We have a customer seeing mcshield scan "pagefile.sys" which might have some impact on performance.
Has anyone seen this behaviour on a server?
According to the article below, it is not necessary, but that doesn't exclude the fact of what ENS does when the file is being used.
If "pagefile" is indeed used by the OS during work hours for virtual memory (read/write), shouldn't the Read scanner also kick in and scan this file via OAS, in theory?
May I ask what makes you believe the file is being scanned by us? How have you determined this?
The reason I ask is because we don't scan pagefile.sys. So I would be very surprised to hear this is happening.
Please do feel free to follow up with more info/data. I'd be very interested in investigating this. What I suspect is that potentially someone has reviewed the activities of mcshield.exe in procmon. You will likely see mcshield.exe accessing pagefile.sys in procmon, and the reason for this is that mcshield will touch everything that triggers a read/write action. This does not, however, mean that mcshield is scanning it. Pagefile.sys is excluded (hardcoded) from scanning, so mcshield will still "touch" it, see it's excluded and will release it again without actually having done anything with it. Hope that makes sense and might help explain the behaviour you are seeing 🙂
Very interesting question! Thank you for posting this! Pagefile.sys can be scanned by OAS if it was being backed up as a file. I would like to share an interesting excerpt from one of my Service Requests where we had a malware detection from Pagefile.sys.
This detection came up when VSS tried to back up pagefile.sys (not recommended by MS). We have seen this behavior (detection under pagefile.sys). So if you ever come across such a situation, you can be assured that such detections do not happen from within pagefile.sys but from a backup or copy of it that has been taken to a physical location, usually a VSS directory or similar!
Unless such explicit actions are taken, we do not scan pagefile.sys directly. To confirm which processes and files are being scanned by us and causing performance issues, please use the McAfee profiler tool, which can be downloaded using your Service Portal Account: https://support.mcafee.com/profiler
As @chealey said, I am just as curious to know what is happening here based on logs and I would love to see a Service Request on this and please feel free to tag me in it or DM me so that I can work closely on the same!