It's under orchestration, and I am aware of the fact that ePO periodically overwrites my config and restarts OAS. However, in this particular case, MFEConsole on the endpoint consistently reported that OAS was NOT active at the time (I even restarted MFEConsole to make sure) yet there was mcshield.exe pegged on one core.
I just repeated the process described above (restarted MFEConsole, unlocked the admin i/f on it, and unchecked the On-Access Scan and Access Protection checkboxes under "Threat Prevention"). McShield is still eating up a full core and continues to eat it (it's not winding down).
Stack trace of busy thread (via Process Explorer):
According to Process Monitor, it's recursively scanning my filesystem (millions of files), despite my not having kicked off a manual scan *AND* OAS being disabled. I'd be tempted to think that the fact of my resizing the partition just before mcshield.exe went bananas might have been misinterpreted as insertion of a removable drive and that there is a policy to scan removable drives upon insertion -- though I see no evidence of such an option/policy in MFEConsole.
The solution was (for now) to add the volume(s) in question to the excluded directory lists, and mcshield.exe quieted down. ePO will eventually overwrite my exclusions.