only using the VSE On-Demand Scanner. For additional information on Rootkits, see:
When running an On-Demand Scan, does VSE include a pause function when the CPU utilization spikes?
No. Because of its design it does not need to. For a detailed explanation and assistance when running an On-Demand Scan, see the following articles:
  • For understanding the VSE On-Demand Scan system resource utilization, see KB55145.
  • For Best Practices for On-Demand Scans in VSE 8.8, see KB74059.

How does the On-Demand Scanner (ODS) work?
On-Demand Scanning has been improved by moving from single threaded scanning to multi-threaded scanning. This allows VSE 8.8 to complete scan tasks in a much shorter time. The file system is walked and file names are added to a scanning pool, from which an available scanning thread is retrieved and acted on. If a file is modified or written to disk after the scan had progressed past that part of the file system, it will not be scanned until next time the ODS is run. Multi-threaded scanning applies to the file system only. Available scanning threads may come from the McShield.exe process; you will therefore see McShield.exe as active when ODS runs instead of the expected Scan32 or Scan64 process. The configured settings for the ODS are still in effect for those threads however. To force ODS to scan files rather than relying on McShield, the McShield service must first be stopped prior to starting the ODS.

How does the ODS behave during a scan when a DAT update occurs?
When either the DAT or Engine is being updated, the scan pauses for a brief period of time, reloads the new Engine and DAT, and resumes scanning. If McShield.exe is terminated during the update, then so too will the ODS terminate, because it is wholly reliant on McShield to perform the scan. The only exception to this is if the ODS had started while McShield was in a stopped state.

What happens if you schedule an ODS and log off?
Tasks that are scheduled to run will invoke with System Account privilege, or using the credentials specified when creating the task. The launching of the task is handled by the McAfee Framework service, FrameworkService.exe. As a service, this process runs continually, even when nobody is logged on to the system - thus it can invoke tasks at their appointed times.

Why does a right-click ODS (Scan for threats...) not scan all selected files?
Right-click scan functionality is limited to 1,000 items. If you select more than 1,000 items to be scanned by a right-click ODS scan, all items over the 1,000 limit will be skipped. To scan more than 1,000 files using a right-click scan, select the top-level folder that contains the files you want to scan.

What authentication is used between manual and scheduled scan tasks?
VSE allows manual as well as scheduled tasks to be run. When such tasks have been configured without explicitly supplying specific credentials, VSE will use the following accounts:
  • NT Authority / System account (for scheduled tasks, when no user is logged on)
  • Logged on user account (for manual tasks)

What are the differences between 'Scan all local drives' versus 'Scan all fixed drives' options?
The Scan all local drives option scans all drives connected to your computer. This includes hard drives, CDs, and other removable media. The Scan all fixed drives option scans non-removable media only.

  • The Windows operating system establishes which drives are local, mapped, fixed, or removable.
  • iSCSI drives are generally detected as local to Windows, even when they are not.
  • Some USB connected drives are detected as local fixed drives because of manufacturer tagging.

Why does performance drop when ODS runs?
When ODS has been configured to run at a below normal or low thread priority, and if the performance of the system is still being affected, it will be the result of a) scanning of archives, or b) a corrupted file locking up the scanner.

How does the On-Demand Scanner throttle mechanism work?
An On-Demand Scan (ODS) can be set to run at a certain priority which corresponds to thread priority. Windows is a multi-tasking operating system. This is accomplished by giving processes, or rather their threads, a small amount of CPU time in which they can perform their desired tasks. Windows uses a scheduling algorithm to determine which thread is given CPU time. For the ODS threads, you can influence the priority for which it is given CPU time using the "System utilization" setting on the Performance tab when creating the On-Demand Scan task.

NOTE: This mechanism does not apply to scanning archive files. If your scan task is set to include Archive files, there may be noticeable periods of time where CPU time is used largely by the On-Demand Scan.

Can the ScriptScan feature exclude scripts by site?
The ScriptScan feature can exclude scripts and does white listing of URLs.

  • If using ScriptScan causes a significant negative performance impact, you can disable it locally using the VSE Console or in managed solutions using policies in ePolicy Orchestrator.
  • There is a significant security risk in disabling ScriptScan. Applications like Outlook and Internet Explorer can render and execute scripts before a file has been created on the local system, allowing them to execute before the On-Access scanner can prevent this. The On-Access Scanner can stop the payload of attacks via this medium but ScriptScan has the added advantage of preventing an actual threat from executing in the first place.

