Knowledge Center

LDAP queries increase when scanning Information Rights Management-protected files after updating to the 5800 Scan Engine
Technical Articles ID:   KB87172
Last Modified:  11/11/2016


McAfee VirusScan Enterprise (VSE) 8.x
McAfee Anti-Malware Scan Engine 5.8.00 (5800)


Lightweight Directory Access Protocol (LDAP) queries increase when scanning Information Rights Management (IRM) protected files after updating to the 5800 Scan Engine.


The function of querying Active Directory is an artifact of the Alert Manager product. The Alert Manager product has reached End of Life (EOL); however, there is still code within VSE that retains some of Alert Manager's functionality.

In an Active Directory environment, the Alert Manager Server would be located using an LDAP query. When the Active Directory Object for the Alert Manager server was found, the Alert would be sent to that server.

When the 5800 Scan Engine sees the IRM-protected file, it sends an alert through MFEANN.exe, which works in conjunction with Alert Manager. Previous Scan Engine versions found nothing.

This is an expected behavior that results from detection enhancements implemented with the 5800 Scan Engine.


This issue is resolved in VirusScan Enterprise 8.8.0 Update 9, which is available from the Product Downloads site at: http://mcafee.com/us/downloads/downloads.aspx.

NOTE: You need a valid Grant Number for access. KB56057 provides additional information about the Product Downloads site, and alternate locations for some products.

Updates are cumulative; Technical Support recommends that you install the latest one.


CAUTION: This article contains information about opening or modifying the registry.
  • The following information is intended for System Administrators. Registry modifications are irreversible and could cause system failure if done incorrectly.
  • Before proceeding, Technical Support strongly recommends that you back up your registry and understand the restore process. For more information, see: http://support.microsoft.com/kb/256986.
  • Do not run a REG file that is not confirmed to be a genuine registry import file.
  1. In the VSE Console, disable Access Protection.
  2. Press Windows+R, type regedit, and click OK.
  3. Navigate to:

    64-bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\McAfee\SystemCore\VSCore\Alert Client\VSE]
    32-bit: [HKEY_LOCAL_MACHINE\SOFTWARE\McAfee\SystemCore\VSCore\Alert Client\VSE]

  4. Select the No Active Dir value.

    If the No Active Dir key is not present, create a new DWORD value name (called No Active Dir) by right-clicking New, DWORD(32-bit) value.
  5. Double-click the No Active Dir value and change the value to 1.
  6. In the VSE Console, enable Access Protection.


In an ePolicy Orchestrator (ePO) managed environment, disable the Active Directory Lookup settings in the Alert Manager Policy.
  1. Log on to the ePO console.
  2. Click Menu, Policy Catalog.
  3. From the Product drop-down menu, select VirusScan Enterprise 8.8.
  4. From the Category drop-down menu, select Alert Policies.
  5. Click your policy.
  6. At the top, select either Workstation or Server from the drop-down list.
  7. Select Do not use Active Directory Lookup and click Save.

Rate this document


This article is available in the following languages:

English United States

Beta Translate with

Select a desired language below to translate this page.

Glossary of Technical Terms

 Highlight Glossary Terms

Please take a moment to browse our Glossary of Technical Terms.