How to troubleshoot high CPU usage by the McAfee real-time anti-malware scanner for Endpoint Security, MOVE Antivirus Agentless/Multi-platform, or VirusScan Enterprise
Technical Articles ID:
KB89354
Last Modified: 10/25/2017
Rated:
Environment
McAfee Endpoint Security for Linux Threat Prevention 10.x
McAfee Endpoint Security for Mac Threat Prevention 10.x
McAfee Endpoint Security Threat Prevention 10.x
McAfee MOVE Antivirus (AV) Agentless 4.x, 3.x
McAfee MOVE AV Multi-platform 4.x, 3.x
McAfee VirusScan Enterprise 8.8.x
McAfee VirusScan Enterprise for Linux 2.x, 1.x
Summary
All McAfee real-time anti-malware scanners operate by inserting a component that is used to monitor all disk access requests made by any process running in memory. This component intercepts the file and delivers it to the scan engine, which returns a decision about whether the file is malicious. If the file is not malicious, it is returned to the process that requested it. If the file is malicious, an action is taken on it. The real-time anti-malware scanner CPU usage will be proportional to the amount of disk activity that is occurring on the system. If the system is idle, the scanner should be idle. Therefore, it is expected that a real-time anti-malware scanner should compound existing CPU utilization, but it should never be the driving force behind system resource consumption.
Because McAfee software exists in such a diverse range of environments, it is impossible to provide a default configuration that meets the necessary balance between protection and performance in all possible environments. It is expected that administrators will tune each instance of the real-time anti-malware scanner to the needs of the specific environment.
Tuning is conducted by measuring performance for the default or existing configuration and then modifying the configuration to improve performance and increase security. In some cases, performance issues cannot be alleviated by changing the configuration. In these cases, a conflict may exist between the real-time anti-malware scanner and either a third-party program or the system itself. Conflicts of this type must be resolved in order to alleviate the issues.
Use the diagnostic procedure in this article to identify the cause of high CPU usage by the McAfee real-time anti-malware scanner for Endpoint Security, MOVE AV Agentless/Multi-platform, or VirusScan Enterprise. Only general remediation steps are provided.
NOTE: While high CPU utilization is the most common performance symptom experienced by users, the troubleshooting covered by this article is relevant to any performance, system stability, or application stability related issue that may occur. In the following steps, the article will direct configuration changes while monitoring how each change affects CPU activity. However, this can be substituted for any given performance, system stability, or application stability related symptom.
Cause
Use the following diagnostic procedure to identify the component causing the high CPU usage.
Identify the component in McAfee software involved in the resource usage issue:
Verify that the real-time anti-malware scanner is part of the issue with the "ZZZ" test, by configuring the real-time anti-malware scanner to only deliver files with a .zzz extension to the scan engine. This will eliminate the scan engine from involvement. If this causes CPU utilization to drop significantly, then the scan engine is the cause.
- For all Endpoint Security platforms, configure the What to Scan setting to ZZZ in the On-Access Scan policy:
- On the client:
- Click Threat Prevention.
- Click Show Advanced.
- Click On-Access Scan.
- Scroll down to the section Processes Settings.
- Find the What to Scan setting.
- Click Specified file types only.
- Enter a value of ZZZ.
- Click Apply.
- If Configure different settings for High Risk and Low Risk processes is enabled, click the High Risk and Low Risk tabs of the Process Types section and repeat the above steps.
NOTE: If using High Risk and Low Risk process scan settings, it may be helpful to test these one at a time.
- In ePolicy Orchestrator:
NOTE: You may choose to set a unique policy for this test and assign it only to test systems. Copy either the production policy or the McAfee Default policy and make the following modifications. Use the Modify Policy on a Single System function from the System Tree's Action menu to modify policy assignment.
- Open Policy Catalog and select the On-Access Scan policy.
- Click Show Advanced.
- Scroll down to the section Processes Settings.
