How on-demand scanning works

The on-demand scanner searches files, folders, and the registry for any malware that might have infected the computer.

You decide when and how often the on-demand scans occur. You can scan at a scheduled time, or at startup.

The on-demand scanner intercepts the operation and takes these actions:

  1. Examines the file at the client system.
  2. Checks if any exclusion is defined in the policy. If any exclusion is defined for the file, then the access is allowed.
  3. If exclusion is not defined, the scanner checks whether the file is present in local cache in the client system. If it is present, then access is allowed.
  4. If the file is not present in local cache in the client system, the scanner checks for publisher trust in the client system. If publisher trust matches, then the access is allowed.
  5. If the publisher trust does not match, the scanner checks for the file in global cache in the SVM. If the file is present, then the access is allowed.
  6. If the file is not present in global cache, the scanner compares the information in the file to the known malware signatures in the currently loaded DAT files.
    1. If the file is clean, the result is cached and the read, write, or rename operation is granted. McAfee MOVE AntiVirus caches the result in the SVM and the client system.
    2. If the file contains a threat, the scanner reports the file as malware to the client system, where the configured action is taken.

      For example, if the action is configured to Deny files automatically and quarantine (the default setting), the scanner:

      • Deletes items that are detected as threats and saves copies in a non-executable format to the Quarantine folder.
      • Records the results in the activity log.
      • Notifies the user that it detected a threat in the file, and includes the item name and the action taken.
  7. If the file doesn't meet the scanning requirements, the scanner doesn't check it. The scanner continues until all data is scanned.

The on-demand scan detection list is cleared when the next on-demand scan starts.
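The lookup order above, as an added Python model (not McAfee code) that shows a policy exclusion bypassing every later check, signature comparison included, and the clean result being cached in both the SVM and the client. The hashes, caches, and the DAT stand-in are constructed assumptions.

```python
from dataclasses import dataclass, field
from hashlib import sha256

# Constructed stand-in for the loaded DAT signatures: SHA-256 of known-bad content.
KNOWN_MALWARE = {sha256(b"constructed malicious sample").hexdigest()}

@dataclass
class ScanState:
    exclusions: set                                 # policy exclusions (paths)
    trusted_publishers: set                         # publisher trust on the client
    local_cache: set = field(default_factory=set)   # client cache of clean hashes
    global_cache: set = field(default_factory=set)  # SVM cache of clean hashes
    quarantine: list = field(default_factory=list)  # (path, non-executable copy)
    activity_log: list = field(default_factory=list)

def scan_file(state, path, content, publisher=None):
    """Apply the documented lookup order; return (decision, reason)."""
    file_hash = sha256(content).hexdigest()
    # Step 2: an exclusion allows access before any cache or signature check runs.
    if path in state.exclusions:
        return "allow", "policy exclusion"
    # Step 3: a clean result already cached on the client
    if file_hash in state.local_cache:
        return "allow", "local cache"
    # Step 4: publisher trust configured on the client
    if publisher in state.trusted_publishers:
        return "allow", "publisher trust"
    # Step 5: a clean result cached in the SVM
    if file_hash in state.global_cache:
        return "allow", "global cache"
    # Step 6: compare the file against the loaded signatures
    if file_hash not in KNOWN_MALWARE:
        state.global_cache.add(file_hash)   # cached in the SVM ...
        state.local_cache.add(file_hash)    # ... and on the client system
        return "allow", "signature scan clean"
    # Default action (deny and quarantine): keep a non-executable copy, log, notify.
    state.quarantine.append((path, content.hex()))
    state.activity_log.append(f"threat detected in {path}; action taken: quarantine")
    return "deny", "quarantine"
```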

On-demand scanning with TIE and ATD enabled

  1. The on-demand scanner goes through steps 1 through 4 of How on-demand scanning works.
  2. If the publisher trust does not match:
    1. The client looks for the reputation in global cache in the SVM. If the reputation is available, then the access is allowed based on the Shared Cloud Solutions policy assigned to the system.
    2. If the reputation is not available in global cache in the SVM, the client sends the file hashes to the SVM for TIE lookup.
    3. The SVM checks the reputation cache for the file hash. If the file hash is found, the SVM gets the reputation data from the SVM cache and sends the reputation to the client and the action is taken.
    4. (With the SVM connected to TIE) If the file hash is not found in the SVM cache and the TIE server does not have the reputation:
      1. (Advanced Threat Defense is present) If the policy on the endpoint determines that the file has to be sent to Advanced Threat Defense, the server sends the file for further analysis. To send the file to Advanced Threat Defense, these requirements must be met:
        • The Advanced Threat Defense (ATD) option is configured under the Shared Cloud Solutions policy on the McAfee ePO server.
        • The file is smaller than 10 MB.
      2. The TIE server returns the file hash's reputation to the SVM once the data is received from Advanced Threat Defense after analyzing the file.
  3. McAfee MOVE AntiVirus takes action based on the Shared Cloud Solutions policy assigned to the system that is running the file.
  4. The SVM sends threat details as threat events to McAfee ePO.

Optimizing the scanning performance on systems

To minimize the impact that on-demand scans have on a system, specify performance options when configuring these scans.