Troubleshoot high CPU by the real-time antimalware scanner

Technical Articles ID: KB89354
Last Modified: 8/27/2021

Environment

McAfee Endpoint Security for Linux Threat Prevention 10.x
McAfee Endpoint Security for Mac Threat Prevention 10.x
McAfee Endpoint Security Threat Prevention 10.x
McAfee Management for Optimized Virtual Environments (MOVE)
McAfee MOVE AntiVirus Agentless (MOVE AV Agentless)
McAfee MOVE AntiVirus Multi-Platform (MOVE AV Multi-Platform)
McAfee VirusScan Enterprise 8.8.x
McAfee VirusScan Enterprise for Linux 2.x, 1.x

Summary

All McAfee real-time antimalware scanners operate by inserting a component that is used to monitor all disk access requests made by any process running in memory. This component intercepts the file and delivers it to the scan engine. The scan engine then returns a decision about whether the file is malicious. If the file isn’t malicious, it’s returned to the process that requested it. If the file is malicious, an action is taken on it. The real-time antimalware scanner CPU use is proportional to the amount of disk activity that occurs on the system. If the system is idle, the scanner is idle. So, a real-time antimalware scanner is expected to compound existing CPU utilization, but isn’t the driving force behind system resource consumption.

Because McAfee Enterprise software exists in a diverse range of environments, it’s impossible to provide a default configuration that meets the needed balance between protection and performance in all possible environments. Administrators are expected to tune each instance of the real-time antimalware scanner to the needs of the specific environment.

Tuning is conducted by measuring performance for the default or existing configuration, and then modifying the configuration to improve performance and increase security. Sometimes, performance issues can't be alleviated by changing the configuration. In these cases, a conflict might exist between the real-time antimalware scanner and either a third-party program or the system itself. Conflicts of this type must be resolved to alleviate the issues.

To identify the cause of high CPU use by the McAfee Enterprise real-time antimalware scanner for Endpoint Security, MOVE AV Agentless, MOVE AVMulti-platform, or VirusScan Enterprise, use the diagnostic procedure in this article. Only general remediation steps are provided.

NOTE: High CPU utilization is the most common performance symptom that users experience. But, the troubleshooting covered by this article is relevant to any performance, system stability, or application stability issue that might occur. In the following steps, the article directs configuration changes while monitoring how each change affects CPU activity. But, you can substitute these steps for any given performance, system stability, or application stability symptom.

Cause

Use the following diagnostic procedures to identify the component causing the high CPU use.

Contents
Click to expand the section you want to view:

Identify the component in McAfee Enterprise software involved in the resource use issue

Verify that the real-time antimalware scanner is part of the issue with the "ZZZ" test by configuring the real-time antimalware scanner to only deliver files with a .zzz extension to the scan engine. This test eliminates the scan engine from involvement. If this causes CPU utilization to drop significantly, the scan engine is the cause.

For all Endpoint Security platforms, configure the What to Scan setting to ZZZ in the On-Access Scan policy:
- On the Endpoint Security client:
  1. Click Threat Prevention.
  2. Click Show Advanced.
  3. Click On-Access Scan.
  4. Scroll down to the section Processes Settings.
  5. Find the What to Scan setting.
  6. Click Specified file types only.
  7. Enter a value of ZZZ.
  8. Click Apply.
  9. If the option below is enabled, click the High Risk and Low Risk tabs of the Process Types section and repeat the above steps.
    
    Configure different settings for High Risk and Low Risk processes
    
    NOTE: If using High Risk and Low Risk process scan settings, it might be helpful to test these settings one at a time.
- In ePolicy Orchestrator:
  
  NOTE: You can choose to set a unique policy for this test and assign it only to test systems. Copy either the production policy or the McAfee Default policy and make the following changes. To modify policy assignment, use the Modify Policy on a Single System function from the System Tree's Action menu.
  1. Open Policy Catalog and select the On-Access Scan policy.
  2. Click Show Advanced.
  3. Scroll down to the section Processes Settings.
  4. Find the What to Scan setting.
  5. Click Specified file types only.
  6. Enter a value of ZZZ.
  7. Click Save.
  8. If Configure different settings for High Risk and Low Risk processes is enabled, click the High Risk and Low Risk tabs of the Process Types section and repeat the above steps.
    
