My first post here, hoping to get some insight on this...
We have all corporate machines running McAfee VirusScan Enterprise and HIPS.
From what I've been told (I'm reasonably new at this company), VirusScan runs a full check on Fridays.
We had about 5-6 people on the Friday just gone (11th March) complaining about how slow their computers are running, only to find that disk and CPU utilisation by McAfee was excessively high.
My question is: Is this normal and can anything be done to reduce the resource usage? Or is this a widespread issue and is there maybe a patch being developed for this?
Please note: The computer that provided the screenshot is a very high power machine and the memory usage of the application below it (LogRhythm Console) is normal - this does not affect the PC's usual running capabilities. Other machines that have consistently average RAM utilisation were still experiencing this issue.
The machine of the screenshot provided was running the following versions:
HIPS build number: 188.8.131.5263
Agent version: 184.108.40.2068
VirusScan Enterprise version: 220.127.116.115
All computers are managed centrally via the ePolicy Orchestrator, so they will all be running the same versions, as far as I'm aware.
I hope this is sufficient information for anyone to respond.
Many thanks in advance for any help.
I've just found another thread dating back to 2012 and they were still having this issue back then, on Patch 1 or 2... We are on Patch 6 and still experiencing this issue.
Regarding the ProTip document that you linked, system utilisation is already set to 'Low' and the other options aren't viable for us, as virus protection and computer and data integrity are paramount for us. (Wouldn't be very good if a zip folder containing malicious code, macros or viruses was skipped by McAfee and then ended up compromising our security, would it?)
Is it possible that there was some form of .dat definition update on the day that this happened, which caused it to require more computer power to scan and update?
Hello Anthony, the answer to your first question is no, this is not normal. Here are a few things to keep in mind. If you're managing via ePO, what time of day did they experience it? Staggered, 5pm or another time?
Can you share what kind of troubleshooting you might have attempted? For the purposes of troubleshooting on the client, disable access protection and measure; re-enable it, then disable the on-access scanner and measure. What were your results?
In a very similar setup, except I have Patch 7 for McAfee 8.8 (18.104.22.1688), I was getting this exact same thing. I noticed MACOMPATSVC.EXE getting blocked right before it happened via the AP rule seen below. Once I added this to the exception it went away. I tried calling McAfee support and have a case, but they have not responded to it since 3/15 after daily status update inquiries. McAfee support seems to have taken a break recently. Check your AP logs on those machines to see if something that should be happening for McAfee is being blocked by McAfee.
| 3/14/2016 | 8:54:02 AM | Blocked by Access Protection rule | NT AUTHORITY\SYSTEM | C:\PROGRAM FILES\MCAFEE\AGENT\X86\MACOMPATSVC.EXE | HKLM\SOFTWARE\WOW6432NODE\MCAFEE\SYSTEMCORE\VSCORE\ON ACCESS SCANNER\MCSHIELD\CONFIGURATION\DEFAULT\ | Common Standard Protection:Prevent modification of McAfee files and settings | Action blocked : Write |
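
The check suggested in the post above (look through the Access Protection log for McAfee's own processes being blocked by McAfee), as an added example that is not part of the original thread. It assumes rows shaped like the one posted, with fields separated by pipes or tabs; the first sample row is the one from the post, the others are constructed, and the function names are hypothetical.

```python
import re
from collections import Counter

FIELDS = ("date", "time", "event", "user", "process", "target", "rule", "action")
# Assumption: binaries under a "McAfee" install directory are the product's own.
VENDOR_DIR = re.compile(r"\\(program files( \(x86\))?|programdata)\\mcafee\\", re.I)

def parse_ap_line(line):
    """Split one Access Protection row into named fields; None if malformed."""
    parts = [p.strip() for p in re.split(r"\|+|\t+", line.strip()) if p.strip()]
    return dict(zip(FIELDS, parts)) if len(parts) == len(FIELDS) else None

def is_self_block(entry):
    """True when a McAfee binary was blocked from touching McAfee files or settings."""
    return ("blocked" in entry["event"].lower()
            and VENDOR_DIR.search(entry["process"]) is not None
            and "mcafee" in entry["target"].lower())

def self_blocks(lines):
    """Count self-blocks per (process name, rule) so repeat offenders stand out."""
    hits = Counter()
    for line in lines:
        entry = parse_ap_line(line)
        if entry and is_self_block(entry):
            hits[(entry["process"].rsplit("\\", 1)[-1], entry["rule"])] += 1
    return hits

SAMPLE = [
    # Row posted in the thread.
    r"|3/14/2016||8:54:02 AM||Blocked by Access Protection rule||NT AUTHORITY\SYSTEM||C:\PROGRAM FILES\MCAFEE\AGENT\X86\MACOMPATSVC.EXE||HKLM\SOFTWARE\WOW6432NODE\MCAFEE\SYSTEMCORE\VSCORE\ON ACCESS SCANNER\MCSHIELD\CONFIGURATION\DEFAULT\||Common Standard Protection:Prevent modification of McAfee files and settings||Action blocked : Write|",
    # Constructed: the same process blocked again later.
    r"|3/14/2016||9:54:07 AM||Blocked by Access Protection rule||NT AUTHORITY\SYSTEM||C:\PROGRAM FILES\MCAFEE\AGENT\X86\MACOMPATSVC.EXE||HKLM\SOFTWARE\WOW6432NODE\MCAFEE\SYSTEMCORE\||Common Standard Protection:Prevent modification of McAfee files and settings||Action blocked : Write|",
    # Constructed: a non-McAfee process hitting the same rule (the rule doing its job).
    r"|3/14/2016||10:02:31 AM||Blocked by Access Protection rule||CORP\EXAMPLEUSER||C:\USERS\EXAMPLEUSER\DOWNLOADS\SETUP.EXE||C:\PROGRAM FILES\MCAFEE\AGENT\X86\EXAMPLE.DLL||Common Standard Protection:Prevent modification of McAfee files and settings||Action blocked : Write|",
    # Constructed: truncated row, skipped by the parser.
    r"|3/14/2016||10:05:00 AM||Blocked by Access Protection rule|",
]

if __name__ == "__main__":
    for (proc, rule), n in self_blocks(SAMPLE).most_common():
        print(f"{n}x {proc} blocked by: {rule}")
```
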