1 Reply Latest reply on Jul 25, 2012 6:54 PM by wwarren

    McAfee Virus Scan Enterprise and AntiSpyware Enterprise 8.8 clashes with IIS 6.0 and SiteImprove Alerts

      Hello All:

      Can you help me?

       

      I am an IIS Server Specialist and would like to know more about a problem which I need to understand.

       

      My company runs McAfee Virus Scan Enterprise and AntiSpyware Enterprise 8.8 and uses a third-party web url/site monitoring portal called Siteimprove.  When there is a situation with hardware or software which would cause the monitored web site to go down, Siteimprove will send a text message out to alert that the web site is down.

       

      Internal investigations have shown that moving the anti-viral/anti-spyware scanning jobs to a different time of the day or night keeps the site up. During the suspected "downtime" interval, http.sys logs, site logs, eventvwr (application and system) logs show the system is up, servicing and handling requests and fielding responses.

       

      I think this McAfee product is consuming all the system resources in respect of the servers: cpu/memory/hard disc assembly.  It is not unknown for the cpu assembly to run at 100% for a considerable amount of time.  IIS is there to provide application availability and function. It seems to me that McAfee is strangling the server if it thinks or has found a threat. This was proved by watching server jobs via Taskmgr.

       

      When the scanning job finishes, McAfee releases resources/processes and lets IIS 6.0 render the Web Site. I also use Tridion 5.3 and Umbraco 4.3.1 to manage/administrate my web site(s).

       

      Surely, McAfee should work seamlessly and unobtrusively?

       

      Is there anyone else out there in corporate internet-land who has experience of this situation and has any ideas on how I can make this situation better?

       

      All constructive comments welcomed.

       

      Thanks.

       

      Message was edited by: main_man123 on 22/07/12 05:52:08 CDT
        • 1. Re: McAfee Virus Scan Enterprise and AntiSpyware Enterprise 8.8 clashes with IIS 6.0 and SiteImprove Alerts
          wwarren

          Yes, there are things you can do to help.

          And there are certain actions of the product where it's unavoidable that we'll be using as much CPU as we can get. Knowing what those are, and possible ways around them, could help you manage your server availability.

           

          1. When updates occur.

          The daily DAT update puts enormous strain on a system; CPU/memory/disk all see a spike in activity by multiple McAfee processes, most predominantly "McScript_InUse.exe" and "McShield.exe".

          • Install the latest version and patch (sounds like a cop out but it's common sense, we fix issues and those fixes go into our latest release)
          • Make these changes: KB66044
          • Make sure you don't have this issue: KB75051
          • Make sure the On Access Scanner setting "Processes on Enable" is OFF.

          ... and more relevant fixes are coming with VSE 8.8 Patch 2.

           

          2. When a scheduled scan occurs

          This action invokes the process Scan32.exe or Scan64.exe. Easy to spot if this is the cause or a contributor of performance woes; i.e. it'll be a running process when things are bad.

          • The on-demand scanner "system utilization" setting should be "Below normal" or lower.
          • Do not scan Archives in the configuration (a current engine limitation can lead to archive files creating a train wreck-like bottleneck for the scanner threads, which will impact performance)
          • Do not scan memory (unless you're willing to take an initial performance hit when the task runs - the system utilization setting applies to scanning of files, not to the memory scan)
          • Run the scan at low usage times

           

           

           

          There are other specifics but they would be in place by default, such as sharing the OAS scan cache with the ODS.

          These come to mind initially at least.
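
The reply above says the cause is easy to spot because the responsible process will be running when things are bad. The script below is an added example, not part of the thread and not McAfee tooling, that logs the CPU share of the four processes named in the reply so the timestamps can be lined up with monitoring alerts. The sampling interval, sample count and log path are assumptions.

```powershell
# Added example: log CPU use of the McAfee processes named in the reply.
# Process names come from the thread; interval, sample count and log path are assumptions.
# Requires PowerShell 2.0 or later.
$names    = 'McShield', 'McScript_InUse', 'Scan32', 'Scan64'
$interval = 30                      # seconds between samples (assumed)
$samples  = 120                     # 120 x 30 s = one hour (assumed)
$logPath  = 'C:\Temp\vse-cpu.csv'   # hypothetical path; the folder must exist
$cores    = [Environment]::ProcessorCount

function Get-CpuSnapshot {
    # Returns "name:pid" -> cumulative CPU seconds for each watched process.
    $snap = @{}
    Get-Process -Name $names -ErrorAction SilentlyContinue | ForEach-Object {
        $cpu = $null
        try { $cpu = $_.TotalProcessorTime.TotalSeconds } catch { }
        # $cpu stays $null when the process exited or its counters are not readable
        $snap["$($_.ProcessName):$($_.Id)"] = $cpu
    }
    return $snap
}

'Time,Process,Pid,CpuPercent' | Out-File -FilePath $logPath -Encoding ASCII
$prev = Get-CpuSnapshot
for ($i = 0; $i -lt $samples; $i++) {
    Start-Sleep -Seconds $interval
    $now   = Get-CpuSnapshot
    $stamp = Get-Date -Format 'yyyy-MM-dd HH:mm:ss'
    foreach ($key in $now.Keys) {
        if ($null -eq $now[$key]) { continue }
        # A process first seen in this sample started during the interval,
        # so all of its CPU time belongs to the interval.
        $before = 0
        if ($prev.ContainsKey($key)) {
            if ($null -eq $prev[$key]) { continue }   # no baseline to subtract
            $before = $prev[$key]
        }
        # Approximate share of total CPU capacity used during the interval
        $pct = [math]::Round(100 * ($now[$key] - $before) / ($interval * $cores), 1)
        $name, $procId = $key -split ':'
        "$stamp,$name,$procId,$pct" | Out-File -FilePath $logPath -Append -Encoding ASCII
    }
    $prev = $now
}
```

Rows for Scan32 or Scan64 at the time of an alert point to the scheduled scan (item 2 in the reply); rows for McScript_InUse or McShield point to the update (item 1).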