cancel
Showing results for 
Search instead for 
Did you mean: 

See what On Access Scan is actually scanning

Hi Guys,

We are using VSE 8.7 on all of our workstations and lots of the workstations use an intranet site throughout the day but a few of them are having problems with the performance of the site. What we have found is that when the site is running slowly for them the McShield.exe process is taking up a large amount of the CPU on each workstation. Is there any way we can get VSE to log exactly what it is scanning? This doesn't happen all the time so I don't want to have to sit there and watch the "last file scanned" thing for ages whilst the user's try to access the site (also this wouldn't be very accurate as I could easily miss something).

Thanks, Chris

10 Replies
Reliable Contributor rmetzger
Reliable Contributor
Report Inappropriate Content
Message 2 of 11

Re: See what On Access Scan is actually scanning

chris128 wrote:

Hi Guys,

We are using VSE 8.7 on all of our workstations and lots of the workstations use an intranet site throughout the day but a few of them are having problems with the performance of the site. What we have found is that when the site is running slowly for them the McShield.exe process is taking up a large amount of the CPU on each workstation. Is there any way we can get VSE to log exactly what it is scanning? This doesn't happen all the time so I don't want to have to sit there and watch the "last file scanned" thing for ages whilst the user's try to access the site (also this wouldn't be very accurate as I could easily miss something).

Thanks, Chris

Hi Chris,

It sounds like you need to analyze the differences between those who do not see the problem and those who do, correct?

A couple of questions:

  1. Are these systems (having problems) 32 bit or 64 bit Windows?
  2. Is .Net Framework v2.0 installed?
  3. Have you White Listed or changed the White Listing of your intranet site

McAfee has a tool for helping with this analysis.

Profiler requires .Net Framework 2.0 to be installed and works on 32 bit Windows (XP and above).

Hopefully this tool can help isolate what is happening on both the good and badly behaving systems.

Let us know if this helps.

Ron Metzger

Thanks,
Ron Metzger

Was my reply helpful?
If this information was helpful in any way or answered your question, will you please select Accept as Solution in my reply and together we can help other members?
woodsjw
Level 7
Report Inappropriate Content
Message 3 of 11

Re: See what On Access Scan is actually scanning

Check out VirusScan Profiler:

What is McAfee VirusScan Profiler? 
McAfee VirusScan Profiler provides administrators the ability to  see how McAfee processes are affecting their systems and ultimately  performance.

McAfee VirusScan Profiler gathers statistics from  systems and shows how on-access scan is affecting the CPU. McAfee Profiler  captures top processes and files that are accessed by on-access scan. Based on  the data collected, an administrator can decide if they want to exclude a  process or a file for scanning to lessen the impact on the system.

To download the McAfee VirusScan  Profiler:

  1. Go to  http://mer.mcafee.com/enduser/downloadmcprofiler.aspx.
  2. Accept the license agreement, and then click  Download.

Ron beat me to it!

Message was edited by: woodsjw on 10/22/10 8:23:25 AM GMT-08:00
sgrimmel
Level 11
Report Inappropriate Content
Message 4 of 11

Re: See what On Access Scan is actually scanning

See also KnowledgeBase article KB69683 with a link to the documentation.

HTH

Re: See what On Access Scan is actually scanning

Thanks for the replies guys, I ran the Profiler and got the user to try doing something on the website that goes slow (sure enough McShield started taking up around 70% of the CPU again). However, looking at the profiler log all I can see is that it scans the following, all in the temporary internet files folder:

FileRead/Write CountPercentage
trident[1].js517%
dxr[3].axd413%
dxr[4].axd413%
salescontracts[1].htm310%
scriptresource[1].axd310%

The thing is though, I can't just exclude the temporary internet files folder because obviously that is one of the most likely locations for a virus to originate from, so any ideas how we can avoid this? I'm going to run the profiler on some of the workstations that do not have this problem and see what sort of stats they report but not sure how that is going to help either way really..

Thanks

Chris

Mal09
Level 12
Report Inappropriate Content
Message 6 of 11

Re: See what On Access Scan is actually scanning

I suspect it's actually an issue with Scriptscan with that website - not the actual On-Demand scanner. From memory, profiler won't seperate out what is being scanned.

Have a look at whitelisting the website

https://kc.mcafee.com/corporate/index?page=content&id=KB65382

Re: See what On Access Scan is actually scanning

Thanks that sounds like it will help and even if it doesn't sort out this problem I'm sure its worth doing for our internal websites. Will give it a go and let you know the results thanks

Re: See what On Access Scan is actually scanning

Adding the site to the ExcludedURLs registry key seems to have made a big improvement thanks! We have now rolled this out to all of our workstations via group policy (if anyone wants the group policy ADM file I made for controlling this setting just let me know).

JoeMace
Level 8
Report Inappropriate Content
Message 9 of 11

Re: See what On Access Scan is actually scanning

@chris128

 

Would you mind giving me some pointers please?

McAfee Employee chealey
McAfee Employee
Report Inappropriate Content
Message 10 of 11

Re: See what On Access Scan is actually scanning

Hi all, whilst profiler is very handy to do a basic analysis of what the scanner is doing, the following KB will help assess potential exclusions what the scanner is touching - bare in mind, this will also show you already excluded paths!

https://kc.mcafee.com/corporate/index?page=content&id=KB50981

Was my reply helpful?
If this information was helpful in any way, or answered your question, will you please select "Accept as Solution" in my reply, or give kudos as appropriate, so together we can help other members?
More McAfee Tools to Help You
  • Subscription Service Notification (SNS)
  • How-to: Endpoint Removal Tool
  • Support: Endpoint Security
  • eSupport: Policy Orchestrator
  • Community Help Hub

      New to the forums or need help finding your way around the forums? There's a whole hub of community resources to help you.

    • Find Forum FAQs
    • Learn How to Earn Badges
    • Ask for Help
    Go to Community Help

    Join the Community

      Thousands of customers use the McAfee Community for peer-to-peer and expert product support. Enjoy these benefits with a free membership:

    • Get helpful solutions from McAfee experts.
    • Stay connected to product conversations that matter to you.
    • Participate in product groups led by McAfee employees.
    Join the Community
    Join the Community