How on-access scanning works

The on-access scanner integrates with the system at the lowest levels (File-System Filter Driver) and scans files where they first enter the system.

When detections occur, the on-access scanner delivers notifications to the Service Interface.

Note: If you configure McAfee GTI, the scanner uses heuristics to check for suspicious files.

Windows 8 and 10 — If the scanner detects a threat in the path of an installed Windows Store app, the scanner marks it as tampered. Windows adds the tampered flag to the tile for the app. When you attempt to run it, Windows notifies you of the problem and directs you to the Windows Store to reinstall.

The scanner uses these criteria to determine whether to scan an item:

  • The file extension matches the configuration.
  • The file information isn't in the global scan cache.
  • The file hasn't been excluded or previously scanned.

Read scan

When Read scan is selected and an attempt is made to read, open, or execute a file:

  1. The scanner blocks the request.
  2. The scanner determines whether the item must be scanned.
    • If the file doesn't need to be scanned, the scanner unblocks the file, caches the file information, and grants the operation.
    • If the file needs to be scanned, the scan engine scans the file, comparing it to signatures in the currently loaded AMCore content file.
      • If the file is clean, the scanner unblocks the file and caches the result.
      • If the file contains a threat, the scanner denies access to the file and takes the configured action.

        For example, if the action is to clean the file, the scanner:

        1. Uses information in the currently loaded AMCore content file to clean the file.
        2. Records the results in the activity log.
        3. Notifies the user that it detected a threat in the file, and prompts for the action to take (clean or delete the file).

Write scan

Note: The scanner examines the file only after it is written to disk and closed.

When Write scan is selected and a file is written to disk:

  1. The scanner determines whether the item must be scanned.
    • If the file doesn't need to be scanned, the scanner caches the file information, and grants the operation.
    • If the file needs to be scanned, the scan engine scans the file, comparing it to signatures in the currently loaded AMCore content file.
      • If the file is clean, the scanner caches the result.
      • If the file contains a threat, the scanner takes the configured action.

        The scanner doesn't deny access to the file.

When is the global scan cache flushed?

The on-access scan detection list is cleared when the Endpoint Security service restarts or the system reboots.

Threat Prevention flushes the global scan cache and rescans all files when:

  • The On-Access Scan configuration changes.
  • An Extra.DAT file is added.
  • The system reboots in safe mode.

If a process is signed by a trusted certificate, the signing certificate is cached and remains in the cache after the system reboots. The scanner is less likely to scan files accessed by processes that are signed by a cached trusted certificate, resulting in scan avoidance and improved performance.
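As an added illustration (not McAfee's code and not a description of the filter driver's internals), the following Python model walks through the decision flow on this page: the three scan criteria, the Read scan that holds the request and may deny it, the Write scan that runs after the file is closed and never denies, and a global scan cache flush that forces everything to be rescanned. File paths, extensions and the signature set are constructed stand-ins; the trusted-certificate cache is not modeled.

```python
from dataclasses import dataclass, field

# Constructed stand-in for the signatures in the loaded AMCore content file
SIGNATURES = {"EICAR-STANDARD-ANTIVIRUS-TEST-FILE"}


@dataclass
class OnAccessScanner:
    """Model of the flow above: which items get scanned, how Read scan and
    Write scan differ, and what a global scan cache flush undoes."""
    scan_extensions: set = field(default_factory=lambda: {"exe", "dll", "docm"})
    exclusions: set = field(default_factory=set)
    scan_cache: set = field(default_factory=set)   # paths cached as clean (constructed)
    action: str = "clean"                          # configured detection action
    log: list = field(default_factory=list)        # stand-in for the activity log

    def must_scan(self, path: str) -> bool:
        """The three criteria: extension configured, not cached, not excluded."""
        ext = path.rsplit(".", 1)[-1].lower() if "." in path else ""
        return (ext in self.scan_extensions
                and path not in self.scan_cache
                and path not in self.exclusions)

    def engine_scan(self, content: str) -> str:
        """Signature comparison against the content file; 'threat' or 'clean'."""
        return "threat" if any(sig in content for sig in SIGNATURES) else "clean"

    def read(self, path: str, content: str) -> str:
        """Read scan: the request is held until the verdict is known."""
        if self.must_scan(path) and self.engine_scan(content) == "threat":
            self.log.append(f"{path}: threat on read, action={self.action}, access denied")
            return "denied"                     # threat verdicts are not cached
        self.scan_cache.add(path)               # clean result or file info is cached
        return "granted"

    def write(self, path: str, content: str) -> str:
        """Write scan: runs after the file is written and closed; never denies."""
        if self.must_scan(path) and self.engine_scan(content) == "threat":
            self.log.append(f"{path}: threat on write, action={self.action}")
        else:
            self.scan_cache.add(path)
        return "granted"                        # the write itself is not blocked

    def flush(self, reason: str) -> None:
        """Config change, Extra.DAT, safe-mode reboot: every file rescans."""
        self.scan_cache.clear()
        self.log.append(f"global scan cache flushed: {reason}")
```

A file that a Write scan flagged is not cached, so the next Read scan of it is evaluated again and denied, which is why Write scan alone is not a containment control.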