PDA

View Full Version : Possible lead for Eset? --> ekrn.exe:AmonPort hang

meschubert
December 29th, 2007, 07:26 PM
I would like to offer what appears to be a repeatable scenario related to slow file transfers and explorer.exe instability to the Eset support people.

I can generate an unlimited number of the following types of hangs with V3.0.621.0:
Virus signature database: 2755 (20071229)
Update module: 1019 (20071030)
Antivirus and antispyware scanner module: 1101 (20071217)
Advanced heuristics module: 1068 (20071119)
Archive support module: 1067 (20071227)
Cleaner module: 1024 (20071217)

Example #1:

Description:
A problem caused this program to stop interacting with Windows.

Problem signature:
Problem Event Name: AppHangXProcB1
Application Name: explorer.exe
Application Version: 6.0.6000.16549
Application Timestamp: 46d230c5
Hang Signature: e1f2
Hang Type: 132
Waiting on Application Name: ekrn.exe:AmonPort
Waiting on Application Version: 0.0.0.0
OS Version: 6.0.6000.2.0.0.256.1
Locale ID: 1033
Additional Hang Signature 1: 35ac14a99d41431ac2b15bf6cf1748fc
Additional Hang Signature 2: d168
Additional Hang Signature 3: 4180a50a86208072c3e410ec781698ae
Additional Hang Signature 4: 2017
Additional Hang Signature 5: 583e1a4e8a17e81d2a0793c5863b3f94
Additional Hang Signature 6: d0db
Additional Hang Signature 7: 2e192edd046a818338c431ecf59ca942

Read our privacy statement:
http://go.microsoft.com/fwlink/?linkid=50163&clcid=0x0409

---------------------------------------------------------------------
Example #2

Description:
A problem caused this program to stop interacting with Windows.

Problem signature:
Problem Event Name: AppHangXProcB1
Application Name: explorer.exe
Application Version: 6.0.6000.16549
Application Timestamp: 46d230c5
Hang Signature: ed3b
Hang Type: 129
Waiting on Application Name: ekrn.exe:AmonPort
Waiting on Application Version: 0.0.0.0
OS Version: 6.0.6000.2.0.0.256.1
Locale ID: 1033
Additional Hang Signature 1: dc44c19cf50594e30550683bcfcb33a5
Additional Hang Signature 2: cc28
Additional Hang Signature 3: f8a03c1fedd93530e035667c9021c616
Additional Hang Signature 4: 5c3d
Additional Hang Signature 5: 026a5d019acb76ce0825fb9387f59b10
Additional Hang Signature 6: dc1a
Additional Hang Signature 7: 4bad92cb9f7340ed8a11a1462569d4dc

Read our privacy statement:
http://go.microsoft.com/fwlink/?linkid=50163&clcid=0x0409

Description:
A problem caused this program to stop interacting with Windows.
--------------------------------------------------------------
Example #3

Problem signature:
Problem Event Name: AppHangB1
Application Name: explorer.exe
Application Version: 6.0.6000.16549
Application Timestamp: 46d230c5
Hang Signature: 9f69
Hang Type: 0
OS Version: 6.0.6000.2.0.0.256.1
Locale ID: 1033
Additional Hang Signature 1: 7ddba8aa251f02bd2c8406defb92bc72
Additional Hang Signature 2: 88cf
Additional Hang Signature 3: 78da7a6016398044448c2831a395d320
Additional Hang Signature 4: 9f69
Additional Hang Signature 5: 7ddba8aa251f02bd2c8406defb92bc72
Additional Hang Signature 6: 88cf
Additional Hang Signature 7: 78da7a6016398044448c2831a395d320

Read our privacy statement:
http://go.microsoft.com/fwlink/?linkid=50163&clcid=0x0409
--------------------------------------------------------------
Example #4

Description:
A problem caused this program to stop interacting with Windows.