- Find the What to Scan setting.
- Click Specified file types only.
- Enter a value of ZZZ.
- Click Save.
- If Configure different settings for High Risk and Low Risk processes is enabled, click the High Risk and Low Risk tabs of the Process Types section and repeat the above steps.
NOTE: If using High Risk and Low Risk process scan settings, it may be helpful to test these one at a time.
- For MOVE AV Agentless/Multi-platform 4.0.x or 4.5.x, set the File Types to Scan to ZZZ in the On-Access Scan policy:
NOTE: You may choose to set a unique policy for this test and assign it only to test systems. Copy either the production policy or the McAfee Default policy and make the following modifications. Use the Modify Policy on a Single System function from the System Tree's Action menu to modify policy assignment.
- In ePolicy Orchestrator, open Policy Catalog.
- Click the On-Access Scan policy.
- Click Show Advanced.
- Scroll down to File Types to Scan.
- Click Following only.
- Click Add.
- Enter a value of ZZZ.
- Click OK.
- Remove any other extensions already listed.
- Save the policy.
- Use an Agent wake-up call with the forced policy option to enforce the policy on the system. Alternatively, on Agentless SVMs, use the cmdagent -c -e function from /opt/McAfee/agent/bin/ in the console, or in Multi-platform SVMs, use the Check New Policy button on that system's Agent Status Monitor.
- For MOVE AV Agentless/Multi-platform 3.6.x, set the File Types to Scan to ZZZ in the On-Access Scan policy:
NOTE: You may choose to set a unique policy for this test and assign it only to test systems. Copy either the production policy or the McAfee Default policy and make the following modifications. Use the Modify Policy on a Single System function from the System Tree's Action menu to modify policy assignment.
- For Agentless:
- In ePolicy Orchestrator, open Policy Catalog.
- Click the Scan policy.
- Scroll down to File Types to Scan.
- Click Following only.
- Click Add.
- Enter a value of ZZZ.
- Click OK.
- Remove any other extensions already entered.
- Save the policy.
- Use an Agent wake-up call with the forced policy option to enforce the policy on the system. Alternatively, use the cmdagent -c -e function from /opt/McAfee/agent/bin/ in the console.
- For Multi-platform:
- In ePolicy Orchestrator, open Policy Catalog.
- Select MOVE AV [Multi-Platform] Client 3.6.1 from the Product drop-down menu.
- Click the General policy.
- Click the Scan Items tab.
- Scroll down to File Types to Scan.
- Click Following only.
- Click Add.
- Enter a value of ZZZ.
- Click OK.
- Remove any other extensions already entered.
- Save the policy.
- Use an Agent wake-up call with the forced policy option to enforce the policy on the system. Alternatively, use the Check New Policy button on that system's Agent Status Monitor.
- For VirusScan Enterprise, set the What to scan property to ZZZ in the On-Access Scan module:
- On the client:
- Right-click On-Access Scan and select Properties.
- Click All Processes.
- Click the Scan Items tab.
- For the What to scan property, click Specified File Types Only.
- Click Specified.
- Enter a value of ZZZ.
- Click Add.
- Click OK.
- Click Apply.
- Repeat these steps for High Risk processes and Low Risk processes if they are enabled.
NOTE: If using High Risk and Low Risk process scan settings, it may be helpful to test these one at a time.
- In ePolicy Orchestrator:
NOTE: You may choose to set a unique policy for this test and assign it only to test systems. Copy either the production policy or the McAfee Default policy and make the following modifications. Use the Modify Policy on a Single System function from the System Tree's Action menu to modify policy assignment.
- Open Policy Catalog and select the On-Access Scan Default Processes Policy.
- Click the Scan Items tab.
- For the File Types to Scan property, click Specified File Types Only.
- Enter a value of ZZZ.
- Click Save.
- Repeat these steps for High Risk processes and Low Risk processes if they are enabled.
