How on-access scanning works

The on-access scanner integrates with the system at the lowest levels (file system filter driver) and scans files where they first enter the system.

The on-access scanner delivers notifications to the System Service interface when detections occur.

When an attempt is made to access or modify a file, the scanner intercepts the operation and takes these actions.

  1. Examines the file at the client system.
  2. Checks if any exclusion is defined in the policy. If any exclusion is defined for the file, the access is allowed.
  3. If an exclusion is not defined, the scanner checks whether the file is present in local cache in the client system. If it is present, access is allowed.
  4. If the file is not present in local cache, the scanner checks for publisher trust in the client system. If it matches, the access is allowed.
  5. If the publisher trust does not match, the scanner checks for the file in global cache in the SVM. If the file is present, the access is allowed.
  6. If the file is not present in global cache, the scanner compares the information in the file to the known malware signatures in the currently loaded DAT files.
    • If the file is clean, the result is cached and the read, write, or rename operation is granted. McAfee MOVE AntiVirus caches the result in the SVM and client system.
    • If the file contains a threat, the scanner reports the file as malware to the client system, where the configured action is taken.

On-access scanning with TIE and ATD enabled

  1. The on-access scanner performs steps 1 through 4 of How on-access scanning works.
  2. If the publisher trust does not match:
    • The client looks for the reputation in global cache in the SVM. If the reputation is available, the access is allowed based on the Shared Cloud Solutions policy assigned to the system.
    • If the reputation is not available in global cache in the SVM, the client sends the file hashes to the SVM for TIE lookup.
    • The SVM checks its reputation cache for the file hash. If the file hash is found, the SVM retrieves the reputation data from its cache and sends it to the client, where the action is taken.
    • (SVM is connected to TIE) If the file hash is not found in the SVM cache and the TIE server does not have the reputation:
      • (Advanced Threat Defense is present) If the policy on the endpoint determines that the file must be sent to Advanced Threat Defense, the server sends the file for further analysis. To send the file to Advanced Threat Defense, these requirements must be met:
        • The Advanced Threat Defense (ATD) option is configured in the Shared Cloud Solutions policy on the McAfee ePO server.
        • The size of the file is less than 10 MB.
      • When Advanced Threat Defense finishes analyzing the file, the TIE server receives the result and returns the file hash's reputation to the SVM.
  3. McAfee MOVE AntiVirus takes action based on the Shared Cloud Solutions policy assigned to the system that is running the file.
  4. The SVM sends threat details as threat events to McAfee ePO.
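To make the lookup order in the two sections above concrete, here is an added Python model of the decision cascade (an illustration written for this page, not McAfee MOVE code). The Env fields, the decide function and the sample hashes are assumptions, and because the page does not say what happens while an ATD verdict is pending, the model allows a DAT-clean file and records that it was submitted.

```python
# Added illustration, not McAfee MOVE code: models the on-access decision order
# from the two sections above. Names, fields and sample hashes are constructed.
from dataclasses import dataclass, field

ATD_MAX_BYTES = 10 * 1024 * 1024  # page: ATD requires a file smaller than 10 MB


@dataclass
class Env:
    exclusions: set = field(default_factory=set)        # policy exclusions (paths)
    local_cache: set = field(default_factory=set)       # clean hashes held by the client
    trusted_publishers: set = field(default_factory=set)
    global_cache: set = field(default_factory=set)      # clean hashes held by the SVM
    dat_signatures: set = field(default_factory=set)    # malware hashes in loaded DATs
    tie_reputation: dict = field(default_factory=dict)  # hash -> "trusted"/"malicious"
    atd_configured: bool = False                        # ATD set in Shared Cloud policy
    atd_submitted: list = field(default_factory=list)   # hashes sent for ATD analysis


def cache_clean(env, sha256):
    """Step 6: a clean verdict is cached on both the client and the SVM."""
    env.local_cache.add(sha256)
    env.global_cache.add(sha256)


def decide(env, path, sha256, publisher, size):
    """Return (allowed, reason) for one access, following the page's order."""
    if path in env.exclusions:                 # step 2
        return True, "policy exclusion"
    if sha256 in env.local_cache:              # step 3
        return True, "local cache"
    if publisher in env.trusted_publishers:    # step 4
        return True, "publisher trust"
    if sha256 in env.global_cache:             # step 5 (SVM global cache)
        return True, "global cache"
    rep = env.tie_reputation.get(sha256)       # TIE lookup through the SVM
    if rep == "malicious":
        return False, "TIE reputation"
    if rep == "trusted":
        cache_clean(env, sha256)
        return True, "TIE reputation"
    if sha256 in env.dat_signatures:           # step 6: DAT signature comparison
        return False, "DAT signature match"
    # Assumption: a DAT-clean file with no reputation is allowed now and sent to
    # ATD when the policy enables it and the size limit is met; the page does
    # not state what happens while the ATD verdict is pending.
    if env.atd_configured and size < ATD_MAX_BYTES:
        env.atd_submitted.append(sha256)
    cache_clean(env, sha256)
    return True, "DAT scan clean"
```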

Changing when files are scanned

You can change the client policy to determine which files are scanned for threats and when.

By default, files are scanned when they are read from or written to disk, or when opened for backup. The McAfee Agent program files and the User Profile Manager process are excluded from scans.

When files are written to disk, the on-access scanner examines these files:

  • Incoming files written to the local drive.
  • Files (new, changed, or files copied or moved from one drive to another) created on the local drive or a mapped network drive (if enabled with Multi-Platform).

When files are read from disk, the scanner examines these files:

  • Outgoing files read from the local drive or mapped network drives (if enabled with Multi-Platform).
  • Files on the local drive that are executed as a process.
  • Files opened on the local drive.

CAUTION: Depending on your environment, selecting On network drives can degrade network performance.