7 Replies Latest reply on Feb 15, 2010 1:56 PM by Warlock

    McShield service started

      hi

      We have ePO4 SP4 with mcafee 8.7.0i SP1 and every day between 17-20 McShield service starts and it seems to start scan.
      At this time our WIN2000 SP4 server and XP/WIN2000 workstations are extremely slow.
      I cannot understand, the full scan service is configured only sundays.
      Howto stop it?


      Event Type: Information
      Event Source: McLogEvent
      Event Category: None
      Event ID: 5000
      Date: 13.09.2009
      Time: 17:45:44
      User: NT AUTHORITY\SYSTEM
      Computer: SERVER12
      Description:
      McShield service started.
      Engine version : 5301.4018
      DAT version : 5739.0000

      Number of signatures in EXTRA.DAT : None
      Names of threats that EXTRA.DAT can detect : None


      Event Type: Information
      Event Source: McLogEvent
      Event Category: None
      Event ID: 257
      Date: 13.09.2009
      Time: 17:45:45
      User: NT AUTHORITY\SYSTEM
      Computer: SERVER12
      Description:
      The scan of C:\Documents and Settings\All Users\Application Data\McAfee\Common Framework\AgentEvents\2009091217415134300000EEC.txml has taken too long to complete and is being canceled. Scan engine version used is 5301.4018 DAT version 5739.0000.
        • 1. Re: McShield service started

          Hey CCCC

           

          Did you get an answer to this as yet? I am having the exact same issue on our Citirx environment though. We are on ePO 4.0 SP4 with 8.5i clients

           

          Cheers

          • 2. Re: McShield service started

            Hi cccc,

             

            Some things to look at:

             

            • Have you checked the client tasks on the individual machine?
              It may have a non-inheritant task set for scanning defined?

             

            • Why is the McShield service not running all the time?
              It is possible that when the service starts it sees the Scan task as missed as the service had not been running and will start the scan.
              Check your Scan task to see what is defined to do when the task is missed.

             

            Hope this helps.

            • 3. Re: McShield service started

              17:00 is the default time for DAT and Engine updates to run. It's expected to see a delay while CPU spikes for up to a minute depending on system ressources available. I suggest you move the update to an off-peak time.

              Let me know if you must run DAT+Engine updates at these times and I will suggest some workarounds.

              • 4. Re: McShield service started
                ZeusMaster

                the event you are seeing there, is the on access scanner timing out when scanning a working file.

                 

                Set up some exclusions not to scan the working directories on the McAfee Agent.

                 

                *:\Documents and Settings\All Users\Application Data\McAfee\Common Framework\**

                • 5. Re: McShield service started

                  C:\Documents and Settings\All Users\Application Data\McAfee\Common Framework\ is already excluded at On-Access Default Processes Policies on Read.

                   

                  Should I exclude on Write as well?

                   

                   


                   

                   

                  on 2/15/10 3:44:19 AM CST
                  • 6. Re: McShield service started
                    ZeusMaster

                    i would say yes to exclude on write as the file is constantly being updated as the agent performs functions.

                    • 7. Re: McShield service started

                      Not so sure if that is going to resolve the issue as I have an **\McAfee\* exclusion for read and write and still having the problem.

                       

                      My understanding of the above exclusion is this:

                      1. On all drives
                      2. In all folders
                      3. In all profiles

                       

                      Where the McAfee folder exists exclude it from a scan.

                       

                      My thoughts are starting to lean towards another area that is not kept with McAfee however it does use a Network Associates folder so maybe my thoughts would be is to set that folder as an exclusion as well.  What say you?