I work for a company providing servers and software to the client. We provide the servers, manage the OS and install and support the application. These servers sit on the customer domain and have their Enterprise AV solution installed. 

The customer upgraded from VSE 8.8 to ENS back in 2017 and we have had multiple different issues since then.

Most of these issues have been resolved over time by various McAfee updates, however the most recent issue is a little perplexing. 

For about 2 1/2 months now, since upgrading to ENS 10.6.1.1124, I have noted mcshield.exe producing a large amount of IOPS Other (non disk read/writes) activity, which I believe is causing a performance degradation over time that did not exist before this upgrade. 
The customer has applied AV exclusions for our software successfully and the disk I/O from mcshield.exe is very small. However the non disk I/O is through the roof, often upwards of 3000 operations per second. 
When checking this using Process Monitor, I can see 1000's of QueryOpen (fastio_query_network_open) events by mcshield.exe

I initially believed this was some initial operation by the On Access scanner to determine if the file should be scanned, however the customer ICT dept have advised that they have disabled the OAS and I am still seeing this activity.

So my question is as follows:

If the OAS is disabled, and the files are correctly excluded from scanning, what is mcshield.exe doing with these files?
NB: The issue occurs on what is essentially a file server, files are written and read over network constantly.