
McShield.exe encounters a Timeout when scanning remote files
Technical Articles ID:  KB75882
Last Modified:  09/19/2013


Environment

McAfee Anti-Virus Scanning Engine 5.6.00 (5600)
McAfee VirusScan Enterprise 8.8, 8.7i

Microsoft Windows UNC paths, mapped drives, and shares
EMC Celerra filers with CAVA Agent
Network Drive Scanning (enabled)

 

Summary

Background information:
When scanning a remote file with VirusScan Enterprise, the real-time or On-Access Scanner (McShield.exe) impersonates the access token of the original requestor for the file object. The scanner needs this access token to read the information about the remote file object that is required to scan it.

Problem

Frequent scanner timeouts when accessing remote files.

Cause

The McShield.exe process cannot obtain access to the file object, which leads to the scan request eventually reaching its timeout limits.

McAfee Engineering has confirmed that this behavior stems from a function of the Scan Engine; the DAT content simply uses that function, which in turn leads to the symptom. This engine function does not inherit the access token already acquired by McShield's scan thread, nor does it request one. Consequently, the Engine function fails to access the remote file object and the McShield scan thread eventually times out.

Solution

McAfee confirms this issue is due to a design limitation with the current releases of the Anti-Virus Scanning Engine, and plans to solve the problem in the 5.7.00 (5700) scan engine release. This article will be updated when the 5700 is posted to the McAfee Download Site. 

As a temporary yet fully supported interim measure, implement the workaround below.

Workaround

Modify the McShield service to run as a specific account rather than the local System account. For example, for EMC CAVA environments where the CAVA Agent is the process responsible for accessing the remote file object, set McShield to use those same credentials.

NOTE: To undo the following changes, follow the same steps but on the Log On tab, select Local System account.

  1. Disable Access Protection.
  2. Open the VirusScan Console.
  3. Right-click Access Protection and select Disable.
  4. Open a command prompt window as an Administrator, and then type the following command and press ENTER:

    Services.msc
     
  5. Right-click on McAfee McShield and select Properties.
  6. Click the Log On tab and select This account.
  7. Provide the credential information for an account that has access to both local and remote files, and then click OK.
  8. Restart the McAfee McShield service or restart your computer.

IMPORTANT: The account used to run McShield must include the permission to Act as part of the operating system (the Local System account already includes this permission). This permission allows a process to impersonate any user without authentication, so the process can gain access to the same local resources as that user. To grant it, configure the Windows Security Policy Settings by adding the account at the following location:

Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment
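
To confirm the end state of the workaround, the following PowerShell audit reports which account the McShield service logs on as and whether that account is listed under Act as part of the operating system. It is an added example, not McAfee's own tooling; it assumes an elevated Windows PowerShell 3.0 or later session and the service display name "McAfee McShield" shown in the steps above.

```powershell
# Added example: audit the workaround's end state. Run from an elevated prompt.
# Assumption: the service display name is 'McAfee McShield', as shown in the steps above.
$displayName = 'McAfee McShield'

$svc = Get-CimInstance -ClassName Win32_Service -Filter "DisplayName='$displayName'"
if (-not $svc) { throw "Service '$displayName' not found on this host." }
$logon = $svc.StartName
"Service {0} logs on as: {1}" -f $svc.Name, $logon

# Export only the User Rights Assignment area of the local security policy.
$cfg = Join-Path $env:TEMP ("rights-{0}.inf" -f [guid]::NewGuid())
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
try {
    # SeTcbPrivilege is the constant behind "Act as part of the operating system".
    $line = Get-Content $cfg | Where-Object { $_ -match '^\s*SeTcbPrivilege\s*=' }
} finally {
    Remove-Item $cfg -ErrorAction SilentlyContinue
}

# Entries are comma-separated; SIDs are prefixed with '*', other entries are plain names.
# Rights granted through group membership are not expanded here.
$holders = @()
if ($line) {
    $holders = @(($line -split '=', 2)[1].Split(',') | ForEach-Object {
        $entry = $_.Trim()
        if ($entry.StartsWith('*')) {
            $sid = New-Object System.Security.Principal.SecurityIdentifier($entry.TrimStart('*'))
            try { $sid.Translate([System.Security.Principal.NTAccount]).Value }
            catch { $sid.Value }   # orphaned SID: report it as-is
        } else { $entry }
    })
}
$listed = if ($holders.Count) { $holders -join ', ' } else { '(none listed)' }
"Accounts holding SeTcbPrivilege: $listed"

if ($logon -eq 'LocalSystem') {
    'McShield runs as Local System, which already includes this right.'
} else {
    # Compare on the account name alone so '.\svc' and 'HOST\svc' both match.
    $short = ($logon -split '\\')[-1]
    $match = $holders | Where-Object { ($_ -split '\\')[-1] -ieq $short }
    if ($match) { "OK: $logon holds the right." }
    else { "MISSING: $logon is not listed under Act as part of the operating system." }
}
```

Because this right lets a process impersonate any user, the holder list is worth reviewing again after the workaround is undone, so the service account does not keep it once McShield runs as Local System.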

NOTES:

© 2003-2013 McAfee, Inc.