How to improve performance with Endpoint Security
Technical Articles ID: KB88205
Last Modified: 2023-03-20 06:29:30 Etc/GMT
Environment
Endpoint Security (ENS) Adaptive Threat Protection (ATP) 10.x
ENS Threat Prevention 10.x
Summary
Use this article to improve performance and solve problems that can occur after you install ENS. The article is updated as more information is gathered about performance issues. So, check here first for assistance if you experience performance symptoms.
Topics in this article:
- McShield.exe - high CPU use from McShield might not be the problem
- On-access scanner - uses CPU only when needed
- On-demand scanner - scanning when idle can use all CPU
- Exclusions - not the most efficient way to improve performance
- Profile Scanning to improve performance
- Allowing files via the GetClean tool
- Scan Avoidance - most efficient way to improve performance
- Adaptive Threat Protection - another performance enhancing option
McShield.exe
The McShield.exe process in ENS is the process that performs scans of files. On-access scanning scans files as they're accessed. On-demand scanning scans the files and locations that you specify, when you request it. It's easy to confuse which feature is contributing to the performance symptom if you look only at this process and its CPU consumption.
To determine whether the on-demand scanner is contributing to a performance symptom for McShield.exe, inspect the OnDemandScan_Activity.log (at %ProgramData%\McAfee\Endpoint Security\Logs). If the symptom coincides with activity in OnDemandScan_Activity.log, it's likely that the on-demand scanner is involved. If not, it's likely that the on-access scanner is involved. Next, follow up on improving performance for the on-access scanner, on-demand scanner, or both, in the sections below.
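The triage step above (does the McShield.exe CPU spike coincide with on-demand scan activity, or not?) can be scripted once you have a CPU sample series for the process and the activity log. The following Python is an added example, not Trellix code; the log line format and both sample inputs are constructed for illustration, so check the real OnDemandScan_Activity.log and adjust LOG_RE and the start/completed keywords to match what you see.

```python
"""Triage helper: split McShield.exe CPU spikes into those that fall inside
an on-demand scan window and those that don't.

Added example, not Trellix code. Log format and samples are constructed.
"""
from datetime import datetime, timedelta
import re

# Assumed line shape: 'YYYY-MM-DD HH:MM:SS <message>' (constructed, not the real format)
LOG_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(.*)$")
TS_FMT = "%Y-%m-%d %H:%M:%S"

# Constructed sample of OnDemandScan_Activity.log content (two scan windows).
SAMPLE_LOG = """\
2023-03-20 01:00:00 Scan task 'Nightly Full Scan' started
2023-03-20 01:45:10 Scan task 'Nightly Full Scan' completed
2023-03-20 12:00:00 Scan task 'Quick Scan' started
2023-03-20 12:05:30 Scan task 'Quick Scan' completed
"""

# Constructed McShield.exe CPU samples (timestamp, percent), as you might
# export them from Performance Monitor.
SAMPLE_CPU = [
    ("2023-03-20 01:10:00", 85.0),  # inside the nightly scan
    ("2023-03-20 03:00:00", 2.0),   # idle
    ("2023-03-20 09:30:00", 70.0),  # no on-demand scan running
    ("2023-03-20 12:02:00", 90.0),  # inside the quick scan
    ("2023-03-20 15:00:00", 65.0),  # no on-demand scan running
]


def parse_scan_windows(log_text):
    """Return (start, end) datetime pairs for each on-demand scan.

    A scan that started but never completed within the log is returned
    with end=None and treated as still running.
    """
    windows, current_start = [], None
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), TS_FMT)
        msg = m.group(2).lower()
        if msg.endswith("started"):
            current_start = ts
        elif msg.endswith("completed") and current_start is not None:
            windows.append((current_start, ts))
            current_start = None
    if current_start is not None:
        windows.append((current_start, None))
    return windows


def classify_spikes(cpu_samples, windows, threshold=50.0,
                    slack=timedelta(minutes=1)):
    """Split samples at or above `threshold` by whether an on-demand scan
    was active (within `slack` of a window) at that moment."""
    during_ods, outside_ods = [], []
    for ts_str, pct in cpu_samples:
        if pct < threshold:
            continue
        ts = datetime.strptime(ts_str, TS_FMT)
        active = any(
            start - slack <= ts and (end is None or ts <= end + slack)
            for start, end in windows
        )
        (during_ods if active else outside_ods).append((ts_str, pct))
    return {"on_demand": during_ods, "on_access": outside_ods}


def verdict(result):
    """Name the scanner the investigation should focus on next."""
    if result["on_demand"] and not result["on_access"]:
        return "on-demand scanner"
    if result["on_access"] and not result["on_demand"]:
        return "on-access scanner"
    if result["on_demand"] and result["on_access"]:
        return "both scanners"
    return "no spikes above threshold"


if __name__ == "__main__":
    result = classify_spikes(SAMPLE_CPU, parse_scan_windows(SAMPLE_LOG))
    print(verdict(result))  # both scanners
    for label, spikes in result.items():
        print(label, spikes)
```

Spikes in the "on_access" bucket point you at the on-access sections that follow; spikes in the "on_demand" bucket point you at the on-demand scanner settings.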
Back to topics
On-access scanner
The on-access scanner is the real-time scanner, and it uses CPU only when other running processes access files on disk. A Read Scan occurs before a file is read; a Write Scan occurs after a file is written to the disk. CPU use is proportional to the amount of Read or Write file activity that's occurring.
If you believe that the on-access scanner is using excessive CPU, contact Technical Support to investigate the behavior further. Several approaches can improve performance for the on-access scanner, whether it be for Read scanning or Write scanning.
Back to topics
Using Profile Scanning to improve performance
Background:
The on-access scanner is equipped with three scanning profiles, named Standard, High Risk, and Low Risk. By default only the Standard profile is used. This means that the configuration for Standard is applied to all processes. That is, when a process accesses a file on disk, the Standard configuration is used for determining whether a scan should occur. Exclusions are defined for each scanning profile.
To enable the additional scanning profiles, select Configure different settings for High Risk and Low Risk processes under Processes Settings. This selection gives you more flexibility in controlling what's scanned or not scanned, because you can define exclusions by profile. If you want exclusions to apply only to certain processes rather than all processes, add exclusions to a High Risk or Low Risk profile and indicate the processes that you want defined for that profile.
Example: Suppose MyApp.exe is the only process writing tens of thousands of temporary files to the C:\Windows\Temp folder. Also, suppose that you know that those files don't need to be scanned because you know the MyApp.exe behavior, but you don't want to exclude \Windows\Temp for all processes.
To use the option Configure different settings for High Risk and Low Risk processes, you define **\Windows\Temp\* as a pattern exclusion in the Low Risk profile. Also, you define MyApp.exe as a process to use the Low Risk profile. Now, all other processes that access \Windows\Temp have their activities scanned. But, the activities of MyApp.exe are excluded from scanning because it resides in the Low Risk profile with the exclusion.
The method from the example can be taken a step further, and this step is where you can improve performance using Profile Scanning. For the processes that you define to use the Low Risk profile, instead of just exclusions, you can set Don't scan when reading from or writing to disk. This setting avoids scanning file activity generated by MyApp.exe and any other processes in that profile, and is a decision point reached much earlier in the scan workflow. This is why this method yields significant performance improvement compared to exclusions.
You can define the SYSTEM process as a Low Risk process, if needed. This definition is applicable when the file read/write on disk is occurring from a different system.
Back to topics
On-demand scanner
The on-demand scanner runs only when you click "Scan Now" from the ENS console, or as a scheduled task (configured from the ENS console or through ePolicy Orchestrator tasks/policies). The on-demand scanner uses CPU only when it has been invoked via these methods. The on-demand scanner can use over 90% of available CPU when run.
There are some best practices that can be configured to reduce the system impact to on-demand scans (ODSs). But, decreases in resource usage are expected to come at the cost of increased scan times.
System Utilization options are available to be configured. This option is related to the Windows Priority Control, which determines the priority of the on-demand scanning process when the operating system determines where to allocate system resources as needed. At a basic level, the higher priority a process is assigned under Windows Priority Control, the more resources it can claim compared to lower priority processes trying to access those same resources. For more information, see KB55145 - Understanding on-demand scan performance settings. Running an ODS at Below Normal prevents the scan from taking CPU time from processes running at Normal priority. If set to Low, the ODS doesn't take CPU time away from any processes running at any higher priority. Both Low and Below Normal are effective options, with Below Normal having the most efficient balance of resource consumption compared to time increases to scans.
An alternative to System Utilization is using the option to Limit Maximum CPU Usage. This option is only available when the system to scan is running ENS 10.7.x, and only when the Scan Anytime option is selected in the scan configuration. This option replaces the dependency on the operating system's scheduling logic with process CPU consumption thresholds within the ENS ODS policy itself. Once the thresholds are met, ENS takes action to throttle its usage of CPU time to prevent exceeding the configured parameter. For example, if Limit Maximum CPU Usage is set to a value of 25%, ENS tries to keep the McShield.exe process handling the scan below that value except when entering critical actions such as scanning inside archives. While highly effective on scan performance, this option has a direct result on scan times, and doesn't take effect if any exclusions are present for the ODS.
ENS also includes the option to configure scans to only run when the system is determined to be in an idle state, through the setting Scan only when the system is idle. This option completely pauses a running scan when end-users are active on the system, and once user activity on the system ceases, the scan continues while trying to use the maximum amount of resources made available to it. This option takes into account multiple different parameters to determine whether a system is idle, including mouse/keyboard input, disk I/O, and more. This option can be highly effective on end-user systems. But, it's not recommended to be selected when scanning server systems.
You can take more actions in terms of scan locations and scan items to improve scan performance. Scanning compressed archive files can be redundant, as the act of extracting an archive invokes an on-access scan as well. Performing smaller-scope Quick Scans daily of common locations, such as user download directories, Windows folders, and temporary folders can enhance security posture, and also build a scan cache to prevent duplicate scanning. Further enhancements to trust scanning and ODS cache were made in the ENS 10.7.0 June 2021 Update, and running the most recent version of ENS makes sure that the latest product enhancements and improvements are being used.
Back to topics
Exclusions aren't the most efficient way to improve performance
When a file is accessed, there are multiple decision points in the scanning logic or scan workflow. The earlier a decision can be made to avoid scanning the file and its contents, the better the performance gain. Exclusions are processed at the end of the scan workflow, which makes them the least effective way to improve performance.
Exclusions are a simple means to improve performance because the options for excluding files are flexible and you can configure any number of them. But, if you have many exclusions or many unique files that require the exclusion, the time and effort the scan workflow spends processing exclusions can hinder performance. The best practice is to use exclusions as a means to improve scan performance in the following scenarios:
- When a quick and simple solution is needed
- When you don't have an excessive number of exclusions already
- When you don't have an extensive number of unique files being accessed that require the exclusion
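The ordering argument made in the Profile Scanning section and again here (a profile-level "Don't scan" switch is decided early, exclusions are evaluated last and one pattern at a time) can be made concrete with a small model of the decision walk. The following Python is an added illustration, not ENS code: the Profile and Policy structures, the decision-point names, and the wildcard semantics (`**` spans any number of directories, `*` stays within one path segment, matching is case-insensitive) are assumptions for the example; confirm the real wildcard rules against the ENS product guide.

```python
"""Model of the on-access scan decision order: profile read/write switch
first, exclusions last. Added example, not ENS code; wildcard semantics
and data structures are assumptions.
"""
from dataclasses import dataclass, field
import re


@dataclass
class Profile:
    name: str
    scan_on_read: bool = True       # False = "Don't scan when reading from disk"
    scan_on_write: bool = True      # False = "Don't scan when writing to disk"
    exclusions: list = field(default_factory=list)   # path patterns


@dataclass
class Policy:
    profiles: dict                  # profile name -> Profile
    process_map: dict               # lower-case process name -> profile name


def pattern_to_regex(pattern):
    """Translate an exclusion pattern into a regex (assumed semantics)."""
    out, i = "", 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            out += ".*"              # any number of directory levels
            i += 2
        elif pattern[i] == "*":
            out += r"[^\\]*"         # within a single path segment
            i += 1
        elif pattern[i] == "?":
            out += r"[^\\]"
            i += 1
        else:
            out += re.escape(pattern[i])
            i += 1
    return re.compile("^" + out + "$", re.IGNORECASE)


def decide(policy, process, path, operation):
    """Walk the decision points in order and report where the decision fell.

    Returns (action, decision_point, exclusions_evaluated). The later the
    point and the more patterns evaluated, the more work the scanner did
    before it could decide.
    """
    profile = policy.profiles[policy.process_map.get(process.lower(), "Standard")]
    # Decision point 1 (early, cheap): the profile's read/write switch.
    if operation == "read" and not profile.scan_on_read:
        return ("skip", "profile-switch", 0)
    if operation == "write" and not profile.scan_on_write:
        return ("skip", "profile-switch", 0)
    # Trust / scan-avoidance checks would sit between these two points;
    # omitted here to keep the example to the two mechanisms compared.
    # Decision point 2 (last): exclusions, one pattern at a time.
    for count, pat in enumerate(profile.exclusions, start=1):
        if pattern_to_regex(pat).match(path):
            return ("skip", "exclusion", count)
    return ("scan", "default", len(profile.exclusions))


def build_policy(use_profile_switch):
    """The article's MyApp.exe scenario, with or without the Low Risk
    'Don't scan when reading from or writing to disk' switch set."""
    low = Profile("Low Risk", exclusions=[r"**\Windows\Temp\*"])
    if use_profile_switch:
        low.scan_on_read = low.scan_on_write = False
    return Policy(
        profiles={"Standard": Profile("Standard"), "Low Risk": low},
        process_map={"myapp.exe": "Low Risk"},
    )


if __name__ == "__main__":
    temp_file = r"C:\Windows\Temp\job1.tmp"
    print(decide(build_policy(True), "MyApp.exe", temp_file, "write"))   # skip at point 1
    print(decide(build_policy(False), "MyApp.exe", temp_file, "write"))  # skip at point 2
    print(decide(build_policy(False), "notepad.exe", temp_file, "write"))  # scanned
```

The third call shows the scoping the article describes: notepad.exe falls into the Standard profile, which carries no exclusion, so its writes to \Windows\Temp are still scanned. A Standard profile loaded with hundreds of patterns that don't match the file being accessed pays for every one of them before it reaches the default "scan" decision, which is the cost the scenarios above are warning about.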
Back to topics
Allowing files via the GetClean tool
Use the Trellix tool named GetClean (see the GetClean Product Guide, available from the Product Downloads site) to improve scanning performance. This tool provides either samples or file information to Trellix and is used to update our Global Threat Intelligence (GTI) Cloud. After the Cloud is updated, when a scan occurs and a GTI lookup is performed, the response of "known good" can often be returned faster than a scan completes. This negates the need to further inspect the file.
GetClean is also used to obtain certificate information of digitally signed files. Periodically, the team receiving this data reviews submitted data for possible inclusion in our Trust DATs (used by ENS only). When we've designated a digital signature as Trusted via the DATs, all systems worldwide can take advantage of this information. They do so through the Scan Avoidance technology that's built into the scanner and explained below.
Back to topics
Using Scan Avoidance as the most efficient way to improve performance
This feature of the scanner takes advantage of our Trust framework to help recognize when a scan isn't needed. This mechanism provides the greatest performance increase. This feature indicates whether a scan is needed early in the scan workflow. This feature also has longer term relevance because cached Trusted + Clean results survive a DAT update while Clean results alone won't. The use of the GetClean utility feeds into content improvements that apply to scan avoidance.
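The retention rule stated above (a cached Trusted + Clean result survives a DAT update, a Clean-only result does not) is what makes the Trust DAT entries fed by GetClean pay off beyond a single content cycle. The following Python models that rule so the effect on rescans can be counted; it is an added illustration, not ENS code, and the cache layout, the hash keys and the dat_version counter are assumptions.

```python
"""Model of scan-result cache retention across a DAT update.

Added illustration, not ENS code; structure and field names are assumed.
"""
from dataclasses import dataclass


@dataclass
class CacheEntry:
    clean: bool
    trusted: bool       # signer designated Trusted in the Trust DATs
    dat_version: int    # DAT in force when the result was cached


class ScanResultCache:
    def __init__(self, dat_version):
        self.dat_version = dat_version
        self.entries = {}           # file hash -> CacheEntry

    def record(self, file_hash, clean, trusted):
        self.entries[file_hash] = CacheEntry(clean, trusted, self.dat_version)

    def lookup(self, file_hash):
        """'trusted' or 'clean' when the cached result is still usable,
        'miss' when the file would have to be scanned again."""
        e = self.entries.get(file_hash)
        if e is None or not e.clean:
            return "miss"
        if e.trusted:
            return "trusted"        # usable regardless of DAT version
        return "clean" if e.dat_version == self.dat_version else "miss"

    def apply_dat_update(self, new_version):
        """New content arrives: Clean-only verdicts are discarded because
        the new DATs might detect what the old ones did not; Trusted + Clean
        verdicts rest on the signature and are kept."""
        self.dat_version = new_version
        self.entries = {h: e for h, e in self.entries.items()
                        if e.trusted and e.clean}


def rescans_needed(cache, hashes):
    """Count files in `hashes` that would be scanned again on next access."""
    return sum(1 for h in hashes if cache.lookup(h) == "miss")


if __name__ == "__main__":
    # Constructed population: one file from a Trusted signer, one unsigned
    # but clean, one not clean.
    cache = ScanResultCache(dat_version=1)
    cache.record("hash-signed-app", clean=True, trusted=True)
    cache.record("hash-unsigned-tool", clean=True, trusted=False)
    cache.record("hash-flagged", clean=False, trusted=False)
    files = ["hash-signed-app", "hash-unsigned-tool", "hash-flagged"]
    print("before DAT update:", rescans_needed(cache, files))   # 1
    cache.apply_dat_update(2)
    print("after DAT update:", rescans_needed(cache, files))    # 2
```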
Back to topics
ATP
ATP users can gain performance improvements when a trusted vendor and certificate digitally sign the acting process and file objects. An object that's trusted avoids further decision making from ATP. For example, it avoids a reputation lookup from the cloud and checking the scanner's trust disposition toward the object.
Back to topics
Related Information
To contact Technical Support, go to the Create a Service Request page and log on to the ServicePortal.
- If you are a registered user, type your User ID and Password, and then click Log In.
- If you are not a registered user, click Register and complete the fields to have your password and instructions emailed to you.