NOTE: If using High Risk and Low Risk process scan settings, it may be helpful to test these one at a time.
- Use an Agent wake-up call with the forced policy option to enforce the policy on the system. Alternatively, use the Check New Policy button on that system's Agent Status Monitor.
- For VirusScan Enterprise for Linux, set the What to Scan property to ZZZ in the On-Access Scanning policy:
NOTE: You may choose to set a unique policy for this test and assign it only to test systems. Copy either the production policy or the McAfee Default policy and make the following modifications. Use the Modify Policy on a Single System function from the System Tree's Action menu to modify policy assignment.
- In ePolicy Orchestrator, open Policy Catalog.
- Click the On-Access Scanning Policy.
- Click the Detections tab.
- Change the What to Scan setting to Specified file types.
- Enter a value of ZZZ.
- Click Save.
- Use an Agent wake-up call with the forced policy option to enforce the policy on the system. Alternatively, use the cmdagent -c -e function from /opt/McAfee/agent/bin/ in the console.
Progressively disable components in McAfee software to locate the specific component involved in the resource usage issue:
If the ZZZ test does not alleviate the high CPU utilization, the scan engine is efficiently scanning all the files that are sent to it. The next step is to determine exactly which subcomponent of the real-time anti-malware scanner is causing the symptom. To investigate, disable the various features of the product, one at a time. Between each, replicate the high CPU event and observe whether the high CPU utilization is alleviated.
- For all Endpoint Security platforms:
- Disable On-Access Scan. If the high CPU utilization drops, re-enable On-Access Scan and then disable the following options and test after each. Otherwise, continue to the next step.
- Scan Boot Sectors
- Scan Processes on enable
- Scan Trusted installers (if there is an application installation involved)
- ScriptScan
- Scan on Network Drives
- Scan when writing to disk
- Scan when reading from disk
- Find unknown unwanted programs and trojans
- Find unknown macro threats
- Scan inside archives
- Decode MIME encoded files
- Detect unwanted programs
- Disable Access Protection. If the high CPU utilization drops, re-enable Access Protection and then disable blocking and reporting on each of the Access Protection Rules and test after each. Otherwise, continue to the next step.
- Disable Exploit Prevention. If the high CPU utilization drops, re-enable Exploit Prevention and then disable each signature and Application Protection Rule and test after each.
- For MOVE AV Agentless/Multi-platform 3.6.x and 4.x:
- Disable Scan files when writing to disk and test. If the high CPU utilization does not drop, continue to the next step.
- Disable Scan files when reading from disk and test. If the high CPU utilization does not drop, continue to the next step.
- Disable Scan files on network mounted volumes and test.
- For VirusScan Enterprise:
- Disable On-Access Scan. If the high CPU utilization drops, re-enable On-Access Scan and then disable the following components and test after each. Otherwise, continue to the next step.
- Scan Boot Sectors
- Scan Processes on enable
- Scan Trusted installers (if there is an application installation involved)
- ScriptScan
- Scan on Network Drives
- Scan when writing to disk
- Scan when reading from disk
- Find unknown unwanted programs and trojans
- Find unknown macro threats
- Scan inside archives
- Decode MIME encoded files
- Detect unwanted programs
- Disable Access Protection. If the high CPU utilization drops, re-enable Access Protection and then disable blocking and reporting on each of the Access Protection Rules and test after each. Otherwise, continue to the next step.
- Disable On-Delivery Email Scanner. If the high CPU utilization drops, disable all of the subcomponents of the On-Delivery Email Scanner and test after each.
- For VirusScan Enterprise for Linux:
Disable On-Access Scan. If the high CPU utilization drops, re-enable On-Access Scan and then disable the following components and test after each.
