Troubleshooting high CPU utilization by the real-time antimalware scanner

Technical Articles ID: KB89354
Last Modified: 4/4/2022

Environment

Endpoint Security for Linux Threat Prevention (ENSLTP) 10.x
Endpoint Security for Mac Threat Prevention (ENSM Threat Prevention) 10.x
ENS Threat Prevention 10.x
Management for Optimized Virtual Environments (MOVE) AntiVirus Agentless (MOVE AV Agentless)
MOVE AV Multi-platform
VirusScan Enterprise (VSE) 8.8.x
VSE for Linux 2.x, 1.x

Summary

All our real-time antimalware scanners operate by inserting a component that's used to monitor all disk access requests made by any process running in memory. This component intercepts the file and delivers it to the scan engine. The scan engine then returns a decision about whether the file is malicious. If the file isn't malicious, it's returned to the process that requested it. If the file is malicious, an action is taken on it. The real-time antimalware scanner CPU utilization is proportional to the amount of disk activity that occurs on the system. If the system is idle, the scanner is idle. So, a real-time antimalware scanner is expected to compound the existing CPU utilization, but isn't the driving force behind system resource consumption.

Because our software exists in a diverse range of environments, it's impossible to provide a default configuration that meets the balance between protection and performance in all possible environments. Administrators are expected to tune each instance of the real-time antimalware scanner to the needs of the specific environment.

Tuning is conducted by measuring performance for the default or existing configuration, and then modifying the configuration to improve performance and increase security. Sometimes, performance issues can't be alleviated by changing the configuration. In these cases, a conflict might exist between the real-time antimalware scanner and either a third-party program or the system itself. Conflicts of this type must be resolved to alleviate the issues.

To identify the cause of high CPU utilization by the real-time antimalware scanner for ENS, MOVE AV Agentless, MOVE AV Multi-platform, or VSE, use the diagnostic procedure in this article. Only general remediation steps are provided.

NOTE: High CPU utilization is the most common performance symptom that users experience. But, the troubleshooting covered by this article is relevant to any performance, system stability, or application stability issue that might occur. In the following steps, the article directs configuration changes while monitoring how each change affects CPU activity. But, you can substitute these steps for any given performance, system stability, or application stability symptom.

Cause

Use the following diagnostic procedures to identify the component causing the high CPU utilization.

Contents
Click to expand the section you want to view:

Identify the component in the software involved in the resource use issue

Verify that the real-time antimalware scanner is part of the issue with the "ZZZ" test by configuring the real-time antimalware scanner to only deliver files with a .zzz extension to the scan engine. This test eliminates the scan engine from involvement. If this causes CPU utilization to drop significantly, the scan engine is the cause.

For all Endpoint Security platforms, configure the What to Scan setting to ZZZ in the On-Access Scan policy:
- On the Endpoint Security client, perform the steps below:
  1. Click Threat Prevention.
  2. Click Show Advanced.
  3. Click On-Access Scan.
  4. Scroll down to the section Processes Settings.
  5. Find the What to Scan setting.
  6. Click Specified file types only.
  7. Enter a value of ZZZ.
  8. Click Apply.
  9. If the option below is enabled, click the High Risk and Low Risk tabs of the Process Types section and repeat the above steps.
    
    Configure different settings for High Risk and Low Risk processes
    
    NOTE: If using High Risk and Low Risk process scan settings, it might be helpful to test these settings one at a time.
- In ePolicy Orchestrator (ePO):
  
  NOTE: You can choose to set a unique policy for this test and assign it only to test systems. Copy either the production policy or the Default policy and make the following changes. To modify the policy assignment, use the Modify Policy on a Single System function from the System Tree's Action menu.
  1. Open Policy Catalog and select the On-Access Scan policy.
  2. Click Show Advanced.
  3. Scroll down to the section Processes Settings.
  4. Find the What to Scan setting.
  5. Click Specified file types only.
  6. Enter a value of ZZZ.
  7. Click Save.
  8. If Configure different settings for High Risk and Low Risk processes is enabled, click the High Risk and Low Risk tabs of the Process Types section and repeat the above steps.
    
    NOTE: If using High Risk and Low Risk process scan settings, it might be helpful to test these settings one at a time.
For MOVE AV Agentless/Multi-platform, set the File Types to Scan to ZZZ in the On-Access Scan policy:

NOTE: You can choose to set a unique policy for this test and assign it only to test systems. Copy either the production policy or the Default policy and make the following changes. Use the Modify Policy on a Single System function from the System Tree's Action menu and the modify policy assignment.
1. In ePO, open Policy Catalog.
2. Click the On-Access Scan policy.
3. Click Show Advanced.
4. Scroll down to File Types to Scan.
5. Click Following only.
6. Click Add.
7. Enter a value of ZZZ.
8. Click OK.
9. Remove any other extensions already listed.
10. Save the policy.
11. Use an Agent wake-up call with the forced policy option, and enforce the policy on the system. Or, on Agentless SVMs, use the cmdagent -c -e function from /opt/McAfee/agent/bin/ in the console, or in Multi-platform SVMs, use the Check New Policy button on that system's Agent Status Monitor.
For VirusScan Enterprise, set the What to scan property to ZZZ in the On-Access Scan module:
- On the VirusScan Enterprise client:
  1. Right-click On-Access Scan and select Properties.
  2. Click All Processes.
  3. Click the Scan Items tab.
  4. For the What to scan property, click Specified File Types Only.
  5. Click Specified.
  6. Enter a value of ZZZ.
  7. Click Add.
  8. Click OK.
  9. Click Apply.
  10. Repeat these steps for High Risk processes and Low Risk processes if they’re enabled.
    
