Skip navigation
McAfee Secure sites help keep you safe from identity theft, credit card fraud, spyware, spam, viruses and online scams
15066 Views 6 Replies Latest reply: Oct 15, 2010 7:52 AM by RichardJC RSS
RichardJC Newcomer 21 posts since
Jul 8, 2009
Currently Being Moderated

Mar 1, 2010 3:20 PM

High CPU Usage On Demand Scan VSE 8.7i P2

Hello,

Our weekly scheduled On-Demand scan is configured to use 30% System Utilization (ePO task default) under the performance tab of a task's properties.  Our users are complaining of slow and unresponsive systems during the scheduled scan.  We are seeing instances of 'scan32.exe' taking up to 77% CPU usage during this scan time.  How can scan32.exe take more CPU usage than the task it configured for?

 

Richard J.C.
x1 4.0 ePO Patch 5/Build 1298
x1 3.0.2 ePO
McAfee Agent 3.5.5.438 & 4.0.0.1494
VSE 8.0.0.1009 Patch 14, 1000 Units and shrinking
VSE 8.7 Patch 2,  200 Units and growing


Richard J.C.
x1 4.0 ePO Patch 7/Build 1363
McAfee Agent 4.0.0.1494
VSE 8.0.0.1009 Patch 14, 100 Units and shrinking
VSE 8.7 Patch 4,  800 Units and growing

  • rmetzger Champion 566 posts since
    Jan 4, 2005
    Currently Being Moderated
    1. Mar 1, 2010 4:59 PM (in response to RichardJC)
    Re: High CPU Usage On Demand Scan VSE 8.7i P2

    RichardJC wrote:

     

    Hello,

    Our weekly scheduled On-Demand scan is configured to use 30% System Utilization (ePO task default) under the performance tab of a task's properties.  Our users are complaining of slow and unresponsive systems during the scheduled scan.  We are seeing instances of 'scan32.exe' taking up to 77% CPU usage during this scan time.  How can scan32.exe take more CPU usage than the task it configured for?

     

    Richard J.C.
    VSE 8.0.0.1009 Patch 14, 1000 Units and shrinking
    VSE 8.7 Patch 2,  200 Units and growing

     

    from:

    McAfee VirusScan Enterprise 8.7i Product Guide

     

    How system utilization works


    System utilization is determined when an on-demand scan starts. CPU and IO samples are taken
    over the first 30 seconds, then the scan is performed based on the utilization level you specified.
    The system utilization you specify does not apply to encrypted files. The decryption is done by
    LSASS.EXE, not by the Scan32 process. Scanning encrypted files is CPU intensive, therefore
    even if the system limit on the scanning thread is low, it is still scanning files fast enough that
    LSASS.EXE must keep busy to supply the decrypted data.

    So, if you are scanning an encrypted file, LSASS is in control and throttling is not able to be enforced.

     

    Then see:

    https://kc.mcafee.com/corporate/index?page=content&id=KB55145&actp=search&search id=1267482657403

    Understanding On-Demand Scan system  resource utilization

     

     

                
    Corporate KnowledgeBase ID: KB55145
    Published: September 08, 2009

     

    Environment

    For details of all supported operating systems, see KB51109

    Summary

    With McAfee VirusScan Enterprise (VSE) 8.5i and VSE 8.7i, an  On-Demand Scan (ODS) may use larger amounts of system resources than  expected.
    NOTE: The total  system utilization is a combination of CPU utilization and I/O  throughput - it cannot be determined by CPU utilization alone.
    The Threshold value specified for the scan task is  only enforced during scanning; the threshold value does not apply to  the initial estimation phase of the scan, when VSE determines the amount  of system resources available, and can subsequently limit itself to the  value specified.
    The value obtained during the estimation phase becomes the baseline  for the System utilization setting in the task  properties. The On-Demand Scanner then checks its system utilization  periodically to ensure it is at the baseline threshold. However, if the  the scanner is unable to reach the desired threshold after multiple  attempts, it assumes that other resource-intensive work has commenced on  the system and will lower its threshold target. The scanner will lower  this target further if the target continues to be unattainable. The ODS  system utilization will increase its system utilization up to the  originally determined baseline if able to do so. This behavior continues  until the scan task is complete, or the allotted time for the scan task  is reached.
    NOTE: Throttling  the System utilization of the On-Demand Scan will  result in longer scan times.