- Scan files when writing to disk
- Scan files when reading from disk
- Scan files on network mounted volumes
- Find unknown program viruses
- Find unknown macro viruses
- Find potentially unwanted programs
- Find joke programs
- Scan inside multiple-file archives
- Decode MIME encoded files
Review the logs for the problematic component:
After you have identified the problematic component, it is often helpful to review the logs for that component. The logs will frequently identify the cause of the issue. For example, the VirusScan Enterprise log for On-Access Scan might be saturated with scan time-out messages from specific directories. These may even all be associated with the same third-party application.
Most McAfee product logs for Windows systems are located under %programdata%\McAfee\. MOVE AV Multi-platform logs are located in the installation directory for the product at c:\program files (x86)\McAfee\MOVE AV Server. McAfee logs from Mac and Linux systems are more easily viewed by collecting a Minimum Escalation Requirements (MER) file from the particular system. Please review the following articles for instructions to collect a MER file:
KB88197 - How to collect the Minimum Escalation Requirements file for Endpoint Security for Linux Threat Prevention
KB87626 - How to collect Minimum Escalation Requirements for Endpoint Protection for Mac, Endpoint Security for Mac, and VirusScan for Mac
KB80097 - How to generate the MOVE AV AntiVirus Agentless MER file
KB67272 - How to generate the VirusScan Enterprise for Linux MER file
Identify third-party applications involved in the issue:
It can be very helpful to identify which program is causing the most disk activity, thereby resulting in the most scan activity. Usually, the scan process (such as McShield.exe, Nails, or oasmanager) will be the top resource consumer and the application prompting all the disk activity will be the second highest CPU consumer. However, not all cases are that straightforward. If further clarification is needed, reintroduce the high CPU state and then begin shutting down third-party applications. After you identify the problematic application, attempt to progressively disable subcomponents of that application where appropriate.
Uninstall McAfee software:
If none of the above progressive disablement has demonstrated a drop in the CPU utilization, uninstall the McAfee real-time anti-malware scanning software and then check the state of the CPU utilization.
Solution
The results of the previous data collection steps should indicate what is causing the issue and indicate a method of tuning the configuration to bypass the problematic component.
Create exclusions:
If the ZZZ test alleviated the issue, there is a clear need to exclude a directory, file type, or process from the On-Access Scan component. Begin by cataloging all trusted third-party applications on the system. Contact the vendor for each, to obtain a set of recommended exclusions for anti-malware software. This will be a list of directories that should not be scanned and a list of running processes that should not trigger a scan when requesting disk activity. Exclude the directories and, if the anti-malware product is Endpoint Security or VirusScan Enterprise, add the processes to the Low Risk processes profile and disable Scan on Read, Scan on Write, or both, as necessary.
If that does not completely alleviate the issue, review the scan logs for scan time-out events. If there is a consistent pattern, that may indicate additional required exclusions.
Process Monitor, a tool from the Microsoft SysInternals suite, can also help if further tuning is required. Please review KB50981 for details. The active scan process for VirusScan Enterprise and MOVE AV Agentless/Multi-platform is McShield.exe. The active scan process for Endpoint Security is enstp.exe.
If disabling one of the other components alleviated the issue, such as ScriptScan, Access Protection, or Exploit Prevention, create exclusions for the affected component. Some of these components exclude directory paths, while others exclude processes running in memory. Review the appropriate section of the Product Guide for your product version for details. In these cases, product logs will usually reveal the source of the resource issue.
Conflicts with third-party applications:
If uninstalling the McAfee anti-malware system alleviated the issue, and if the source of the conflict can be identified by uninstalling a third-party application, there is a conflict between that application and the McAfee software that must be resolved. Frequently, these types of issues are already known. Ensure that both your McAfee software and the third-party product are completely up-to-date with the latest patches or hotfixes. Also, review the Known Issues article for the affected McAfee product. If the issue is already documented, there may be a workaround. If that does not resolve the issue, review KB73182 for application conflict investigation. For Endpoint Security, the data collection procedure described in KB86691 can be helpful in providing detailed information about McAfee products to the third party.
|
