Thanks Venu.  But I'm not sure this addresses my question.  Also I'm on ENS (posting in the ENS community) 10.6.  There is no KB5098, but I have checked KB50981 prior to posting and it provides an example of operation contains IRL_MJ_READ, but no context in terms of if that means the file is being "scanned" by mcshield.  TS102057 (link you provided) mostly just provides information on how to capture a procmon (which isn't an issue).

When I trigger a manual scan of a directory, I see a series of the following operations on the directory.  What I'm looking for is someone that might be more familiar with this and can tell me if one (or all) are indicative of Mcshield "scanning" a file/folder. 

FASTIO_NETWORK_QUERY_OPEN

IRP_MJ_CLOSE

IRP_MJ_CLEANUP

FASTIO_QUERY_INFORMATION

IRP_MJ_CREATE

IRP_MJ_SET_INFORMATION

IRP_MJ_CLOSE

IRP_MJ_DIRECTORY_CONTROL

@robg3381 

Dear Rob,

I think you are getting confused or deviated, the examples that you have mentioned are nothing to do with McShield.exe as it tries to scan an object during I/O operations. And to clarify your question, I have to take an example within the list you have provided. Please be informed that the below is what happens. 

IRP_MJ_CLEANUP is sent when the last user handle is closed;
when the last reference goes away and the FILE_OBJECT is
about to be torn down, IRP_MJ_CLOSE is sent. You can
receive I/O requests from kernel components between IRP_MJ_CLEANUP
and IRP_MJ_CLOSE.

Thanks akatt.  What you wrote made sense.  I'll have to re-review what I'm seeing as I had implemented a "test" policy which I put in a few processes as low-risk and then on the low-risk policy, unchecked the scan on read/write.  After I implemented the policy on the system I was still seeing procmon activity for it which confused me and I thought perhaps Mcshield (like you said) was asked to check a file - but not necessarily an indicator that it in fact was scanned. 

Would you recommend then a combination of ProcMon and Profiler?  I started using Profiler and was advised to instead use ProcMon as it details more overall activity, but perhaps Profiler is the better tool for confirming that mcshield actually scanned it?  But if we're looking for defining processes and paths needing to be excluded, maybe using ProcMon is a better tool?

@robg3381 

Just to concur with Jess, yes, Profiler is normally the "go-to" for checking whether or not implemented exclusions are working as intended.  Procmon, in my mind, is more of a hunting utility for when we are not too sure what exclusions might help with a scanning performance issue.  There are often times when I also want to see absolutely all registry/network/file activity that is happening on the system, and of course Procmon is great for that.  Profiler won't show us that perhaps another real-time scanning product is enabled, and the two applications are fighting for file access, and the system is incurring a large performance hit due to that.

In terms of the low-risk process additions that you mentioned, make sure that the OAS policy to first enable the default/low/high-risk feature is set.  I often see this missed, since ePO allows modification of all policies at any time.

For VSE, the option is within the Default Processes Policy in ePO, or it can be accessed through the properties of the On-Access Scanner within the local VSE console.

For ENS, the option is within the On-Access Scan policy under "Process Settings," or within the local console under the Threat Prevention>On-Access Scan section.

It will list as "Configure different settings for High risk and Low Risk."

@robg3381 I would second akatt's recommendation of utilizing McAfee Profiler in order to test your exclusions. ProcMon can be misleading as McShield is a front process for a many actions of the "scanner", and is not limited to an actual scan of files. Often you may see McShield touching a file in ProcMon, but it isn't always clear what was a scan, and what is an examination of the file to check for exclusion matching. 

McAfee Profiler will only output information about what is gettings scanned--so if it's showing in the relevant parts of the report, then there are gaps in the exclusion.

Was my reply helpful?

If this information was helpful in any way, or answered your question, will you please select "Accept as Solution" in my reply, or give kudos as appropriate, so together we can help other members?