1 Reply Latest reply on Mar 1, 2010 12:59 PM by rmetzger

    Mcshield.exe 100% CPU at startup

      We have recently upgraded (installed new ePO server and copied policies ect over to match) to ePO 4.5. Since then alot of users have been complaining about slowness issues.

       

      I've investigated and it seems Mcafee is utilising all of the CPU. For about 5-10 mins while starting the pc is crawling,  then during scheduled updates it peaks for another 5 minutes.   Also the Mcafee agent has changed its picture and now running 87i (8.7.0.570) Virusscan Enterprise + AntiSpyware.

       

      Any ideas what could be causing this slowness?

       

      Cheers!

        • 1. Re: Mcshield.exe 100% CPU at startup
          rmetzger

          Micka wrote:

           

          I've investigated and it seems Mcafee is utilising all of the CPU. For about 5-10 mins while starting the pc is crawling,  then during scheduled updates it peaks for another 5 minutes.   Also the Mcafee agent has changed its picture and now running 87i (8.7.0.570) Virusscan Enterprise + AntiSpyware

           

          Hi Micka,

           

          Try these registry entry changes listed below.

           

          In order to make these changes, you will need to temporarily disable some of the McAfee self-protection features.

           

          From  the VirusScan Console

          Access  Protection > Properties

          Uncheck 'Prevent McAfee services from being stopped'

          Common Standard Protection

          Uncheck (unBlock) 'Prevent modification of McAfee  files and settings'

          Uncheck (unBlock) 'Prevent  modification of McAfee Common Management Agent'

          Run the registry changes below.

          REGEDIT4

           

          ;; see http://forums.mcafeehelp.com/showthread.php?t=221578

          ;;  'McScript.exe eating CPU cycles for several mins'

          ;;  1. Restart the system to activate.

          ;; Solution 1 - Create a registry key LowerWorkingThreadPriority as a

          ;; DWORD and set the value to 1.

          ;;  'CPU usage spikes during policy enforcement and a DAT update'

          ;; Solution:

          ;;   A noticeable performance improvement is found when using McAfee Agent 4.0

          ;;   and ePolicy Orchestrator 4.0 server because ePO 4.0 compiles the policy

          ;;   before sending it to the agent.

          ;;

          ;; Workaround:

          ;; Solution 1 - "LowerWorkingThreadPriority"

          ;; 1. Click Start, Run, type regedit, then click OK.

          ;; 2. Navigate to and select the following registry key:

          ;;    [HKEY_LOCAL_MACHINE\SOFTWARE\Network Associates\TVD\Shared Components\Framework]

          ;; 3. In the right-hand pane, right-click a blank space and select New, DWORD

          ;;    Value.

          ;; 4. For the name, type LowerWorkingThreadPriority and press ENTER.

          ;; 5. Right-click LowerWorkingThreadPriority and and select Modify.

          ;; 6. In the Value data field type 1, then click OK.

          ;; 7. Click Registry, Exit.

          ;; 8. Restart the McAfee Framework Service.

          ;;

          ;;  Only implement Solution 2 if the previous solution is not sufficient to

          ;;  reduce the CPU usage sufficiently during a policy enforcement and update.

          ;;  Solution 2 - Disable the NoUpdateUI via the registry to reduce the CPU

          ;;  usage:

          ;; 1. Click Start, Run, type regedit, then click OK.

          ;; 2. Navigate to the following registry location:

          ;;    [HKEY_LOCAL_MACHINE\SOFTWARE\Network Associates\ePolicy Orchestrator]

          ;; 3. Right-click on NoUpdaterUI and select Modify.

          ;; 4. In the Value Data field change the value to 1, then click OK.

          ;; 5. Click Registry, Exit.

          ;; 6. Restart your computer.

