6 Replies Latest reply: Oct 15, 2010 7:53 AM by RichardJC RSS

    High CPU Usage On Demand Scan VSE 8.7i P2

      Hello,

      Our weekly scheduled On-Demand scan is configured to use 30% System Utilization (ePO task default) under the performance tab of a task's properties.  Our users are complaining of slow and unresponsive systems during the scheduled scan.  We are seeing instances of 'scan32.exe' taking up to 77% CPU usage during this scan time.  How can scan32.exe take more CPU usage than the task it configured for?

       

      Richard J.C.
      x1 4.0 ePO Patch 5/Build 1298
      x1 3.0.2 ePO
      McAfee Agent 3.5.5.438 & 4.0.0.1494
      VSE 8.0.0.1009 Patch 14, 1000 Units and shrinking
      VSE 8.7 Patch 2,  200 Units and growing

        • 1. Re: High CPU Usage On Demand Scan VSE 8.7i P2
          rmetzger

          RichardJC wrote:

           

          Hello,

          Our weekly scheduled On-Demand scan is configured to use 30% System Utilization (ePO task default) under the performance tab of a task's properties.  Our users are complaining of slow and unresponsive systems during the scheduled scan.  We are seeing instances of 'scan32.exe' taking up to 77% CPU usage during this scan time.  How can scan32.exe take more CPU usage than the task it configured for?

           

          Richard J.C.
          VSE 8.0.0.1009 Patch 14, 1000 Units and shrinking
          VSE 8.7 Patch 2,  200 Units and growing

           

          from:

          McAfee VirusScan Enterprise 8.7i Product Guide

           

          How system utilization works


          System utilization is determined when an on-demand scan starts. CPU and IO samples are taken
          over the first 30 seconds, then the scan is performed based on the utilization level you specified.
          The system utilization you specify does not apply to encrypted files. The decryption is done by
          LSASS.EXE, not by the Scan32 process. Scanning encrypted files is CPU intensive, therefore
          even if the system limit on the scanning thread is low, it is still scanning files fast enough that
          LSASS.EXE must keep busy to supply the decrypted data.

          So, if you are scanning an encrypted file, LSASS is in control and throttling is not able to be enforced.

           

          Then see:

          https://kc.mcafee.com/corporate/index?page=content&id=KB55145&actp=search&search id=1267482657403

          Understanding On-Demand Scan system  resource utilization

           

           

                      
          Corporate KnowledgeBase ID: KB55145
          Published: September 08, 2009

           

          Environment

          For details of all supported operating systems, see KB51109

          Summary

          With McAfee VirusScan Enterprise (VSE) 8.5i and VSE 8.7i, an  On-Demand Scan (ODS) may use larger amounts of system resources than  expected.
          NOTE: The total  system utilization is a combination of CPU utilization and I/O  throughput - it cannot be determined by CPU utilization alone.
          The Threshold value specified for the scan task is  only enforced during scanning; the threshold value does not apply to  the initial estimation phase of the scan, when VSE determines the amount  of system resources available, and can subsequently limit itself to the  value specified.
          The value obtained during the estimation phase becomes the baseline  for the System utilization setting in the task  properties. The On-Demand Scanner then checks its system utilization  periodically to ensure it is at the baseline threshold. However, if the  the scanner is unable to reach the desired threshold after multiple  attempts, it assumes that other resource-intensive work has commenced on  the system and will lower its threshold target. The scanner will lower  this target further if the target continues to be unattainable. The ODS  system utilization will increase its system utilization up to the  originally determined baseline if able to do so. This behavior continues  until the scan task is complete, or the allotted time for the scan task  is reached.
          NOTE: Throttling  the System utilization of the On-Demand Scan will  result in longer scan times.

          And from the release notes:

          New scan deferral options improve local control of on-demand scans, including  the ability to defer scans when using battery power or during presentations. One  option can be configured to allow end users to defer scheduled on-demand scans  for the increment of time you specify. You can specify hourly increments up to  twenty-four hours, or forever.

          This may allow you to have end-users defer scanning to a better time.