Problem signature:
Problem Event Name: AppHangXProcB1
Application Name: explorer.exe
Application Version: 6.0.6000.16549
Application Timestamp: 46d230c5
Hang Signature: 95ee
Hang Type: 129
Waiting on Application Name: ekrn.exe:AmonPort
Waiting on Application Version: 0.0.0.0
OS Version: 6.0.6000.2.0.0.256.1
Locale ID: 1033
Additional Hang Signature 1: ac126d603a845dbf74dcf17c758ec389
Additional Hang Signature 2: f3f5
Additional Hang Signature 3: d46cd87a70dbb3e530af91f5aaee3769
Additional Hang Signature 4: c941
Additional Hang Signature 5: 1c934992d9bb9e6abf9c6beb6f4b60ad
Additional Hang Signature 6: 1b22
Additional Hang Signature 7: 6a90fe125cebee5a91b973a13832e73b

Read our privacy statement:
http://go.microsoft.com/fwlink/?linkid=50163&clcid=0x0409

If you look at post #88 in the “New version 3.0.621 available” thread, you will see that I had this problem suddenly appear with V3.0.566.0 after a couple weeks of trouble free use. I erroneously associated the upgrade to V3.0.621 with fixing the issue even though I knew the assumption was weak because of a full Microsoft Windows PC Restore not solving the problem prior to the upgrade.

I unintentionally recreated the issue this morning and I now know how to repeat it at will. It is detectable with transfers of certain large files while having Heuristics enabled for “Real-time file system protection” under specific conditions. Enabling Advanced heuristics exacerbates the issue to the point of getting the hangs I listed above.

This only becomes apparent under specific circumstances for very specific files that I can send along with similar larger files that do not cause the issues. If I had to venture a guess, the heuristics is getting caught up in something specific in these files, possibly the way the vendor implements their licensing.

The conditions are very specific, but it may lead to a solution of the “larger” issue. If someone from Eset support is interested in my sending the files and additional information regarding the conditions, please send me a PM.

Mark
meschubert
December 29th, 2007, 07:51 PM
PS: For those of you who will see this as another reason to "abandon ship", you may want to think again. The grass isn’t necessarily greener on the other side (pun intended – both of my favorite AV Vendors chose green as their primary color).

Check out the “KIS 7.0.0.125 NDIS filter problem” thread in the Kaspersky forum. Six months of LANs disappearing. It was somewhat of a “toss up” when I chose NOD32 over KAV last spring as I moved from XP and Norton. Both vendors are having difficulty with the massive changes in their products and Vista coming along.
Marcos
December 29th, 2007, 08:06 PM
Are you sure the problem goes away after uninstalling EAV? If so, what do you need to do to make the error occur?

At least one of the error repots was not related to AMON, maybe it's something else. I've found something in another forum:

Description
A problem caused this program to stop interacting with Windows.

Problem signature
Problem Event Name: AppHangB1
Application Name: iexplore.exe
Application Version: 7.0.6000.16386
Application Timestamp: 4549b133
Hang Signature: 3e79
Hang Type: 5
OS Version: 6.0.6000.2.0.0.768.3
Locale ID: 2057
Additional Hang Signature 1: e3501adad3d49b25bfa99c5ec23c6ec9
Additional Hang Signature 2: cb77
Additional Hang Signature 3: 625c4577808ca2a782ae70fe53416f66
Additional Hang Signature 4: 5b94
Additional Hang Signature 5: cc5c5cb673cfad469945b617046d3ec8
Additional Hang Signature 6: e870
Additional Hang Signature 7: d0988f191c741962bf47aed33f2e9c5d

If you google AppHangB1 you will find alot of sites but none of them truely match your same #'s
I suggest sending it off to microsoft and i'm sure that they can provide you with a answer
it's probably a add-on program for IE that is causing the problem try disabling all the add-ons in IE

go to Tools - Manage Add Ons -Enable or Disable Add Ons. Change the Drop down to Add Ons currently loaded in Internet Explorer

I used to have the same problem, I followed the advice mentioned in this topic & it worked with me 100 %

Thanks for your help problem solved
meschubert
December 29th, 2007, 08:44 PM
I don’t have to uninstall anything or reboot to make the problem go away. All I have to do is turn off Real-time file security scanning and the problem is gone.

As for the 3rd hang, although it doesn’t specifically call out amon, it happened during the same situation as the others except that time I happened to have the NOD32 interface up. I tried to get into the advanced protection setup tree after explorer froze and the 3rd hang is the results.

