4 Replies Latest reply on Mar 3, 2011 8:37 AM by clbarnett

    New DAT update starts scan, then slows down machine


      We have ePO set up to deploy new DAT updates about 2:30pm, randomized I believe. So by 3pm a Windows 7 user gets the update and it does a small scan, which I didn't think it does, but then it hits a few files and leaves event ID messages saying it had to cancel the scan because of a timeout. Well, this small scan brings the machine to its knees. It only happens on Win7 machines. We have McAfee 8.7 patch3 with Spyware module.


      The thread https://community.mcafee.com/thread/24317 is very similar but we do not allow the user to create tasks. Funny, because the files it gets these errors on are very small so it should complete within the timeout period. Also, one of the files is in the McAfee\commonframework\current folder. I understand the timeout period but why is it killing the box? A new DAT should not be scanning

        • 1. New DAT update starts scan, then slows down machine

          Are you sure it is not On-Access scans that are timing out?  Unpacking and loading the new DAT is a processor-intensive task.  I have seen timeouts on On-Access scans that occur while the DAT is being updated and loaded, including very small McAfee-related files.  I even have the newest Agent 4.5 and VSE 8.7 patches, which reduced these incidents but did not completely eliminate them.  We do have older hardware - mostly 3 GHz P4 w/ HT enabled.  Not sure why you would only see this on Win 7, unless your Win 7 systems are also running some other software that the non-Win 7 systems don't.

          • 2. New DAT update starts scan, then slows down machine

            The XP and the Win7 have the exact same programs on them. And yes, I am positive that no On-Access scans are happening. The thing is that when it kills the machines we cannot even go into Task Manager to view what is killing it, but if we have it open then we see McShield going at about 50% CPU usage. The On Demand scan only happens in the morning and no scan should be happening late in the day unless the user logs in late and then it does their normal on-demand scan if it has been more than a certain period of time since last scan. The DAT update is killing it but why is it doing a scan?


            We get


            The scan of C:\Some file has taken too long to complete and is being canceled.  Scan engine version used is 5400.1158 DAT version 5960.0000.


            when the machine comes to a halt, but no scan is happening.

            • 3. Re: New DAT update starts scan, then slows down machine

              That is the message we get in the Windows event log when an On-Access scan times out.  If you look in ePO's threat event log for that system at the matching time and date (remember ePO displays in UTC, not local time zone), and click on the event, does the Analyzer Detection Method say OAS?


              Sorry, I guess I'm getting away from the most important part of your question, which is why the DAT update is having such a significant impact on your Win 7 systems.  I guess I can't help you there.




              Message was edited by: jguenrdc on 2/24/11 10:13:42 AM CST
              • 4. Re: New DAT update starts scan, then slows down machine

                Do you have the setting 'scan processes on enable' configured?  If so, every time McAfee starts up, including immediately after a DAT update, your system is going to run a resource-intensive scan of everything in memory.  This could result in slowdowns and timeouts.


                According to McAfee's own recommendations, do not scan running processes.


                KB67634 "Process scanning is resource intensive and can negatively affect system performance. McAfee recommends that you disable the option to scan Processes on enable unless you require the maximum protection configuration for Access Protection in your environment." (https://kc.mcafee.com/corporate/index?page=content&id=KB67634&actp=search&searchid=1273676278938)