This repository has been archived by the owner on Apr 19, 2022. It is now read-only.

How-to Speed Up McAfee Antivirus Scanning #7

morrowd opened this issue Jan 6, 2016 · 2 comments

morrowd commented Jan 6, 2016

Issue: McAfee antivirus scanning is very slow
Fix/Solution: Use the uvscan --decompress command line option on new signature updates before scanning - applies to McAfee VirusScan Command Line versions below 6.0.5

McAfee antivirus scanning is listed as "(Very slow, only enabled when running all the engines)"; however, there is a way to significantly improve the McAfee scan performance. Unfortunately, McAfee has not documented this feature in the uvscan man page or in the uvscan -h help option AFAIK. McAfee has documented this in their Virus Scan for UNIX product documentation. This feature applies to versions below 6.0.5.

On page 34:

After an update, run the following command once to decompress the newly downloaded DATs and accelerate the time for subsequent initializations.

uvscan --decompress

Example:

uvscan --decompress /usr/local/uvscan/

See results below for an example of before and after running uvscan --decompress

Some of the extra white space has been removed for brevity.

Before uvscan --decompress

d@ubuntu:~/Downloads$ time uvscan --ASCII --ANALYZE --MANALYZE --MACRO-HEURISTICS --RECURSIVE --UNZIP Cover-Letter.pdf
McAfee VirusScan Command Line for Linux64 Version: 6.0.4.564
Copyright (C) 2013 McAfee, Inc.

AV Engine version: 5600.1067 for Linux64.
Dat set version: 8036 created Jan 6 2016
Scanning for 670676 viruses, trojans and variants.

Time: 00:00.00

real 0m21.249s
user 0m20.277s
sys 0m0.341s

d@ubuntu:~/Downloads$ time uvscan --ASCII --ANALYZE --MANALYZE --MACRO-HEURISTICS --RECURSIVE --UNZIP Resume.pdf
McAfee VirusScan Command Line for Linux64 Version: 6.0.4.564
Copyright (C) 2013 McAfee, Inc.

AV Engine version: 5600.1067 for Linux64.
Dat set version: 8036 created Jan 6 2016
Scanning for 670676 viruses, trojans and variants.

Time: 00:00.00

real 0m16.388s
user 0m15.362s
sys 0m0.306s

After uvscan --decompress /usr/local/uvscan/

d@ubuntu:~/Downloads$ time uvscan --ASCII --ANALYZE --MANALYZE --MACRO-HEURISTICS --RECURSIVE --UNZIP Cover-Letter.pdf
McAfee VirusScan Command Line for Linux64 Version: 6.0.4.564
Copyright (C) 2013 McAfee, Inc.

AV Engine version: 5600.1067 for Linux64.
Dat set version: 8036 created Jan 6 2016
Scanning for 670676 viruses, trojans and variants.

Time: 00:00.00

real 0m2.834s
user 0m2.677s
sys 0m0.156s

d@ubuntu:~/Downloads$ time uvscan --ASCII --ANALYZE --MANALYZE --MACRO-HEURISTICS --RECURSIVE --UNZIP Resume.pdf
McAfee VirusScan Command Line for Linux64 Version: 6.0.4.564
Copyright (C) 2013 McAfee, Inc.

AV Engine version: 5600.1067 for Linux64.
Dat set version: 8036 created Jan 6 2016
Scanning for 670676 viruses, trojans and variants.

Time: 00:00.00

real 0m2.846s
user 0m2.683s
sys 0m0.147s

McAfee says:

"From version 6.0.5 the DECOMPRESS switch is automatically applied. So the first time after each DAT update it will automatically replace the local copy of the compressed DAT with the decompressed equivalent for future use. It is no longer necessary to use the DECOMPRESS switch with the VSCL 6.0.5 and later releases." Documented here - https://kc.mcafee.com/corporate/index?page=content&id=KB68023
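Added example, not part of the comment above or of the project's code: a post-update hook that runs `uvscan --decompress` once per new DAT set and skips it on VSCL 6.0.5 or later, where the quoted KB says it is automatic. The helper names, the stamp file and the use of `uvscan --version` to obtain the banner are assumptions; the sample banner is copied from the scan output above.

```shell
#!/usr/bin/env bash
# Post-DAT-update hook for VSCL below 6.0.5 (added example, hypothetical helper names).

UVSCAN_DIR="${UVSCAN_DIR:-/usr/local/uvscan}"          # DAT directory used in the issue
STAMP="${STAMP:-$UVSCAN_DIR/.last-decompressed-dat}"   # hypothetical stamp file

# Banner lines as printed in the scan output quoted in the issue.
SAMPLE_BANNER='McAfee VirusScan Command Line for Linux64 Version: 6.0.4.564
AV Engine version: 5600.1067 for Linux64.
Dat set version: 8036 created Jan 6 2016'

# Read a banner on stdin, print the product version (e.g. 6.0.4.564).
vscl_version() {
    sed -n 's/^McAfee VirusScan Command Line.*Version: *\([0-9.]*\).*/\1/p' | head -n 1
}

# Read a banner on stdin, print the DAT set version (e.g. 8036).
dat_version() {
    sed -n 's/^Dat set version: *\([0-9]*\).*/\1/p' | head -n 1
}

# Succeed when dotted version $1 is strictly lower than $2 (numeric per field).
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        for (i = 1; i <= (n > m ? n : m); i++) {
            if ((x[i] + 0) < (y[i] + 0)) exit 0
            if ((x[i] + 0) > (y[i] + 0)) exit 1
        }
        exit 1
    }'
}

# needs_decompress BANNER STAMPFILE
# 0 = run --decompress, 1 = nothing to do, 2 = banner could not be parsed.
needs_decompress() {
    local ver dat
    ver="$(printf '%s\n' "$1" | vscl_version)"
    dat="$(printf '%s\n' "$1" | dat_version)"
    [ -n "$ver" ] && [ -n "$dat" ] || return 2
    version_lt "$ver" "6.0.5" || return 1                        # 6.0.5+ does it automatically
    [ -f "$2" ] && [ "$(cat "$2")" = "$dat" ] && return 1       # this DAT set is already done
    return 0
}

# Call after each DAT update. Assumes `uvscan --version` prints the same banner lines.
post_update_hook() {
    local banner rc=0
    banner="$(uvscan --version 2>&1)"
    needs_decompress "$banner" "$STAMP" || rc=$?
    [ "$rc" -eq 2 ] && { echo "uvscan banner not recognised; skipping" >&2; return 2; }
    [ "$rc" -eq 1 ] && return 0
    uvscan --decompress "$UVSCAN_DIR" && printf '%s\n' "$banner" | dat_version > "$STAMP"
}
```

Run `post_update_hook` from whatever job fetches the DAT files, as a user that can write to the DAT directory.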

@shadowbq

McAfee Labs releases at least one DAT file every day of the year, with the exception of January 1 and December 25

https://kc.mcafee.com/corporate/index?page=content&id=KB55986


morrowd commented Oct 26, 2016

Yes, thanks for the link. I was not asking a question about the DAT file releases though. I was making a comment about how older versions of uvscan have a "--decompress" option which speeds up subsequent initialization and therefore reduces the overall scanning time. McAfee has been great about releasing daily updates to their DAT files.