    And from the release notes:

    New scan deferral options improve local control of on-demand scans, including  the ability to defer scans when using battery power or during presentations. One  option can be configured to allow end users to defer scheduled on-demand scans  for the increment of time you specify. You can specify hourly increments up to  twenty-four hours, or forever.

    This may allow you to have end-users defer scanning to a better time.

     

    And finally:

    https://kc.mcafee.com/corporate/index?page=content&id=KB51604&actp=search&search id=1267482657403

    On-Demand Scan seems to hang when scanning  cookies on Windows Vista

               
    Corporate KnowledgeBase ID:   KB51604
    Published:   January 07, 2010

     

    Environment

    Microsoft Windows Vista
    Microsoft Windows 7

    Problem

    During an On-Demand cookie scan on Windows Vista, the On-Demand  Scan (ODS) task can appear to hang or become unresponsive.

    Cause

    Windows Vista stores cookies in a different directory  structure than previous versions of Windows. Because there are many  folders and subfolders under c:\user\all users,  scanning all cookies on the system may take an unexpectedly long time.
    NOTE: By default the directory structure for c:\users\all  users is hidden. Typing the path in Windows Explorer allows  access to it however.

     

    Solution

    The apparent delay is expected behavior when scanning this  directory structure. The On-Demand Scan task will finish when the cookie  scan has completed.
    Currently, CPU throttling settings apply only to file scanning.  They do not apply to cookie, registry, and memory scans.  As a result, a  full On-Demand Scan can consume a large quantity of system resources.
    NOTE: A Feature Modification Request (FMR) has  been logged to extend CPU throttling capabilities to these areas in a  future version of VirusScan Enterprise.

    I hope this is helpful.

    Ron Metzger

  • rmetzger Champion 566 posts since
    Jan 4, 2005
    Currently Being Moderated
    3. Mar 18, 2010 1:34 PM (in response to RichardJC)
    Re: High CPU Usage On Demand Scan VSE 8.7i P2

    RichardJC wrote:

     

    Hi Ron,

    Thanks for the reply.  Sorry I took a while to respond I was tied up with other issues.  Your information was very helpful for me to better understand what is going on.  However I have now done a more in-depth sampling of a dozen PCs.  We've taken a large number performance metrics and analyzed them.  I've even had Microsoft Premier support specialist analize the data with me.  Our data confirms lsass.exe isn't part of this issue.  We're seeing numbers like 99.99% maximum and 60% avg for the scan32.exe process and CPU usage. 

     

    I understand the delay.

     

    According to the release notes (.pdf) for Patch 2 (and also in Patch 3):

     

    5. The on-demand scanner now uses Windows Priority Control setting for the scan process. This lets the
    operating system set the amount of CPU time that the on-demand scanner receives at any point in the scan
    process. The System Utilization setting in the On-Demand Scan Properties maps to Windows Priority Control
    as:
    Utilization Priority
    10% Low
    20%-50% Below Normal
    60%-100% Normal

     

    So, I am not sure what your settings are set to, but check them and try them set to Low and see how it goes. This, according to the other document sited above, will not fix the problem for Registry and Memory scans, as this will cause it to spike to full 99.99% during these scans. If Low seems to work, try again with Below Normal, and test again.

     

    Hope this helps. Let us know what happens.

    Ron Metzger

  • frostbitten Newcomer 19 posts since
    Oct 14, 2010
    Currently Being Moderated
    4. Oct 14, 2010 9:35 PM (in response to rmetzger)
    Re: High CPU Usage On Demand Scan VSE 8.7i P2

    I am having the same issue as the original poster and I can confirm that my CPU Utilization is set to 10% and we have seen Scan32.exe using anywhere from 50-90% CPU.

  • Sridhar Newcomer 3 posts since
    Oct 14, 2010
    Currently Being Moderated
    5. Oct 15, 2010 12:15 AM (in response to frostbitten)
    Re: High CPU Usage On Demand Scan VSE 8.7i P2

    Hi --

     

    We do also the same on ODS weekly scanning its killing users work time.

     

    Mcafee advised to downgrade VSE 8.5 or wait for VSE 8.8 since the VSE 8.7 product (stupid) designed with Windows priority setting

     

    Sridhar

More Like This

  • Retrieving data ...

Bookmarked By (1)

Legend

  • Correct Answers - 5 points
  • Helpful Answers - 3 points