    NOTE: If using High Risk and Low Risk process scan settings, it might be helpful to test these settings one at a time.
For MOVE AV Agentless/Multi-platform, set the File Types to Scan to ZZZ in the On-Access Scan policy:

NOTE: You can choose to set a unique policy for this test and assign it only to test systems. Copy either the production policy or the McAfee Default policy and make the following changes. Use the Modify Policy on a Single System function from the System Tree's Action menu and the modify policy assignment.
1. In ePolicy Orchestrator, open Policy Catalog.
2. Click the On-Access Scan policy.
3. Click Show Advanced.
4. Scroll down to File Types to Scan.
5. Click Following only.
6. Click Add.
7. Enter a value of ZZZ.
8. Click OK.
9. Remove any other extensions already listed.
10. Save the policy.
11. Use an Agent wake-up call with the forced policy option, and enforce the policy on the system. Or, on Agentless SVMs, use the cmdagent -c -e function from /opt/McAfee/agent/bin/ in the console, or in Multi-platform SVMs, use the Check New Policy button on that system's Agent Status Monitor.
For VirusScan Enterprise, set the What to scan property to ZZZ in the On-Access Scan module:
- On the VirusScan Enterprise client:
  1. Right-click On-Access Scan and select Properties.
  2. Click All Processes.
  3. Click the Scan Items tab.
  4. For the What to scan property, click Specified File Types Only.
  5. Click Specified.
  6. Enter a value of ZZZ.
  7. Click Add.
  8. Click OK.
  9. Click Apply.
  10. Repeat these steps for High Risk processes and Low Risk processes if they’re enabled.
    
    NOTE: If using High Risk and Low Risk process scan settings, it might be helpful to test these settings one at a time.
- In ePolicy Orchestrator:
  
  NOTE: You can choose to set a unique policy for this test and assign it only to test systems. Copy either the production policy or the McAfee Default policy and make the following changes. Use the Modify Policy on a Single System function from the System Tree's Action menu, and modify the policy assignment.
  1. Open Policy Catalog and select the On-Access Scan Default Processes Policy.
  2. Click the Scan Items tab.
  3. For the File Types to Scan property, click Specified File Types Only.
  4. Enter a value of ZZZ.
  5. Click Save.
  6. Repeat these steps for High Risk processes and Low Risk processes if they’re enabled.
    
    NOTE: If using High Risk and Low Risk process scan settings, it might be helpful to test these settings one at a time.
  7. Use an Agent wake-up call with the forced policy option, and enforce the policy on the system. Or, use the Check New Policy button on that system's Agent Status Monitor.
For VirusScan Enterprise for Linux, set the What to Scan property to ZZZ in the On-Access Scanning policy:

NOTE: You can choose to set a unique policy for this test and assign it only to test systems. Copy either the production policy or the McAfee Default policy and make the following changes. Use the Modify Policy on a Single System function from the System Tree's Action menu, and modify the policy assignment.
1. In ePolicy Orchestrator, open Policy Catalog.
2. Click the On-Access Scanning Policy.
3. Click the Detections tab.
4. Change the What to Scan setting to Specified file types.
5. Enter a value of ZZZ.
6. Click Save.
7. Use an Agent wake-up call with the forced policy option, and enforce the policy on the system. Or, use the cmdagent -c -e function from /opt/McAfee/agent/bin/ in the console.

Progressively disable components in McAfee Enterprise software to locate the specific component involved in the resource use issue

If the ZZZ test doesn’t alleviate the high CPU utilization, the scan engine is efficiently scanning all files that are sent to it. The next step is to determine exactly which subcomponent of the real-time antimalware scanner is causing the symptom. To investigate, disable the features of the product, one at a time. Between each, replicate the high CPU event and observe whether the high CPU utilization is alleviated.

