cancel
Showing results for 
Search instead for 
Did you mean: 
Highlighted

VSE ODS and OAS high CPU utilization.

Hi Mcafee experts,

We have one dedicated ePO to manage all servers with VSE and we have another one for ENS . The issue we are seeing is on the VSE side. High CPU utilization during OAS and ODS scan.

Since we can't use mcafee profiler, we have been using Procmon to determine what VSE is scanning. Unless we are doing something wrong, we were not able to contained the CPU issue.

Any recommendation would be appreciated. We are in business critical stage.

6 Replies
Reliable Contributor vnaidu
Reliable Contributor
Report Inappropriate Content
Message 2 of 7

Re: VSE ODS and OAS high CPU utilization.

@User16096767

High CPU during ODS is expected behavior and is by design in order to get scans completed as quickly as possible and lessen the window at which the system is at higher duress due to full system scanning alongside the continuous On-Access Scanning. Windows process prioritization will provide the scanner with all of the available resources for this reason, until a process with higher priority requests use where it will temporarily hand it off to the requesting process before handing it back to the scanner. For this reason, we advise that your ODS be scheduled at a non-peak business hour, or on weekends, in order to limit the impact to the end user.

The first configuration change that can assist in making significant changes to scan duration and performance is disabling scanning of archives during ODS. This is considered to be a very minor to non-existent security risk because all files inside an archive are scanned when the archive is opened or extracted, making scanning these files redundant, because OAS will scan the archive if it is accessed or opened at any time and scanning them during an ODS can take some time. This extended time to scan the large archive files prevents Microsoft's priority allocation for resources from handing the processing power to other processes that request it until the entire archive is scanned or the default 45 second timeout is reached. If there is a large number of archives on a system, this scenario is more frequent and can create significant impact to performance and scan duration. This is a likely contributor to why you see the period of time where utilization is peaking to 100% even with "Below Normal" set.
The second change is to change system utilization from "Below Normal" to "Low" in order to set us at the lowest priority for resource allocation. Please keep in mind that this will not eliminate increased CPU consumption by ODS, but can increase the frequency and speed at which resources are handed off to other processes via priority leveling of the OS.

We recommend that you look towards these config changes to assist in lessening the impact of the ODS. However, as described, high CPU during ODS is expected by design, and there is not much that can be done to make a dramatic difference in scanning. Please review the following articles that go further in depth in regards to these concepts:
https://kc.mcafee.com/corporate/index?page=content&id=KB55145
https://kc.mcafee.com/corporate/index?page=content&id=KB85299

You can also review the best practices documentation for optimum ODS configuration: https://kc.mcafee.com/corporate/index?page=content&id=KB74059

 

Was my reply helpful?

If this information was helpful in any way, or answered your question, will you please select "Accept as Solution" in my reply, or give kudos as appropriate, so together we can help other members?

Venu
McAfee Employee chealey
McAfee Employee
Report Inappropriate Content
Message 3 of 7

Re: VSE ODS and OAS high CPU utilization.

Hi @User16096767

As mentioned by @vnaidu high CPU during an ODS task is expected behaviour and can't be changed. If you are still seeing high CPU when you aren't running an ODS task then you can use procmon to see what mcshield is doing. I don't know if you are aware of this KB: https://kc.mcafee.com/corporate/index?page=content&id=KB50981

One crutial test you can do is the "zzz" test - this will help determine if setting exclusions will help you or not: https://kc.mcafee.com/corporate/index?page=content&id=KB67648

One thing you may have not configured is low and high risk processes. Generally certain applications require scanning to be disabled, so .exe files need to be defined as a low risk process - not as a default exclusion. By setting them as a default exclusion you are merely excluded the file and not the process - https://kc.mcafee.com/corporate/index?page=content&id=KB55139

Another thing that causes high CPU is archive scanning. If this is enabled, you will see a performance impact.

If this issue is business impacting, please do call in to support so a remote session can be started and the issue investigated.

