Use this article to improve performance and solve problems that can occur after you install Endpoint Security 10.x. The article is updated as more information is gathered about performance issues. So, check here first for assistance if you experience performance symptoms.
McShield.exe
The McShield.exe process in Endpoint Security is the process that performs scans of files. When files are scanned as they are accessed, it is on-access scanning. When files are scanned because a task specifies them, it is on-demand scanning. If you look only at this process and its CPU consumption, it is easy to confuse which feature is contributing to the performance symptom.
To determine whether the on-demand scanner is contributing to a performance symptom for McShield.exe, inspect OnDemandScan_Activity.log. If the symptom coincides with activity in OnDemandScan_Activity.log, it is likely that the on-demand scanner is involved. If not, it is likely that the on-access scanner is involved. Then follow the sections below to improve performance for the on-access scanner, the on-demand scanner, or both.
NOTE: OnDemandScan_Activity.log is at %ProgramData%\McAfee\Endpoint Security\Logs.
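As an added example (not part of the original article and not McAfee tooling), the following PowerShell script performs the correlation this section describes: it samples McShield.exe CPU use and records whether OnDemandScan_Activity.log grew during each sampling interval. It assumes the default log path from the NOTE above; the sample count, interval, and 25% threshold are chosen values, and the account running it needs read access to the log.

```powershell
# Added triage example: correlate McShield.exe CPU with on-demand scan log activity.
# Assumptions: default ENS log path; sample count, interval and threshold are chosen here.
param(
    [int]$Samples = 12,
    [int]$IntervalSec = 5,
    [string]$LogPath = (Join-Path $env:ProgramData 'McAfee\Endpoint Security\Logs\OnDemandScan_Activity.log')
)

function Get-LogSize([string]$Path) {
    if (Test-Path $Path) { (Get-Item $Path).Length } else { 0 }
}

$cpuCount = [Environment]::ProcessorCount   # normalise counter to 0-100 across all cores
$lastSize = Get-LogSize $LogPath

$results = for ($i = 0; $i -lt $Samples; $i++) {
    Start-Sleep -Seconds $IntervalSec
    # Process counter instance for McShield.exe is "McShield"; absent if the process is not running.
    $raw = (Get-Counter '\Process(McShield)\% Processor Time' -ErrorAction SilentlyContinue).CounterSamples
    $cpu = if ($raw) { [math]::Round($raw[0].CookedValue / $cpuCount, 1) } else { 0 }
    $size = Get-LogSize $LogPath
    $odsActive = ($size -ne $lastSize)      # log grew: the on-demand scanner wrote activity in this interval
    $lastSize = $size
    [pscustomobject]@{
        Time           = Get-Date -Format 'HH:mm:ss'
        McShieldCpuPct = $cpu
        OdsLogActivity = $odsActive
    }
}

$results | Format-Table -AutoSize

$busy = @($results | Where-Object McShieldCpuPct -ge 25)   # 25% is a chosen threshold
if ($busy.Count -eq 0) {
    'McShield.exe stayed below 25% CPU during the sampling window.'
} else {
    $withOds = @($busy | Where-Object OdsLogActivity).Count
    "High-CPU samples: $($busy.Count); coincided with on-demand log activity: $withOds"
    if ($withOds -ge [math]::Ceiling($busy.Count / 2)) {
        'Likely the on-demand scanner: review System utilization on the scan task.'
    } else {
        'Likely the on-access scanner: review scanning profiles and Scan Avoidance.'
    }
}
```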
On-access scanner
The on-access scanner is the real-time scanner, and it uses CPU only when other running processes access files on disk. A Read Scan occurs before a file is read; a Write Scan occurs after a file is written to disk. CPU use is proportional to the amount of Read or Write file activity taking place.
If you believe that the on-access scanner is using excessive CPU, contact Technical Support to investigate the behavior further. Several approaches, described below, can improve performance for the on-access scanner, whether for Read scanning or Write scanning.
On-demand scanner
The on-demand scanner runs only when you click Scan Now from the Endpoint Security console, or as a scheduled task (configured from the Endpoint Security console or through ePolicy Orchestrator policy). The on-demand scanner uses CPU only when it has been invoked by one of these methods. When it runs, the on-demand scan can use over 90% of available CPU.
If you use Scan when idle as the scheduling option of a task, the on-demand scanner runs when an idle state has been detected. It takes Endpoint Security one minute to detect the idle state. With Endpoint Security 10.6.1 and earlier, the on-demand scanner uses as much CPU as it can while the system is idle. Endpoint Security 10.7 allows CPU throttling during an on-demand scan.
The best practice to avoid impacting other processes is to set the System utilization option to Low or Below Normal (Below Normal is the most efficient setting). These settings use thread priority to make sure that higher priority threads are given CPU cycles when needed. Configure System utilization under each configured on-demand scan task, in the Performance section. You can set System utilization for the Full Scan, Quick Scan, and Rt-Click Scan policies. These on-demand scan settings are on the Endpoint Security Threat Prevention policy page in the My Default policy.
Also, avoid scanning archive files, because these files do not pose an immediate threat to the environment. The contents of archives are scanned when they are extracted.
Exclusions are not the most efficient way to improve performance
When a file is accessed, there are multiple decision points in the scanning logic or scan workflow. The earlier a decision can be made to avoid scanning the file and its contents, the better the performance gain. Exclusions are processed at the end of the scan workflow, which makes them the least effective way to improve performance. (This fact is also true for VirusScan Enterprise.)
Exclusions are a simple means to improve performance because the options for excluding files are flexible and you can configure any number of them. But, if you have many exclusions or many unique files that require the exclusion, the scan workflow timing and effort to process exclusions can hinder performance. The best practice is to use exclusions as a means to improve scan performance when:
- A quick and simple solution is needed
- You do not have an excessive number of exclusions already
- You do not have an extensive number of unique files being accessed that require the exclusion
NOTE: If you are considering excluding a folder, especially if you are also excluding its subfolders, a better option is to combine the exclusion with Profile Scanning, which significantly improves security compared to a full folder exclusion. Profile Scanning is explained below.
Using Profile Scanning to improve performance
Background:
The on-access scanner is equipped with three scanning profiles, named Standard, High Risk, and Low Risk. By default, only the Standard profile is used, which means that the Standard configuration is applied to all processes. That is, when a process accesses a file on disk, the Standard configuration determines whether a scan should occur. The preceding section on exclusions also applies here, because exclusions are defined for each scanning profile.
To enable the additional scanning profiles, select Configure different settings for High Risk and Low Risk processes under Processes Settings. This selection gives you more flexibility in controlling what is and is not scanned, because you define exclusions by profile. If you want exclusions to apply only to certain processes rather than to all processes, add the exclusions to the High Risk or Low Risk profile and specify the processes that belong to that profile.
Example: Suppose MyApp.exe is the only process writing tens of thousands of temporary files to the C:\Windows\Temp folder. Also suppose that you know those files do not need to be scanned because you know the behavior of MyApp.exe, but you do not want to exclude \Windows\Temp for all processes.
With the option Configure different settings for High Risk and Low Risk processes enabled, define **\Windows\Temp\* as a pattern exclusion in the Low Risk profile and define MyApp.exe as a process that uses the Low Risk profile. Now, all other processes that access \Windows\Temp still have their activity scanned, but the activity of MyApp.exe is excluded from scanning because it belongs to the Low Risk profile that carries the exclusion.
The method from the example can be taken a step further, and this step is where Profile Scanning improves performance. For the processes that you assign to the Low Risk profile, instead of just exclusions, you can set Do not scan when reading from or writing to disk. This setting avoids scanning file activity generated by MyApp.exe and any other process in that profile, and it is a decision point reached much earlier in the scan workflow. That is why this method yields a significant performance improvement compared to exclusions.
You can define the SYSTEM process as a Low Risk process, if needed. This definition applies when the file read or write on disk originates from a different system.
Allowing files via the GetClean tool
Use the McAfee tool named GetClean (see KB91942 - GetClean Product Guide) to improve scanning performance. This tool provides either samples or file information to McAfee and is used to update our Global Threat Intelligence (GTI) Cloud. After the Cloud is updated, when a scan occurs and a GTI lookup is performed, a "known good" response can often be returned faster than a scan completes, which removes the need to inspect the file further.
GetClean is also used to obtain certificate information for digitally signed files. The McAfee team that receives this data periodically reviews it for possible inclusion in our Trust DATs (used by Endpoint Security only). When we have designated a digital signature as Trusted via the DATs, all systems worldwide can take advantage of this information through the Scan Avoidance technology that is built into the scanner and explained below.
Using Scan Avoidance as the most efficient way to improve performance
This feature of the scanner is described in detail in the Explanation of AMCore Trust Model document in the Community at https://community.mcafee.com/docs/DOC-8131. This feature takes advantage of our Trust framework to help recognize when a scan is not needed. This mechanism provides the greatest performance increase because it not only indicates early in the scan workflow whether a scan is needed, but also has longer-term relevance: cached Trusted + Clean results survive a DAT update, while Clean results alone do not. The use of the GetClean utility feeds into the content improvements that apply to scan avoidance.
Adaptive Threat Protection (ATP)
ATP users can see performance improvements when the acting process and the file objects are digitally signed by a trusted vendor and certificate. A trusted object avoids further decision making by ATP; for example, it avoids a cloud reputation lookup and the check of the scanner's trust disposition toward the object. The certificates of a third-party application can be imported manually into Endpoint Security through ePolicy Orchestrator so that the application is treated as a trusted process.