- For all Endpoint Security platforms, configure the What to Scan setting to ZZZ in the On-Access Scan policy:
- On the Endpoint Security client, perform the steps below:
- Click Threat Prevention.
- Click Show Advanced.
- Click On-Access Scan.
- Scroll down to the section Processes Settings.
- Find the What to Scan setting.
- Click Specified file types only.
- Enter a value of ZZZ.
- Click Apply.
- If the Configure different settings for High Risk and Low Risk processes option is enabled, click the High Risk and Low Risk tabs of the Process Types section and repeat the above steps.
- In ePolicy Orchestrator (ePO):
- Open Policy Catalog and select the On-Access Scan policy.
- Click Show Advanced.
- Scroll down to the section Processes Settings.
- Find the What to Scan setting.
- Click Specified file types only.
- Enter a value of ZZZ.
- Click Save.
- If Configure different settings for High Risk and Low Risk processes is enabled, click the High Risk and Low Risk tabs of the Process Types section and repeat the above steps.
- For MOVE AV Agentless/Multi-platform, set the File Types to Scan to ZZZ in the On-Access Scan policy:
- In ePO, open Policy Catalog.
- Click the On-Access Scan policy.
- Click Show Advanced.
- Scroll down to File Types to Scan.
- Click Following only.
- Click Add.
- Enter a value of ZZZ.
- Click OK.
- Remove any other extensions already listed.
- Save the policy.
- Use an Agent wake-up call with the forced policy option, and enforce the policy on the system. Or, on Agentless SVMs, run cmdagent -c -e from /opt/McAfee/agent/bin/ in the console, or on Multi-platform SVMs, use the Check New Policy button on that system's Agent Status Monitor.
- For VirusScan Enterprise, set the What to scan property to ZZZ in the On-Access Scan module:
- On the VirusScan Enterprise client:
- Right-click On-Access Scan and select Properties.
- Click All Processes.
- Click the Scan Items tab.
- For the What to scan property, click Specified File Types Only.
- Click Specified.
- Enter a value of ZZZ.
- Click Add.
- Click OK.
- Click Apply.
- Repeat these steps for High Risk processes and Low Risk processes if they’re enabled.
- In ePO:
- Open Policy Catalog and select the On-Access Scan Default Processes Policy.
- Click the Scan Items tab.
- For the File Types to Scan property, click Specified File Types Only.
- Enter a value of ZZZ.
- Click Save.
- Repeat these steps for High Risk processes and Low Risk processes if they’re enabled.
- Use an Agent wake-up call with the forced policy option, and enforce the policy on the system. Or, use the Check New Policy button on that system's Agent Status Monitor.
- For VirusScan Enterprise for Linux, set the What to Scan property to ZZZ in the On-Access Scanning policy:
- In ePO, open Policy Catalog.
- Click the On-Access Scanning Policy.
- Click the Detections tab.
- Change the What to Scan setting to Specified file types.
- Enter a value of ZZZ.
- Click Save.
- Use an Agent wake-up call with the forced policy option, and enforce the policy on the system. Or, run cmdagent -c -e from /opt/McAfee/agent/bin/ in the console.
Troubleshooting high CPU utilization by the real-time antimalware scanner
Technical Articles ID:
KB89354
Last Modified: 4/4/2022
Environment
Endpoint Security for Linux Threat Prevention (ENSLTP) 10.x
Endpoint Security for Mac Threat Prevention (ENSM Threat Prevention) 10.x
ENS Threat Prevention 10.x
Management for Optimized Virtual Environments (MOVE) AntiVirus Agentless (MOVE AV Agentless)
MOVE AV Multi-platform
VirusScan Enterprise (VSE) 8.8.x
VSE for Linux 2.x, 1.x
Summary
All our real-time antimalware scanners operate by inserting a component that's used to monitor all disk access requests made by any process running in memory. This component intercepts the file and delivers it to the scan engine. The scan engine then returns a decision about whether the file is malicious. If the file isn't malicious, it's returned to the process that requested it. If the file is malicious, an action is taken on it. The real-time antimalware scanner CPU utilization is proportional to the amount of disk activity that occurs on the system. If the system is idle, the scanner is idle. So, a real-time antimalware scanner is expected to compound the existing CPU utilization, but isn't the driving force behind system resource consumption.
Because our software exists in a diverse range of environments, it's impossible to provide a default configuration that meets the balance between protection and performance in all possible environments. Administrators are expected to tune each instance of the real-time antimalware scanner to the needs of the specific environment.
Tuning is conducted by measuring performance for the default or existing configuration, and then modifying the configuration to improve performance and increase security. Sometimes, performance issues can't be alleviated by changing the configuration. In these cases, a conflict might exist between the real-time antimalware scanner and either a third-party program or the system itself. Conflicts of this type must be resolved to alleviate the issues.
To identify the cause of high CPU utilization by the real-time antimalware scanner for ENS, MOVE AV Agentless, MOVE AV Multi-platform, or VSE, use the diagnostic procedure in this article. Only general remediation steps are provided.
NOTE: High CPU utilization is the most common performance symptom that users experience. But, the troubleshooting covered by this article is relevant to any performance, system stability, or application stability issue that might occur. In the following steps, the article directs configuration changes while monitoring how each change affects CPU activity. But, you can substitute these steps for any given performance, system stability, or application stability symptom.
Cause
Use the following diagnostic procedures to identify the component causing the high CPU utilization.
Contents
Click to expand the section you want to view:
Verify that the real-time antimalware scanner is part of the issue with the "ZZZ" test by configuring the real-time antimalware scanner to only deliver files with a .zzz extension to the scan engine. This test eliminates the scan engine from involvement. If this causes CPU utilization to drop significantly, the scan engine is the cause.
If the ZZZ test doesn't alleviate the high CPU utilization, the scan engine is efficiently scanning all the files that are sent to it. The next step is to determine exactly which subcomponent of the real-time antimalware scanner is causing the symptom. To investigate, disable the features of the product one at a time. After each change, replicate the high CPU utilization event and observe whether the high CPU utilization is alleviated.
After you've identified the problematic component, it's often helpful to review the logs for that component. The logs frequently identify the cause of the issue. For example, the VSE log for on-access scan might be saturated with scan time-out messages from specific directories. These messages might even be associated with the same third-party application.
Most product logs for Windows systems are located under %programdata%\McAfee\. MOVE AV Multi-platform logs are in the installation directory for the product at c:\program files (x86)\McAfee\MOVE AV Server. Logs from Mac and Linux systems are more easily viewed by collecting a Minimum Escalation Requirements (MER) file from the particular system. Review the following articles for instructions to collect a MER file:
It can be helpful to identify the program that's causing the most disk activity, which results in the most scan activity. Usually, the scan process (such as McShield.exe, Nails, or oasmanager) is the top resource consumer and the application prompting the disk activity is the second highest CPU consumer. But, not all cases are that straightforward. If further clarification is needed, reintroduce the high CPU utilization state and then begin shutting down third-party applications. After you identify the problematic application, try to progressively disable subcomponents of that application where appropriate.
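A quick way to apply the "scanner first, requesting application second" heuristic from the paragraph above is to rank CPU consumers with the scan process separated from everything else. The following is an added example, not part of this article or of any McAfee product: it assumes the scanner process names the article lists (McShield.exe, Nails, oasmanager, enstp.exe) and the column layout of `ps -eo pid,pcpu,comm` on Linux and macOS; the sample `ps` output is constructed. The parsing step is separate from the ranking step, so the same ranking can be fed from another process listing on Windows.

```python
"""Rank CPU consumers from `ps` output, separating the antimalware scan
process from the applications whose disk activity drives it.

Added example; not part of KB89354 or any McAfee tool. Assumes the
scanner process names given in the article and the `ps -eo pid,pcpu,comm`
column layout."""

import subprocess
from collections import defaultdict

# Scanner process names taken from the article (compared case-insensitively).
SCANNER_NAMES = {"mcshield.exe", "nails", "oasmanager", "enstp.exe"}


def parse_ps(text):
    """Parse `ps -eo pid,pcpu,comm` text into (pid, cpu, comm) tuples.

    The first line is the header and is skipped. comm may contain spaces,
    so only the first two fields are split off."""
    rows = []
    for line in text.splitlines()[1:]:
        parts = line.strip().split(None, 2)
        if len(parts) < 3:
            continue
        pid, cpu, comm = parts
        try:
            rows.append((int(pid), float(cpu), comm))
        except ValueError:
            continue  # malformed line: skip it rather than abort the survey
    return rows


def summarize(rows, scanner_names=SCANNER_NAMES, top=5):
    """Return (scanner_cpu, others): total %CPU of scanner processes, and a
    list of (comm, cpu) totals for non-scanner processes, highest first.
    Several instances of one program are summed under its name so that a
    multi-process application is not hidden by its own fan-out."""
    scanner_cpu = 0.0
    others = defaultdict(float)
    for _pid, cpu, comm in rows:
        if comm.lower() in scanner_names:
            scanner_cpu += cpu
        else:
            others[comm] += cpu
    ranked = sorted(others.items(), key=lambda kv: kv[1], reverse=True)
    return round(scanner_cpu, 1), [(c, round(v, 1)) for c, v in ranked[:top]]


def live_snapshot():
    """Run ps on the current host (Linux/macOS) and summarize it."""
    out = subprocess.run(["ps", "-eo", "pid,pcpu,comm"],
                         capture_output=True, text=True, check=True).stdout
    return summarize(parse_ps(out))


# Constructed sample output, not captured from a real system.
SAMPLE_PS = """  PID %CPU COMMAND
    1  0.0 init
  842 63.4 McShield.exe
 1203 21.7 backupagent
 1204  3.1 backupagent
 1311  4.2 sqlservr
 1400  0.5 bash
"""

if __name__ == "__main__":
    scanner, others = summarize(parse_ps(SAMPLE_PS))
    print(f"scanner CPU: {scanner}%")
    for comm, cpu in others:
        print(f"  {cpu:5.1f}%  {comm}")
```

Take several snapshots while the high CPU state is reproduced rather than one; the application that stays near the top across samples is the one to shut down first in the progressive test described above. Note that `comm` on Linux is truncated to 15 characters, so long program names should be matched on their prefix.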
If none of the above progressive disablement shows a drop in the CPU utilization, uninstall the real-time antimalware scanning software and then check the state of the CPU utilization.
- For all Endpoint Security platforms:
- Disable On-Access Scan. If the high CPU utilization drops, re-enable On-Access Scan and then disable the following options and test after disabling each option. Otherwise, continue to the next step.
- Scan Boot Sectors
- Scan Processes on enable
- Scan Trusted installers (if there’s an application installation involved)
- ScriptScan
- Scan on Network Drives
- Scan when writing to disk
- Scan when reading from disk
- Find unknown unwanted programs and trojans
- Find unknown macro threats
- Scan inside archives
- Decode MIME encoded files
- Detect unwanted programs
- Disable Access Protection. If the high CPU utilization drops, re-enable Access Protection and then disable blocking and reporting on each of the Access Protection Rules and test after each disable action. Otherwise, continue to the next step.
- Disable Exploit Prevention. If the high CPU utilization drops, re-enable Exploit Prevention and then disable each signature and Application Protection Rule and test after each disable action.
- For MOVE AV Agentless/Multi-platform:
- Disable Scan files when writing to disk and test. If the high CPU utilization doesn't drop, continue to the next step.
- Disable Scan files when reading from disk and test. If the high CPU utilization doesn't drop, continue to the next step.
- Disable Scan files on network mounted volumes and test.
- For VirusScan Enterprise:
- Disable On-Access Scan. If the high CPU utilization drops, re-enable On-Access Scan and then disable the following components and test after each. Otherwise, continue to the next step.
- Scan Boot Sectors
- Scan Processes on enable
- Scan Trusted installers (if there’s an application installation involved)
- ScriptScan
- Scan on Network Drives
- Scan when writing to disk
- Scan when reading from disk
- Find unknown unwanted programs and trojans
- Find unknown macro threats
- Scan inside archives
- Decode MIME encoded files
- Detect unwanted programs
- Disable Access Protection. If the high CPU utilization drops, re-enable Access Protection and then disable blocking and reporting on each of the Access Protection Rules and test after each disable action. Otherwise, continue to the next step.
- Disable On-Delivery Email Scanner. If the high CPU utilization drops, disable all subcomponents of the On-Delivery Email Scanner and test after each.
- For VirusScan Enterprise for Linux:
- Disable On-Access Scan. If the high CPU utilization drops, re-enable On-Access Scan and then disable the following components and test after each.
- Scan files when writing to disk
- Scan files when reading from disk
- Scan files on network mounted volumes
- Find unknown program viruses
- Find unknown macro viruses
- Find potentially unwanted programs
- Find joke programs
- Scan inside multiple-file archives
- Decode MIME encoded files
Solution
The results of the previous data collection steps indicate what's causing the issue, and provide a method of tuning the configuration to bypass the problematic component.
Create exclusions:
If the ZZZ test alleviates the issue, there's a clear need to exclude a directory, file type, or process from the on-access scan component. Begin by cataloging all trusted third-party applications on the system. Contact the vendor for each to obtain a set of recommended exclusions for antimalware software. Exclusions are a list of folders that aren't scanned, and a list of running processes that don't trigger a scan when requesting disk activity. Exclude the folders and, if the antimalware product is ENS or VSE, add the processes to the Low Risk processes profile. Make sure to either disable Scan on Read, Scan on Write, or both, as needed.
When the above doesn't completely alleviate the issue, review the scan logs for scan time-out events. If there's a consistent pattern, it might indicate that you need more exclusions.
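Reviewing the scan log for a consistent pattern of time-outs, as the paragraph above and the earlier discussion of component logs describe, can be scripted. The following is an added example, not part of this article or of any McAfee product. It assumes a tab-separated line layout (timestamp, event, user, requesting process, scanned file) and the event wording "scan timed out"; both are assumptions, and the sample lines are constructed, so a real product log must be mapped onto these fields before use. It counts time-outs per directory and per requesting process so that recurring entries can be compared against the vendor-recommended exclusions.

```python
"""Aggregate scan time-out events from an on-access scan log so that
repeated directories and requesting processes stand out as exclusion
candidates.

Added example; not part of KB89354 and not a McAfee tool. The line layout
and the time-out wording are assumptions; the sample log is constructed."""

import ntpath
from collections import Counter

TIMEOUT_MARKER = "scan timed out"  # assumed wording; match your product's log


def parse_line(line):
    """Split one tab-separated log line into a dict, or None if malformed."""
    parts = line.rstrip("\n").split("\t")
    if len(parts) < 5:
        return None
    ts, event, user, process, path = parts[:5]
    return {"ts": ts, "event": event, "user": user,
            "process": process, "path": path}


def timeout_events(lines):
    """Yield parsed events whose event text contains the time-out marker."""
    for line in lines:
        rec = parse_line(line)
        if rec and TIMEOUT_MARKER in rec["event"].lower():
            yield rec


def parent_dir(path):
    """Directory part of a path; ntpath splits on both \\ and / so Windows
    and POSIX paths from mixed logs are handled alike."""
    head, _ = ntpath.split(path)
    return head


def candidate_exclusions(lines, min_hits=2):
    """Return (dirs, procs): Counters of time-out hits per directory and per
    requesting process, keeping only entries seen at least min_hits times.
    A directory or process that recurs is the pattern the article says may
    call for an exclusion; single hits are treated as noise.
    Keys are lower-cased because Windows paths are case-insensitive; drop
    the .lower() calls for case-sensitive Linux paths."""
    dirs, procs = Counter(), Counter()
    for rec in timeout_events(lines):
        dirs[parent_dir(rec["path"]).lower()] += 1
        procs[rec["process"].lower()] += 1
    keep = lambda c: Counter({k: v for k, v in c.items() if v >= min_hits})
    return keep(dirs), keep(procs)


# Constructed sample log lines (not from a real system):
# timestamp \t event \t user \t requesting process \t scanned file
SAMPLE_LOG = [
    "4/4/2022 9:12:01 AM\tNot scanned (scan timed out)\tNT AUTHORITY\\SYSTEM\tC:\\Program Files\\BackupAgent\\bkagent.exe\tC:\\ProgramData\\BackupAgent\\cache\\chunk01.dat",
    "4/4/2022 9:12:03 AM\tNot scanned (scan timed out)\tNT AUTHORITY\\SYSTEM\tC:\\Program Files\\BackupAgent\\bkagent.exe\tC:\\ProgramData\\BackupAgent\\cache\\chunk02.dat",
    "4/4/2022 9:12:04 AM\tNot scanned (scan timed out)\tNT AUTHORITY\\SYSTEM\tC:\\Program Files\\BackupAgent\\bkagent.exe\tC:\\ProgramData\\BackupAgent\\cache\\chunk03.dat",
    "4/4/2022 9:12:07 AM\tNot scanned (scan timed out)\tCORP\\svc_sql\tC:\\Program Files\\SQL\\sqlservr.exe\tD:\\Data\\corp.mdf",
    "4/4/2022 9:12:09 AM\tNot scanned (scan timed out)\tCORP\\svc_sql\tC:\\Program Files\\SQL\\sqlservr.exe\tD:\\Data\\corp_log.ldf",
    "4/4/2022 9:13:00 AM\tNot scanned (scan timed out)\tCORP\\alice\tC:\\Windows\\explorer.exe\tC:\\Users\\alice\\Downloads\\big.iso",
    "4/4/2022 9:13:30 AM\tNo threats found\tCORP\\alice\tC:\\Windows\\explorer.exe\tC:\\Users\\alice\\Documents\\notes.txt",
    "garbage line without tabs",
]

if __name__ == "__main__":
    dirs, procs = candidate_exclusions(SAMPLE_LOG)
    print("directories with repeated scan time-outs:")
    for d, n in dirs.most_common():
        print(f"  {n:3d}  {d}")
    print("requesting processes with repeated scan time-outs:")
    for p, n in procs.most_common():
        print(f"  {n:3d}  {p}")
```

Treat the output as candidates to check against the vendor's recommended exclusions, not as a list to apply as-is: an excluded folder is no longer scanned, so each entry should correspond to a trusted application cataloged in the previous step.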
Process Monitor, a tool from the Microsoft Sysinternals suite, can also help if further tuning is needed. The active scan process for VSE and MOVE AV Agentless or Multi-platform is McShield.exe. The active scan process for ENS is enstp.exe. Both on-access scan and on-demand scan use these processes.
If disabling one of the other components, such as ScriptScan, Access Protection, or Exploit Prevention, alleviates the issue, create exclusions for the affected component. Some of these components exclude directory paths, while others exclude processes running in memory. Review the appropriate section of the Product Guide for your product version for details. In these cases, product logs usually reveal the source of the resource issue.
Conflicts with third-party applications:
A conflict between that application and our software must be resolved if any of the criteria below is met:
- Uninstalling the antimalware product alleviates the issue.
- The source of the conflict can be identified by uninstalling a third-party application.
Often, these types of issues are already known. Make sure that both our software and the third-party product are up to date with the latest updates or hotfixes. Also, review the Known Issues article for the affected product. If the issue is already documented, there might be a workaround. If that doesn't resolve the issue, for application conflict investigation, see KB73182 - Support statement for compatibility issues between our products and third-party applications. For ENS, there's a data collection procedure that can be helpful in providing detailed information about our products. For instructions, see KB86691 - Minimum data collection steps for Endpoint Security issues.
Related Information
For product documents, go to the Product Documentation portal.
Affected Products
Diagnostic Data Collection
Endpoint Security for Linux Threat Prevention 10.x
Endpoint Security for Mac Threat Prevention 10.x
Endpoint Security Threat Prevention 10.7.x
Endpoint Security Threat Prevention 10.6.x
MOVE Antivirus Agentless 4.8.x
MOVE Antivirus Agentless 4.7.x
MOVE Antivirus Multi-platform 4.8.x
MOVE Antivirus Multi-platform 4.7.x
Troubleshooting
VirusScan Enterprise 8.8 (EOL)
VirusScan Enterprise for Linux 1.9.x (EOL)
VirusScan Enterprise for Linux 2.0.x (EOL)