Skip navigation
McAfee Secure sites help keep you safe from identity theft, credit card fraud, spyware, spam, viruses and online scams
3182 Views 0 Replies Latest reply: Oct 27, 2010 6:12 PM by John Oz RSS
John Oz Group Leader 4 posts since
Sep 26, 2009
Currently Being Moderated

Oct 27, 2010 6:12 PM

McShield.exe causing high CPU usage when starting On Access Scan

Background

We apparently have a "sensitive" application that while running and On-Access Scan is enabled from a disabled state (from the mcconsole) it causes the application to crash.  I'm not quite sure what specifically is causing the crash, but I notice the McShield.exe process spikes to 99%-100% when the crash occurs and after that all is good.

 

I can match correlate each occurrance of the crash to an event in the Windows Event Log which indicates the McShield Service was started.

 

Source: McLogEvent

ID: 5000

Description:

McShield service started.

Engine version : 5400.1158

DAT version : 6135.0000

 

Number of signatures in EXTRA.DAT : None

Names of threats that EXTRA.DAT can detect : None

It doesn't have anything to do with the Policy reinforcement Interval as I can do a collect and send props all day without duplicating the issue, it is only linked to the start of the OAS service.  The issue occurs when there is a DAT update since when applying the DAT OAS is forced to shutdown and restart.  Our update task is set to occur at 2am every morning and machines are online overnight, but the service continues to be restarted periodically throughout the day (2-3) times without any regular intervals.

 

Once On-Access Scanning is running, all is fine...the application runs perfectly well, but McShield service keeps restarting and thus crashes the application...

 

Questions

Is there a way to prevent the service from taking up so much CPU when OAS is enabled? 

Or...

How do I determine what's causing the service to keep restarting when new DAT's are not being applied?  Is it possible for the service to be restarted because it thinks it got a DAT even though the DAT version never changed?

 

Troubleshooting

  • Our policy does have the "Scan Processes on Enable" enabled, but after disabling it the issue is still present.
  • Disabled all scanning option in the On-Access Default Processes Policy (scans writes only)
  • Disabled all scanning option in the On-Access Default Processes Policy (scans reads only)
  • Applied VSE 8.7i Patch 4
  • Applied Agent 4.5 Patch 2
  • Tried the registry fix for Agent Updates

 

Windows XP SP3

VSE 8.7i SP4

Agent 4.5 SP2

More Like This

  • Retrieving data ...

Bookmarked By (0)

Legend

  • Correct Answers - 5 points
  • Helpful Answers - 3 points