FAQs for VirusScan Enterprise 8.x
Technical Articles ID:  KB71642
Last Modified:  02/19/2014


Environment

McAfee VirusScan Enterprise 8.x

For details of VSE 8.x supported environments, see KB51111.

Summary

Contents
  • General: For product information covering miscellaneous topics.
  • Compatibility: Interaction between other products including operating systems, hardware, software and McAfee Agent.
  • Installation/Upgrade: Information about installing, removing, DAT files, upgrading or Patches. Related information on ePolicy Orchestrator and End of Life.
  • Configuration: Includes best practices, optimizing, customizing cache, using system variables, and exclusions.
  • Functionality: Product features and functions, including ScriptScan, the On-Access Scanner, the On-Demand Scanner, Access Protection, Buffer Overflow Protection, caching and RunTime DAT.

NOTE: This article deals with general queries on VirusScan Enterprise (VSE) as well as version specific questions.

General

When will McAfee fix the Event 516 issue?
This particular event ID is not indicative of a product issue but the outcome of a self-check validation routine, warning that the point product may have been compromised. For the current status, see KB71083. For the latest information on issues discovered with the product, see KB70393.


How do I scan a server infected with Conficker?
See KnowledgeBase article KB60909.


Is VSE Federal Desktop Core Configuration (FDCC) compliant?
Yes. VSE is FDCC compliant.


Has McAfee created any white papers for VSE?
Yes. See KB75957, which covers Archives and Compressed Files. This section will be updated as more white papers are created.

Why do the posted dates for Patches change?
McAfee posts the best estimate for a release date in the relevant articles. The dates are subject to change as McAfee increases the scope of the patch release to deliver additional fixes to customer reported issues, and issues discovered during the extensive internal certification cycle. This certification process includes standard test procedures, lab testing, McAfee production rollouts, as well as limited customer deployments. When the scope of the patch release changes, McAfee does its best to update the website with the new dates.


Why are ExtraDAT files sent to suppress detections not shown in About VirusScan Enterprise?
ExtraDAT files that are sent to suppress detections will not appear in the About window because they are only intended to correct a false positive.

NOTE: ExtraDAT files that are sent to add signatures to the daily DAT file (to detect particular threats) will appear in the About window.


Are there any articles that help a new user to get started?
Yes. A VSE tips article is available to give new users an overview of the key areas of the product. For details, see KB75857.


Compatibility
What environments does VSE 8.x support?
See KnowledgeBase article KB51111.


When will VSE support Microsoft Office 2013?
Full support for Microsoft Office 2013 is provided with VSE 8.8 Patch 4, which is available from the McAfee Downloads site using a valid Grant Number.

McAfee product software, upgrades, maintenance releases, and documentation are available from the McAfee Downloads site at: http://www.mcafee.com/us/downloads/downloads.aspx.

NOTE: You will need a valid Grant Number for access. KB56057 provides additional information about the McAfee Downloads site, as well as alternate locations for some products.



Can I install VSE onto a tablet that has Windows 8 installed?
Yes; however, the VSE OAS can be resource intensive for tablet hardware.
NOTE: The only version of Windows 8 not supported is Windows 8 RT.


When will there be a 64-bit version?
VSE has been a 64-bit product since version 8.5i. Version 8.0i had 64-bit drivers, but processes ran in 32-bit compatibility mode.


What makes VSE a 64-bit product?
VirusScan installs both 32-bit and 64-bit binaries on x64 systems. The 64-bit product binaries are installed to an x64 subfolder from the installation path; other binaries, such as drivers, are installed to their appropriate places in the Windows file system. The product installation does not adhere to the guidelines of installing 64-bit files to the \program files folder. Nevertheless, the product supports x64 natively.


What runs in 32-bit compatibility mode on x64 systems?
Some third-party applications run as 32-bit, so VirusScan loads the appropriate 32-bit scanner for those programs. For example, the McAfee email scan feature and Microsoft Outlook 2007.


Why should I install the McAfee (ePO) Agent on laptops that rarely connect to the network?
The ePO Agent provides policy enforcement. After you have installed the agent and it has received the policy you configured at the ePO server, that policy is enforced at the policy enforcement interval you defined, whether the laptop is on or off the network. This helps ensure that your company settings for your McAfee products are in place no matter where the user roams.


Why is nVidia listed in the Known Issues?
Some issues have been reported in the past, and still surface now and then, where a problem with the product (usually high CPU utilization from a McAfee process) has been narrowed down to a module belonging to the nVidia video software injecting itself into our process(es) and then causing a thread to "runaway", a condition where a thread is using all available CPU. The solution to these issues has been to update the nVidia software. Also check for nVidia issues as described in KnowledgeBase articles KB52367 and KB70299.


Can I use VSE 8.x to block access to USB devices?
No. Blocking access to USB devices is not supported with VSE 8.x. Although it is theoretically possible to block most USB devices using VSE Access Protection, there are too many potential issues for this to be supported. To efficiently block USB devices, use McAfee Data Loss Prevention. A basic solution can be found in the Microsoft Knowledge Base article 823732 at http://support.microsoft.com/kb/823732.


Are there any compatibility issues with VSE 8.x and the Microsoft Volume Shadow Copy Service (VSS)?
There are currently no known issues between the Microsoft VSS and VSE 8.x.
NOTE: VSS captures and copies stable images for backup on running systems, particularly servers, without unduly degrading the performance and stability of the services they provide. See: http://msdn.microsoft.com/library/aa384649(VS.85).aspx


Why is Windows Defender removed automatically when I install VSE?
With the release of Windows 8 / Windows Server 2012 operating systems and later, VSE no longer requires Windows Defender to be uninstalled. VSE 8.8 Patch 3 and later will support Windows 8 and Windows Server 2012.


Can I install two different anti-virus products on a single system?
No. Having two On-Access scanners can lead to several problems. The most common is a performance issue because two On-Access scanners will scan the same file. For a list of products that you can remove if you have VSE 8.8 or 8.7i installed, see KB72251.


What exclusions are required when VSE is installed on VMware Horizon?
Exclusions are normally provided by the third-party software vendor, not the AV vendor.
Refer to the VMware article 2052489 for how to configure antivirus exclusions for VMware Horizon Mirage 3.x and 4. For details, see http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2052489


Installation

Why should I upgrade from VSE 8.7i to 8.8?
To see what's new and what's improved in VSE 8.8, see PD22973. To see the known issues, see KB70393.


How do I download VSE 8.8?

  • For details about downloading McAfee products, security updates, patches, or hotfixes, see KB56057.
  • A training video about how to obtain the installation files for VSE is available here: TU30279.

How do I install VSE locally or with third-party solutions?
Extract the installation files from the .zip to a temporary folder, run SetupVSE.exe, then complete the installation wizard. A training video about how to install VSE as a standalone installation in unmanaged environments is available here: TU30278.

NOTE: SetupVSE.exe supports many of the MSI command line options as well as product specific options. For a complete list of options, see PD22944.


Is a restart required after installing a VSE patch?
No. Patch installations never force a restart. Even when a restart is ideally required, this is suppressed by the installer to minimize inconvenience. The product will function as expected without the reboot. However, to ensure older drivers are removed from memory and to have a clean computing environment, McAfee recommends that you restart patched systems at your earliest convenience.
 

How do I install VSE via ePolicy Orchestrator?
Add the installation package to your repository, then create/modify a Deployment Task (see your ePO 4.6 or ePO 4.5 documentation for instructions).

NOTE: The Deployment Task allows for command line options to be specified too. This allows you to make simple changes to the installation, such as not installing a particular feature. For a complete list of options, see PD22944.


Is it necessary to preinstall a McAfee Agent when VirusScan Enterprise is not managed by ePolicy Orchestrator?
It is not necessary to preinstall the McAfee Agent prior to installing VSE. This is because the McAfee Agent has two modes of operation: Agent and Updater, where the Updater is a subset of the Agent. If no agent is present when installing VSE, VSE will install an Updater.


Why does the product install to the Program Files (x86) folder?
VirusScan installs both 32-bit and 64-bit binaries on x64 systems. The 64-bit product binaries are installed to a "x64" subfolder from the installation path; other binaries, such as drivers, are installed to their appropriate places in the Windows file system. The product installation does not adhere to the guidelines of installing 64-bit files to "\program files"; nevertheless, the product supports x64 natively.


What products are removed when you install VSE 8.x?
See KnowledgeBase articles KB72251 on products that can be removed when VSE 8.x is installed and KB72497 on the non-removal of SaaS Endpoint Protection during a VSE 8.8 installation.


Why does VSE 8.8 'About' window not show AntiSpyware is installed?
From VSE 8.8 the AntiSpyware Enterprise module is no longer separate from VSE. It has been fully integrated into the product. You can enable or disable anti-spyware features using the standard methods: locally, via the VSE Console, or centrally, through ePolicy Orchestrator (ePO). See also KnowledgeBase article KB70860, which deals with VSE add-on modules that stop functioning after upgrading from VSE 8.7i to 8.8.


Why are there not any DAT files in the installation package?
VSE no longer ships with DAT or signature files included. This allows upgrade deployments to have smaller deployment packages, and the DATs of the prior version will be used when the newer version installs (applicable to VSE 8.5i and later). For details about DAT-less packages and how to include DATs in the installation package, see KB68449.


How does DAT update affect the new cache?
As a rule, anti-virus clean file scan cache information is purged when a signature update occurs, to allow files to be re-scanned using the new signatures. VSE 8.8 behaves the same way, but it will purge only data that is unsafe to keep in the cache. In other words, the system may still benefit somewhat from the cache after a DAT update has occurred.


Why do ExtraDAT files sent to suppress detections not appear in About VirusScan Enterprise?
ExtraDAT files that are sent to suppress detections do not appear in the About window because they are only intended to correct a false positive.

NOTE: ExtraDAT files that are sent to add signatures to the daily DAT file to detect particular threats do appear in the About window.


What happens if a restart does not occur after installation?
A restart is not required to begin taking advantage of VSE functionality. However, a restart is recommended to ensure a cleaner Windows environment.


What are the Trusted Installers?
From VSE 8.8 the On-Access Scanner allows you to configure whether to scan Trusted Installers. When not selected (trust the Trusted Installers), the following applies:

  • Any MSI product that is being installed by the Msiexec.exe process, and is signed by McAfee or Microsoft, and does not include a merge template as part of the command line, is whitelisted.
  • I/O by a Vista and newer TrustedInstaller.exe process that is signed by Microsoft and running under the well known TrustedInstaller service account SID, is whitelisted.
  • I/O on any version of Windows from Update.exe that is appropriately signed by Microsoft, is whitelisted.

What does not work until restart occurs?
If making use of the network drive scanning feature, and if scanning DFS shares hosted on remote systems, a reboot is necessary to fully enable that configuration.


How do you remove the product?
VSE can generally be removed through Windows Add/Remove programs. However, if this fails, then manually remove the product as follows:
    • VSE 8.8, see KB71179.
    • VSE 8.7i, see KB59996.
    • VSE 8.x using msiexec.exe, see KB52648.
    • AntiSpyware Enterprise 8.x, see KB58443.
    • VSE 8.5i, see KB50602. (Retained for legacy products that have failed to upgrade and need manual removal instructions)

Is my product version supported?
For End of Life and End of Support information see McAfee Product & Technology Support Lifecycle and KnowledgeBase article KB51111.


If I have VSE 8.7 Patch 5 (RTW), do I require the reposted (revised) VSE 8.7 Patch 5?
No. However, you do require VSE 8.7 Patch 5 Hotfix 643440, which is available on the McAfee product download page on the Hotfix tab.


If I have the reposted VSE 8.7 Patch 5, do I require Hotfix 643440?
No.


How do I distinguish between the reposted VSE 8.7 Patch 5 and the original VSE 8.7 Patch 5 release?
The revised patch also includes the code for VSE 8.7 Patch 5 Hotfix 643440, and it creates the appropriate registry value to indicate the presence of that hotfix. The registry value is found in HKLM\Software\McAfee\DesktopProtection and it reports 643440 to ePO via property collection. This is listed in the Fixes field for each node that has it, as well as indicating Patch 5 is installed. The original VSE 8.7 Patch 5 would not report that the hotfix was present.
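
A local version of this check, as an added example that is not McAfee code. The article names the key and the number 643440 but not the value name, so the script searches every value under the key; the Wow6432Node path is an assumption about where the key appears on 64-bit Windows.

```powershell
# Added example, not McAfee code.
# The article gives the key and the hotfix number but not the value name,
# so every value under the key is searched for that number.
$hotfix = '643440'
$keys = @(
    'HKLM:\SOFTWARE\McAfee\DesktopProtection',
    # Assumption: 32-bit registry view as seen from 64-bit PowerShell.
    'HKLM:\SOFTWARE\Wow6432Node\McAfee\DesktopProtection'
)

$hits = foreach ($key in $keys) {
    if (Test-Path -Path $key) {
        $item = Get-Item -Path $key
        foreach ($name in $item.GetValueNames()) {
            # Multi-string and binary values are flattened to one string.
            $data = @($item.GetValue($name)) -join ','
            if ($data -match "\b$hotfix\b") {
                [pscustomobject]@{ Key = $key; Value = $name; Data = $data }
            }
        }
    }
}

if ($hits) {
    $hits | Format-List
    "Hotfix $hotfix is recorded: reposted Patch 5, or original Patch 5 plus the hotfix."
}
else {
    "Hotfix $hotfix is not recorded under the DesktopProtection key."
}
```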


What is the difference between having VSE 8.7 Patch 5 (RTW) with Hotfix 643440 and installing the reposted VSE 8.7 Patch 5?
None.


Configuration
There is a lot you can do to prevent issues. Following the best practices is often key to avoiding issues.

When is a restart required?
A reboot is not required to begin taking advantage of VSE functionality. A reboot is recommended to ensure a cleaner Windows environment.


How do I stop McAfee services?
VirusScan Enterprise utilizes a self-protection mechanism to prevent even administrators from stopping the services. It is controlled via the Access Protection properties, Prevent McAfee Services From Being Stopped option. If you disable this option, you can stop the McAfee services via normal means.
 

What are the best practices on how to configure the On-Demand Scanner? 
For configuring on-demand scan file scan threads for best performance, see the 8.8 Best Practices Guide.
For client tasks, see the 8.7i Best Practices Guide.


Why is McShield using CPU during On-Demand Scan?
One of the improvements made for memory reduction was for the On-Access Scanner (mcshield.exe) to use the instance of the DAT files and Engine already loaded in memory. As a result, when an On-Demand Scan is launched, you will see it using the McShield.exe process. It does not mean that the On-Demand Scanner (ODS) and On-Access Scanner (OAS) are scanning the same file.


Does the On-Access Scanner scan items being scanned by the On-Demand Scanner?
The VSE OAS scans every file access on Read or Write cycles when a file is accessed by another process. However, when the ODS Scan32.exe scans files, it does not trigger further scanning by the OAS. This is because there is an established trust between OAS and ODS. Therefore, when ODS is scanning files, an exclusion is automatically applied to the files being scanned by ODS scan32.exe. If another process tries to access these files, OAS scans them as normal.


How does an incremental On-Demand Scan work?
Incremental scanning only occurs under the following circumstances:

  • If an ODS was unable to complete within the time specified.

    NOTE: By default, no time limit is assigned to an On-Demand Scan task. 
     
  • If an ODS was interrupted because of a shutdown notification.

How does the On-Demand Scanner know when to resume a scan?
Incremental scanning only occurs if the scan could not complete within an explicitly specified time (default is no time limit) or if the task was interrupted because of a shutdown notification. Under either of these circumstances, VSE will initiate an incremental scan starting with the last file that was scanned.

Example:

  1. The ODS task starts at the Start time configured above.
  2. The scan stops when it reaches the allotted time, configured under Stop the task if it runs for, and records what the last file was that it successfully scanned.
  3. When the schedule for this ODS task repeats, the task continues from where it was interrupted previously.  

    For how to determine which files were last scanned, see KB78969.

 
What can I do to improve performance?
For configuring Performance Improvements, see the 8.8 Best Practices Guide.
For On-Access default processes policies/process settings, see the 8.7i Best Practices Guide.

 
How do I limit CPU and memory usage of McShield.exe?
For configuring performance improvements, see the 8.8 Best Practices Guide.
For client tasks, see the 8.7i Best Practices Guide.


How do I configure VSE 8.8 cache persistence?
For cache persistence, see KB71905 for best practices.


How do I investigate performance issues?
There are a number of approaches, and the following information is intended to allow you to follow the steps sequentially to gain information on what the issue might be. After you have identified the issue, you can take appropriate steps to resolve the issue. These steps are intended as a guideline rather than comprehensive instructions. You can find additional information on using the tools mentioned from the Internet. More tools are listed in KB72766.

  • Task Manager
    Press CTRL+SHIFT+ESC to open Task Manager. Sort by the CPU column to see what process or processes are using CPU. Note that the number is a percentage of all available processors or cores, so 25 percent on a four-CPU system would mean a process is pegging one of the cores, which is usually indicative of a problem. You can investigate further after the offending process or processes have been identified.
     
  • Performance Monitor
    You can use Performance Monitor (PerfMon) to convey specifics of how much CPU is being used and for how long, giving you an idea of how the system or users are being impacted. Use PerfMon to monitor the performance object's Process, Processor, and Memory, capturing all counters and instances. McAfee advises that you use a sampling rate of 1 second for most issues that occur within a brief window of time or are predictable. To reduce the potential size of the log generated, you can use fewer and more specific counters instead of capturing everything because this allows the capture to run for longer periods of time without creating an unwieldy log file.
     
  • McAfee Profiler
    McAfee released the McAfee Profiler for VirusScan to give visibility into what the product is doing, such as what files are being scanned. The tool provides a mechanism for generating reports to add understanding to the data that is collected.
    NOTE: You might be able to create exclusions and/or leverage the Hi/Low/Default scanning profiles to create a configuration that improves performance. For more details about this tool, see KB69683.
     
  • Windows Performance Monitoring Tool (XPerf)
    In Microsoft Vista and newer operating systems, Microsoft has provided a powerful tool that can give very detailed information about a performance problem, including the API that is being called the most. Vendors typically use this information at an engineering/development level, where symbol files for source code are accessible. This helps them understand more clearly what code paths are being exercised. You can also use this tool on Windows XP or Windows 2003, but not to the same level of detail.

McAfee advises you to work with McAfee Technical Support if your performance issues have not been addressed after following these steps.
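
The Task Manager and PerfMon steps above can be combined in one capture, shown here as an added example that is not a McAfee tool. It assumes Windows PowerShell 3.0 or later, English counter names, and the process names McShield, Scan32 and Scan64 mentioned in this article.

```powershell
# Added example, not a McAfee tool. Samples the PerfMon Process counter once per
# second (the rate advised above) and relates it to the Task Manager percentage.
$seconds = 60
$cores   = [Environment]::ProcessorCount

# Process names taken from this article; any that are not running are skipped.
$names   = 'McShield', 'Scan32', 'Scan64'
$running = @(Get-Process -Name $names -ErrorAction SilentlyContinue |
    Select-Object -ExpandProperty ProcessName -Unique)

if ($running.Count -eq 0) {
    Write-Warning 'None of the listed processes is running.'
}
else {
    # Assumption: English counter names. The trailing * also matches
    # numbered instances of the same process.
    $paths = $running | ForEach-Object { "\Process($_*)\% Processor Time" }

    Get-Counter -Counter $paths -SampleInterval 1 -MaxSamples $seconds |
        ForEach-Object { $_.CounterSamples } |
        Group-Object -Property Path |
        ForEach-Object {
            # Raw counter value: 100 means one core fully used, so it can exceed 100.
            $raw  = @($_.Group | ForEach-Object { $_.CookedValue })
            $stat = $raw | Measure-Object -Average -Maximum
            [pscustomobject]@{
                Instance          = $_.Group[0].InstanceName
                AvgTaskMgrPct     = [math]::Round($stat.Average / $cores, 1)
                PeakTaskMgrPct    = [math]::Round($stat.Maximum / $cores, 1)
                PeakCoresBusy     = [math]::Round($stat.Maximum / 100, 2)
                SecondsAtFullCore = @($raw | Where-Object { $_ -ge 95 }).Count
            }
        } |
        Sort-Object -Property PeakTaskMgrPct -Descending |
        Format-Table -AutoSize
}
```

On a four-core system, a PeakTaskMgrPct of 25 with PeakCoresBusy near 1 is the "pegging one of the cores" case described under Task Manager; SecondsAtFullCore shows for how long it lasted.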


Why is Access Protection / Buffer Overflow Protection still enabled when disabling the On-Access Scanner?
One of the architectural changes with this release was to separate Access Protection (AP)/Buffer Overflow Protection (BOP) from the status of the On-Access scanner. In earlier versions of VSE all three would be disabled if you disabled the On-Access Scanner. Separating the disable function allows for Zero Day Protection features (AP and BOP) to remain enabled should the real-time scanner fail.


Can I change the Account used by the McAfee McShield service?
While this is technically possible, McAfee recommends that you do not do this. By default, the McShield service runs as the System Account, which ensures it has access to any local resources and for any remote scanning. If network drive scanning is enabled, the process impersonates the requestor. No other account can be elevated to the same permissions that a local System Account can. Using any other account incurs the risk of not having access to some part of the registry, files, etc. in order to perform a successful clean operation.


Are exclusions required for Hyper-V systems on a computer that is running Windows server?
Yes. Microsoft have a list of recommended exclusions that are outlined in KB78364.

NOTE: VSE exclusion is one of the most important features to understand and implement. See KB66909 to obtain all the essential information that any new or existing user might want to know before deploying VSE to their production environment, including:

  • Understanding VSE Exclusions
  • Understanding High-Risk, Low-Risk, and Default processes configuration and usage
  • Understanding Exclusions in Low-Risk processes
  • Why some processes should be added to low-risk exclusions
  • How to use wildcards when creating exclusions in VSE
  • How to create Low-Risk and High-Risk process exclusions in VSE
  • How to use the EICAR antimalware test file with McAfee products


Functionality

How does Access Protection (AP) work?
Access Protection (AP) is a behavior blocking feature, also known as Zero Day Protection, with capability of blocking Ports, Files / Folders, and the Windows Registry. Each of these features has an associated kernel-level driver to filter the respective activity, and compares actions against a list of rules. Any action found to be in breach of a rule is acted upon. The action taken in response depends on what has been configured for the appropriate rule.

McAfee provides a number of helpful standard rules. Those we believe are essential are enabled by default. You can define your own rules as required.


How does Buffer Overflow Protection (BOP) work?
Buffer Overflow Protection (BOP) monitors (see KB58007) and Application Program Interfaces, checking for code execution from a buffer overflow or buffer overrun. BOP does not stop the overrun from occurring, but will stop code execution that occurs from that overrun. This is a common exploit method, used by malware against vulnerable applications, to gain access to data or the system and/or to further propagate itself.

Protection is accomplished by having kernel-level hooks (also known as "kernel patching" of various system tables) detour code execution through our tests for safety, before returning to their previously scheduled programming. This feature is not supported on 64-bit platforms as its kernel cannot be "patched". This BOP feature can be made redundant if Data Execution Prevention (DEP) is in place.


Are there conflicts between the Windows Data Execution Prevention (DEP) and BOP?
No. For a detailed explanation of DEP and BOP, see KB58554.


How does the On-Access Scanner work?
A file system filter driver monitors all file activity and determines, based on configuration, whether a file object that is being accessed requires scanning. If so, the On-Access Scanner service (McShield.exe) processes the file object further to determine if exclusions are applicable. If they are not, the OAS service performs a scan and reports the results back to the filter driver. McShield.exe loads the McAfee Engine and DAT files into memory to facilitate scanning and actions taken on infected files.


What happens to file attributes when VSE accesses files for scanning using the On-Access Scanner (OAS) and On-Demand Scanner (ODS)?
OAS or ODS access to files does not change any file attributes when scanning files. File attributes are only changed when OAS or ODS detects a virus and removes the malicious code from a file. 
 

How does VSE OAS or ODS handle archive file scanning?
VSE scans each file in an archive. However, because there is no function for re-packing the archive, it is opened each time a file in the archive is scanned. Because archives cannot be re-packed, no actions can be taken on individual files within them. Therefore, if an infected file is detected within an archive, the entire archive is treated as an infected file.

IMPORTANT:
  If you choose not to delete (partially) infected archive files, extracted copies of infected files contained in an archive will be cleaned or deleted on extraction.


Why has the 'Protected by Windows File Protection' option (that was under 'What not to scan' in VSE 8.7) been removed from VSE 8.8?
Due to advanced Rootkit functionality it is important that VSE scans these directories even if they have been flagged as protected.


Why are files with a .CSV extension included in the default list of file types scanned by the VSE On-Access Scanner?
Though these files only contain passive text data, McAfee includes detection for files with a .CSV extension because malicious binary data can be included in such files to exploit potential Buffer Overflows in the program that processes the data.


Does the On-Access scanner have Rootkit detection abilities?
No, Rootkit detection is only available using the VSE On-Demand Scanner. For additional information on Rootkits, see:

When running an On-Demand scan, does VSE include a pause functionality when the CPU utilization spikes?
No. Due to its design it does not need to. For a detailed explanation and assistance when running an On-Demand scan, see the following articles:

  • Understanding the VSE On-Demand Scan system resource utilization, see KB55145.
  • Best Practices for On-Demand Scans in VSE 8.8, see KB74059.


How does the On-Demand Scanner (ODS) work?
On-Demand Scanning (ODS) in this release has been improved over prior versions by moving from single-threaded scanning to multi-threaded scanning. This allows VSE 8.8 to complete scan tasks in a much shorter time. The file system is walked and file names are added to a scanning pool, from which an available scanning thread is retrieved and acted on. If a file is modified or written to disk after the scan had progressed past that part of the file system, it will not be scanned until the next time the ODS is run. Multi-threaded scanning applies to the file system only. Available scanning threads may come from the McShield.exe process; you will therefore see McShield.exe as active when ODS runs instead of the expected Scan32 or Scan64 process. The configured settings for the ODS are still in effect for those threads, however.


How does the ODS behave during a scan when a DAT update occurs?
When either the DAT or Engine are being updated, the scan pauses for a brief period of time, reloads the new Engine and DAT, and resumes scanning.


What happens if you schedule an ODS and log off?
Tasks that are scheduled to run will invoke with System Account privilege, or using the credentials specified when creating the task. The launching of the task is handled by the McAfee Framework service, FrameworkService.exe. As a service, this process runs continually, even when nobody is logged onto the system - thus it can invoke tasks at their appointed times.
 

What authentication is used between manual and scheduled scan tasks?
VSE allows manual as well as scheduled tasks to be run. When such tasks have been configured without explicitly supplying specific credentials, VSE will use the following accounts:
  • NT Authority / System account (for scheduled tasks, when no user is logged on)
  • Logged on user account (for manual tasks) 

What are the differences between 'Scan all local drives' versus 'Scan all fixed drives' options?
The Scan all local drives option scans all drives connected to your computer. This includes hard drives, CDs, and other removable media. The Scan all fixed drives option scans non-removable media only. 

NOTES:

  • The Windows operating system establishes which drives are local, mapped, fixed, or removable. 
  • iSCSI drives are generally detected as local to Windows, even when they are not.
  • Some USB connected drives are detected as local fixed drives due to manufacturer tagging.
     

Why does performance drop when ODS runs?
When ODS has been configured to run at a below normal or low thread priority, and if the performance of the system is still being impacted, it will be due to a) scanning of archives, or b) a corrupted file locking up the scanner.


How does the On-Demand Scanner throttle mechanism work?
An On-Demand Scan (ODS) can be set to run at a certain priority which corresponds to thread priority. Windows is a multi-tasking operating system. This is accomplished by giving processes, or rather their threads, a small amount of CPU time in which they can perform their desired tasks. Windows uses a scheduling algorithm to determine which thread is given CPU time. For the ODS threads, you can influence the priority for which it is given CPU time using the "System utilization" setting on the Performance tab when creating the On-Demand Scan task. The behavior of the ODS was introduced in VSE 8.7i, Patch 1.

NOTE: This mechanism does not apply to scanning archive files. If your scan task is set to include Archive files, there may be noticeable periods of time where CPU time is used largely by the On-Demand Scan.
 

Can the ScriptScan feature exclude scripts by site?
The ScriptScan feature has been able to exclude scripts since VSE 8.5i (with Patch 8 and Hotfix HF472021); whitelisting of URLs was added from VSE 8.7i. See KB65382.

NOTES:

  • If using ScriptScan causes a significant negative performance impact, you can disable it locally using VirusScan Console or in managed solutions using policies in ePolicy Orchestrator.
  • There is a significant security risk in disabling ScriptScan. Applications like Outlook and Internet Explorer can render and execute scripts before a file has been created on the local system, allowing them to execute before the On-Access scanner can prevent this. The On-Access Scanner can stop the payload of attacks via this medium but ScriptScan has the added advantage of preventing an actual threat from executing in the first place.

How does the shared cache work? 
 
The clean file scan cache is a list that tracks the results of files that have been scanned and were found to be clean. The list is stored in non-page pool memory and used by the McAfee file system filter driver. Files in the cache are not scanned. Files are added to the cache after they have been scanned and were found to be clean. Files are re-scanned if they are no longer in the cache or have been modified since they were scanned. The scan cache size can grow to a maximum of 12 MB. In previous versions of VSE the maximum size was 2 MB.


How does the persistent cache work? 
The clean file scan cache can be saved on shutdown (this is enabled by default) using the setting Enable saving scan data across reboots, so that the system benefits from the cached information on startup. The data is written to the system registry hive, allowing the McAfee file system filter driver to read this information early in the boot process. Note that a limitation has been identified with Windows 2000 systems using this feature.


What is a RunTime DAT?
VSE 8.7i Patch 1 introduced the RunTime DAT file as a performance enhancement. The RunTime DAT determines how DAT files are loaded into memory and maintained on disk.

The RunTime DAT file (MFERunTime.DAT) is created by the Scanning Engine when it initializes. MFERunTime.DAT contains signature information taken from the regular DAT files obtained from McAfee's update site. By stripping out a large number of similar signatures during the DAT loading process and placing them in a separate file, the Engine can employ a more efficient search algorithm. Testing has shown a scanning performance improvement of at least 20% on Windows systems. The use of this file also allows faster Scanning Engine initialization times.


What is the benefit of the RunTime DAT?
RunTime DATs provide significant memory usage and scanning performance improvements and deal with issues such as:
    • High memory usage of scanner processes
    • Scanner processes taking a long time to start or initialize
       

What is required to enable this RunTime DAT improvement?
Install VSE 8.7i Patch 1 or later.


Is this new MFERunTime.DAT secure?
Yes. This file contains validation mechanisms to allow corruption and deliberate modification of the file to be detected.
 

Can this MFERunTime.DAT file be removed?
No. This file is purposefully placed in the same location as the other DAT files.


The McShield service runs as System - why does McAfee recommend not to change this?
Changing the account is technically possible, but McAfee recommends that you do not do this. By default, the McShield service runs as System to ensure it has access to any local resources and to allow remote scanning. If network drive scanning is enabled, the process impersonates the requestor. If another account is necessary, the account used to run McShield must include the permission to act as part of the operating system (the Local System account already includes this permission). This permission allows a process to impersonate any user without authentication, so the process can gain access to the same local resources as that user. To grant it, configure the Windows Security Policy Settings by adding the account you intend to use under the following location: Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment. For more information, see KB75882.
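
One way to check this on a host, as an added example rather than McAfee's own tooling: the script reports the account McShield runs as and which accounts are directly assigned the "Act as part of the operating system" right (SeTcbPrivilege). It assumes the service short name is McShield, Windows PowerShell 3.0 or later, and an elevated prompt; rights granted through group membership are not resolved.

```powershell
# Added example (not McAfee code): audit the McShield logon account and the
# "Act as part of the operating system" user right (SeTcbPrivilege).
$svcName = 'McShield'   # assumption: service short name on this host

$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$svcName'"
if (-not $svc) { throw "Service '$svcName' not found on this system." }

# Export only the User Rights Assignment area of the local security policy.
$cfg = Join-Path $env:TEMP ("user-rights-{0}.inf" -f [guid]::NewGuid())
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$line = Select-String -Path $cfg -Pattern '^SeTcbPrivilege\s*=' | Select-Object -First 1
Remove-Item $cfg -ErrorAction SilentlyContinue

# Entries are comma-separated. SIDs carry a '*' prefix; resolve them to names.
# No SeTcbPrivilege line means the right is not assigned to any account.
$holders = @()
if ($line) {
    $holders = @(($line.Line -split '=', 2)[1].Split(',') | ForEach-Object {
        $entry = $_.Trim()
        if ($entry.StartsWith('*')) {
            $sid = New-Object System.Security.Principal.SecurityIdentifier($entry.TrimStart('*'))
            try { $sid.Translate([System.Security.Principal.NTAccount]).Value }
            catch { $sid.Value }   # unresolved SID: report it as-is
        } else { $entry }
    })
}

# Local System already includes the right; other accounts need it assigned.
$isSystem = $svc.StartName -eq 'LocalSystem'
$account  = $svc.StartName -replace '^\.\\', "${env:COMPUTERNAME}\"
$hasRight = $isSystem -or ($holders -contains $account)   # direct assignment only

[pscustomobject]@{
    Service         = $svc.Name
    LogonAccount    = $svc.StartName
    SeTcbHolders    = $holders -join '; '
    AccountHasRight = $hasRight
}

if (-not $isSystem -and -not $hasRight) {
    Write-Warning "$($svc.StartName) is not directly assigned SeTcbPrivilege."
} elseif (-not $isSystem) {
    Write-Warning "$($svc.StartName) holds SeTcbPrivilege and can impersonate any user without authentication."
}
```

Any account listed under SeTcbHolders that is not an intended service account is worth reviewing, since the right applies to every process that account runs.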
 

Why are performance counters only available for VSE 8.7, and not included with VSE 8.8?
For VSE 8.8 installations, the McAfee Profiler should be used instead. Profiler captures top processes and files that are accessed by the VirusScan Enterprise (VSE) On-Access Scanner (OAS). Based on the data collected, an administrator can choose files or processes to exclude from scanning to lessen the impact on the system.

© 2003-2013 McAfee, Inc.