How to improve performance with Endpoint Security 10.x

Use this article to improve performance and solve problems that can occur after you install Endpoint Security 10.x. The article is updated as more information is gathered about performance issues. So, check here first for assistance if you experience performance symptoms.



Topics in this article:

• McShield.exe - high CPU usage from McShield might not be the problem
  • On-access scanner - uses CPU only when needed
  • On-demand scanner - scanning when idle is expected to use all CPU
• Exclusions - not the most efficient way to improve performance
• Profile Scanning to improve performance
• Whitelisting files via the GetClean tool
• Scan Avoidance - most efficient way to improve performance
• Adaptive Threat Protection - another performance enhancing option

McShield.exe
McShield.exe is the process in Endpoint Security that performs scans of files when they are accessed (on-access scanning) and when specified (on-demand scanning). It is easy to confuse which feature is contributing to the performance symptom if you look only at this process and its CPU consumption. 

To determine whether the on-demand scanner is contributing to a performance symptom for McShield.exe, inspect the OnDemandScan_Activity.log. If the symptom coincides with activity from the OnDemandScan_Activity.log, it is likely that the on-demand scanner is involved. If not, it is likely that the on-access scanner is involved. Next, follow up on improving performance for the on-access scanner, the on-demand scanner, or both, in the sections below.

NOTE: The OnDemandScan_Activity.log is at %ProgramData%\McAfee\Endpoint Security\Logs.

Back to topics

On-access scanner
The on-access scanner is the real-time scanner, and it uses CPU only when other running processes access files on disk. A Read Scan occurs before a file is read, a Write Scan occurs after a file is written to disk. CPU usage occurs proportional to the amount of file activity that is occurring for Reads or Writes.

If you believe that the on-access scanner is using excessive CPU, contact Technical Support to investigate the behavior further. There are several approaches to take that can improve performance for the on-access scanner, whether it be for Read scanning or Write scanning. 

Back to topics

On-demand scanner
The on-demand scanner runs only when you click Scan Now from the Endpoint Security console, or as a scheduled task (configured from the Endpoint Security Console or through ePolicy Orchestrator policy). The on-demand scanner uses CPU only when it has been invoked via these methods.

If you use Scan when idle as the scheduling option of a task, the on-demand scanner runs when an idle state has been detected. That means the on-demand scanner uses as much CPU as it can when the system is idle. If you have Task Manager open and you see McShield.exe use high CPU after about one minute, that is because it is performing an on-demand scan as configured. (It takes one minute to confirm the idle conditions.) There is no capability in the product to reduce the amount of CPU an on-demand scan uses. But, using high CPU does not impact performance when no other processes require CPU. 

The best practice to avoid impacting other processes is to set the System utilization option to Low or Below Normal (Below Normal is the most efficient setting). These settings use thread priority to make sure that higher priority threads are given CPU cycles when needed. Configure System utilization under each configured on-demand scan task, in the Performance section. You can set the System utilization for Full Scan, Quick Scan, and Rt-Click Scan policies from the Endpoint Security Threat Prevention policy page in the My Default policy for the on-demand scan.
 
Also, avoid scanning archive files because these files do not pose an immediate threat to the environment. Contents of archives are scanned when extracted.

Back to topics

Exclusions are not the most efficient way to improve performance
When a file is accessed, there are multiple decision points in the scanning logic or scan workflow. The earlier a decision can be made to avoid scanning the file and its contents, the better the performance gain. Exclusions are processed at the end of the scan workflow, which makes them the least effective way to improve performance. (This fact is also true for VirusScan Enterprise.)

Exclusions are a simple means to improve performance because the options for excluding files are flexible and you can configure any number of them. But, if you have many exclusions or many unique files that require the exclusion, the scan workflow timing and effort to process exclusions can hinder performance. The best practice is to use exclusions as a means to improve scan performance when:

• A quick and simple solution is needed
• You do not have an excessive number of exclusions already
• You do not have an extensive number of unique files being accessed that require the exclusion

NOTE: If you are considering excluding a folder, especially if you are also excluding its sub folders, a better option is to use Profile Scanning with the exclusion to significantly improve security. Profile Scanning is explained below. This option is better than creating a full folder exclusion.

