Troubleshoot high CPU by the real-time antimalware scanner
Technical Articles ID: KB89354
Last Modified: 3/30/2021
Environment
McAfee Endpoint Security for Linux Threat Prevention 10.x
McAfee Endpoint Security for Mac Threat Prevention 10.x
McAfee Endpoint Security Threat Prevention 10.x
McAfee MOVE Antivirus (AV) Agentless 4.x
McAfee MOVE AV Multi-platform 4.x
McAfee VirusScan Enterprise 8.8.x
McAfee VirusScan Enterprise for Linux 2.x, 1.x
Summary
All McAfee real-time antimalware scanners operate by inserting a component that is used to monitor all disk access requests made by any process running in memory. This component intercepts the file and delivers it to the scan engine. The scan engine then returns a decision about whether the file is malicious. If the file is not malicious, it is returned to the process that requested it. If the file is malicious, an action is taken on it. The real-time antimalware scanner CPU use is proportional to the amount of disk activity that occurs on the system. If the system is idle, the scanner should be idle. So, a real-time antimalware scanner is expected to compound existing CPU utilization, but is not the driving force behind system resource consumption.
Because McAfee software exists in a diverse range of environments, it is impossible to provide a default configuration that meets the needed balance between protection and performance in all possible environments. Administrators are expected to tune each instance of the real-time antimalware scanner to the needs of the specific environment.
Tuning is conducted by measuring performance for the default or existing configuration, and then modifying the configuration to improve performance and increase security. Sometimes, performance issues can't be alleviated by changing the configuration. In these cases, a conflict might exist between the real-time antimalware scanner and either a third-party program or the system itself. Conflicts of this type must be resolved to alleviate the issues.
To identify the cause of high CPU use by the McAfee real-time antimalware scanner for Endpoint Security, MOVE AV Agentless/Multi-platform, or VirusScan Enterprise, use the diagnostic procedure in this article. Only general remediation steps are provided.
NOTE: High CPU utilization is the most common performance symptom that users experience, but the troubleshooting covered by this article applies to any performance, system stability, or application stability issue that might occur. The following steps direct configuration changes while monitoring how each change affects CPU activity; you can apply the same steps to any other performance, system stability, or application stability symptom.
Cause
Use the following diagnostic procedure to identify the component causing the high CPU use.
Contents
Verify that the real-time antimalware scanner is part of the issue with the "ZZZ" test, by configuring the real-time antimalware scanner to only deliver files with a .zzz extension to the scan engine. This test eliminates the scan engine from involvement. If this causes CPU utilization to drop significantly, the scan engine is the cause.
For all Endpoint Security platforms, configure the What to Scan setting to ZZZ in the On-Access Scan policy:
On the Endpoint Security client:
Click Threat Prevention.
Click Show Advanced.
Click On-Access Scan.
Scroll down to the section Processes Settings.
Find the What to Scan setting.
Click Specified file types only.
Enter a value of ZZZ.
Click Apply.
If Configure different settings for High Risk and Low Risk processes is enabled, click the High Risk and Low Risk tabs of the Process Types section and repeat the above steps.
NOTE: If using High Risk and Low Risk process scan settings, it might be helpful to test these settings one at a time.
In ePolicy Orchestrator:
NOTE: You can choose to set a unique policy for this test and assign it only to test systems. Copy either the production policy or the McAfee Default policy and make the following changes. To modify policy assignment, use the Modify Policy on a Single System function from the System Tree's Action menu.
Open Policy Catalog and select the On-Access Scan policy.
Click Show Advanced.
Scroll down to the section Processes Settings.
Find the What to Scan setting.
Click Specified file types only.
Enter a value of ZZZ.
Click Save.
If Configure different settings for High Risk and Low Risk processes is enabled, click the High Risk and Low Risk tabs of the Process Types section and repeat the above steps.
NOTE: If using High Risk and Low Risk process scan settings, it might be helpful to test these settings one at a time.
For MOVE AV Agentless/Multi-platform, set the File Types to Scan to ZZZ in the On-Access Scan policy:
NOTE: You can choose to set a unique policy for this test and assign it only to test systems. Copy either the production policy or the McAfee Default policy and make the following changes. Use the Modify Policy on a Single System function from the System Tree's Action menu to modify policy assignment.
In ePolicy Orchestrator, open Policy Catalog.
Click the On-Access Scan policy.
Click Show Advanced.
Scroll down to File Types to Scan.
Click Following only.
Click Add.
Enter a value of ZZZ.
Click OK.
Remove any other extensions already listed.
Save the policy.
Use an Agent wake-up call with the forced policy option to enforce the policy on the system. Or, on Agentless SVMs, run cmdagent -c -e from /opt/McAfee/agent/bin/ in the console; on Multi-platform SVMs, use the Check New Policy button on that system's Agent Status Monitor.
For VirusScan Enterprise, set the What to scan property to ZZZ in the On-Access Scan module:
On the VirusScan Enterprise client:
Right-click On-Access Scan and select Properties.
Click All Processes.
Click the Scan Items tab.
For the What to scan property, click Specified File Types Only.
Click Specified.
Enter a value of ZZZ.
Click Add.
Click OK.
Click Apply.
Repeat these steps for High Risk processes and Low Risk processes if they are enabled.
NOTE: If using High Risk and Low Risk process scan settings, it might be helpful to test these settings one at a time.
In ePolicy Orchestrator:
NOTE: You can choose to set a unique policy for this test and assign it only to test systems. Copy either the production policy or the McAfee Default policy and make the following changes. Use the Modify Policy on a Single System function from the System Tree's Action menu to modify policy assignment.
Open Policy Catalog and select the On-Access Scan Default Processes Policy.
Click the Scan Items tab.
For the File Types to Scan property, click Specified File Types Only.
Enter a value of ZZZ.
Click Save.
Repeat these steps for High Risk processes and Low Risk processes if they are enabled.
NOTE: If using High Risk and Low Risk process scan settings, it might be helpful to test these settings one at a time.
Use an Agent wake-up call with the forced policy option to enforce the policy on the system. Or, use the Check New Policy button on that system's Agent Status Monitor.
For VirusScan Enterprise for Linux, set the What to Scan property to ZZZ in the On-Access Scanning policy:
NOTE: You can choose to set a unique policy for this test and assign it only to test systems. Copy either the production policy or the McAfee Default policy and make the following changes. Use the Modify Policy on a Single System function from the System Tree's Action menu to modify policy assignment.
In ePolicy Orchestrator, open Policy Catalog.
Click the On-Access Scanning Policy.
Click the Detections tab.
Change the What to Scan setting to Specified file types.
Enter a value of ZZZ.
Click Save.
Use an Agent wake-up call with the forced policy option to enforce the policy on the system. Or, run cmdagent -c -e from /opt/McAfee/agent/bin/ in the console.
If the ZZZ test does not alleviate the high CPU utilization, the scan engine is efficiently scanning all files that are sent to it. The next step is to determine exactly which subcomponent of the real-time antimalware scanner is causing the symptom. To investigate, disable the features of the product, one at a time. Between each, replicate the high CPU event and observe whether the high CPU utilization is alleviated.
For all Endpoint Security platforms:
Disable On-Access Scan. If the high CPU utilization drops, re-enable On-Access Scan and then disable the following options and test after each. Otherwise, continue to the next step.
Scan Boot Sectors
Scan Processes on enable
Scan Trusted installers (if there is an application installation involved)
ScriptScan
Scan on Network Drives
Scan when writing to disk
Scan when reading from disk
Find unknown unwanted programs and trojans
Find unknown macro threats
Scan inside archives
Decode MIME encoded files
Detect unwanted programs
Disable Access Protection. If the high CPU utilization drops, re-enable Access Protection and then disable blocking and reporting on each of the Access Protection Rules and test after each. Otherwise, continue to the next step.
Disable Exploit Prevention. If the high CPU utilization drops, re-enable Exploit Prevention and then disable each signature and Application Protection Rule and test after each.
For MOVE AV Agentless/Multi-platform:
Disable Scan files when writing to disk and test. If the high CPU utilization does not drop, continue to the next step.
Disable Scan files when reading from disk and test. If the high CPU utilization does not drop, continue to the next step.
Disable Scan files on network mounted volumes and test.
For VirusScan Enterprise:
Disable On-Access Scan. If the high CPU utilization drops, re-enable On-Access Scan and then disable the following components and test after each. Otherwise, continue to the next step.
Scan Boot Sectors
Scan Processes on enable
Scan Trusted installers (if there is an application installation involved)
ScriptScan
Scan on Network Drives
Scan when writing to disk
Scan when reading from disk
Find unknown unwanted programs and trojans
Find unknown macro threats
Scan inside archives
Decode MIME encoded files
Detect unwanted programs
Disable Access Protection. If the high CPU utilization drops, re-enable Access Protection and then disable blocking and reporting on each of the Access Protection Rules and test after each. Otherwise, continue to the next step.
Disable On-Delivery Email Scanner. If the high CPU utilization drops, disable all subcomponents of the On-Delivery Email Scanner and test after each.
For VirusScan Enterprise for Linux:
Disable On-Access Scan. If the high CPU utilization drops, re-enable On-Access Scan and then disable the following components and test after each.
Scan files when writing to disk
Scan files when reading from disk
Scan files on network mounted volumes
Find unknown program viruses
Find unknown macro viruses
Find potentially unwanted programs
Find joke programs
Scan inside multiple-file archives
Decode MIME encoded files
After you have identified the problematic component, it is often helpful to review the logs for that component. The logs frequently identify the cause of the issue. For example, the VirusScan Enterprise log for On-Access Scan might be saturated with scan time-out messages from specific directories. These messages might even all be associated with the same third-party application.
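As an added example (not McAfee's code, and not McAfee's log format), the following Python script aggregates scan time-out events by directory and by requesting process, which is the pattern described above. The tab-separated line layout, the file paths and the sample lines are constructed for illustration; adjust LINE_RE to the layout of the actual log file before running it against one.

```python
"""Summarize scan time-out events in an On-Access Scan log.

Added example, not McAfee's code. The line layout below is a constructed,
simplified stand-in (tab-separated: timestamp, event, process, file path);
adjust LINE_RE to the layout of the real log file before use.
"""
import re
import sys
from collections import Counter
from pathlib import Path

# Hypothetical layout: "<date> <time>\t<event>\t<process image>\t<file path>".
LINE_RE = re.compile(r"^(\S+ \S+)\t([^\t]+)\t([^\t]+)\t(.+?)\s*$")

# Constructed sample log: four time-outs from one application's cache directory,
# two from a temp directory, one unrelated detection and one malformed line.
SAMPLE_LOG = "\n".join([
    "2021-03-30 10:01:12\tScan timed out\tC:\\Program Files\\ExampleApp\\app.exe\tC:\\ExampleApp\\data\\cache\\a1.dat",
    "2021-03-30 10:01:13\tScan timed out\tC:\\Program Files\\ExampleApp\\app.exe\tC:\\ExampleApp\\data\\cache\\a2.dat",
    "2021-03-30 10:01:15\tScan timed out\tC:\\Program Files\\ExampleApp\\app.exe\tC:\\ExampleApp\\data\\cache\\a3.dat",
    "2021-03-30 10:01:20\tScan timed out\tC:\\Program Files\\ExampleApp\\app.exe\tC:\\ExampleApp\\data\\cache\\a4.dat",
    "2021-03-30 10:02:01\tScan timed out\tC:\\Windows\\System32\\other.exe\tC:\\Windows\\Temp\\blob1.tmp",
    "2021-03-30 10:02:02\tScan timed out\tC:\\Windows\\System32\\other.exe\tC:\\Windows\\Temp\\blob2.tmp",
    "2021-03-30 10:03:00\tDeleted\tC:\\Windows\\explorer.exe\tC:\\Users\\alice\\Downloads\\sample.com",
    "garbage line that does not match the layout",
])


def parent_dir(path):
    """Directory part of a Windows or POSIX path, without touching the filesystem."""
    sep = "\\" if "\\" in path else "/"
    head, _, _ = path.rpartition(sep)
    return head or path


def timeout_summary(text, top=5):
    """Return (directories, processes) ranked by number of time-out events."""
    by_dir = Counter()
    by_proc = Counter()
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the expected layout
        _, event, process, path = m.groups()
        if "timed out" not in event.lower():
            continue  # only time-outs matter for this check
        by_dir[parent_dir(path)] += 1
        by_proc[process] += 1
    return by_dir.most_common(top), by_proc.most_common(top)


if __name__ == "__main__":
    # Pass a real log path as the first argument; otherwise the sample runs.
    text = Path(sys.argv[1]).read_text(errors="replace") if len(sys.argv) > 1 else SAMPLE_LOG
    dirs, procs = timeout_summary(text)
    print("Time-outs by directory:")
    for d, n in dirs:
        print(f"  {n:5d}  {d}")
    print("Time-outs by requesting process:")
    for p, n in procs:
        print(f"  {n:5d}  {p}")
```

A directory or process that dominates the ranking is the natural first candidate for the exclusions described in the Solution section; a spread of time-outs across many unrelated paths points instead at a general scan-time or conflict problem.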
Most McAfee product logs for Windows systems are located under %programdata%\McAfee\. MOVE AV Multi-platform logs are located in the installation directory for the product at c:\program files (x86)\McAfee\MOVE AV Server. McAfee logs from Mac and Linux systems are more easily viewed by collecting a Minimum Escalation Requirements (MER) file from the particular system. Review the following articles for instructions to collect a MER file:
It can be helpful to identify which program is causing the most disk activity, which results in the most scan activity. Usually, the scan process (such as McShield.exe, Nails, or oasmanager) is the top resource consumer and the application prompting the disk activity is the second highest CPU consumer. But, not all cases are that straightforward. If further clarification is needed, reintroduce the high CPU state and then begin shutting down third-party applications. After you identify the problematic application, attempt to progressively disable subcomponents of that application where appropriate.
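Added example, not McAfee's code: a Linux-only Python sampler that ranks processes by CPU ticks and by disk bytes over an interval, so that the scanner's CPU share and the application driving the disk activity can be compared before and after each change in the disablement steps above. It reads /proc/<pid>/stat and /proc/<pid>/io (reading other users' io counters needs root); the process names and numbers in the embedded sample snapshots are constructed.

```python
"""Rank processes by CPU and disk activity over a short interval (Linux).

Added example, not McAfee's code. It reads /proc/<pid>/stat and /proc/<pid>/io,
so it runs on Linux hosts such as those running VirusScan Enterprise for Linux
or Endpoint Security for Linux. The constructed sample snapshots below are
illustrative only.
"""
import os
import sys
import time


def snapshot():
    """Collect cumulative CPU ticks and disk bytes for every visible process."""
    procs = {}
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        pid = int(entry)
        try:
            with open(f"/proc/{pid}/stat") as f:
                stat = f.read()
            # The command name is parenthesised and may contain spaces, so split after it.
            name = stat[stat.index("(") + 1:stat.rindex(")")]
            fields = stat[stat.rindex(")") + 2:].split()
            cpu = int(fields[11]) + int(fields[12])  # utime + stime, in clock ticks
            disk = 0
            try:
                with open(f"/proc/{pid}/io") as f:
                    for line in f:
                        key, _, value = line.partition(":")
                        if key in ("read_bytes", "write_bytes"):
                            disk += int(value)
            except PermissionError:
                pass  # io counters of other users' processes need root; count as 0
        except (FileNotFoundError, ProcessLookupError, ValueError, IndexError):
            continue  # process exited mid-sample or stat was unreadable
        procs[pid] = {"name": name, "cpu": cpu, "disk": disk}
    return procs


def rank_deltas(before, after, metric, top=5):
    """Top processes by growth of `metric` between two snapshots: (name, pid, delta)."""
    deltas = []
    for pid, cur in after.items():
        prev = before.get(pid)
        if prev is None:
            continue  # started after the first sample; no baseline to compare
        delta = cur[metric] - prev[metric]
        if delta > 0:
            deltas.append((cur["name"], pid, delta))
    deltas.sort(key=lambda t: (-t[2], t[1]))
    return deltas[:top]


def measure(interval=5.0):
    """Sample twice `interval` seconds apart and return (cpu_ranking, disk_ranking)."""
    before = snapshot()
    time.sleep(interval)
    after = snapshot()
    return rank_deltas(before, after, "cpu"), rank_deltas(before, after, "disk")


# Constructed snapshots: the scanner daemon leads CPU while an application drives disk I/O.
SAMPLE_BEFORE = {
    100: {"name": "nails", "cpu": 5000, "disk": 10_000_000},
    200: {"name": "exampleapp", "cpu": 1200, "disk": 2_000_000},
    300: {"name": "sshd", "cpu": 40, "disk": 4096},
}
SAMPLE_AFTER = {
    100: {"name": "nails", "cpu": 5900, "disk": 10_050_000},
    200: {"name": "exampleapp", "cpu": 1800, "disk": 52_000_000},
    300: {"name": "sshd", "cpu": 41, "disk": 4096},
    400: {"name": "late-starter", "cpu": 9999, "disk": 0},
}


if __name__ == "__main__":
    if sys.platform.startswith("linux") and "--sample" not in sys.argv:
        interval = 5.0
        ticks = os.sysconf("SC_CLK_TCK")
        cpu_rank, disk_rank = measure(interval)
    else:
        interval, ticks = 1.0, 100  # report the constructed sample instead
        cpu_rank = rank_deltas(SAMPLE_BEFORE, SAMPLE_AFTER, "cpu")
        disk_rank = rank_deltas(SAMPLE_BEFORE, SAMPLE_AFTER, "disk")
    print("Top CPU consumers (% of one core over the interval):")
    for name, pid, d in cpu_rank:
        print(f"  {100.0 * d / ticks / interval:6.1f}%  {name} ({pid})")
    print("Top disk I/O (bytes read + written over the interval):")
    for name, pid, d in disk_rank:
        print(f"  {d:12d}  {name} ({pid})")
```

Run it once in the high CPU state to record a baseline, then again after each component is disabled; the scan process should stay near the top of the CPU list while the disk list shows which application is generating the requests it scans. Processes that start during the interval are skipped because they have no baseline.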
If none of the above progressive disablement has shown a drop in the CPU utilization, uninstall the McAfee real-time antimalware scanning software and then check the state of the CPU utilization.
Solution
The results of the previous data collection steps should indicate what is causing the issue and indicate a method of tuning the configuration to bypass the problematic component.
Create exclusions:
If the ZZZ test alleviated the issue, there is a clear need to exclude a directory, file type, or process from the On-Access Scan component. Begin by cataloging all trusted third-party applications on the system. Contact the vendor for each, to obtain a set of recommended exclusions for antimalware software. Exclusions are a list of directories that should not be scanned and a list of running processes that should not trigger a scan when requesting disk activity. Exclude the directories and, if the antimalware product is Endpoint Security or VirusScan Enterprise, add the processes to the Low Risk processes profile and disable Scan on Read, Scan on Write, or both, as needed.
If that does not completely alleviate the issue, review the scan logs for scan time-out events. If there is a consistent pattern, that might indicate you need more exclusions.
If disabling one of the other components alleviated the issue, such as ScriptScan, Access Protection, or Exploit Prevention, create exclusions for the affected component. Some of these components exclude directory paths, while others exclude processes running in memory. Review the appropriate section of the Product Guide for your product version for details. In these cases, product logs usually reveal the source of the resource issue.
Conflicts with third-party applications:
If uninstalling the McAfee antimalware system alleviated the issue, and if the source of the conflict can be identified by uninstalling a third-party application, there is a conflict between that application and the McAfee software that must be resolved. Frequently, these types of issues are already known. Make sure that both your McAfee software and the third-party product are up to date with the latest updates or hotfixes. Also, review the Known Issues article for the affected McAfee product. If the issue is already documented, there might be a workaround. If that does not resolve the issue, for application conflict investigation, see: KB73182 - McAfee support statement for compatibility issues between McAfee products and third-party applications. For Endpoint Security, there is a data collection procedure that can be helpful in providing detailed information about McAfee products to the third party. For instructions, see: KB86691 - Minimum data collection steps for Endpoint Security issues.
Related Information
For McAfee product documents, go to the Enterprise Product Documentation portal at https://docs.mcafee.com.