7 Replies Latest reply on Jun 24, 2016 11:55 AM by rmetzger

    On Demand Full Scan idle when computer idle, why?

    maajdl

      Hello,

       

      Every month the Full Scan scheduled in my company make me nervous.
      It slows down my computer too much and I am obliged to PAUZE the Full Scan.

      As I take care for my computer, I always RESUME the process when I don't need my computer anymore, typically during the night.

       

      When I wake up in the morning, I always observe a strange thing:

       

      - the CPU usage is near 0%

      - Virus Scan has stopped scanning (it scanned only 100000 files or so, not a lot)

      - when I start working, Virus Scan begins again to use 25-50% of the CPU

       

      My summary is that Virus Scan does not work a lot when I don't use my computer,

      and it likes to run when I need my computer.

       

      We are using VirusScan Enterprise, I have no admin rights on VirusScan.

      I asked our help desk to solve this problem, since two months now, and keep them informed of my observations.

      I guess they have no clue about how to solve that.

       

      Would you have some suggestion?

       

      Thanks

       

      Michel

        • 1. Re: On Demand Full Scan idle when computer idle, why?
          Peter M

          Moved to VSE for faster responses.

          ---

          Peter

          Moderator

          • 2. Re: On Demand Full Scan idle when computer idle, why?
            sriniraula

            • Configuring what locations to scan • Scheduling how often to scan Configuring what locations to scan Regular on-demand scans should, at a minimum, include the following McAfee default On-Demand Scan locations: • Memory for rootkits • Running processes • All local drives NOTE: To improve system performance during on-demand scanning of All local drives set the scanner system utilization to Below Normal or Low. Refer to Configuring system utilization to match system use. Configuring Essential Security 7. Configuring regular on-demand scans McAfee VirusScan Enterprise 8.8 13 • Cookies • Registry Click the following Scan Options: • Include subfolders • Scan boot sectors The following ePolicy Orchestrator 4.5 display shows these on-demand scan location settings and options configured:

            See on screenshots below:

            epo.JPG

             

            On-demand scanning of processes and memory is the early warning system for your VirusScan Enterprise protected computers. You must enable this feature, as part of your essential protection, to scan running processes and memory for rootkits at least once per day. This on-demand scan finishes in 30-90 seconds with virtually no impact to the end-users. NOTE: Any system with a detection from this memory scan should have a full on-demand scan performed immediately. Rootkits and hidden processes function at the operating system level and are very hard to find once they gain access. They allow the attacker to have hidden access to your system at the Administrator level and they are your worst nightmare. Malware rootkits can inadvertently be installed on a target computer when you: • Open rich-content files, such as PDF documents. • Open malicious links that appear legitimate. • Install a legitimate application with a rootkit added as part of the installation.

             

            NOTE: Configure throttling using the Performance tab and the System utilization slider

            • 3. Re: On Demand Full Scan idle when computer idle, why?
              maajdl

              I would like to understand why  VirusScan stops scanning when the computer is fully available.

              Eventually, I would like to know how to change that and communicate this solution to our helpdesk.

               

              My hope is that by pausing a full scan when I work and resuming the full scan during the night,

              I could bring the scan to an successful end.

               

              For the moment, a full scan would stop after some time and restart when I am again busy on my computer.

              This is rather frustrating and totally illogical.

              Our helpdesk has no clue.

               

              Thanks,

               

              Michel

              • 4. Re: On Demand Full Scan idle when computer idle, why?
                tomz2

                Michel,

                 

                There are a number of variables in your organization's scan task that could contribute to the behavior that you are seeing. I'm a bit surprised that you are having to investigate this yourself and your admins have not engaged to review. Sounds like your help desk needs to escalate your ticket to your ePO admins.

                 

                If your organization has scan archive files enabled in an on-demand scan task, that could contribute to increased scan times and reduced performance. This is not a best practice. Archive files on their own are benign. It's when files are extracted that a problem could occur, so we recommend not scanning archive files during on-demand scans, but do it with on-access scanning.

                 

                The amount of your own user data can contribute to increased scan times and reduced performance. If your organization has a high number of exclusions in their policies, that can cause the scanner to bog down as well.

                 

                There are a number of changes in recent VirusScan Enterprise 8.8 patches around scan performance. At a high-level, we rely on Windows to manage the amount of system resources we consume. By design, when a scan is running, we want to consume as many resources as possible as this will lead to scans completing faster. We rely on Windows to manage system idle time and balance scan performance with an active user session.

                 

                I would strongly suggest that your ePO admins engage as they can use some tools such as McAfee Profiler to analyze what the scanner is doing during a scan task, and they have the ability to engage our support folks should the need arise.