Was my reply helpful?
If this information was helpful in any way, or answered your question, will you please select "Accept as Solution" in my reply, or give kudos as appropriate, so together we can help other members?
Bramk
Level 9
Report Inappropriate Content
Message 4 of 7

Re: VSE ODS and OAS high CPU utilization.

I recognize it, we had similar performance issues on the older hardware in the company.. especially on slow disk IO/non-SSD equiped devices. With tuning in policies and  settings it improved a bit but for some devices not enough what helped there was adjusting maxthreads used. Not as a default for all machines, but only on the the machines with extreme slow performance during On Demand Scan. This can be found in the VSE Best pratices guide https://kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/22000/PD22940/en_US/...

page 30, 31

32 bit OS - [HKEY_LOCAL_MACHINE\Software\McAfee\DesktopProtection\Tasks]

64 bit OS - [HKEY_LOCAL_MACHINE\Software\Wow6432Node\McAfee\DesktopProtection\Tasks]

"dwMaxThreadsLow"=dword:00000001

"dwMaxThreadsNormal"=dword:00000001

"dwMaxThreadsBelowNormal"=dword:00000001

Re: VSE ODS and OAS high CPU utilization.

What option should I select?

 

1- Confiugre one scanning policy for all processes or

2-Configure different scanning policies for high-risk, low risk, and default prcesses 

McAfee Employee akatt
McAfee Employee
Report Inappropriate Content
Message 6 of 7

Re: VSE ODS and OAS high CPU utilization.

As simple as the question may seem, this can be drawn out into a conversation that lasts for hours.  I will attempt to simplify the details.

 

Do you want the scanner to behave the same no matter which process is causing the disk read/write activity?  If yes, then use one scan policy for all processes.  This means that if we make an exclusion for say test.exe,  this specific file will not be scanned any time ANY process running on the system accesses the file.

Do you want to configure the scanner to behave differently depending on the process performing the disk read/write activity?  If yes, then configure different scan policies for Default/Low/High-Risk.  This gives us the ability to configure the On-Access Scanner to perform scans based on the list of processes defined within the Low/High-risk processes policies.  As an example, if I no longer wish to scan the disk write activity caused by explorer.exe, I can:

--Enable the option to use Default/Low/High-risk process policies
--Check that Explorer.exe is listed as a defined process within the High-risk processes policy
--Disable scan on write within the High-risk processes policy

Please understand that this is just an example, and not something that should actually be implemented specifically for Explorer.exe (too risky), but it serves to define the differences in the policy configurations.  In doing so, we also have to keep in mind that this would disable scan on write for ALL processes listed within the high-risk processes policy.

Was my reply helpful?

If this information was helpful in any way, or answered your question, will you please select "Accept as Solution" in my reply, or give kudos as appropriate, so together we can help other members?



Reliable Contributor tao
Reliable Contributor
Report Inappropriate Content
Message 7 of 7

Re: VSE ODS and OAS high CPU utilization.

OAS or ODS High CPU utilization; I usually confirm VSE version / Windows OS compatibility. If the compatibility is inline, I then move on to confirming Windows OS recommended exclusions. If the exclusions are inline, I move on to reviewing VSE configuration as to what/when/how items are being scaned.

Supported platforms, environments, and operating systems, for VirusScan Enterprise
https://kc.mcafee.com/corporate/index?page=content&id=KB51111
Microsoft Anti-Virus Exclusion List
https://social.technet.microsoft.com/wiki/contents/articles/953.microsoft-anti-virus-exclusion-list....
Best practices for VirusScan Enterprise
https://kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/22000/PD22940/en_US/...

If this information was helpful or has answered your question, please select Accept as Solution. This will assist other memebers
More McAfee Tools to Help You
  • Subscription Service Notification (SNS)
  • How-to: Endpoint Removal Tool
  • Support: Endpoint Security
  • eSupport: Policy Orchestrator