ENS Threat prevention performance issue

Hi Team, We have recently been testing the McAfee ENS Threat Prevention module and noticed high memory usage (95%) initially during system startup for 10 minutes on all the machines, and then it goes down to 40%. I have also disabled the OAS system startup scan. Please suggest if there are any other options that I can try disabling.
6 Replies
Reliable Contributor Daveb3d
Message 2 of 7

Re: ENS Threat prevention performance issue


Have you added any needed scanning exclusions?

McAfee Employee jess_arman
Message 3 of 7

Re: ENS Threat prevention performance issue


@Majidkhan As Daveb3d has indicated, after installing AV software, there is very often a tuning period during which you need to implement exclusions and customize your scanning policy in order to avoid excessive scanning of trusted, high I/O processes.

There are a few ways that you can identify what may need to be excluded:
First, if you know that you have some software that can be I/O intensive (one example being Citrix) then it is likely that it would need to be excluded, and it's also possible that the vendor of that software has vendor recommended exclusions for using their applications with AV software present. We have consolidated a list of a few "frequent flyer" 3rd party exclusion recommendations, though this is far from comprehensive, in KB66909. We fully defer to the 3rd party recommendations on what they say should be excluded in regards to their software.
Second, once booted, you can use the McAfee Profiler tool to see what is being scanned the most during a captured period.
Also, especially to identify what is being scanned during boot, you can use ProcMon with boot-logging enabled to view the interaction counts and identify the offending process that caused the high utilization during boot. This way, you could leave scanning enabled, but just ignore the identified, trusted process that causes the performance impact. Information regarding boot-logging ProcMon data collection can be found in KB86691.

Information regarding exclusions and wildcards can be found in KB54812.

 


Re: ENS Threat prevention performance issue


Thanks Jess & Dave.

We have the scan exclusions in place. I have run the Profiler tool and don't know why it still shows the same process that I have already excluded in low risk scan from read/write.

This is usually seen after booting the machines, during the first 10 minutes time frame. Will disabling the scan boot sector option be helpful?

Please suggest.

McAfee Employee jess_arman
Message 5 of 7

Re: ENS Threat prevention performance issue


@Majidkhan If Profiler still shows the process as being scanned, then it is very likely to be accurate and it's possible there is something wrong with your exclusion to make it not function, or there is an issue with your policy enforcement on the system. 
You say that you have "excluded it" from low-risk processes. Did you actually put it in the exclusion section? If so, that is likely your problem. When "low-risking" a process, you should not put it as an exclusion, but instead define it as a low-risk process, and then select disable scan on read/write for low-risk.

Scanning boot sectors is not very resource intensive and does not take much time. It is not likely a factor. However, if you feel you'd like to test with it disabled then you are able to do so as you're troubleshooting for isolation purposes.

 


Re: ENS Threat prevention performance issue


Hi Jess,

I would like to check with you: is it safe to place the below default process exclusion in low risk? I still see the spike in memory going to 96%, and then after 15 minutes it gradually reduces to 48%. I ran the Profiler during that time and noticed the below processes with high read/write count.

Please suggest.

Chrome.exe - Default process risk - Read/write count 491
svchost.exe - Default process risk - Read/write count 166
CcmExec.exe - Default process risk - Read/write count 57

McAfee Employee chealey
Message 7 of 7

Re: ENS Threat prevention performance issue


Whether it's safe or not to add exclusions should be discussed with each specific vendor; however, no, it is not safe to add those exclusions. SVCHOST and Chrome would be considered high risk processes in regards to introducing malware into your environment. Be aware when you add items as low risk processes, you are saying they shouldn't be scanned / scanned less, dependent on your scan settings.

The needed SCCM exclusions can be seen in this Microsoft KB article:
https://support.microsoft.com/en-gb/help/327453/recommended-antivirus-exclusions-for-configuration-m...

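Added example, not part of the thread and not McAfee tooling: a Python script that ranks processes by file I/O in a ProcMon boot log saved as CSV (the data source reply 3 recommends) and marks the processes reply 7 says should stay at default risk. The sample rows, the set of counted operations and the function names are constructed for this example.

```python
import csv
import io
from collections import Counter

# Processes that reply 7 in this thread says must not be made low-risk.
KEEP_SCANNED = {"chrome.exe", "svchost.exe"}
# File operations counted as scanner-relevant I/O (assumption of this example).
FILE_OPS = {"CreateFile", "ReadFile", "WriteFile"}

# Constructed sample rows in the column layout of a ProcMon CSV export.
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"9:00:01.1 AM","chrome.exe","4120","ReadFile","C:\Users\u\AppData\Local\cache\f_01","SUCCESS",""
"9:00:01.2 AM","chrome.exe","4120","WriteFile","C:\Users\u\AppData\Local\cache\f_01","SUCCESS",""
"9:00:01.3 AM","Chrome.exe","4120","ReadFile","C:\Users\u\AppData\Local\cache\f_02","SUCCESS",""
"9:00:01.4 AM","chrome.exe","4120","CreateFile","C:\Users\u\AppData\Local\cache\f_03","SUCCESS",""
"9:00:02.1 AM","CcmExec.exe","2300","WriteFile","C:\Windows\CCM\Logs\CcmExec.log","SUCCESS",""
"9:00:02.2 AM","CcmExec.exe","2300","ReadFile","C:\Windows\CCM\sample.dat","SUCCESS",""
"9:00:02.3 AM","CcmExec.exe","2300","WriteFile","C:\Windows\CCM\Logs\CcmExec.log","SUCCESS",""
"9:00:03.1 AM","svchost.exe","980","ReadFile","C:\Windows\System32\sample.dll","SUCCESS",""
"9:00:03.2 AM","svchost.exe","980","RegQueryValue","HKLM\SOFTWARE\Sample","SUCCESS",""
"9:00:03.3 AM","svchost.exe","980","CreateFile","C:\Windows\Temp\sample.tmp","SUCCESS",""
'''

def io_by_process(csv_text):
    """Count file operations per process, ignoring case in the image name."""
    counts = Counter()
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Operation"] in FILE_OPS:  # registry and other events are skipped
            counts[row["Process Name"].lower()] += 1
    return counts

def triage(counts, top=5):
    """Rank the busiest processes and attach the guidance given in the thread."""
    report = []
    for name, n in counts.most_common(top):
        if name in KEEP_SCANNED:
            advice = "keep default risk, do not low-risk"
        else:
            advice = "candidate, confirm against vendor exclusion guidance"
        report.append((name, n, advice))
    return report

if __name__ == "__main__":
    # For a real export: open(path, encoding="utf-8-sig", newline="").read()
    for name, n, advice in triage(io_by_process(SAMPLE_CSV)):
        print(f"{name:<14}{n:>6}  {advice}")
```

A process marked as a candidate is only a starting point for checking the vendor's published exclusion list, as both McAfee replies state.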