So it seems I need to work on my appology I think.
I found a KB saying that I should only look for ProcessMonitor events where:
Operation CONTAINS IRP_MJ_READ
But, what is McShield.exe doing during the following operations (which are the ones I see in ProcessMonitor)?
During the 8 minutes I was logging with ProcessMonitor McShield was doing 360,000 operations inside the "excluded" directory.
1 of 1 people found this helpful
For McShield to exclude a file from scanning, it must still access the file to obtain some information about it.
In other words, you'll still see File I/O from McShield touching all your excluded files - but it won't be scanning them.