4 Replies Latest reply on Jun 29, 2010 6:11 AM by akl71

    Adding mcscript_inuse.exe to low risk process.

        Hello,

       

           I am running ePO 4.5 / AV 8.7i for our AV solution. I have a few users who have had issues with the DAT updates slowing the PCs down, etc. I have read a few articles on changing the registry / adding processes to the low risk process list under the on-access scanner. I have completed the registry settings and can add 2 of the 3 processes to the LRP; the 2 that I can add are frameworkservice.exe and naprdmgr.exe. I cannot add mcscript_inuse.exe. It is not listed to add, etc. How do I add this?

       

            Thanks,

        • 1. Re: Adding mcscript_inuse.exe to low risk process.
          rmetzger

          JTsobey wrote:

           

            Hello,

           

               I am running ePO 4.5 / AV 8.7i for our AV solution. I have a few users who have had issues with the DAT updates slowing the PCs down, etc. I have read a few articles on changing the registry / adding processes to the low risk process list under the on-access scanner. I have completed the registry settings and can add 2 of the 3 processes to the LRP; the 2 that I can add are frameworkservice.exe and naprdmgr.exe. I cannot add mcscript_inuse.exe. It is not listed to add, etc. How do I add this?

           

                Thanks,

          Hi JT,

           

          Can you specify exactly what you have tried, i.e. what registry entry changes, what versions of VSE v8.7i (patches, hotfixes, etc.), what the specifications of the machines experiencing slowdowns are . . .

           

          I have found these registry changes have made the greatest impact on performance overall. During updates, LowerWorkingThreadPriority and SetProcessPriority have the greatest effect on performance.

           

          According to William Warren:

          ;;  3. Utilize the Low Risk On-Access Scanner profile, placing McAfee
          ;;     processes into it (mcscript_inuse.exe, naprdmgr.exe,
          ;;     frameworkservice.exe), with scanning disabled (understand this
          ;;     is a temporary measure)

          Changing the processes (mcscript_inuse.exe, naprdmgr.exe, and frameworkservice.exe) to the Low Risk Process list in OAS is A Temporary Measure.

           

          Further, he states:

          ;;  4. Perhaps the most significant change for relief, lower the
          ;;     priority of our On-Access Scanner from its default "High"
          ;;     to "Normal"

          So, I would expect that the registry entries listed below could be tried first before changing to High/Low Risk Process model with temporary changes that would need to be backed out of when new patches are found to correct the issues you state.

           

          Are you using VSE v8.7i with Patch 3 yet?

           

          Anyway, these are the registry entry changes I make to my systems which seem to help with most performance related issues.

          rmetzger RegistryChanges.reg:

           

          REGEDIT4
          ;;
          ;; Starting with VSE v8.5i, self-protection features are enabled.
          ;; By default, VSE blocks registry changes to itself.
          ;;
          ;; You will need to temporarily disable some of the McAfee
          ;; self-protection features.
          ;;
          ;; From the VirusScan Console
          ;;    Access Protection > Properties
          ;;        Uncheck 'Prevent McAfee services from being stopped'
          ;;        Common Standard Protection
          ;;            Uncheck (unBlock) 'Prevent modification of
          ;;                McAfee files and settings'
          ;;            Uncheck (unBlock) 'Prevent modification of
          ;;                McAfee Common Management Agent'
          ;;
          ;; Now try to import this registry file or make needed changes.
          ;;
          ;; Then re-enable the McAfee self-protection features.
          ;;
          ;; From the VirusScan Console
          ;;    Access Protection > Properties
          ;;        Check 'Prevent McAfee services from being stopped'
          ;;        Common Standard Protection
          ;;            Check (Block) 'Prevent modification of
          ;;                McAfee files and settings'
          ;;            Check (Block) 'Prevent modification of
          ;;                McAfee Common Management Agent'
          ;;
          ;; Now, restart the system.
          ;; - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
          ;;
          ;; LowerWorkingThreadPriority
          ;; SetProcessPriority
          ;; NoUpdaterUI
          ;;
          ;; see http://forums.mcafeehelp.com/showthread.php?t=221578
          ;;  'McScript.exe eating CPU cycles for several mins'
          ;;  1. Restart the system to activate.
          ;; Solution 1 - Create a registry key LowerWorkingThreadPriority as a
          ;; DWORD and set the value to 1.
          ;;  'CPU usage spikes during policy enforcement and a DAT update'
          ;; Solution:
          ;;   A noticeable performance improvement is found when using McAfee Agent 4.0
          ;;   and ePolicy Orchestrator 4.0 server because ePO 4.0 compiles the policy
          ;;   before sending it to the agent.
          ;;
          ;; Workaround:
          ;; Solution 1 - "LowerWorkingThreadPriority"
          ;; 1. Click Start, Run, type regedit, then click OK.
          ;; 2. Navigate to and select the following registry key:
          ;;    [HKEY_LOCAL_MACHINE\SOFTWARE\Network Associates\TVD\Shared Components\Framework]
          ;; 3. In the right-hand pane, right-click a blank space and select New, DWORD
          ;;    Value.
          ;; 4. For the name, type LowerWorkingThreadPriority and press ENTER.
          ;; 5. Right-click LowerWorkingThreadPriority and select Modify.
          ;; 6. In the Value data field type 1, then click OK.
          ;; 7. Click Registry, Exit.
          ;; 8. Restart the McAfee Framework Service.
          ;;
          ;;  Only implement Solution 2 if the previous solution is not sufficient to
          ;;  reduce the CPU usage sufficiently during a policy enforcement and update.
          ;;  Solution 2 - Disable the NoUpdaterUI via the registry to reduce the CPU
          ;;  usage:
          ;; 1. Click Start, Run, type regedit, then click OK.
          ;; 2. Navigate to the following registry location:
          ;;    [HKEY_LOCAL_MACHINE\SOFTWARE\Network Associates\ePolicy Orchestrator]
          ;; 3. Right-click on NoUpdaterUI and select Modify.
          ;; 4. In the Value Data field change the value to 1, then click OK.
          ;; 5. Click Registry, Exit.
          ;; 6. Restart your computer.
          ;;
          ;; see https://kc.mcafee.com/corporate/index?page=content&id=KB53690&pmv=print
          ;; Policy Enforcement Interferes with Real-Time Application
          ;;
          ;; Corporate KnowledgeBase ID:            KB66971
          ;; Published:            October 15, 2009
          ;;
          ;; Environment
          ;; Summary
          ;; CPU spikes that occur during a policy enforcement may interfere with the
          ;; performance of real-time applications. When no other applications are
          ;; being utilized on the client, McAfee Agent 4.5 utilizes the available CPU
          ;; to complete its activity, in this case policy enforcement. This is normal
          ;; and expected. If other applications are being utilized during the policy
          ;; enforcement, or if they start during a policy enforcement, McAfee Agent 4.5
          ;; will yield the CPU to the higher priority process. However, there can be
          ;; momentary spikes in CPU during this time.
          ;;
          ;; Policy enforcement is a CPU intensive function, as is running most real-
          ;; time applications. McAfee Agent 4.5 has improved performance during
          ;; policy enforcement, and in many cases interference with other applications
          ;; is not noticed at the end point. While performance has improved, some
          ;; degradation may be noticed depending on the nature of the application.
          ;; Because of this, voice degradation might be noticed when using products
          ;; such as Voice over IP software. In situations where interference does
          ;; occur, the default policy interval of five minutes might not be ideal.
          ;;
          ;; Solution
          ;; McAfee is investigating this issue. As a temporary measure, implement the
          ;; workaround shown below.
          ;;
          ;; Workaround
          ;; CAUTION: This article contains information about opening or modifying the
          ;; registry.
          ;;
          ;;    * The following information is intended for System Administrators.
          ;;      Registry modifications are irreversible and could cause system failure
          ;;      if done incorrectly.
          ;;    * Before proceeding, McAfee strongly recommends backing up your registry
          ;;      and understanding the restore process. For more information,
          ;;      see: http://support.microsoft.com/kb/256986
          ;;    * Do not run a .REG file that is not confirmed to be a genuine registry
          ;;      import file.
          ;;
          ;;    1. Increase the length of the policy enforcement interval. The default
          ;;       is five minutes. Increasing the length of time might make
          ;;       noticeable interference less frequent.
          ;;    2. Implement a lower thread and lower process priority for McAfee Agent
          ;;       functions on clients:
          ;;       [HKEY_LOCAL_MACHINE\SOFTWARE\Network Associates\TVD\Shared Components\Framework]
          ;;    3. Under the Framework registry key, do the following:
          ;;           * Change the SetProcessPriority DWord value to 1.
          ;;             This lowers the process priority.
          ;;           * Change the LowerWorkingThreadPriority DWord value to 1.
          ;;             This lowers the worker thread priority to below normal.

              [HKEY_LOCAL_MACHINE\SOFTWARE\Network Associates\TVD\Shared Components\Framework]
              "LowerWorkingThreadPriority"=dword:00000001
          ;;  "LowerWorkingThreadPriority"=-
              "SetProcessPriority"=dword:00000001
          ;;  "SetProcessPriority"=-

              [HKEY_LOCAL_MACHINE\SOFTWARE\Network Associates\ePolicy Orchestrator]
          ;;  "NoUpdaterUI"=dword:00000001
              "NoUpdaterUI"=-
          ;; - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
          ;;
          ;;  ScanMemoryOfNewProcesses
          ;;
          ;;  see https://kc.mcafee.com/corporate/index?page=content&id=KB60651&pmv=print
          ;;
          ;;  W3WP.Exe shows high CPU usage after installing VirusScan
          ;;  Enterprise 8.5i
          ;;
          ;;  Corporate KnowledgeBase ID:    KB52532
          ;;  Published:            April 10, 2008
          ;;
          ;;  Environment
          ;;    McAfee VirusScan Enterprise 8.5i
          ;;
          ;;  Problem
          ;;    W3WP.exe shows high CPU usage after VirusScan Enterprise 8.5i
          ;;    is installed.
          ;;
          ;;  Cause
          ;;    VirusScan Enterprise 8.5i introduced a change in the way processes
          ;;    are scanned in memory. W3WP.exe spawns multiple child processes.
          ;;    Each child process is scanned prior to execution, potentially
          ;;    introducing a performance issue.
          ;;
          ;;  Solution
          ;;    IMPORTANT: This article contains information about modifying the
          ;;    registry. Before you modify the registry, make sure to back it up
          ;;    and make sure that you understand how to restore the registry if
          ;;    a problem occurs. For information about how to back up, restore,
          ;;    and edit the registry, see the following Microsoft Knowledge Base
          ;;    article: http://support.microsoft.com/kb/256986.
          ;;
          ;;     1. Click Start, Programs, McAfee, VirusScan Console.
          ;;     2. Double-click Access Protection, deselect Enable Access
          ;;        Protection, then click OK.
          ;;     3. Click Start, Run, type regedit and click OK.
          ;;     4. Navigate to the following registry key:
          ;;        [HKEY_LOCAL_MACHINE\Software\McAfee\VSCore\On Access Scanner\McShield\Configuration]
          ;;     5. In the right pane, right-click an empty space and select New,
          ;;        DWORD Value.
          ;;     6. Name the new value ScanMemoryOfNewProcesses and press ENTER.
          ;;     7. Double-click ScanMemoryOfNewProcesses and set the Value data
          ;;        to 0 (zero).
          ;;     8. Click OK and exit the registry editor.
          ;;     9. Click Start, Programs, McAfee, VirusScan Console.
          ;;    10. Double-click Access Protection, select Enable Access
          ;;        Protection, then click OK.
          ;;    11. Restart the system.

              [HKEY_LOCAL_MACHINE\SOFTWARE\McAfee\VSCore\On Access Scanner\McShield\Configuration]
              "ScanMemoryOfNewProcesses"=dword:00000000
          ;;  "ScanMemoryOfNewProcesses"=-
          ;; - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
          ;;
          ;;  ScanProcessesOnEnable
          ;;
          ;;  see https://kc.mcafee.com/corporate/index?page=content&id=kb60651
          ;;
          ;;  Should be Off under normal conditions. Having it on can cause
          ;;  additional stress to the system, causing McShield.exe to what
          ;;  appears to be random high use of the CPU. It should be On only for
          ;;  PCs where Security is paramount and performance is not even
          ;;  considered.
          ;;
          ;;  See VSE8.7i Patch 1
          ;;  2. Issue: With the improved functionality of the on-access scanner
          ;;     memory scan, lower and middle ranged systems may see a
          ;;     performance impact at startup and after a successful AutoUpdate
          ;;     of the engine or DATs.
          ;;     Currently the Process on enable option is enabled by default on
          ;;     the shipping version of VirusScan Enterprise 8.7i. McAfee
          ;;     recommends that in a managed environment, disable this option
          ;;     prior to deployment of the Patch, until the impact of memory
          ;;     scanning can be determined for your environment. It is not
          ;;     possible to maintain both the more comprehensive scanning that
          ;;     comes with Patch 1 and later, and the former level of scanning.
          ;;     Therefore, only the more comprehensive scan is used.
          ;;     NOTE FOR CURRENT AND NEW USERS:
          ;;     -- The Patch installation does not modify current settings to
          ;;        disable the Process on enable option.
          ;;     -- The VirusScan 8.7i NAP and extension that are included with
          ;;        the Patch do change the McAfee Default policy, but do not
          ;;        modify the My Default policy, or any custom policy settings
          ;;        that were made prior to the checkin of the new NAP/extension.
          ;;     -- The VirusScan Enterprise 8.7i Repost with Patch now installs
          ;;        with the Process on enable option disabled, unless the
          ;;        Maximum Security option is selected during the installation.
          ;;
              [HKEY_LOCAL_MACHINE\SOFTWARE\McAfee\VSCore\On Access Scanner\McShield\Configuration]
              "ScanProcessesOnEnable"=dword:00000000
          ;;  "ScanProcessesOnEnable"=-
          ;; - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
          ;;
          ;;  RunAtNormalPriority
          ;;
          ;;  see http://community.mcafee.com/message/121528#121528
          ;;  Author: William Warren http://community.mcafee.com/people/wwarren
          ;;          Mar 26, 2010 1:50 PM
          ;;
          ;;  Patch 4 will include resolutions to 2 issues that are relevant to
          ;;  this thread:-
          ;;  1. EngineServer memory usage climbing to excessive levels.
          ;;     A proof-of-concept build has been proven to solve one aspect
          ;;     of the issue, specific to use of EmailScan. We still haven't
          ;;     tracked down lingering reports of high memory usage in
          ;;     EngineServer once our POC code is in place; whatever the
          ;;     condition, it is rare, and it does not appear related to
          ;;     EmailScan.
          ;;
          ;;  2. A fix for an issue with creating the mferuntime.dat file.
          ;;
          ;;  This symptom is the key contributor of why some systems are seen
          ;;  to take 10+ minutes to complete an update.
          ;;
          ;;  Post update, the Engine tries to create a memory mapped file to
          ;;  help reduce memory footprint and improve performance, this file
          ;;  is mferuntime.dat (See article KB65459).
          ;;  https://kc.mcafee.com/corporate/index?page=content&id=KB65459
          ;;
          ;;  What we have found to occur is the creation of the file sometimes
          ;;  encounters sharing violations (one or more of the scanners hasn't
          ;;  released it) and the product enters a loop of retrying to create
          ;;  this file. This file is created based on information from our DAT
          ;;  signatures, and so this data is reread each time the loop repeats.
          ;;  It can be very noticeable to users by way of sluggishness of the
          ;;  system.
          ;;
          ;;  Here's what I know will help alleviate the stress of updates,
          ;;  until these issues are resolved:-
          ;;
          ;;  1. Tweak the Agent thread priority as described in KB53690.
          ;;  https://kc.mcafee.com/corporate/index?page=content&id=KB53690&pmv=print
          ;;     see LowerWorkingThreadPriority above.
          ;;
          ;;  2. Disable scanning of Processes on Enable - this is only intended
          ;;     for environments who abide by the "Maximum Security" setting of
          ;;     the product.
          ;;     https://kc.mcafee.com/corporate/index?page=content&id=kb60651
          ;;     see ScanProcessesOnEnable above.
          ;; 
          ;;  3. Utilize the Low Risk On-Access Scanner profile, placing McAfee
          ;;     processes into it (mcscript_inuse.exe, naprdmgr.exe,
          ;;     frameworkservice.exe), with scanning disabled (understand this
          ;;     is a temporary measure)
          ;;
          ;;  4. Perhaps the most significant change for relief, lower the
          ;;     priority of our On-Access Scanner from its default "High"
          ;;     to "Normal"
          ;;
          ;;     This is done by creating/setting a DWORD registry flag named
          ;;     "RunAtNormalPriority" to 1, under
          ;;  [HKLM\Software\McAfee\VSCore\On Access Scanner\McShield\Configuration]
          ;;     and restart the service. (Or Reboot.)
          ;;
          ;;     This change is normally done only under direction by McAfee
          ;;     Support. It does not reduce your security in any way, but
          ;;     it's plausible you could see an increase in scanner timeouts
          ;;     because McShield will be getting equal CPU time as your
          ;;     other Normal thread priority processes instead of a lion's
          ;;     share. And this means if experiencing the mferuntime.dat
          ;;     loop, your system will still be pretty responsive during
          ;;     that time.
          ;;
              [HKEY_LOCAL_MACHINE\SOFTWARE\McAfee\VSCore\On Access Scanner\McShield\Configuration]
          ;;
              "RunAtNormalPriority"=dword:00000001
          ;;  "RunAtNormalPriority"=-

          Ron Metzger

          1 of 1 people found this helpful
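
Several of the settings above are described as temporary, so it helps to be able to see which clients still carry them. The following read-only audit is an added example, not part of the original post or of McAfee's tooling; key paths and value names are taken from the .reg file above, while the function name, the Effect labels and the Wow6432Node fallback for 64-bit Windows are assumptions.

```powershell
# Added example: read-only audit of the values touched by the .reg file in this thread.
# Key paths and value names come from that file. The Wow6432Node root (for 32-bit
# software on 64-bit Windows), the function name and the Effect labels are assumptions.
$roots = 'HKLM:\SOFTWARE', 'HKLM:\SOFTWARE\Wow6432Node'

$framework = 'Network Associates\TVD\Shared Components\Framework'
$epo       = 'Network Associates\ePolicy Orchestrator'
$mcshield  = 'McAfee\VSCore\On Access Scanner\McShield\Configuration'

# Tuned = state the .reg file leaves behind; $null means the value is deleted ("Name"=-).
$checks = @(
    @{ Key = $framework; Name = 'LowerWorkingThreadPriority'; Tuned = 1;     Effect = 'agent priority' }
    @{ Key = $framework; Name = 'SetProcessPriority';         Tuned = 1;     Effect = 'agent priority' }
    @{ Key = $epo;       Name = 'NoUpdaterUI';                Tuned = $null; Effect = 'updater UI' }
    @{ Key = $mcshield;  Name = 'ScanMemoryOfNewProcesses';   Tuned = 0;     Effect = 'scan coverage' }
    @{ Key = $mcshield;  Name = 'ScanProcessesOnEnable';      Tuned = 0;     Effect = 'scan coverage' }
    @{ Key = $mcshield;  Name = 'RunAtNormalPriority';        Tuned = 1;     Effect = 'scanner priority' }
)

function Get-VseTuningState {
    param([hashtable]$Check)

    $current = $null
    $foundAt = $null
    foreach ($root in $roots) {
        $path = "$root\$($Check.Key)"
        $item = Get-ItemProperty -Path $path -Name $Check.Name -ErrorAction SilentlyContinue
        if ($null -ne $item) {
            $current = $item.($Check.Name)
            $foundAt = $path
            break
        }
    }

    # Compare against $null explicitly: a DWORD of 0 is a real setting, not "missing".
    if ($null -eq $current) {
        $status = if ($null -eq $Check.Tuned) { 'matches .reg (value absent)' } else { 'absent (product default)' }
    } elseif ($null -ne $Check.Tuned -and $current -eq $Check.Tuned) {
        $status = 'matches .reg'
    } else {
        $status = 'differs from .reg'
    }

    [pscustomobject]@{
        Name    = $Check.Name
        Effect  = $Check.Effect
        Current = $current
        Status  = $status
        Path    = $foundAt
    }
}

$checks | ForEach-Object { Get-VseTuningState -Check $_ } | Format-Table -AutoSize
```
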
          • 2. Re: Adding mcscript_inuse.exe to low risk process.

            Hi Ron,

             

               Thanks for your help on this issue. I did a few of the registry entries that were mentioned in the post that you placed. I then checked the processes that were included in the low risk process filter. The mcscript_inuse.exe is now available.

             

                  Thanks for the help,

            • 3. Re: Adding mcscript_inuse.exe to low risk process.
              rmetzger

              Great! Let us know how things are going.

               

              Have fun.

              Ron Metzger

              • 4. Re: Adding mcscript_inuse.exe to low risk process.
                akl71

                rmetzger wrote:


                Changing the processes (mcscript_inuse.exe, naprdmgr.exe, and frameworkservice.exe) to the Low Risk Process list in OAS is A Temporary Measure.

                 

                There is a whitepaper where McAfee recommends changing some McAfee processes (frameworkservice.exe, mcscancheck.exe, mcscript_inuse.exe, mcupdate.exe) to low risk classification for better performance.

                https://kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/22000/PD22663/en_US/McAfee%20VirusScan%20Enterprise%20Best%20Practices.pdf