For all Endpoint Security platforms:
1. Disable On-Access Scan. If the high CPU utilization drops, re-enable On-Access Scan and then disable the following options and test after each. Otherwise, continue to the next step.
  - Scan Boot Sectors
  - Scan Processes on enable
  - Scan Trusted installers (if there’s an application installation involved)
  - ScriptScan
  - Scan on Network Drives
  - Scan when writing to disk
  - Scan when reading from disk
  - Find unknown unwanted programs and trojans
  - Find unknown macro threats
  - Scan inside archives
  - Decode MIME encoded files
  - Detect unwanted programs
2. Disable Access Protection. If the high CPU utilization drops, re-enable Access Protection and then disable blocking and reporting on each of the Access Protection Rules and test after each. Otherwise, continue to the next step.
3. Disable Exploit Prevention. If the high CPU utilization drops, re-enable Exploit Prevention and then disable each signature and Application Protection Rule and test after each.
For MOVE AV Agentless/Multi-platform:
1. Disable Scan files when writing to disk and test. If the high CPU utilization doesn’t drop, continue to the next step.
2. Disable Scan files when reading from disk and test. If the high CPU utilization doesn’t drop, continue to the next step.
3. Disable Scan files on network mounted volumes and test.
For VirusScan Enterprise:
1. Disable On-Access Scan. If the high CPU utilization drops, re-enable On-Access Scan and then disable the following components and test after each. Otherwise, continue to the next step.
  - Scan Boot Sectors
  - Scan Processes on enable
  - Scan Trusted installers (if there’s an application installation involved)
  - ScriptScan
  - Scan on Network Drives
  - Scan when writing to disk
  - Scan when reading from disk
  - Find unknown unwanted programs and trojans
  - Find unknown macro threats
  - Scan inside archives
  - Decode MIME encoded files
  - Detect unwanted programs
2. Disable Access Protection. If the high CPU utilization drops:
  1. Re-enable Access Protection.
  2. Disable blocking and reporting on each of the Access Protection Rules and test after each.
    
    Otherwise, continue to the next step.
3. Disable On-Delivery Email Scanner. If the high CPU utilization drops, disable all subcomponents of the On-Delivery Email Scanner and test after each.
For VirusScan Enterprise for Linux:
Disable On-Access Scan. If the high CPU utilization drops, re-enable On-Access Scan and then disable the following components and test after each.
- Scan files when writing to disk
- Scan files when reading from disk
- Scan files on network mounted volumes
- Find unknown program viruses
- Find unknown macro viruses
- Find potentially unwanted programs
- Find joke programs
- Scan inside multiple-file archives
- Decode MIME encoded files

Review the logs for the problematic component

After you’ve identified the problematic component, it’s often helpful to review the logs for that component. The logs frequently identify the cause of the issue. For example, the VirusScan Enterprise log for On-Access Scan might be saturated with scan time-out messages from specific directories. These messages might even all be associated with the same third-party application.

Most McAfee Enterprise product logs for Windows systems are located under %programdata%\McAfee\. MOVE AV Multi-platform logs are located in the installation directory for the product at c:\program files (x86)\McAfee\MOVE AV Server. McAfee Enterprise logs from Mac and Linux systems are more easily viewed by collecting a Minimum Escalation Requirements (MER) file from the particular system. Review the following articles for instructions to collect a MER file:

Identify third-party applications involved in the issue

It can be helpful to identify which program is causing the most disk activity, which results in the most scan activity. Usually, the scan process (such as McShield.exe, Nails, or oasmanager) is the top resource consumer and the application prompting the disk activity is the second highest CPU consumer. But, not all cases are that straightforward. If further clarification is needed, reintroduce the high CPU state and then begin shutting down third-party applications. After you identify the problematic application, attempt to progressively disable subcomponents of that application where appropriate.