          ;;

          ;; see https://kc.mcafee.com/corporate/index?page=content&id=KB53690&pmv=print

          ;; Policy Enforcement Interferes with Real-Time Application

          ;;

          ;; Corporate KnowledgeBase ID:            KB66971

          ;; Published:            October 15, 2009

          ;;

          ;; Environment

          ;; Summary

          ;; CPU spikes that occur during a policy enforcement may interfere with the

          ;; performance of real-time applications. When no other applications are

          ;; being utilized on the client, McAfee Agent 4.5 utilizes the available CPU

          ;; to complete its activity, in this case policy enforcement. This is normal

          ;; and expected. If other applications are being utilized during the policy

          ;; enforcment, or if they start during a policy enforcement, McAfee Agent 4.5

          ;; will yield the CPU to the higher priority process. However, there can be

          ;; momentary spikes in CPU during this time.

          ;;

          ;; Policy enforcement is a CPU intensive function, as is running most real-

          ;; time applications. McAfee Agent 4.5 has improved performance during

          ;; policy enforcement, and in many cases interference with other applications

          ;; is not noticed at the end point. While performance has improved, some

          ;; degradation may be noticed depending on the nature of the application.

          ;; Because of this, voice degradation might be noticed when using products

          ;; such as Voice over IP software. In situations where interference does

          ;; occur, the default policy interval of five minutes might not be ideal.

          ;;

          ;; Solution

          ;; McAfee is investigating this issue. As a temporary measure, implement the

          ;; workaround shown below.

          ;;

          ;; Workaround

          ;; CAUTION: This article contains information about opening or modifying the

          ;; registry.

          ;;

          ;;    * The following information is intended for System Administrators.

          ;;      Registry modifications are irreversible and could cause system failure

          ;;      if done incorrectly.

          ;;    * Before proceeding, McAfee strongly recommends backing up your registry

          ;;      and understanding the restore process. For more information,

          ;;      see: http://support.microsoft.com/kb/256986

          ;;    * Do not run a .REG file that is not confirmed to be a genuine registry

          ;;      import file.

          ;;

          ;;    1. Increase the length of the policy enforcement interval. The default

          ;;       is five minutes. Increasing the length of time might make

          ;;       noticeable interference less frequent.

          ;;    2. Implement a lower thread and lower process priority for McAfee Agent

          ;;       functions on clients:

          ;;       [HKEY_LOCAL_MACHINE\SOFTWARE\Network Associates\TVD\Shared Components\Framework]

          ;;    3. Under the Framework registry key, do the following:

          ;;           * Change the SetProcessPriority DWord value to 1.

          ;;             This lowers the process priority.

          ;;           * Change the LowerWorkingThreadPriority DWord value to 1.

          ;;             This lowers the worker thread priority to below normal.

           

              [HKEY_LOCAL_MACHINE\SOFTWARE\Network Associates\TVD\Shared Components\Framework]

              "LowerWorkingThreadPriority"=dword:00000001

          ;;  "LowerWorkingThreadPriority"=-

              "SetProcessPriority"=dword:00000001

          ;;  "SetProcessPriority"=-

           

              [HKEY_LOCAL_MACHINE\SOFTWARE\Network Associates\ePolicy Orchestrator]

          ;;  "NoUpdaterUI"=dword:00000001

              "NoUpdaterUI"=-

           

          ;; - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

          ;;  see https://kc.mcafee.com/corporate/index?page=content&id=kb60651

          ;;

          ;;  ScanProcessesOnEnable;

          ;;  Should be Off under normal conditions. Having it on can cause

          ;;  additional stress to the system, causing McShield.exe to what appears

          ;;  to be random high use of the CPU. It should be On only for PCs where

          ;;  Security is paramount and performance is not even considered.

          ;;

              [HKEY_LOCAL_MACHINE\SOFTWARE\McAfee\VSCore\On Access Scanner\McShield\Configuration]

              "ScanProcessesOnEnable"=dword:00000000

              "ScanMemoryOfNewProcesses"=dword:00000000

          Then re-enable the McAfee self-protection features.

           

          From  the VirusScan Console

          Access  Protection > Properties

          Check 'Prevent McAfee services from being stopped'

          Common Standard Protection

          Check (Block) 'Prevent modification of McAfee  files and settings'

          Check (Block) 'Prevent  modification of McAfee Common Management Agent'

          Now, restart the system.

           

          Let us know if this helps.

          Ron Metzger