Hi @David_F ,
Can you confirm if there is any On Demand Scan running on the machines when you are seeing this behavior?
If no ODS is running then there is some application which is mostly getting timed out because of repeat I/O. Best option will be to check On Access Scanner log and see if there is any Time out. If not, then when you are seeing the high CPU utilization run the Procmon on the machine. Just capture it for a minute or two and share the output (Procmon Download: https://docs.microsoft.com/en-us/sysinternals/downloads/procmon)
From Procmon we can easily figure out what is happening during that window.
The logs are found in %Programdata%\Mcafee\EndpointSecurity\Logs
If you do find a scan running, then you'll need to contact your IT department and ask them to change the settings. Judging by the description it sounds like they could have "scan on idle" enabled which would mean the scan will be pausing and re-starting constantly meaning you'll be impacted for longer.
Look at the ODS (On Demand Scan) Log.
ProcMon - it is logging thousands of events per minute. Even with the filter on to mcshield, there is way too much info to post. The last file was 763 mB. How is that useful? And it seems tech support in this post/chain and posts about mcshield simply keeps asking for more and more diagnostic data and never addresses the problem - or even admits there is one. Why do dozens of my colleagues have this same issue? It ain't just my PC. hashtagFrustratedWithMcAfeeCorp
Procmon is not the best way of showing what the scanner is doing. Like you said it gives you thousands of entries per minute. This is because even if you have excluded items mcshield still needs to pick up the file and check if it should be excluded or is in cache already so it can then decide to either scan it or release it again.
To explain what would be expected behaviour so you understand why we were pointing you in the correct direction: We expect to see high CPU during an ODS scan for the process mcshield. There is no way of us restricting this either as the resources are given to this process by Windows. Have you managed to check the On Demand Scan Log to see if a scan was running at the time you are experiencing the issue? You previously shared an extract from the On Access Scan Log.
If no ODS is running then mcshield would display high CPU if an other application is running or the system generally is performing an activity which is high in read/ write activities. Each of these read/ write activities would mean we need to monitor it which therefore results in high CPU if the system is of course busy. If these symptoms are displayed when using a specific application it may be that certain exclusions are needed to ensure firstly that the application can run without being interrupted and secondly so that you don't see the high CPU.
With either of these options you are going to need to reach out and work with your corporate IT dept because they will control the configuration of the product. Of course your findings may help them decide which configuration changes need to be made. Hope this helps somewhat.