This content has been marked as final. Show 5 replies
You have two choices :)
The easy one is to look at the OAS Statistics (just double click de VSE icon at the systray). It allows you to see what folders and files are being scanned.
But sometimes, when the file path is too big, the statistics dialogue box is small and cuts the path, making really hard the task of understating what's being scanned.
Now the hard one. You can use filemon.exe (from sysinternals) to filter the mcshield access to files.
For more info check this McAfee ticket:
I downloaded Filemon but did not know about the
"Advanced Output" setting in the Options menu. That does add more
Which entries indicate a file has been scanned?
Does McShield:xxxx FASTIO_CHECK_IF_POSSIBLE
mean it was scanned by the on access scanner?
Well, when I'm troubleshooting I only focus on IRP_MJ_READ events.
Never investigated other event types.
I have filtered all entries to see only
IRP_MJ_READ entries from over 2 million.
Any suggestions on how to determine which
ones to start excluding?
I see that there are a lot of reads on
shell32.dll. Would that cause the system to respond slowly?
explorer.exe:27312 IRP_MJ_READ C:\WINDOWS\system32\shell32.dll SUCCESS Offset: 0 Length: 12
The log entry you mentioned is from explorer.exe .
You need to filter the process to match only mcshield.exe.