    NOTE: If using High Risk and Low Risk process scan settings, it might be helpful to test these settings one at a time.
- In ePO:
  
  NOTE: You can choose to set a unique policy for this test and assign it only to test systems. Copy either the production policy or the Default policy and make the following changes. Use the Modify Policy on a Single System function from the System Tree's Action menu, and modify the policy assignment.
  1. Open Policy Catalog and select the On-Access Scan Default Processes Policy.
  2. Click the Scan Items tab.
  3. For the File Types to Scan property, click Specified File Types Only.
  4. Enter a value of ZZZ.
  5. Click Save.
  6. Repeat these steps for High Risk processes and Low Risk processes if they’re enabled.
    
    NOTE: If using High Risk and Low Risk process scan settings, it might be helpful to test these settings one at a time.
  7. Use an Agent wake-up call with the forced policy option, and enforce the policy on the system. Or, use the Check New Policy button on that system's Agent Status Monitor.
For VirusScan Enterprise for Linux, set the What to Scan property to ZZZ in the On-Access Scanning policy:

NOTE: You can choose to set a unique policy for this test and assign it only to test systems. Copy either the production policy or the Default policy and make the following changes. Use the Modify Policy on a Single System function from the System Tree's Action menu, and modify the policy assignment.
1. In ePO, open Policy Catalog.
2. Click the On-Access Scanning Policy.
3. Click the Detections tab.
4. Change the What to Scan setting to Specified file types.
5. Enter a value of ZZZ.
6. Click Save.
7. Use an Agent wake-up call with the forced policy option, and enforce the policy on the system. Or, use the cmdagent -c -e function from /opt/McAfee/agent/bin/ in the console.

Progressively disable components in the software to locate the specific component involved in the resource use issue

If the ZZZ test doesn't alleviate the high CPU utilization, the scan engine efficiently scans all files that are sent to it. The next step is to determine exactly which subcomponent of the real-time antimalware scanner is causing the symptom. To investigate, disable the features of the product one at a time. Between each investigation, replicate the high CPU utilization event and observe whether the high CPU utilization is alleviated.

For all Endpoint Security platforms:
1. Disable On-Access Scan. If the high CPU utilization drops, re-enable On-Access Scan and then disable the following options and test after disabling each option. Otherwise, continue to the next step.
  - Scan Boot Sectors
  - Scan Processes on enable
  - Scan Trusted installers (if there’s an application installation involved)
  - ScriptScan
  - Scan on Network Drives
  - Scan when writing to disk
  - Scan when reading from disk
  - Find unknown unwanted programs and trojans
  - Find unknown macro threats
  - Scan inside archives
  - Decode MIME encoded files
  - Detect unwanted programs
2. Disable Access Protection. If the high CPU utilization drops, re-enable Access Protection and then disable blocking and reporting on each of the Access Protection Rules and test after each disable action. Otherwise, continue to the next step.
3. Disable Exploit Prevention. If the high CPU utilization drops, re-enable Exploit Prevention and then disable each signature and Application Protection Rule and test after each disable action.
For MOVE AV Agentless/Multi-platform:
1. Disable Scan files when writing to disk and test. If the high CPU utilization doesn't drop, continue to the next step.
2. Disable Scan files when reading from disk and test. If the high CPU utilization doesn't drop, continue to the next step.
3. Disable Scan files on network mounted volumes and test.
For VirusScan Enterprise:
1. Disable On-Access Scan. If the high CPU utilization drops, re-enable On-Access Scan and then disable the following components and test after each. Otherwise, continue to the next step.
  - Scan Boot Sectors
  - Scan Processes on enable
  - Scan Trusted installers (if there’s an application installation involved)
  - ScriptScan
  - Scan on Network Drives
  - Scan when writing to disk
  - Scan when reading from disk
  - Find unknown unwanted programs and trojans
  - Find unknown macro threats
  - Scan inside archives
  - Decode MIME encoded files
  - Detect unwanted programs
2. Disable Access Protection. If the high CPU utilization drops:
  1. Re-enable Access Protection.
  2. Disable blocking and reporting on each of the Access Protection Rules and test after each disable action.
    