How does the shared cache work?
The clean file scan cache is a list that tracks the results of files that have been scanned and were found to be clean. The list is stored in non-page pool memory and used by the McAfee file system filter driver. Files in the cache are not scanned. Files are added to the cache after they have been scanned and were found to be clean. Files are re-scanned if they are no longer in the cache or have been modified since they were scanned. The scan cache size can grow to a maximum of 12 MB.

How does the persistent cache work?
The clean file scan cache can be saved on shutdown (this is enabled by default) using the setting Enable saving scan data across reboots, so that the system benefits from the cached information on startup. The data is written to the system registry hive, allowing the McAfee file system filter driver to read this information early in the boot process.

How does the VSE On-Access Scanner (OAS) handle Client-side Caching interactions? Is the file local, or remote?
Microsoft Offline Files/folders technology, or Client-side Caching, allows for files that are hosted on a remote resource to be locally accessible by a device when that device is not connected to the network. This function is called client-side caching because Windows creates a local copy of the file within a protected folder, from which the device will read and modify the file's content as needed. When the device is again connected to the network, and the remote file is accessible, changes are synchronized to update both copies.

The file being cached in this manner is always considered a remote file. Even when the device is disconnected from the network, the user or programs accessing the file use the same remote location. It is Windows that takes care of the necessary redirection that provides access to the cached, local copy.

Because the file is always considered remote, in order for the OAS to scan these files, the Network Drive Scanning feature must be enabled. Similarly, for the On Demand Scanner (ODS) to scan the offline files, it must be provided the original (remote) location.

NOTE: Enabling the Network Drive Scanning feature is not recommended for most environments, because the scanning of remote objects can lead to slower performance and an increase in scanner time-outs.

What is a RunTime DAT?
The RunTime DAT determines how DAT files are loaded into memory and are maintained on disk. The RunTime DAT file ( MFERunTime.DAT ) is created by the Scanning Engine when it initializes. MFERunTime.DAT contains signature information taken from the regular DAT files obtained from the McAfee update site. By stripping out a large number of similar signatures during the DAT loading process and placing them in a separate file, the Scanning Engine can employ a more efficient search algorithm. Testing has shown a scanning performance improvement of at least 20% on Windows systems. The use of this file also allows faster Scanning Engine initialization times.

What is the benefit of the RunTime DAT?
RunTime DATs provide significant memory usage and scanning performance improvements and deal with issues such as:
  • High memory usage of scanner processes
  • Scanner processes taking a long time to start or initialize

Is MFERunTime.DAT secure?
Yes. This file contains validation mechanisms to allow corruption and deliberate modification of the file to be detected.

Can the MFERunTime.DAT file be removed?
No. This file is purposely placed in the same location as the other DAT files.

The McShield service runs as System - why does the product development team recommend not to change this?
Although technically possible, the product development team recommends that you do not change this because, by default, the McShield service runs as System to ensure it has access to any local resources and to allow remote scanning. If Network Drive Scanning is enabled, the process impersonates the requestor. However, if another account is necessary, the account used to run McShield must include the permission to act as part of the operating system (the Local System account already includes this permission). This allows a process to impersonate any user without authentication. The process can therefore gain access to the same local resources as that user. You can configure the Windows Security Policy Settings to achieve this by adding the account (you are attempting to use) to the following location: Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment.

Why are performance counters not included with VSE 8.8?
For VSE 8.8 installations, the McAfee Profiler should be used instead. Profiler captures top processes and files that are accessed by the VSE On-Access Scanner (OAS). Based on the data collected, an administrator can choose files or processes to exclude from scanning to lessen the impact on the system.

Can VSE detect a virus that is encrypted by an encrypted file system (EFS)?
If the user who encrypted the file/folder launches the scan, then Yes. Otherwise, VSE does not have the ability to scan inside encrypted files or packages (neither can any anti-virus scanner). The VSE logs will show the following when one is encountered: Not scanned (The file is encrypted). Detection will take place only when the file has been decrypted/opened.

Also refer to this Microsoft article, which covers EFS and issues with virus check programs: http://technet.microsoft.com/library/Cc962106

Back to Top


The content of this article originated in English. If there are differences between the English content and its translation, the English content is always the most accurate. Some of this content has been provided using Machine Translation translated by Microsoft.

Rate this document

Did this article resolve your issue?

Please provide any comments below

Beta Translate with

Select a desired language below to translate this page.

Glossary of Technical Terms

 Highlight Glossary Terms

Please take a moment to browse our Glossary of Technical Terms.