4 Replies Latest reply on Mar 17, 2010 8:30 AM by rmetzger

    High CPU during Updates

      Does everyone else just "deal with" the high CPU usage during virus pattern updates?  I've resorted to scheduling updates to happen at 7 PM across my company, but when I'm working on my computer during this time I often think my computer has "hung" for a minute until I remember it is 7 PM.

       

      Running VirusScan 8.7i  8.7.0.570

        • 1. Re: High CPU during Updates
          rmetzger

          Scissor wrote:

           

          Does everyone else just "deal with" the high CPU usage during virus pattern updates?  I've resorted to scheduling updates to happen at 7 PM across my company, but when I'm working on my computer during this time I often think my computer has "hung" for a minute until I remember it is 7 PM.

           

          Running VirusScan 8.7i  8.7.0.570

          Based on your description, you may be experiencing 2 different problems: 1) mcscript_inuse.exe CPU issue, 2) McShield CPU issues and crash.

           

          1) Try: https://kc.mcafee.com/corporate/index?page=content&id=kb53690

          Lowering the working thread priority helps relinquish CPU cycles to other processes during updates.

           

          2) Try: https://kc.mcafee.com/corporate/index?page=content&id=KB60651&pmv=print

          By turning off Scan Processes On Enable, you may help with the seemingly random McShield CPU spikes. Based on McAfee statements, "This setting is intended for environments where security is more important than performance." As long as you have installed Patch 1 (VSE v8.7i) or later, this setting is supposed to be off by default, but may still be On.

           

          Here is a .reg file documenting the possible changes:

          REGEDIT4

           

          ;; Starting with VSE v8.5i, self-protection features are enabled.

          ;; By default, VSE blocks registry changes to itself.

          ;;

          ;; You will need to temporarily disable some of the McAfee

          ;; self-protection features.

          ;;

          ;; From the VirusScan Console

          ;;    Access Protection > Properties

          ;;        Uncheck 'Prevent McAfee services from being stopped'

          ;;        Common Standard Protection

          ;;            Uncheck (unBlock) 'Prevent modification of

          ;;                McAfee files and settings'

          ;;            Uncheck (unBlock) 'Prevent modification of

          ;;                McAfee Common Management Agent'

          ;;

          ;; Now try to import this registry file or make needed changes.

          ;;

          ;; Then re-enable the McAfee self-protection features.

          ;;

          ;; From the VirusScan Console

          ;;    Access Protection > Properties

          ;;        Check 'Prevent McAfee services from being stopped'

          ;;        Common Standard Protection

          ;;            Check (Block) 'Prevent modification of

          ;;                McAfee files and settings'

          ;;            Check (Block) 'Prevent modification of

          ;;                McAfee Common Management Agent'

          ;;

          ;; Now, restart the system.

          ;; - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

          ;; REGEDIT4

          ;;

          ;; LowerWorkingThreadPriority

          ;; SetProcessPriority

          ;; NoUpdaterUI

          ;;

          ;; see http://forums.mcafeehelp.com/showthread.php?t=221578

          ;;  'McScript.exe eating CPU cycles for several mins'

          ;;  1. Restart the system to activate.

          ;; Solution 1 - Create a registry key LowerWorkingThreadPriority as a

          ;; DWORD and set the value to 1.

          ;;  'CPU usage spikes during policy enforcement and a DAT update'

          ;; Solution:

          ;;   A noticeable performance improvement is found when using McAfee Agent 4.0

          ;;   and ePolicy Orchestrator 4.0 server because ePO 4.0 compiles the policy

          ;;   before sending it to the agent.

          ;;

          ;; Workaround:

          ;; Solution 1 - "LowerWorkingThreadPriority"

          ;; 1. Click Start, Run, type regedit, then click OK.

          ;; 2. Navigate to and select the following registry key:

          ;;    [HKEY_LOCAL_MACHINE\SOFTWARE\Network Associates\TVD\Shared Components\Framework]

          ;; 3. In the right-hand pane, right-click a blank space and select New, DWORD

          ;;    Value.

          ;; 4. For the name, type LowerWorkingThreadPriority and press ENTER.

          ;; 5. Right-click LowerWorkingThreadPriority and select Modify.

          ;; 6. In the Value data field type 1, then click OK.

          ;; 7. Click Registry, Exit.

          ;; 8. Restart the McAfee Framework Service.

          ;;

          ;;  Only implement Solution 2 if the previous solution is not sufficient to

          ;;  reduce the CPU usage sufficiently during a policy enforcement and update.

          ;;  Solution 2 - Disable the NoUpdaterUI via the registry to reduce the CPU

          ;;  usage:

          ;; 1. Click Start, Run, type regedit, then click OK.

          ;; 2. Navigate to the following registry location:

          ;;    [HKEY_LOCAL_MACHINE\SOFTWARE\Network Associates\ePolicy Orchestrator]

          ;; 3. Right-click on NoUpdaterUI and select Modify.

          ;; 4. In the Value Data field change the value to 1, then click OK.

          ;; 5. Click Registry, Exit.

          ;; 6. Restart your computer.

          ;;

          ;; see https://kc.mcafee.com/corporate/index?page=content&id=KB53690&pmv=print

          ;; Policy Enforcement Interferes with Real-Time Application

          ;;

          ;; Corporate KnowledgeBase ID:            KB66971

          ;; Published:            October 15, 2009

          ;;

          ;; Environment

          ;; Summary

          ;; CPU spikes that occur during a policy enforcement may interfere with the

          ;; performance of real-time applications. When no other applications are

          ;; being utilized on the client, McAfee Agent 4.5 utilizes the available CPU

          ;; to complete its activity, in this case policy enforcement. This is normal

          ;; and expected. If other applications are being utilized during the policy

          ;; enforcement, or if they start during a policy enforcement, McAfee Agent 4.5

          ;; will yield the CPU to the higher priority process. However, there can be

          ;; momentary spikes in CPU during this time.

          ;;

          ;; Policy enforcement is a CPU intensive function, as is running most real-

          ;; time applications. McAfee Agent 4.5 has improved performance during

          ;; policy enforcement, and in many cases interference with other applications

          ;; is not noticed at the end point. While performance has improved, some

          ;; degradation may be noticed depending on the nature of the application.

          ;; Because of this, voice degradation might be noticed when using products

          ;; such as Voice over IP software. In situations where interference does

          ;; occur, the default policy interval of five minutes might not be ideal.

          ;;

          ;; Solution

          ;; McAfee is investigating this issue. As a temporary measure, implement the

          ;; workaround shown below.

          ;;

          ;; Workaround

          ;; CAUTION: This article contains information about opening or modifying the

          ;; registry.

          ;;

          ;;    * The following information is intended for System Administrators.

          ;;      Registry modifications are irreversible and could cause system failure

          ;;      if done incorrectly.

          ;;    * Before proceeding, McAfee strongly recommends backing up your registry

          ;;      and understanding the restore process. For more information,

          ;;      see: http://support.microsoft.com/kb/256986

          ;;    * Do not run a .REG file that is not confirmed to be a genuine registry

          ;;      import file.

          ;;

          ;;    1. Increase the length of the policy enforcement interval. The default

          ;;       is five minutes. Increasing the length of time might make

          ;;       noticeable interference less frequent.

          ;;    2. Implement a lower thread and lower process priority for McAfee Agent

          ;;       functions on clients:

          ;;       [HKEY_LOCAL_MACHINE\SOFTWARE\Network Associates\TVD\Shared Components\Framework]

          ;;    3. Under the Framework registry key, do the following:

          ;;           * Change the SetProcessPriority DWord value to 1.

          ;;             This lowers the process priority.

          ;;           * Change the LowerWorkingThreadPriority DWord value to 1.

          ;;             This lowers the worker thread priority to below normal.

           

              [HKEY_LOCAL_MACHINE\SOFTWARE\Network Associates\TVD\Shared Components\Framework]

              "LowerWorkingThreadPriority"=dword:00000001

          ;;  "LowerWorkingThreadPriority"=-

              "SetProcessPriority"=dword:00000001

          ;;  "SetProcessPriority"=-

           

              [HKEY_LOCAL_MACHINE\SOFTWARE\Network Associates\ePolicy Orchestrator]

          ;;  "NoUpdaterUI"=dword:00000001

              "NoUpdaterUI"=-

          ;; - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
          ;;  ScanProcessesOnEnable

          ;;

          ;;  see https://kc.mcafee.com/corporate/index?page=content&id=kb60651

          ;;

          ;;  Should be Off under normal conditions. Having it on can cause

          ;;  additional stress to the system, causing what appears to be

          ;;  random high use of the CPU by McShield.exe. It should be On only for

          ;;  PCs where Security is paramount and performance is not even

          ;;  considered.

          ;;

          ;;  See VSE8.7i Patch 1

          ;;  2. Issue: With the improved functionality of the on-access scanner

          ;;     memory scan, lower and middle ranged systems may see a

          ;;     performance impact at startup and after a successful AutoUpdate

          ;;     of the engine or DATs.

          ;;     Currently the Process on enable option is enabled by default on

          ;;     the shipping version of VirusScan Enterprise 8.7i. McAfee

          ;;     recommends that in a managed environment, disable this option

          ;;     prior to deployment of the Patch, until the impact of memory

          ;;     scanning can be determined for your environment. It is not

          ;;     possible to maintain both the more comprehensive scanning that

          ;;     comes with Patch 1 and later, and the former level of scanning.

          ;;     Therefore, only the more comprehensive scan is used.

          ;;     NOTE FOR CURRENT AND NEW USERS:

          ;;     -- The Patch installation does not modify current settings to

          ;;        disable the Process on enable option.

          ;;     -- The VirusScan 8.7i NAP and extension that are included with

          ;;        the Patch do change the McAfee Default policy, but do not

          ;;        modify the My Default policy, or any custom policy settings

          ;;        that were made prior to the checkin of the new NAP/extension.

          ;;     -- The VirusScan Enterprise 8.7i Repost with Patch now installs

          ;;        with the Process on enable option disabled, unless the

          ;;        Maximum Security option is selected during the installation.

          ;;

              [HKEY_LOCAL_MACHINE\SOFTWARE\McAfee\VSCore\On Access Scanner\McShield\Configuration]

              "ScanProcessesOnEnable"=dword:00000000

          ;;  "ScanProcessesOnEnable"=-

           

          Hopefully this is helpful, and post back with any questions.

           

          Ron Metzger

          • 2. Re: High CPU during Updates

            Hi rmetzger,

             

            Thank you for the reply.  Before I make your suggested changes, I noticed that the referenced KB articles may not apply to me:

             

            KB53690 is for CMA 3.6.x, while I am running McAfee Agent 4.0.0.1494 pointing at ePolicy Orchestrator 4.0.0 build 1333.  The high CPU I notice doesn't happen during policy enforcement -- it really only happens during DAT updates.

             

            KB60651 - I have verified that the policy "Processes on enable" was not checked on my ePo server.  Plus the KB states the issue was resolved in VirusScan 8.7 Patch 1, which I already have installed.

             

            Any comments on the above observations?

             

             

            Message was edited by: Scissor on 3/16/10 10:46:05 AM GMT-08:00
            • 3. Re: High CPU during Updates
              Attila Polinger

              Hi,

               

              Which patch version do you run?

               

              I recall McAfee changing approach on performance of loading DATs into memory 2 times, across VSE 8.7 patch 1 and 2. Both named "runtime DATs" - I guess - the first and second filename and location of these runtime DATs were different. This suggests a different mechanism of dealing with runtime DATs. There was also an issue with one of them, which prevented the reload of runtime DAT after a perhaps unsuccessful update.

               

              Please look up KB for "runtime DAT" string, you can find more precise information.

               

              Also we had an issue with VSE Patch 1, scanning its own VSExxxx.TMP file (whatever the meaning of it was). We needed to exclude this file from read scanning, since VSE read from it a lot of times.

              /xxxx means a random number: when you exclude, use VSE*.TMP/.

               

              Attila

              • 4. Re: High CPU during Updates
                rmetzger

                Scissor wrote:

                 

                Hi rmetzger,

                 

                Thank you for the reply.  Before I make your suggested changes, I noticed that the referenced KB articles may not apply to me:

                 

                KB53690 is for CMA 3.6.x, while I am running McAfee Agent 4.0.0.1494 pointing at ePolicy Orchestrator 4.0.0 build 1333.  The high CPU I notice doesn't happen during policy enforcement -- it really only happens during DAT updates.

                 

                KB60651 - I have verified that the policy "Processes on enable" was not checked on my ePo server.  Plus the KB states the issue was resolved in VirusScan 8.7 Patch 1, which I already have installed.

                Careful of what was 'resolved.' If installing VSE v8.7i with Patch 1 already integrated freshly on to a system, it turned this feature off. Otherwise it left the 'Processes On Enable' on (the previous default). By applying this registry entry change you take control of this feature.

                 

                Many people have noted high CPU usage during updates and policy enforcement, and even when ePO is not in use. Without the exact module that is using the CPU, I can only surmise one potential problem. McScript_InUse.exe or McScript.exe is commonly noticed to be using a great deal of CPU for an extended period of time during updates. LowerWorkingThreadPriority helps reduce its impact. SetProcessPriority is another workaround that McAfee suggested even up through MA 4.5 to help real-time applications have a better chance of acting properly while updates are occurring. It seems to help during this process. I have seen no downside yet, and McAfee does not seem able to address it fully in other ways.

                 

                I hope this helps.

                Ron Metzger
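
Added example, not part of any post in this thread: a read-only PowerShell audit of the registry values named in the .reg file in reply 1, useful for confirming what an endpoint actually has set when the ePO policy and the local state may differ (the situation discussed in replies 2 and 4). Key paths and value names are copied from that .reg file; the use of both registry views, and the requirement for PowerShell 3.0 or later with .NET 4, are assumptions.

```powershell
# Read-only audit of the values from the .reg file in reply 1.
# "Expected" mirrors that file's active (uncommented) lines; $null means the
# value should be absent, matching the "NoUpdaterUI"=- line.
$checks = @(
    @{ Key = 'SOFTWARE\Network Associates\TVD\Shared Components\Framework'
       Name = 'LowerWorkingThreadPriority'; Expected = 1 },
    @{ Key = 'SOFTWARE\Network Associates\TVD\Shared Components\Framework'
       Name = 'SetProcessPriority'; Expected = 1 },
    @{ Key = 'SOFTWARE\Network Associates\ePolicy Orchestrator'
       Name = 'NoUpdaterUI'; Expected = $null },
    @{ Key = 'SOFTWARE\McAfee\VSCore\On Access Scanner\McShield\Configuration'
       Name = 'ScanProcessesOnEnable'; Expected = 0 }
)

# Assumption: on 64-bit Windows the product's keys may be redirected under
# Wow6432Node, so both registry views are opened explicitly.
$views = [Microsoft.Win32.RegistryView]::Registry64,
         [Microsoft.Win32.RegistryView]::Registry32

$results = foreach ($view in $views) {
    $hklm = [Microsoft.Win32.RegistryKey]::OpenBaseKey(
        [Microsoft.Win32.RegistryHive]::LocalMachine, $view)
    foreach ($c in $checks) {
        $sub = $hklm.OpenSubKey($c.Key)          # opened read-only; $null if the key is absent
        if ($null -eq $sub) { continue }
        $actual = $sub.GetValue($c.Name, $null)  # $null if the value does not exist
        $sub.Close()
        [pscustomobject]@{
            View     = $view
            Value    = $c.Name
            Actual   = if ($null -eq $actual) { '(not set)' } else { $actual }
            Expected = if ($null -eq $c.Expected) { '(not set)' } else { $c.Expected }
            Match    = ($actual -eq $c.Expected)
        }
    }
    $hklm.Close()
}

# One row per value found in each view; Match is False where the endpoint
# differs from the .reg file's active lines.
$results | Format-Table -AutoSize
```

Because the script only reads, it can be run before and after importing the .reg file to confirm the change took effect once the self-protection settings have been re-enabled.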