    Otherwise, continue to the next step.
3. Disable On-Delivery Email Scanner. If the high CPU utilization drops, disable all subcomponents of the On-Delivery Email Scanner and test after each.
For VirusScan Enterprise for Linux:
Disable On-Access Scan. If the high CPU utilization drops, re-enable On-Access Scan and then disable the following components and test after each.
- Scan files when writing to disk
- Scan files when reading from disk
- Scan files on network mounted volumes
- Find unknown program viruses
- Find unknown macro viruses
- Find potentially unwanted programs
- Find joke programs
- Scan inside multiple-file archives
- Decode MIME encoded files

Review the logs for the problematic component

After you've identified the problematic component, it's often helpful to review the logs for that component. The logs frequently identify the cause of the issue. For example, the VSE log for on-access scan might be saturated with scan time-out messages from specific directories. These messages might even be associated with the same third-party application.

Most product logs for Windows systems are located under %programdata%\McAfee\. MOVE AV Multi-platform logs are in the installation directory for the product at c:\program files (x86)\McAfee\MOVE AV Server. Logs from Mac and Linux systems are more easily viewed by collecting a Minimum Escalation Requirements (MER) file from the particular system. Review the following articles for instructions to collect a MER file:

Identify third-party applications involved in the issue

It can be helpful to identify the program that's causing the most disk activity, which results in the most scan activity. Usually, the scan process (such as McShield.exe, Nails, or oasmanager) is the top resource consumer and the application prompting the disk activity is the second highest CPU consumer. But, not all cases are that straightforward. If further clarification is needed, reintroduce the high CPU utilization state and then begin shutting down third-party applications. After you identify the problematic application, try to progressively disable subcomponents of that application where appropriate.

Uninstall the software

If none of the above progressive disablement shows a drop in the CPU utilization, uninstall the real-time antimalware scanning software and then check the state of the CPU utilization.

Solution

The results of the previous data collection steps indicate what's causing the issue, and provide a method of tuning the configuration to bypass the problematic component.

Create exclusions:
If the ZZZ test alleviates the issue, there's a clear need to exclude a directory, file type, or process from the on-access scan component. Begin by cataloging all trusted third-party applications on the system. Contact the vendor for each to obtain a set of recommended exclusions for antimalware software. Exclusions are a list of folders that aren't scanned, and a list of running processes that don't trigger a scan when requesting disk activity. Exclude the folders and, if the antimalware product is ENS or VSE, add the processes to the Low Risk processes profile. Make sure to either disable Scan on Read, Scan on Write, or both, as needed.

When the above doesn't completely alleviate the issue, review the scan logs for scan time-out events. If there's a consistent pattern, it might indicate that you need more exclusions.

Process Monitor, a tool from the Microsoft Sysinternals suite, can also help if further tuning is needed. The active scan process for VSE and MOVE AV Agentless or Multi-platform is McShield.exe. The active scan process for ENS is enstp.exe. Both on-access scan and on-demand scan use these processes.

If disabling one of the other components, such as ScriptScan, Access Protection, or Exploit Prevention, alleviates the issue, create exclusions for the affected component. Some of these components exclude directory paths, while others exclude processes running in memory. Review the appropriate section of the Product Guide for your product version for details. In these cases, product logs usually reveal the source of the resource issue.

Conflicts with third-party applications:
A conflict between that application and our software must be resolved if any of the criteria below is met:

Uninstalling the antimalware product alleviates the issue.
The source of the conflict can be identified by uninstalling a third-party application.

Often, these types of issues are already known. Make sure that both our software and the third-party product are up to date with the latest updates or hotfixes. Also, review the Known Issues article for the affected product. If the issue is already documented, there might be a workaround. If that doesn't resolve the issue, for application conflict investigation, see KB73182 - Support statement for compatibility issues between our products and third-party applications. For ENSy, there's a data collection procedure that can be helpful in providing detailed information about our products. For instructions, see KB86691 - Minimum data collection steps for Endpoint Security issues.

Related Information

For product documents, go to the Product Documentation portal.

Affected Products

Diagnostic Data Collection
Endpoint Security for Linux Threat Prevention 10.x
Endpoint Security for Mac Threat Prevention 10.x
Endpoint Security Threat Prevention 10.7.x
Endpoint Security Threat Prevention 10.6.x
MOVE Antivirus Agentless 4.8.x
MOVE Antivirus Agentless 4.7.x
MOVE Antivirus Multi-platform 4.8.x
MOVE Antivirus Multi-platform 4.7.x
Troubleshooting
VirusScan Enterprise 8.8 (EOL)
VirusScan Enterprise for Linux 1.9.x (EOL)
VirusScan Enterprise for Linux 2.0.x (EOL)

Languages:

This article is available in the following languages:

German
English United States
Spanish Spain
French
Italian
Japanese
Portuguese Brasileiro
Chinese Simplified

Knowledge Center

Troubleshooting high CPU utilization by the real-time antimalware scanner

Environment

Summary

Cause

Solution

Related Information

Affected Products

Languages:

Title

Title

Knowledge Center

Troubleshooting high CPU utilization by the real-time antimalware scanner

Environment

Summary

Cause

Solution

Related Information

Affected Products

Languages:

Choose your region

Title

Title