Back to topics

Using Profile Scanning to improve performance
Background:
The on-access scanner is equipped with three scanning profiles, named Standard, High Risk, and Low Risk. By default only the Standard profile is used. This fact means that the configuration for Standard is applied to all processes. That is, when a process accesses a file on disk, the Standard configuration is used for determining whether a scan should occur. The preceding section on exclusions also applies here because exclusions are defined for each scanning profile.

To enable the additional scanning profiles, select Configure different settings for High Risk and Low Risk processes under Processes Settings. This selection gives you more flexibility in controlling what is scanned or not scanned, because you define exclusions by profile. If you want exclusions to apply only to certain processes rather than all processes, add exclusions to a High Risk or Low Risk profile and indicate the processes that you want defined for that profile.

Example: Suppose MyApp.exe is the only process writing tens of thousands of temporary files to the C:\Windows\Temp folder. Also, suppose that you know those files do not need to be scanned because you know MyApp.exe behavior, but you do not want to exclude \Windows\Temp for all processes.

To use the option Configure different settings for High Risk and Low Risk processes, you define **\Windows\Temp\* as a pattern exclusion in the Low Risk profile, and you define MyApp.exe as a process to use the Low Risk profile. Now, all other processes that access \Windows\Temp have their activities scanned, but the activities of MyApp.exe are excluded from scanning because it resides in the Low Risk profile with the exclusion.
 
The method from the example can be taken a step further, and this step is where you can improve performance using Profile Scanning. For the processes you define to use the Low Risk profile, instead of just exclusions you can set Do not scan when reading from or writing to disk. This setting avoids scanning file activity generated by MyApp.exe and any other processes in that profile, and is a decision point reached much earlier in the scan workflow. This fact is why this method yields significant performance improvement compared to exclusions.

You can define the SYSTEM process as a Low Risk process, if needed. This definition is applicable when the file read/write on disk is occurring from a different system.

Back to topics

Whitelisting files via the GetClean tool
Use the McAfee tool named GetClean (see the GetClean Product Guide, KB91942) to improve scanning performance. This tool provides either samples or file information to McAfee and is used to update our Global Threat Intelligence (GTI) Cloud. After the Cloud is updated, when a scan occurs and a GTI lookup is performed, the response of "known good" can often be returned faster than a scan completes. This fact negates the need to further inspect the file.

GetClean is also used to obtain certificate information of digitally signed files. Periodically, the McAfee team receiving this data reviews submitted data for possible inclusion in our Trust DATs (used by Endpoint Security only). When we have designated a digital signature as Trusted via the DATs, it allows for all systems worldwide to take advantage of this information as part of the Scan Avoidance technology that is built into the scanner and explained below.

Back to topics

Using Scan Avoidance as the most efficient way to improve performance
This feature of the scanner is described in detail in the Community at: https://community.mcafee.com/docs/DOC-8131. This feature takes advantage of our Trust framework to help recognize when a scan is not needed. This mechanism provides the greatest performance increase because it not only indicates whether a scan is needed early in the scan workflow. It also has longer term relevance because cached Trusted + Clean results survive a DAT update while Clean results alone will not. The use of the GetClean utility feeds into content improvements that apply to scan avoidance.

Back to topics

Adaptive Threat Protection (ATP)
ATP users can yield performance improvements when the acting process and file objects are digitally signed by a trusted vendor and certificate. An object that is trusted avoids more decision making from ATP. For example, it avoids a reputation lookup from the cloud and checking the scanner's trust disposition toward the object. Endpoint Security 10.5.3 added the ability to manually import the certificates of a third-party application as a trusted process through ePolicy Orchestrator. Previous to Endpoint Security 10.5.3, these certificates had to be reported back to ePolicy Orchestrator and then trusted, there was no option to manually add them.

Back to topics