How on-demand scanning works

The on-demand scanner searches files, folders, memory, and registry, looking for any malware that could have infected the computer.

You decide when and how often the on-demand scans occur. You can scan systems manually, at a scheduled time, or at startup.

  1. The on-demand scanner uses the following criteria to determine if the item must be scanned:
    • The file extension matches the configuration.
    • The file hasn't been cached, excluded, or previously scanned (if the scanner uses the scan cache).
    Note: If you configure McAfee GTI, the scanner uses heuristics to check for suspicious files.
  2. If the file meets the scanning criteria, the scanner compares the information in the item to the known malware signatures in the currently loaded AMCore content files.
    • If the file is clean, the result is cached, and the scanner checks the next item.
    • If the file contains a threat, the scanner takes the configured action.

      For example, if the action is to clean the file, the scanner:

      1. Uses information in the currently loaded AMCore content file to clean the file.
      2. Records the results in the activity log.
      3. Notifies the user that it detected a threat in the file, and includes the item name and the action taken.

      Windows 8 and 10 — If the scanner detects a threat in the path of an installed Windows Store app, the scanner marks it as tampered. Windows adds the tampered flag to the tile for the app. When you attempt to run it, Windows notifies you of the problem and directs you to the Windows Store to reinstall.

  3. If the item doesn't meet the scanning requirements, the scanner doesn't check it. Instead, the scanner continues until all data is scanned.


The on-demand scan detection list is cleared when the next on-demand scan starts.

Threat Prevention flushes the global scan cache and rescans all files when an Extra.DAT is loaded.