cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
AdithyanT
McAfee Employee
McAfee Employee
Report Inappropriate Content
Message 1 of 1
‎05-17-2022 01:40 AM

Optimizing ENS On Access Scan

Hello All,

This write up is an extremely simplified guide on how we can use basic configuration options available to troubleshoot and optimize OAS (On Access Scan) in ENS.

For a complete outlook on ENS OAS and its working please refer here:

https://docs.trellix.com/bundle/endpoint-security-10.7.x-product-guide-windows/page/GUID-5A870D4E-FF...

Firstly, On access scan is all about scan on 2 specific actions performed on disk, namely Read and Write.

Any process that runs on your machine is subject to On Access Scan when it performs any of the above 2 actions on the disk unless the process is excluded.

There are 2 ways to configure OAS process settings:

  • Use Standard settings for all processes
  • Configure different settings for High Risk and Low Risk processes

Here is a KBA that is going to talk in depth of what is scanning profile, how the exclusions for processes:

https://kc.mcafee.com/corporate/index?page=content&id=KB88595

You will find below very simple and easy steps to isolate and/or troubleshoot OAS related issues, especially performance issues!

Typical issues faced with OAS:

  1. How do I confirm if OAS is running fine on my machine?
    EICAR test! More details in the below KBA:
    https://kc.mcafee.com/corporate/index?page=content&id=KB59742 
  2. OAS is consuming High CPU, what should I do?

The process that takes care of OAS is mcshield.exe. When this process consumes HIGH CPU for a longer duration, It is first very important to check if this is indeed OAS consuming high CPU or if it is ODS.

So, please look for any running scans on the endpoint and if you do not find any scans running on the machine (You can open the local ENS console and check under "Scan System" button to see if any scans are currently running or  open ODS log file "OnDemandScan_Activity" under C:\ProgramData\McAfee\Endpoint Security\Logs to look for any actively running on demand scan.

Once you have confirmed that there are no active scans, we can be sure that the High CPU usage from mcshield.exe is by OAS.

In order to resolve High CPU usage by OAS, we need to understand what is causing it. On Access Scanner consumes more resources only when the machine is running an application/program that is requesting more resources or is performing a lot of activities that demands us to use the scanner more!

Trellix has provided a very useful tool called McAfee profiler that hooks on to our scanner process, looks around for what is being scanned by us and gives you a very simplified report of what process and file activities are being scanned by us.

Link to download tool: https://support.mcafee.com/webcenter/portal/supportportal/pages_tools/toolsMcAfeeProfiler

More details on the tool: https://kc.mcafee.com/corporate/index?page=content&id=KB69683

Steps to follow here:

  • Install and Launch Profiler tool when issue is seen.
  • Please capture 5 to 10 minutes of events depending on the duration of the High CPU consumption.
  • Once capture is done, please look into the "Top Processes" and "Top Files" that were consuming resources.
  • Please note down the list of processes consuming High CPU and add them to your OAS policy as Low risk process provided the process is trusted by you.
  • Also look for folders that has the post read and write activity and add those to be excluded under files and folder exclusions in both Standard and High Risk process tab in OAS policy.

As a best practice, collect a list of commonly used applications in your organization and get their respective vendor recommendations for exclusions and ensure those exclusions are added to your OAS policies as needed. To help you with some well-known vendor recommendations, please find our master KBA on the same:

https://kc.mcafee.com/corporate/index?page=content&id=KB66909

Declaring processes as low risk will ensure that the Reads and Writes they perform on the disk is being excluded by OAS from scanning, thereby reducing CPU utilization from our end.

More On Access Scan related best practices can be found here:

https://kc.mcafee.com/corporate/index?page=content&id=KB88205#onaccess

Sincerely hope this helps! Happy Troubleshooting!

Was my reply helpful?
If you find this post useful, Please give it a Kudos! Also, Please don't forget to select "Accept as a solution" if this reply resolves your query!

Thanks and regards,
Adithyan T
You Deserve an Award
Don't forget, when your helpful posts earn a kudos or get accepted as a solution you can unlock perks and badges. Those aren't the only badges, either. How many can you collect? Click here to learn more.

Community Help Hub

    New to the forums or need help finding your way around the forums? There's a whole hub of community resources to help you.

  • Find Forum FAQs
  • Learn How to Earn Badges
  • Ask for Help
Go to Community Help

Join the Community

    Thousands of customers use the McAfee Community for peer-to-peer and expert product support. Enjoy these benefits with a free membership:

  • Get helpful solutions from McAfee experts.
  • Stay connected to product conversations that matter to you.
  • Participate in product groups led by McAfee employees.
Join the Community
Join the Community


Corporate Headquarters
6220 America Center Drive
San Jose, CA 95002 USA

Consumer Support   |   Enterprise Support   |   McAfee.com for Enterprise

Legal   |   Privacy   |   Copyright © 2021 Musarubra US LLC