Mcaffe sucks

[Kenazo]

The system:

Win2003 terminal server
2xXeon 2400's (i think they were 2400)
4 gigs ram
Mcaffe Viruscan Enterprise 7.1.0


Most of the time it's fine, but once or twice a day the Mcaffe goes crazy and hogs huge amounts of the processor time. Short of getting rid of Mcaffe is there any way to get it to quit hogging the resources?

I notice it's set to run at high priority. Is it possible to turn it down to normal? (I've tried and I get a windows error message that it can't be done).

 

[mechBgon]

What is it scanning when it's doing that? Double-click the McAfee shield icon and look. If it's plowing through the daily antivirus scan, then it's probably hit a big tough chewy .CAB, .CHM or .JAR file and is working its way through it.

Bigger picture: assuming your grant's current, you should move to VS Enterprise 8.0i, and try the beta 5000 engine

 

[Kenazo]

The techy guys that my company keeps insisting on dealing with tell us that the reason it's slow now is b/c the virus definition files are getting quite large and so it's taking longer. I'm thinking that this is more than that.

Anyway, some more info:
Scan engine 4.4.00

It's set to scan all files on every read and every write. Is this necessary? And is this what's causing our slow down?

Would VS 8 run quicker for us?

Also, when does Mcafee run its daily virus scans by default? And how do I change it?

EDIT: Oh, and as to what it's scanning, it seems to be cycling through files quite normally even when it's hogging resources.

 

[KoolDrew]

Mcaffe sucks

You just figured this out?

 

[mechBgon]

Originally posted by: Kenazo
The techy guys that my company keeps insisting on dealing with tell us that the reason it's slow now is b/c the virus definition files are getting quite large and so it's taking longer. I'm thinking that this is more than that.

Anyway, some more info:
Scan engine 4.4.00

It's set to scan all files on every read and every write. Is this necessary? And is this what's causing our slow down?

Whether it's necessary will depend on how much protection you want.

Would VS 8 run quicker for us?

The 5000 engine may run quicker for you. VS 8 itself, I doubt it would inherently be any faster.

Also, when does Mcafee run its daily virus scans by default? And how do I change it? I suspect that our techies (who also happen to be the ppl that sell us our hardware) are looking for a good excuse to sell an upgrade.


EDIT: Oh, and as to what it's scanning, it seems to be cycling through files quite normally even when it's hogging resources.

McAfee does not run a daily virus scan by default. VirusScan requires configuration, and I would know Look in VirusScan Console (right-click the McAfee icon) for the schedule of the scan (if any).

Originally posted by: KoolDrew

Mcaffe sucks

You just figured this out?

It can be brutal on the computers, but it does do its job dam' well :evil: I sleep far better at night knowing that I have buffer-overflow protection against known AND unknown exploits, a beautiful complement of behaviour-blocking rules (including some of my own design), central monitoring/tasking/reporting, daily DAT updates, and a product that NEVER crashes. It's not the poser wannabe home-user McAfee here :evil:

Kenazo, the other thing I can tell you is that Xeons are feeble, The Force is not strong with them at all when it comes to McAfee. I did a benchmark scan where I had a HT Xeon 2.4 scan a set of files, then had my A64 3000+ Clawhammer and my AthlonXP 1800+ scan them. SCSI on all three systems, incidentally. The Xeon got its bootie handed to it by almost a 2:1 ratio by the A64, and even lost to the AthlonXP 1800+ by 10%. How about some dual-core Athlon64 X2 or Opteron?

 

[Kenazo]

The Xeon should be more than enough for what we're doing though. I mean prior to maybe 4-5 months ago we never had this problem ever.

 

[Homerboy]

we run McAffee ASAP on 80+ machines here... not a single problem and not a single virus has gotten through yet (/me knocks on plastic).
McAffee will eat up SPARE CPU cycles as it runs at a low affinity... it should NOT be hamperin performance at all.

 

[Kenazo]

Originally posted by: Homerboy
we run McAffee ASAP on 80+ machines here... not a single problem and not a single virus has gotten through yet (/me knocks on plastic).
McAffee will eat up SPARE CPU cycles as it runs at a low affinity... it should NOT be hamperin performance at all.

It should be set to low? I checked the mcshield.exe process and it's set to high, which maybe is our problem. But, how do I change it to low? When I try windows tells me that it can't be changed.

 

[mechBgon]

With a fleet running VirusScan Enterprise 8.0i, I'll venture to say that the simple progression of the DAT files doesn't really explain a significant slowdown all by itself. If your techie guys initially set McAfee up in "nerf mode," and then 4 months ago they got a clue and turned on heuristics, compressed-file scanning, and spyware/adware/etc detections, then THAT would explain it. VirusScan is a very different beast when it's got everything turned on, versus out-of-the-box settings.

The next time you notice the high CPU usage, open VirusScan Console and see if the daily scan task (if there is one) is shown as "running." If so, that probably is the issue, and maybe just rescheduling the task to run after-hours would be a good solution.

 

[networkman]

mechBgon is quite correct in saying that you need to update your software. Our enterprise at work is a mix of Windows 2000 workstations/servers and Windows 2003 servers with the current v8 of McAfee Enterprise AntiVirus.

It is a darn good product, although no single solution will detect EVERY virus threat out there every time.

 

[Kenazo]

The daily scan task had been started @ 12am, and was done already. It appears that the On-Access scanner was definately the culprit. I temporarily disabled the on-access scanner and our CPU usage dropped to 10% from 95%-100%. Compressed file scanning is enabled, but not within Zip files.

 

[networkman]

Good point. One of the things we did at my work was to limit the On-Access scanner to just when files were written, not when read. Since all of the drives are scanned at night anyway, we then know the files are clean, so a read-scan is not necessary. Only on removable drives would a read-scan be warranted.

 

[Kenazo]

Ok, but the weird thing is this, when I re-enabled On-Access it didn't resume it's high resource usage ways. It's staying at a low CPU usage point now. Before mcshield was using 80% of the CPU by itself, now it's using 5% at most. What would have caused this to fix itself?

 

[CalvinHobbes]

McAfee slows my machines to a crawl (or locks it) when I open a folder with a bunch of files that it thinks it needs to scan. I've never seen a more intrusive on-access scan.

 

[jack1201]

In this world, no perfect program. Just bad and worst.

 

[Kenazo]

Originally posted by: jack1201
In this world, no perfect program. Just bad and worst.

Exactly, and Mcaffe is being a pain.

We had been running it on some of our Win98se clients too, but it made them unusable. Thus, they are completely unprotected right now. Everything the client's do is through Termserv though, so it's not too big of a deal.

I'm thinking eTrust might be the route for us. They use it at my wife's work and love it.

 

[DPmaster]

McAfee ePO = :thumbsup:

The ability to install and update VirusScan 8.0 (and any other version for that matter), set repositories, custom scans, etc. for 1000+ users with just a few mouse clicks is great. I was able to deploy VirusScan 8 when it first came out to about 1100 computers in a matter of hours. The older versions of McAfee VirusScan weren't that great but they seem turned around now with version 8.0i (with the latest patches of course).