Knowledge Center

McShield.exe encounters a Timeout when scanning remote files
Technical Articles ID:  KB75882
Last Modified:  9/19/2013


McAfee Anti-Virus Scanning Engine 5.6.00 (5600)
McAfee VirusScan Enterprise 8.8, 8.7i

Microsoft Windows UNC paths, mapped drives, and shares
EMC Celera filers with CAVA Agent
Network Drive Scanning (enabled)



Background information:
When scanning a remote file with VirusScan Enterprise, the real-time or On-Access Scanner (mcshield.exe) impersonates the access token of the original requestor for the file object. The access token is required so it can read necessary information about the remote file object to facilitate scanning the file object.


Frequent scanner timeouts when accessing remote files.


The Mcshield.exe process cannot obtain access to the file object, which leads to the scan request eventually reaching its timeout limits.

McAfee Engineering has confirmed this behavior stems from a function of the Scan Engine, the DAT content is simply leveraging it, which in turn leads to the symptom. This engine function does not inherit the access token already acquired by McShield's scan thread, nor does it request one. Consequently, the Engine function fails to access the remote file object and the McShield scan thread will eventually time out.


McAfee confirms this issue is due to a design limitation with the current releases of the Anti-Virus Scanning Engine, and plans to solve the problem in the 5.7.00 (5700) scan engine release. This article will be updated when the 5700 is posted to the McAfee Download Site. 

As a temporary yet fully supported interim measure, implement the workaround below.


Modify the McShield service to run as a specific account rather than the local System account. For example, for EMC CAVA environments where the CAVA Agent is the process responsible for accessing the remote file object, set McShield to use those same credentials.

NOTE: To undo the following changes, follow the same steps but on the Log On tab, select Local System account.

  1. Disable Access Protection.
  2. Open the VirusScan Console.
  3. Right-click Access Protection and select disable.
  4. Open a command prompt window as an Administrator, and then type the following command and press ENTER:

  5. Right-click on McAfee McShield and select Properties.
  6. Click the Log On tab and select This account.
  7. Provide the credential information for an account that has access to both local and remote files, and then click OK.
  8. Restart the McAfee McShield service or restart your computer. 
IMPORTANT: The account used to run McShield includes the permission to Act as part of the operating system (the Local System account already includes this permission). This allows a process to impersonate any user without authentication. The process can therefore gain access to the same local resources as that user. Configure the Windows Security Policy Settings to achieve this by adding the account to the following location:

Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment


Rate this document

Did this article resolve your issue?

Please provide any comments below


This article is available in the following languages:

English United States

Beta Translate with

Select a desired language below to translate this page.

Glossary of Technical Terms

Highlight Glossary Terms

Please take a moment to browse our Glossary of Technical Terms.