                • 5. Re: On Demand Full Scan idle when computer idle, why?
                  rmetzger

                  maajdl wrote:

                   

                  I would like to understand why  VirusScan stops scanning when the computer is fully available.

                  Eventually, I would like to know how to change that and communicate this solution to our helpdesk.

                   

                  My hope is that by pausing a full scan when I work and resuming the full scan during the night,

                  I could bring the scan to an successful end.

                   

                  For the moment, a full scan would stop after some time and restart when I am again busy on my computer.

                  This is rather frustrating and totally illogical.

                  Our helpdesk has no clue.

                   

                  Thanks,

                   

                  Michel

                  Hi Michel,

                   

                  Tomz2 is on point on many issues that should be looked at by your Security/Network Administrator.

                   

                  Another simple reason why a Full Scan may stop during the overnight hours:

                  Power Settings, possibly the system is going to Sleep or Hibernating. Can you try and disable settings for Sleep or hibernate?

                   

                  Nothing seems logical until after the problem is fully understood and solved.

                   

                  Let us know if and what helps.

                   

                  Thanks,

                  Ron Metzger

                  • 6. Re: On Demand Full Scan idle when computer idle, why?
                    maajdl

                    Thanks all of you for the suggestions that will need to be checked.

                     

                    Thanks Ron for your last point.

                    This one just came also to my mind, and I checked.
                    The computer did not go to (full) sleep.

                    However, the power plan was on "Balanced" which probably can suspend low priority tasks.

                     

                    When I switched the power plan to "Ultra Performance", I checked that the Virus Scan does not stop anymore during night.

                    Virus Scan had scanned about 2.500.000 files when I woke up, and apparently it had job done shortly after.

                    I then restarted the computer.

                    To my great disappointment, McAfee decided to restart the Full Scan from scratch counting files from 0 again!

                     

                    I am still disappointed by these troubles because I have little possibility for action,

                    little help and hope from our IT dept and its bureaucracy, and it wasted me certainly 8 hours this week!

                     

                    As you can see, I came to this forum to find suggestions I could turn to our IT dept.
                    I am still interested by other suggestions ...

                     

                    Specifically, I would like to understand when/why McAfee decides to restart a Full Scan that seemed to have completed.

                     

                    Thanks,

                     

                    Michel

                    • 7. Re: On Demand Full Scan idle when computer idle, why?
                      rmetzger

                      Hi Maajdl (Michel),

                      maajdl wrote:

                       

                      However, the power plan was on "Balanced" which probably can suspend low priority tasks.

                       

                      When I switched the power plan to "Ultra Performance", I checked that the Virus Scan does not stop anymore during night.

                      Virus Scan had scanned about 2.500.000 files when I woke up, and apparently it had job done shortly after.

                      I then restarted the computer.

                      To my great disappointment, McAfee decided to restart the Full Scan from scratch counting files from 0 again!

                       

                      Specifically, I would like to understand when/why McAfee decides to restart a Full Scan that seemed to have completed.

                       

                      Thanks,

                       

                      Michel

                      Sorry for this late reply.

                       

                      So, Power settings may be involved.

                       

                      There may be two issues combined. Specifically: When an On-Demand Scan runs, it will run until complete, assuming the power is not reset or a reboot does not happen, or a timeout period has not elapsed. If a restart occurs, the VSE v8.8 On-Demand Scan is suppose to continue where it left off.

                       

                      See: http://kc.mcafee.com/corporate/index?page=content&id=KB71905&pmv=print VirusScan Enterprise 8.8 cache persistence best practices

                       

                      However, if a DAT update occurs, the Persistent Cache is cleared and the scan restarts from the beginning. (This is as designed, to detect new malware newly introduced to the new DAT.)

                       

                      So, if your system received an update to the Signature files and had Not completed the scan, after the reboot, the scan should restart from the beginning. Perhaps your I.T. team can review the logs and determine what is happening.

                       

                      I might suggest disabling the scanning of Archives. I have found this to often take a great deal of time and stealing performance. (When extracting files from an Archive, the On-Access Scanner with default settings should catch any file within the archive file during extraction as it is written to disk. Some might argue that On-Demand Scanning of archives is redundant and unnecessary when On-Access Scanning is properly configured. Your mileage may vary and this is typically up to your Network/Security Administrators responsibility.)

                       

                      I might also suggest a thorough review of:

                      McAfee KnowledgeBase - Best Practices for On-Demand Scans in VirusScan Enterprise 8.8

                       

                      Partner up with your I.T. Department to better optimize VSE in your environment.

                       

                      Let us know what helps.


                      Thanks,

                      Ron Metzger

                      1 of 1 people found this helpful