           

          And finally:

          https://kc.mcafee.com/corporate/index?page=content&id=KB51604&actp=search&search id=1267482657403

          On-Demand Scan seems to hang when scanning  cookies on Windows Vista

                     
          Corporate KnowledgeBase ID:   KB51604
          Published:   January 07, 2010

           

          Environment

          Microsoft Windows Vista
          Microsoft Windows 7

          Problem

          During an On-Demand cookie scan on Windows Vista, the On-Demand  Scan (ODS) task can appear to hang or become unresponsive.

          Cause

          Windows Vista stores cookies in a different directory  structure than previous versions of Windows. Because there are many  folders and subfolders under c:\user\all users,  scanning all cookies on the system may take an unexpectedly long time.
          NOTE: By default the directory structure for c:\users\all  users is hidden. Typing the path in Windows Explorer allows  access to it however.

           

          Solution

          The apparent delay is expected behavior when scanning this  directory structure. The On-Demand Scan task will finish when the cookie  scan has completed.
          Currently, CPU throttling settings apply only to file scanning.  They do not apply to cookie, registry, and memory scans.  As a result, a  full On-Demand Scan can consume a large quantity of system resources.
          NOTE: A Feature Modification Request (FMR) has  been logged to extend CPU throttling capabilities to these areas in a  future version of VirusScan Enterprise.

          I hope this is helpful.

          Ron Metzger

          • 2. Re: High CPU Usage On Demand Scan VSE 8.7i P2

            Hi Ron,

            Thanks for the reply.  Sorry I took a while to respond I was tied up with other issues.  Your information was very helpful for me to better understand what is going on.  However I have now done a more in-depth sampling of a dozen PCs.  We've taken a large number performance metrics and analyzed them.  I've even had Microsoft Premier support specialist analize the data with me.  Our data confirms lsass.exe isn't part of this issue.  We're seeing numbers like 99.99% maximum and 60% avg for the scan32.exe process and CPU usage. 

            • 3. Re: High CPU Usage On Demand Scan VSE 8.7i P2
              rmetzger

              RichardJC wrote:

               

              Hi Ron,

              Thanks for the reply.  Sorry I took a while to respond I was tied up with other issues.  Your information was very helpful for me to better understand what is going on.  However I have now done a more in-depth sampling of a dozen PCs.  We've taken a large number performance metrics and analyzed them.  I've even had Microsoft Premier support specialist analize the data with me.  Our data confirms lsass.exe isn't part of this issue.  We're seeing numbers like 99.99% maximum and 60% avg for the scan32.exe process and CPU usage. 

               

              I understand the delay.

               

              According to the release notes (.pdf) for Patch 2 (and also in Patch 3):

               

              5. The on-demand scanner now uses Windows Priority Control setting for the scan process. This lets the
              operating system set the amount of CPU time that the on-demand scanner receives at any point in the scan
              process. The System Utilization setting in the On-Demand Scan Properties maps to Windows Priority Control
              as:
              Utilization Priority
              10% Low
              20%-50% Below Normal
              60%-100% Normal

               

              So, I am not sure what your settings are set to, but check them and try them set to Low and see how it goes. This, according to the other document sited above, will not fix the problem for Registry and Memory scans, as this will cause it to spike to full 99.99% during these scans. If Low seems to work, try again with Below Normal, and test again.

               

              Hope this helps. Let us know what happens.

              Ron Metzger

              • 4. Re: High CPU Usage On Demand Scan VSE 8.7i P2

                I am having the same issue as the original poster and I can confirm that my CPU Utilization is set to 10% and we have seen Scan32.exe using anywhere from 50-90% CPU.

                • 5. Re: High CPU Usage On Demand Scan VSE 8.7i P2
                  Sridhar

                  Hi --

                   

                  We do also the same on ODS weekly scanning its killing users work time.

                   

                  Mcafee advised to downgrade VSE 8.5 or wait for VSE 8.8 since the VSE 8.7 product (stupid) designed with Windows priority setting

                   

                  Sridhar

                  • 6. Re: High CPU Usage On Demand Scan VSE 8.7i P2

                    We've analyzed this issue to the best of our abilities and cannot do anything to improve the situation.  We are currently setting our scan priority to the lowest priority setting and are advising our users it is something they have to live with.  The 'savy' users have figured out they can reboot their PC to kill the scan task and if they are local admins they can stop the scan.  Hopefully the next version of VSE will improve this issue.

                     

                     

                    Message was edited by: RichardJC on 10/15/10 7:53:47 AM GMT-05:00