Uninstall McAfee Enterprise software

If none of the above progressive disablement has shown a drop in the CPU utilization, uninstall the McAfee real-time antimalware scanning software and then check the state of the CPU utilization.

Solution

The results of the previous data collection steps indicate what is causing the issue, and provide a method of tuning the configuration to bypass the problematic component.

Create exclusions:
If the ZZZ test alleviated the issue, there’s a clear need to exclude a directory, file type, or process from the On-Access Scan component. Begin by cataloging all trusted third-party applications on the system. Contact the vendor for each, to obtain a set of recommended exclusions for antimalware software. Exclusions are a list of folders that aren't scanned, and a list of running processes that don’t trigger a scan when requesting disk activity. Exclude the folders and, if the antimalware product is Endpoint Security or VirusScan Enterprise, add the processes to the Low Risk processes profile. Make sure to either disable Scan on Read, Scan on Write, or both, as needed.

When the above doesn’t completely alleviate the issue, review the scan logs for scan time-out events. If there’s a consistent pattern, that might indicate you need more exclusions.

Process Monitor, a tool from the Microsoft Sysinternals suite, can also help if further tuning is needed. The active scan process for VirusScan Enterprise and MOVE AV Agentless/Multi-platform is McShield.exe. The active scan process for Endpoint Security is enstp.exe.

If disabling one of the other components alleviated the issue, such as ScriptScan, Access Protection, or Exploit Prevention, create exclusions for the affected component. Some of these components exclude directory paths, while others exclude processes running in memory. Review the appropriate section of the Product Guide for your product version for details. In these cases, product logs usually reveal the source of the resource issue.

Conflicts with third-party applications:
A conflict between that application and the McAfee Enterprise software must be resolved if:

Uninstalling the McAfee Enterprise antimalware product alleviated the issue.
Or
The source of the conflict can be identified by uninstalling a third-party application

Frequently, these types of issues are already known. Make sure that both your McAfee Enterprise software and the third-party product are up to date with the latest updates or hotfixes. Also, review the Known Issues article for the affected McAfee product. If the issue is already documented, there might be a workaround. If that doesn’t resolve the issue, for application conflict investigation, see: KB73182 - McAfee support statement for compatibility issues between McAfee Enterprise products and third-party applications. For Endpoint Security, there’s a data collection procedure that can be helpful in providing detailed information about McAfee Enterprise products. For instructions, see: KB86691 - Minimum data collection steps for Endpoint Security issues.

Related Information

For product documents, go to the Enterprise Product Documentation portal.

Affected Products

Diagnostic Data Collection
Endpoint Security for Linux Threat Prevention 10.x
Endpoint Security for Mac Threat Prevention 10.x
Endpoint Security Threat Prevention 10.7.x
Endpoint Security Threat Prevention 10.6.x
MOVE Antivirus Agentless 4.8.x
MOVE Antivirus Agentless 4.7.x
MOVE Antivirus Multi-platform 4.8.x
MOVE Antivirus Multi-platform 4.7.x
MOVE Antivirus Multi-platform 4.6.x
Troubleshooting
VirusScan Enterprise 8.8
VirusScan Enterprise for Linux 2.0.x
VirusScan Enterprise for Linux 1.9.x

Languages:

This article is available in the following languages:

German
English United States
Spanish Spain
French
Italian
Japanese
Portuguese Brasileiro
Chinese Simplified

Glossary of Technical Terms

Highlight Glossary Terms

Please take a moment to browse our Glossary of Technical Terms.

Knowledge Center

Troubleshoot high CPU by the real-time antimalware scanner

Environment

Summary

Cause

Solution

Related Information

Affected Products

Languages:

Glossary of Technical Terms

Title

Title

Knowledge Center

Troubleshoot high CPU by the real-time antimalware scanner

Environment

Summary

Cause

Solution

Related Information

Affected Products

Languages:

Glossary of Technical Terms

Choose your region

Title

Title