This article provides a brief description of the processes associated with TA. The sequence in which the main components load is also described below.
TA 5.x Processes
| Windows process | Non-Windows process | Description |
|---|---|---|
| masvc.exe | masvc | Performs functions such as the following: property collection; policy enforcement; scheduling of tasks; agent-server communication; trigger update sessions. |
| mfemactl.exe | N/A | A process created from masvc.exe. This executable monitors the syscore version on the system and applies AAC rules if the supported syscore exists in the TA self-protection policy. |
| macmnsvc.exe | macmnsvc | Hosts multiple TA services such as peer-to-peer server, wake-up, and RelayServer. |
| macompatsvc.exe | macompatsvc | This executable is the compatibility service for the TA service. The TA service starts this service and communicates with the managed product plug-ins. |
| cmdagent.exe | cmdagent | A command-line program that invokes TA. To learn more about switches available with this command, use the following: cmdagent.exe -h |
| FrmInst.exe | N/A | TA installation program. To learn more about switches available with this command, use the following: FrmInst.exe /h |
| maconfig.exe | maconfig | A command-line program used to configure different options of TA. To learn more about switches available with this command, use the following: maconfig -help |
| McScanCheck.exe | N/A | A command-line program used by McScript_InUse.exe to perform DAT or engine updates. |
| McScript_InUse.exe | Mue_InUse | Runs scripts for updating DAT files, engines, service packs, or any other component checked in to a repository. This process loads when the update task is started. |
| UpdaterUI.exe | N/A | Provides the user interface for updates. It also controls the TA icon in the notification area and is loaded using the Run key in the Windows registry. |
| marepomirror.exe | N/A | Performs repository mirroring according to the policy settings. |
| FramePkg.exe | N/A | TA installer. |
| mctray.exe | N/A | Icon management tool. It runs under the same user session. The UdaterUI.exe process starts the icon. |
| mcupdater.exe | | Initiates the Data Exchange Layer (DXL) client installer as part of the TA install. |
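The table above states three launch relationships (mfemactl.exe is created from masvc.exe, the updater UI starts mctray.exe, and McScanCheck.exe is used by McScript_InUse.exe), which can serve as a baseline when reviewing process-creation telemetry. The following is an added example, not vendor code: the record layout, the paths, and the reading of "used by" as a parent relationship are assumptions, and all sample events are constructed.

```python
# Added example (not vendor code). Parent relationships come only from the
# process table above; every event record and path below is constructed.
EXPECTED_PARENTS = {
    "mfemactl.exe": {"masvc.exe"},                    # "created from masvc.exe"
    "mctray.exe": {"udaterui.exe", "updaterui.exe"},  # the updater UI starts the icon
    "mcscancheck.exe": {"mcscript_inuse.exe"},        # "used by McScript_InUse.exe"
}

def basename(path):
    """Lower-cased file name from a Windows or POSIX style path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def check_lineage(events):
    """Return (pid, image, parent_image) for every process whose name is in
    EXPECTED_PARENTS but whose parent is missing or not the documented one."""
    # Assumes PIDs are unique within the batch; on live data, key on a
    # per-process GUID or (pid, start time) to survive PID reuse.
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        allowed = EXPECTED_PARENTS.get(basename(e["image"]))
        if allowed is None:
            continue  # the table documents no parent for this process
        parent = by_pid.get(e["ppid"])
        parent_image = parent["image"] if parent else None
        if parent_image is None or basename(parent_image) not in allowed:
            findings.append((e["pid"], e["image"], parent_image))
    return findings

# Constructed process-creation records (pid, parent pid, image path).
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 4, "image": r"C:\constructed\agent\masvc.exe"},
    {"pid": 110, "ppid": 100, "image": r"C:\constructed\agent\mfemactl.exe"},
    {"pid": 200, "ppid": 50, "image": r"C:\constructed\agent\UdaterUI.exe"},
    {"pid": 210, "ppid": 200, "image": r"C:\constructed\agent\mctray.exe"},
    {"pid": 900, "ppid": 50, "image": r"C:\constructed\other\launcher.exe"},
    {"pid": 300, "ppid": 900, "image": r"C:\constructed\temp\MFEMACTL.EXE"},
    {"pid": 400, "ppid": 7777, "image": r"C:\constructed\agent\McScanCheck.exe"},
]

if __name__ == "__main__":
    for pid, image, parent in check_lineage(SAMPLE_EVENTS):
        print(f"pid {pid}: {image} has unexpected parent {parent!r}")
```

A finding with no parent image means the parent's creation event was not in the batch, so it calls for a wider time window before it is treated as suspicious.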
The following procedure describes the sequence in which the main components load:
- The computer starts (drivers and services load):
  - If the operating system is Windows 8 or later, the mfeelamk.sys driver is loaded using the Microsoft ELAM framework.
  - The mfehidk.sys driver loads.
  - The mfetdik.sys/mfewfpk.sys driver loads.
  - The mfeavfk.sys driver loads.
  - The Service Control Manager automatically starts the mfevtps.exe service.
  - The McShield, Framework service, and VsTskMgr services load automatically. As described above, McShield is the user-mode component of the On Access Scanner. The Framework service provides updating, scheduling, and mirroring functions, and VsTskMgr is a service used to coordinate events. For example, it sends scheduling information to CMA. It restarts McShield if a fatal timeout occurs and also protects VSE files from being modified.
  - The McShield service loads the mfeapfk.sys driver.
  - The McShield service loads the mfebopk.sys driver.
  - The FrameworkService loads NaPrdMgr to communicate with managed product plug-ins.
- The user logs in (items in the Run key are loaded):
  - UpdaterUI/UdaterUI and ShStat (VSE 8.7i) load.
  - UpdaterUI/UdaterUI provides a user interface to see what CMA is doing.
  - ShStat, the vShield icon, shows the statistics and displays the OAS messages window when OAS detections occur.
  - The mfeann.exe process starts.
- Other components are loaded (as needed):
  - McScript/McScript_In_Use runs scripted operations for TA.
  - The Scan32 on-demand scanner is used when scheduled On-Demand Scan (ODS) tasks run.
  - McConsole displays the Console, and also performs an ODS if invoked by the user through the Console.
  - ShCfg32 provides On Access Scanner property configuration.
  - ScnCfg32 provides ODS property configuration. It also performs an ODS if invoked by the user through this screen.