cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Highlighted

Pagefile.sys scanned?

Jump to solution

Hello,

 

We have a customer seeing mcshield scan "pagefile.sys" which might have some impact on performance.

Has anyone seen this behaviour on a server?

According below article it is not necessary but doesn't exclude the fact what ENS does when the file is being used.
If "pagefile" indeed is used by OS during workhours for virtual memory (read/write) - shouldn't the Read scanner also kick in and scan this file via OAS in theory?

https://kc.mcafee.com/corporate/index?page=content&id=KB82021

 

 

Regards.

1 Solution

Accepted Solutions
Highlighted
McAfee Employee
McAfee Employee
Report Inappropriate Content
Message 5 of 5

Re: Pagefile.sys scanned?

Jump to solution

Hi @th3stinger,

Very interesting Question! Thank you for posting this! Pagefile.sys can be scanned by OAS if it was being backed up as a file. I would like to share an interesting excerpt from one of my Service Request where we had malware detection from Pagefile.sys.

This detection came up when VSS tried to backup pagefile.sys (not recommended by MS). We have seen this behavior (detection under pagefile.sys). So if you ever come across such a situation, you can be assured that such detections do not happen from within pagefile.sys but from a backup or copy of it that has been taken to a physical location usually a VSS directory or similar!

Unless and otherwise such explicit actions are taken, we do not scan pagefile.sys directly. To confirm what process and files are being scanned by us causing performance issues, please use McAfee profiler tool which can be downloaded using your Service Portal Account: https://support.mcafee.com/profiler

As @chealey said, I am just as curious to know what is happening here based on logs and I would love to see a Service Request on this and please feel free to tag me in it or DM me so that I can work closely on the same!

Was my reply helpful?
If you find this post useful, Please give it a Kudos! Also, Please don't forget to select "Accept as a solution" if this reply resolves your query!

Thanks and regards,
Adithyan T

View solution in original post

4 Replies
McAfee Employee
McAfee Employee
Report Inappropriate Content
Message 2 of 5

Re: Pagefile.sys scanned?

Jump to solution

Hi @th3stinger 

May I ask what makes you believe the file is being scanned by us? How have you determined this?

The reason I ask is because we don't scan pagefile.sys. So I would be very surprised to hear this is happening.

Was my reply helpful?
If this information was helpful in any way, or answered your question, will you please select "Accept as Solution" in my reply, or give kudos as appropriate, so together we can help other members?
Highlighted

Re: Pagefile.sys scanned?

Jump to solution
Im also suprised because this is the first time we hear about this.
But nevertheless, nothing is impossible which is why I pop the question and possibility.

I will investigate this furthur and see if we can get more data.
Highlighted
McAfee Employee
McAfee Employee
Report Inappropriate Content
Message 4 of 5

Re: Pagefile.sys scanned?

Jump to solution

🙂 absolutely!

Please do feel free to follow up with more info/ data. I'd be very interested in investigating this. What I suspect is - potentially someone has reviewed the activities of mcshield.exe in procmon. You will likely see mcshield.exe accessing pagefile.sys in procmon and the reason for this is that mcshield will touch everything that triggers a read/ write action. This does not however mean that mcshield is scanning it. Pagefile.sys is exlcuded (hardcoded) from scanning so mcshield will still "touch" it, see it's excluded and will release it again without actually having done anything with it. Hope that makes sense and might help explain the behaviour you are seeing 🙂

Was my reply helpful?
If this information was helpful in any way, or answered your question, will you please select "Accept as Solution" in my reply, or give kudos as appropriate, so together we can help other members?
Highlighted
McAfee Employee
McAfee Employee
Report Inappropriate Content
Message 5 of 5

Re: Pagefile.sys scanned?

Jump to solution

Hi @th3stinger,

Very interesting Question! Thank you for posting this! Pagefile.sys can be scanned by OAS if it was being backed up as a file. I would like to share an interesting excerpt from one of my Service Request where we had malware detection from Pagefile.sys.

This detection came up when VSS tried to backup pagefile.sys (not recommended by MS). We have seen this behavior (detection under pagefile.sys). So if you ever come across such a situation, you can be assured that such detections do not happen from within pagefile.sys but from a backup or copy of it that has been taken to a physical location usually a VSS directory or similar!

Unless and otherwise such explicit actions are taken, we do not scan pagefile.sys directly. To confirm what process and files are being scanned by us causing performance issues, please use McAfee profiler tool which can be downloaded using your Service Portal Account: https://support.mcafee.com/profiler

As @chealey said, I am just as curious to know what is happening here based on logs and I would love to see a Service Request on this and please feel free to tag me in it or DM me so that I can work closely on the same!

Was my reply helpful?
If you find this post useful, Please give it a Kudos! Also, Please don't forget to select "Accept as a solution" if this reply resolves your query!

Thanks and regards,
Adithyan T

View solution in original post

You Deserve an Award
Don't forget, when your helpful posts earn a kudos or get accepted as a solution you can unlock perks and badges. Those aren't the only badges, either. How many can you collect? Click here to learn more.

Community Help Hub

    New to the forums or need help finding your way around the forums? There's a whole hub of community resources to help you.

  • Find Forum FAQs
  • Learn How to Earn Badges
  • Ask for Help
Go to Community Help

Join the Community

    Thousands of customers use the McAfee Community for peer-to-peer and expert product support. Enjoy these benefits with a free membership:

  • Get helpful solutions from McAfee experts.
  • Stay connected to product conversations that matter to you.
  • Participate in product groups led by McAfee employees.
Join the Community
Join the Community