I work for a company providing servers and software to the client. We provide the servers, manage the OS and install and support the application. These servers sit on the customer domain and have their Enterprise AV solution installed.
The customer upgraded from VSE 8.8 to ENS back in 2017 and we have had multiple different issues since then.
Most of these issues have been resolved over time by various McAfee updates, however the most recent issue is a little perplexing.
For about 2 1/2 months now, since upgrading to ENS 10.6.1.1124, I have noted mcshield.exe producing a large amount of IOPS Other (non disk read/writes) activity, which I believe is causing a performance degradation over time that did not exist before this upgrade.
The customer has applied AV exclusions for our software successfully and the disk I/O from mcshield.exe is very small. However the non disk I/O is through the roof, often upwards of 3000 operations per second.
When checking this using Process Monitor, I can see 1000's of QueryOpen (fastio_query_network_open) events by mcshield.exe
I initially believed this was some initial operation by the On Access scanner to determine if the file should be scanned, however the customer ICT dept have advised that they have disabled the OAS and I am still seeing this activity.
So my question is as follows:
If the OAS is disabled, and the files are correctly excluded from scanning, what is mcshield.exe doing with these files?
NB: The issue occurs on what is essentially a file server, files are written and read over network constantly.
@Former Member Please read the Kb article KB89354
Hi Venu, thank you for your reply, but as I mentioned in my original post, the On Access scan is disabled entirely. There is no scanning of files and disk I/O is minimal from mcshield.exe
My query is to find assistance to what mcshield.exe is doing if it's not On Access scanning..
Do you have ENS ATP also installed? The mcshield service is used for some of those activities too.
Hi, no the adaptive threat protection has also been disabled as it was constantly scanning critical application binaries and for some reason the customer decided it would be easier to disable the module than add exclusions.
Corporate Headquarters
6220 America Center Drive
San Jose, CA 95002 USA