8 Replies Latest reply on Sep 9, 2010 12:05 PM by DavidA

    Optimising Visual C++ under McAfee VirusScan Enterprise

      Hi

       

      Our PCs run McAfee VirusScan Enterprise 8.7.0i.  I am trying to optimise Visual C++ 2008 Express build times by specifying suitable low-risk process definitions to McAfee.  However, having done this, I find that these definitions make little or no difference to the build time. I'm pretty sure that McAfee does impact build time because we have seen an increase in build time after installing McAfee. I am wondering whether anyone else has analysed this situation and found a good solution?

       

      The details are that I have added cl.exe as a low-risk process and defined the following exclusion folders for that process:

       

      • C:\Program Files\Microsoft Visual Studio 9.0\VC (including subfolders)
      • The project's folder (including subfolders)
      • %temp% (excluding subfolders)

       

      Does anyone have experience of making such optimisations?

       

      Best regards

       

      David

        • 1. Re: Optimising Visual C++ under McAfee VirusScan Enterprise
          rmetzger

          DavidA wrote:

           

          Hi

           

          Our PCs run McAfee VirusScan Enterprise 8.7.0i.  I am trying to optimise Visual C++ 2008 Express build times by specifying suitable low-risk process definitions to McAfee.  However, having done this, I find that these definitions make little or no difference to the build time. I'm pretty sure that McAfee does impact build time because we have seen an increase in build time after installing McAfee. I am wondering whether anyone else has analysed this situation and found a good solution?

           

          The details are that I have added cl.exe as a low-risk process and defined the following exclusion folders for that process:

           

          • C:\Program Files\Microsoft Visual Studio 9.0\VC (including subfolders)
          • The project's folder (including subfolders)
          • %temp% (excluding subfolders)

           

          Does anyone have experience of making such optimisations?

           

          Best regards

           

          David

           

          I would Strongly Advise Against excluding %TEMP% as many malware programs that install (without your permission) use this directory to launch. Instead I would configure C++ to use a subdirectory of temp and exclude just that subdirectory (including its subdirectories).

           

          Performance Optimization is an art. However, several tools exist which may help in isolating performance problems specific to Your environment.

           

          You could start with Microsoft/Sysinternals' Process Monitor which should help you isolate many of the repeated actions causing performance issues. This is, however, fairly generic in that it shows all of what is happening and may include areas that you want to continue to monitor for security reasons.

           

          Alternatively, the McAfee Profiler is available for work in 32-bit environments. Though you may find 32-bit restrictive, my guess is that it will allow you to see what is taking the most performance away, then allow you to apply what you learn to the 64-bit system. McAfee Profiler is far more focused on how VirusScan Enterprise is impacting everything else on the system and should give you a quick idea of what is costing you the most in performance. After that, you could go back to Process Monitor to verify what you see and the impact of changes.

           

          I would be interested in seeing your results.

          Thanks,

          Ron Metzger

           

           

          Message was edited by: rmetzger on 9/7/10 5:11:01 PM EDT
          1 of 1 people found this helpful
          • 2. Re: Optimising Visual C++ under McAfee VirusScan Enterprise
            andyross

            Have you checked build times with McAfee disabled (as a test)? It could be other factors that caused the slowdown beyond having McAfee installed.

            1 of 1 people found this helpful
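
The two suggestions above (a dedicated temp subdirectory instead of excluding all of %TEMP%, and timing the build with the scanner disabled as a test) can be combined in one wrapper. This is an added example, not part of the thread or of any McAfee tooling; it assumes the compiler and linker put their scratch files where TMP/TEMP point, and the `vcbuild` folder name is hypothetical.

```python
import os
import statistics
import subprocess
import sys
import time


def run_build(cmd, scratch_root, runs=3):
    """Run cmd `runs` times with its temp directory redirected; return timings.

    Only the child process sees the redirected variables, so the user's real
    %TEMP% stays fully scanned and only `scratch` needs an exclusion.
    """
    scratch = os.path.join(scratch_root, "vcbuild")  # hypothetical folder name
    os.makedirs(scratch, exist_ok=True)
    # TMP/TEMP are the Windows names; TMPDIR keeps the example portable.
    env = dict(os.environ, TMP=scratch, TEMP=scratch, TMPDIR=scratch)
    timings = []
    for _ in range(runs):
        start = time.perf_counter()
        subprocess.run(cmd, env=env, check=True)
        timings.append(time.perf_counter() - start)
    return scratch, timings


def percent_slower(baseline, other):
    """Median slowdown of `other` relative to `baseline`, in percent."""
    ratio = statistics.median(other) / statistics.median(baseline)
    return round((ratio - 1) * 100, 1)


if __name__ == "__main__":
    # Usage: python timed_build.py <build command...>
    # Run once per scanner configuration and compare the printed medians.
    scratch, times = run_build(sys.argv[1:], os.environ.get("TEMP", "."))
    print(scratch, round(statistics.median(times), 2), "s median")
```

Collect one set of timings per scanner configuration (scanner on, scanner off, each exclusion change) and feed the pairs to `percent_slower` so every setting is judged on a measured difference.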
            • 3. Re: Optimising Visual C++ under McAfee VirusScan Enterprise
              wwarren

              You can expect significant return in performance by disabling Buffer Overflow Protection and Access Protection features (requires Patch 2 or later to be installed).

              Further tuning using low risk is possible, and you might find some key file/folder exclusions help too.

               

              An area of overhead that can't be avoided though is our mfehidk.sys driver's functionality in tracking processes. And in a build environment you have many, many, many short-lived processes - or rather, the same processes being spawned hundreds or thousands of times in the course of the build. As always, multiply a tiny amount of overhead for a single action by hundreds or thousands of repetitions in a short amount of time, and that tiny amount of overhead becomes very noticeable.

              It's something to look for improvements on in future releases of the product.

              1 of 1 people found this helpful
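
To see how often the build tools are spawned and which folders they actually touch, a Process Monitor capture (suggested earlier in the thread) can be exported to CSV and checked against the planned exclusion list. This is an added example, not part of the thread; the sample rows, user name, project path and `vcbuild` subdirectory are constructed, and the column names assume Process Monitor's default CSV export.

```python
import csv
import io
from collections import Counter
from pathlib import PureWindowsPath

# Constructed sample in Process Monitor's CSV export layout (not a real capture).
SAMPLE = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:00:00.01","cl.exe","4100","Process Start","","SUCCESS",""
"10:00:00.02","cl.exe","4100","CreateFile","C:\src\app\main.cpp","SUCCESS",""
"10:00:00.03","cl.exe","4100","WriteFile","C:\Users\dev\AppData\Local\Temp\vcbuild\a1.tmp","SUCCESS",""
"10:00:00.04","cl.exe","4100","WriteFile","C:\src\app\Debug\main.obj","SUCCESS",""
"10:00:00.05","cl.exe","4212","Process Start","","SUCCESS",""
"10:00:00.06","cl.exe","4212","ReadFile","C:\Program Files\Microsoft Visual Studio 9.0\VC\include\stdio.h","SUCCESS",""
"10:00:00.07","cl.exe","4212","ReadFile","C:\Program Files\Microsoft SDKs\Windows\v6.0A\Include\windows.h","SUCCESS",""
"10:00:00.08","link.exe","4300","Process Start","","SUCCESS",""
"10:00:00.09","link.exe","4300","WriteFile","C:\src\app\Debug\app.exe","SUCCESS",""
"10:00:00.10","explorer.exe","1200","ReadFile","C:\Users\dev\Desktop\notes.txt","SUCCESS",""
'''

# Exclusion roots from the thread, with %temp% narrowed to one subdirectory.
# The project path and the "vcbuild" name are hypothetical.
EXCLUSIONS = [PureWindowsPath(p) for p in (
    r"C:\Program Files\Microsoft Visual Studio 9.0\VC",
    r"C:\src\app",
    r"C:\Users\dev\AppData\Local\Temp\vcbuild",
)]
BUILD_TOOLS = {"cl.exe", "link.exe"}

def covering_root(path, roots):
    """Return the exclusion root that contains path, or None."""
    p = PureWindowsPath(path)  # Windows paths compare case-insensitively
    return next((r for r in roots if p == r or r in p.parents), None)

def summarise(csv_text, roots=EXCLUSIONS, tools=BUILD_TOOLS):
    """Count process starts and file operations for the build tools only."""
    starts, covered, uncovered = Counter(), Counter(), Counter()
    for row in csv.DictReader(io.StringIO(csv_text)):
        name = row["Process Name"].lower()
        if name not in tools:
            continue
        if row["Operation"] == "Process Start":
            starts[name] += 1
        elif row["Operation"].endswith("File"):
            root = covering_root(row["Path"], roots)
            if root is not None:
                covered[str(root)] += 1
            else:
                uncovered[str(PureWindowsPath(row["Path"]).parent)] += 1
    return starts, covered, uncovered
```

Folders that show up in `uncovered` with high counts are the candidates for a further narrow exclusion; anything the build tools never touch has no reason to be on the list.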
              • 4. Re: Optimising Visual C++ under McAfee VirusScan Enterprise
                rmetzger

                wwarren wrote:

                 

                You can expect significant return in performance by disabling Buffer Overflow Protection and Access Protection features (requires Patch 2 or later to be installed).

                Further tuning using low risk is possible, and you might find some key file/folder exclusions help too.

                 

                An area of overhead that can't be avoided though is our mfehidk.sys driver's functionality in tracking processes. And in a build environment you have many, many, many short-lived processes - or rather, the same processes being spawned hundreds or thousands of times in the course of the build. As always, multiply a tiny amount of overhead for a single action by hundreds or thousands of repetitions in a short amount of time, and that tiny amount of overhead becomes very noticeable.

                It's something to look for improvements on in future releases of the product.

                So, would you say, turning Off Process On Enable is suggested? What about ScriptScan? How about Scanning inside Archives? Which Access Protection features are you potentially suggesting? Of course, all of which should be associated to a Low-Risk Process, I assume, correct?

                 

                Really interested. . .

                Ron Metzger

                • 5. Re: Optimising Visual C++ under McAfee VirusScan Enterprise
                  wwarren

                  So, would you say, turning Off Process On Enable is suggested? What about ScriptScan? How about Scanning inside Archives? Which Access Protection features are you potentially suggesting? Of course, all of which should be associated to a Low-Risk Process, I assume, correct?


                  Process On Enable should be off, for everyone.

                  The only customers who need it on are those who want their systems locked down per our "Maximum Protection" setting option you can pick at install time. We made this change in its classification with repost w/ patch 1.

                   

                  For the other options, it all depends on what is relevant for your build environment -

                  - ScriptScan will be relevant only for processes using javascript or VBscript, in which case you would use a process exclusion before looking at disabling the feature.

                  - Archive Scanning should be off, if that's a file type leveraged by the build system. Scanning the end result with archive scanning enabled might be the better idea.

                  - Placing processes into low risk is advisable for performance sake. Most people aren't compiling malware, I hope. Remember the process itself is still scanned, but the work it will be doing will not be scanned (that's how I would configure it anyways).

                   

                  After making these sorts of changes and if still not seeing the desired performance, either there's tuning yet to be had or you're hitting upon a design limitation of the existing product version.

                  • 6. Re: Optimising Visual C++ under McAfee VirusScan Enterprise

                    Hi Ron,

                     

                    Firstly, I apologise for posting my last reply on the wrong thread ("Scan processes on enable"). I have quoted your entire reply below so that we keep the context:

                    Hi David,

                     

                    I agree, but to have both the enhanced memory scanner and older 'Scan Processes on Enable' is not recommended. (See "VSE_8.7i_Patch 3.pdf")

                     

                    I might also look at "Heuristic network check for suspicious files" (Artemis by another name) as I would expect that modifying or creating .exe files would seem 'suspicious' and create some delay(s) in the process of compiling. See if 'Disabled' helps performance.

                     

                    Also, check whether 'Scanning on network drives' is checked. If so, I would recommend un-checking this as long as the network share (server) has its own AV solution actively running. (This assumes the developers access networked files for libraries, code, etc.)


                    Just some thoughts,

                    Ron Metzger


                    Now, please will you tell me how to determine whether the "enhanced memory scanner" is ON?

                     

                    As I wrote before, we have  'Scan Processes on Enable'  turned ON, so we need to turn it off if the enhanced memory scanner is turned ON.

                     

                    David

                    • 7. Re: Optimising Visual C++ under McAfee VirusScan Enterprise
                      rmetzger

                      DavidA wrote:

                       

                      Hi Ron,

                       

                      Firstly, I apologise for posting my last reply on the wrong thread ("Scan processes on enable"). I have quoted your entire reply below so that we keep the context:

                      Hi David,

                       

                      I agree, but to have both the enhanced memory scanner and older 'Scan Processes on Enable' is not recommended. (See "VSE_8.7i_Patch 3.pdf")

                       

                      I might also look at "Heuristic network check for suspicious files" (Artemis by another name) as I would expect that modifying or creating .exe files would seem 'suspicious' and create some delay(s) in the process of compiling. See if 'Disabled' helps performance.

                       

                      Also, check whether 'Scanning on network drives' is checked. If so, I would recommend un-checking this as long as the network share (server) has its own AV solution actively running. (This assumes the developers access networked files for libraries, code, etc.)


                      Just some thoughts,

                      Ron Metzger


                      Now, please will you tell me how to determine whether the "enhanced memory scanner" is ON?

                       

                      As I wrote before, we have  'Scan Processes on Enable'  turned ON, so we need to turn it off if the enhanced memory scanner is turned ON.

                       

                      David

                      The "enhanced memory scanner" is ON if you have VSE v8.7i with Patch 2 or Patch 3 installed. This was a program improvement. Read "VSE87i Patch3.pdf" for details.

                      Previous Improvements

                       

                      14. The on-access scanner memory scan function
                           (Processes on enable) has been modified significantly to make
                           it more comprehensive.

                      NOTE: The improved functionality can cause a performance impact
                                 to the system. See item #2 under Known Issues.
                      ...
                      Known Issues
                      2. Issue: With the improved functionality of the on-access scanner
                          memory scan, lower and middle ranged systems may see a
                          performance impact at startup and after a successful AutoUpdate
                          of the engine or DATs. Currently the Process on enable option is
                          enabled by default on the shipping version of VirusScan Enterprise
                          8.7i. McAfee recommends that in a managed environment, disable
                          this option prior to deployment of the Patch, until the impact of
                          memory scanning can be determined for your environment. It is
                          not possible to maintain both the more comprehensive scanning
                          that comes with Patch 1 and later, and the former level of scanning.
                          Therefore, only the more comprehensive scan is used.

                      NOTE FOR CURRENT AND NEW USERS:
                        * The Patch installation does not modify current settings to disable
                           the Process on enable option.
                        * The VirusScan 8.7i NAP and extension that are included with the
                          Patch do change the McAfee Default policy, but do not modify the
                          My Default policy, or any custom policy settings that were made
                          prior to the check-in of the new NAP/extension.
                        * The VirusScan Enterprise 8.7i Repost with Patch now installs with
                           the Process on enable option disabled, unless the Maximum
                           Security option is selected during the installation.

                      The improved memory scanner is there (On) without a choice, making the Processes On Enable = ON redundant. For legacy reasons, the Process on Enable feature remains in place, I believe, for compatibility reasons. As such, the decision to shut off this setting also remains, for those who feel the need to test before deployment. Except for the most strict security policies, Process On Enable has been deprecated. However, the settings for existing policies do not get changed automatically, as they are for a fresh install. So, upgrading and patching leaves this setting as it was before the patch. And a fresh install leaves this setting Off (except when the stricter 'Maximum Security' option is chosen).

                       

                      (OT) One of the things that I feel make VirusScan Enterprise so much better than other security products I have been involved with, is the great abilities it has, to customize and balance performance and security. Using features like 'Low-Risk Processes' where one can tune the exposure and improve performance without sacrificing security in other areas of the system seems like a great way for the network/security administrator to provide real service and benefits to your developer(s). Processes On Enable is such a small part of this problem. Explore all the documentation, knowledge base, and the settings available, so that this tuning process can reach your goals of good security and performance.

                       

                      I wish you the best of luck and I hope that this tuning process goes well.

                      Ron Metzger

                      • 8. Re: Optimising Visual C++ under McAfee VirusScan Enterprise

                        Hi Ron

                         

                        The improved memory scanner is there (On) without a choice, making the Processes On Enable = ON redundant.

                        Thanks very much for your reply. I have passed on the info you provided to our IT guys. This should help us improve performance.

                         

                        Best regards

                         

                        David