Troubleshooting performance SCOM 2012 and SCOM 2007 agent with McAfee Antivirus

I got quite a number of questions on performance of the SCOM and related processes (Heathservice.exe, monitoringhost.exe and CSCRIPTS). High CPU load on the SCOM process is mostly related to antivirus software.

In most cases the culprit ends up being the incorrect setup of the antivirus software; specially McAfee is very tricky when it’s not configured well and when the exclusions are not in the right place.
See my blogpost on antivirus exclusions for SCOM 2012 management, gateway and SQL servers or SCOM 2012 and 2007 agents

Here is how to troubleshoot antivirus in combination with the SCOM agent. In this case we monitor McAfee in combination with SCOM. To troubleshoot I used Procmon from Sysinternals.
In my later post I will make a list of recommended exclusions.
Lot’s of servers with high CPU load specially on the SCOM process; healthservice.exe, cscripts and more.

Troubleshooting the process with “Sysinternals Process Monitor”
1. Lets start with downloading the Process Monitor on http://technet.microsoft.com/en-us/sysinternals/bb896645.aspx
2. Stop the monitoring, go to Filter, Enable Advanced Output

3. Go to Filter, Process name, is, Mcshield.exe and click Add, OK

4. Click on the magnifyingglass to start the capture
Ok, we see that the McShield.exe process is scanning the OpsMgr data. This is not good.
After checking we noticed that the antivirus exclusions aren’t configured properly.

We’ve changed the exclusions to the best practice settings.
See my post for the working best practice for Antivirus Exclusions in combination with SCOM 2012 and 2007.