Troubleshoot performance issues with Threat Prevention
Technical Articles ID: KB89757
Last Modified: 2022-02-08 14:50:11 Etc/GMT
Environment
Endpoint Security (ENS) Platform 10.x
ENS Threat Prevention 10.x
Summary
This article describes how to review the troubleshooting data collected for an ENS performance issue to determine a root cause.
- Determine when the issue occurs. For example, does the issue occur during boot, logon, on-demand scan, or normal usage?
- Collect the appropriate data listed in KB86691 - Minimum data collection steps for Endpoint Security issues, based on the performance issue that you’re seeing.
- Perform the following troubleshooting steps based on when the issue occurs:
  - If the issue occurs during boot/login:
    - Make sure that you’re running the latest version of ENS. For the latest version, see: KB82761 - Supported platforms for Endpoint Security.
    - Determine which, if any, component of ENS is causing the issue by disabling components one at a time and testing whether the issue is resolved.
      - Disable on-access scan. Is the issue resolved?
      - Uninstall ENS Threat Prevention. Is the issue resolved?
    - After you’ve narrowed down the component of ENS that is causing the issue, note it and contact Technical Support.
  - If the issue occurs during on-demand scans, try the following. If the changes don’t resolve the issue, contact Technical Support.
    - Does the issue occur when using the McAfee default on-demand scan policy? On-demand scans use a large percentage of CPU resources and impact performance when invoked. This behavior is expected. For best practices to improve performance, such as enabling the option Scan only when the system is idle, see: KB88205 - How to improve performance with Endpoint Security.
  - If the issue occurs during normal use, create a "ZZZ" test. Modify the current on-access scan settings to only scan the file type of ZZZ. Does this test resolve the issue?
    - If so, you might need to create exclusions to improve performance.
      - Review the Process Monitor capture:
        - Click Tools in the menu bar.
        - Click Count Occurrences.
        - In the top left, in the Column drop-down list, select Process Name.
        - In the top right, click Count.
        - Double-click mcshield.exe.
        - Click Tools in the menu bar.
        - Click Count Occurrences.
        - In the top left, in the Column drop-down list, select Path.
        - In the top right, click Count.
        - In the table itself, click Count to filter the largest number to the top.
      - Use this data to create exclusions based on the results, and consider enabling the High Risk/Low Risk configuration. Follow the instructions in the "Preventing Threat Prevention from blocking trusted programs, networks, and services" section of the Endpoint Security 10.7 Product Guide.
        NOTE: Be mindful of the exclusions you create. Consider the security impact an exclusion can present.
    - If not, determine which, if any, component of ENS is causing the issue. Disable the components one at a time and test whether the issue is resolved.
      - Disable on-access scan. Is the issue resolved?
      - Disable Exploit Prevention. Is the issue resolved?
      - Disable Access Protection. Is the issue resolved?
      - Disable ScriptScan. Is the issue resolved?
      - Disable Antimalware Scan Interface (AMSI). Is the issue resolved?
      - Uninstall ENS Threat Prevention. Is the issue resolved?
      - After you’ve narrowed down the component of ENS that is causing the issue, note it and contact Technical Support.
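
The Count Occurrences steps in the Process Monitor review can also be reproduced offline on a capture saved as CSV, which makes it easier to roll paths up to folders and to spot exclusion candidates that deserve extra scrutiny. The following Python script is an added example, not McAfee code: it assumes the default Process Monitor CSV columns (Process Name, Path), and the sample rows, function names, and the user-writable path heuristic are constructed for illustration.

```python
import csv
import io
from collections import Counter
from pathlib import PureWindowsPath

# Constructed sample rows in the default Procmon CSV layout (not real capture data).
# For a real export, read the file with encoding="utf-8-sig" to tolerate a BOM.
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"9:00:01.0000001 AM","mcshield.exe","2104","ReadFile","D:\Build\obj\app.pdb","SUCCESS",""
"9:00:01.0000002 AM","mcshield.exe","2104","ReadFile","D:\Build\obj\app.pdb","SUCCESS",""
"9:00:01.0000003 AM","mcshield.exe","2104","ReadFile","D:\Build\obj\core.obj","SUCCESS",""
"9:00:01.0000004 AM","mcshield.exe","2104","CreateFile","C:\Users\dev\AppData\Local\Temp\pkg1.tmp","SUCCESS",""
"9:00:01.0000005 AM","mcshield.exe","2104","ReadFile","C:\Users\dev\AppData\Local\Temp\pkg1.tmp","SUCCESS",""
"9:00:01.0000006 AM","msbuild.exe","5520","WriteFile","D:\Build\obj\core.obj","SUCCESS",""
"9:00:01.0000007 AM","explorer.exe","1312","RegOpenKey","HKCU\Software","SUCCESS",""
'''

# Heuristic (assumption): path fragments that standard users can usually write to.
# An exclusion here gives untrusted files a location the scanner never inspects.
USER_WRITABLE = ("\\users\\", "\\temp\\", "\\programdata\\")


def count_column(csv_text, column, process=None):
    """Equivalent of Tools > Count Occurrences, optionally limited to one process."""
    counts = Counter()
    for row in csv.DictReader(io.StringIO(csv_text)):
        if process and row["Process Name"].lower() != process.lower():
            continue
        if row[column]:
            counts[row[column]] += 1
    return counts


def exclusion_candidates(csv_text, process="mcshield.exe", top=5):
    """Roll scanner activity up to folders, busiest first, with a review flag."""
    folders = Counter()
    for path, n in count_column(csv_text, "Path", process).items():
        folders[str(PureWindowsPath(path).parent)] += n
    return [(folder, n, any(f in (folder + "\\").lower() for f in USER_WRITABLE))
            for folder, n in folders.most_common(top)]


if __name__ == "__main__":
    print(count_column(SAMPLE_CSV, "Process Name").most_common())
    for folder, n, risky in exclusion_candidates(SAMPLE_CSV):
        print(f"{n:4d}  {folder}  {'REVIEW: user-writable' if risky else ''}")
```

Folders flagged for review are where the NOTE about security impact applies most: prefer narrower exclusions there over excluding the whole folder.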