7 Replies Latest reply on Oct 30, 2010 10:15 AM by chris128

    See what On Access Scan is actually scanning

      Hi Guys,

       

      We are using VSE 8.7 on all of our workstations and lots of the workstations use an intranet site throughout the day but a few of them are having problems with the performance of the site. What we have found is that when the site is running slowly for them the McShield.exe process is taking up a large amount of the CPU on each workstation. Is there any way we can get VSE to log exactly what it is scanning? This doesn't happen all the time so I don't want to have to sit there and watch the "last file scanned" thing for ages whilst the user's try to access the site (also this wouldn't be very accurate as I could easily miss something).

       

      Thanks, Chris

        • 1. Re: See what On Access Scan is actually scanning
          rmetzger

          chris128 wrote:

           

          Hi Guys,

           

          We are using VSE 8.7 on all of our workstations and lots of the workstations use an intranet site throughout the day but a few of them are having problems with the performance of the site. What we have found is that when the site is running slowly for them the McShield.exe process is taking up a large amount of the CPU on each workstation. Is there any way we can get VSE to log exactly what it is scanning? This doesn't happen all the time so I don't want to have to sit there and watch the "last file scanned" thing for ages whilst the user's try to access the site (also this wouldn't be very accurate as I could easily miss something).

           

          Thanks, Chris

          Hi Chris,

           

          It sounds like you need to analyze the differences between those who do not see the problem and those who do, correct?

           

          A couple of questions:

          1. Are these systems (having problems) 32 bit or 64 bit Windows?
          2. Is .Net Framework v2.0 installed?
          3. Have you White Listed or changed the White Listing of your intranet site

           

          McAfee has a tool for helping with this analysis.

           

          Profiler requires .Net Framework 2.0 to be installed and works on 32 bit Windows (XP and above).

           

          Hopefully this tool can help isolate what is happening on both the good and badly behaving systems.

           

          Let us know if this helps.

          Ron Metzger

          • 2. Re: See what On Access Scan is actually scanning
            woodsjw

            Check out VirusScan Profiler:

             

             

            What is McAfee VirusScan Profiler? 
            McAfee VirusScan Profiler provides administrators the ability to  see how McAfee processes are affecting their systems and ultimately  performance.

            McAfee VirusScan Profiler gathers statistics from  systems and shows how on-access scan is affecting the CPU. McAfee Profiler  captures top processes and files that are accessed by on-access scan. Based on  the data collected, an administrator can decide if they want to exclude a  process or a file for scanning to lessen the impact on the system.

             

            To download the McAfee VirusScan  Profiler:

            1. Go to  http://mer.mcafee.com/enduser/downloadmcprofiler.aspx.
            2. Accept the license agreement, and then click  Download.

             

            Ron beat me to it!

             

             

            Message was edited by: woodsjw on 10/22/10 8:23:25 AM GMT-08:00
            • 3. Re: See what On Access Scan is actually scanning

              See also KnowledgeBase article KB69683 with a link to the documentation.

               

              HTH

              • 4. Re: See what On Access Scan is actually scanning

                Thanks for the replies guys, I ran the Profiler and got the user to try doing something on the website that goes slow (sure enough McShield started taking up around 70% of the CPU again). However, looking at the profiler log all I can see is that it scans the following, all in the temporary internet files folder:

                 

                FileRead/Write CountPercentage
                trident[1].js517%
                dxr[3].axd413%
                dxr[4].axd413%
                salescontracts[1].htm310%
                scriptresource[1].axd310%

                 

                The thing is though, I can't just exclude the temporary internet files folder because obviously that is one of the most likely locations for a virus to originate from, so any ideas how we can avoid this? I'm going to run the profiler on some of the workstations that do not have this problem and see what sort of stats they report but not sure how that is going to help either way really..

                 

                Thanks

                Chris

                • 5. Re: See what On Access Scan is actually scanning

                  I suspect it's actually an issue with Scriptscan with that website - not the actual On-Demand scanner. From memory, profiler won't seperate out what is being scanned.

                   

                  Have a look at whitelisting the website

                  https://kc.mcafee.com/corporate/index?page=content&id=KB65382

                  1 of 1 people found this helpful
                  • 6. Re: See what On Access Scan is actually scanning

                    Thanks that sounds like it will help and even if it doesn't sort out this problem I'm sure its worth doing for our internal websites. Will give it a go and let you know the results thanks

                    • 7. Re: See what On Access Scan is actually scanning

                      Adding the site to the ExcludedURLs registry key seems to have made a big improvement thanks! We have now rolled this out to all of our workstations via group policy (if anyone wants the group policy ADM file I made for controlling this setting just let me know).