These results are repeatable as many times as wanted. I would be careful about making quick assumptions about it being a Windows issue. I am in the middle of watching my (American) college football team lose a bowl game. I’ll provide additional details at halftime. ;D

Mark
meschubert
December 30th, 2007, 10:55 AM
Sorry, no time during half time. There was a good pro game I switched to during college game half time break. The college team I wanted to win did, but the pro team I wanted to win lost.

I wasn’t going to use the forum to transfer the details because the conditions are very unique. This seems to be a complex set of conflicts that only causes the hang under the right conditions. There may be multiple forms of these conditions which is why this has been difficult for Eset to solve.

In many scenarios, a slow transfer may be the only evidence of anything unusal. Explorer.exe hanging is probably just a worst case type of results. I now know enough to avoid these conditions in my specific environment, but these conditions are too unique to my environment to help others.

While the issue could be completely unique to my environment (damaged DLL, etc.), it is my hope that Eset may be able to run their heuristics algorithms against the specific files that cause lots of cpu time usage (and explorer.exe hangs under the right conditions) and figure out why their Advanced heuristics module seems to work overtime when processing these files. This could lead the developers to something that may also be triggered by other conditions that are affecting other people. Troubleshooting/debugging is almost an art as all vendors know they try to test and get their software to “play well” with other elements in today’s “home” computing environments.

My specific suggestion is that Eset run their heuristics against all of the files Slysoft offers for downloading (for trial) at their site. All seem to get ekrn.exe to start eating significant cpu. I would focus on the largest one (SetupCloneDVDmobile.exe) which is where I can generate the hang 100% of the time under the right conditions on my system.

Before going further, let me say that the “method” of scanning is important. (Or possibly not scanning if it is really just a conflict between explorer.exe and ekrn.exe and/or other components possibly generating no real scanning value.) Ekrn.exe tries to do something with these files when they are copied and the “Enable real-time file system protection” and “Advanced heuristics” boxes are checked.

Even under conditions where explorer.exe won’t freeze, you can see ekrn.exe eating up a lot more time and cpu when these files are copied. Much more than when copying similar installation files from Acronis or Nero which are over ten times larger. (From 20 to 50% cpu utilization versus around 10%.) Ekrn.exe seems to see something interesting about these files.

If you right click on the file to attempt on-demand scanning you will be tempted to just dismiss the file as corrupted. A sample of the results you will see is:

C:\Users\Mark\Desktop\SetupCloneDVDmobile.exe » UPX v12_m2 » NSIS - bad archive
C:\Users\Mark\Desktop\SetupCloneDVDmobile.exe » NSIS - bad archive

It isn’t a bad archive, there is something purposely done with these files. I have dozens of update installers I have kept from Slysoft upgrades over the past few years and they will all scan like this when processed by the on-demand scanner. They will all also cause significant work to be done by the Real-time file system scanning when they are copied.

BTW – If I had to guess, this is something Slysoft does related to their licensing scheme and possibly other vendors do something similar. If you scan these using Kapersky’s online scanner, it just scans them successfully (or at least says it does). NOD32 V2.7 seems to think these files are fine too.

Simply copying these files from local disk to local disk will cause ekrn.exe to do significant work, but will not generate a hang or anything all that interesting on my system. It may generate a hang on a more resourced constrained system or a system under heavier load, but I’m not interested in going that far into troubleshooting mode. As I said, I can now work around this problem.

To get the hang to happen 100% of the time, I have to copy the files between my local drive and my NAS drive which, of course, adds more potential variables and culprits. Could Eset recreate the same conditions with another NAS drive (probably running a different version of Samba) or even by purchasing the same model NAS and loading it with the same firmware level (an Infrant ReadyNAS NV+ running V4.00c1-p2)? Maybe, but I wouldn’t count on it.

(BTW – The NAS drive is very under loaded…no other users during testing with only about 6% of 1.1 TB in use. Remember that I can transfer dozens of much larger files and installers from other vendor…sub-second with Real-time file system protection turned off or within a few seconds with it turned on. It is the uniqueness of what happens with these specific files which is what may have troubleshooting value.)

The transfer will seem to complete with the file showing up in the target folder within a few seconds, but if you look closely, the correct Icon will not show up until minutes later. If you try to access the new file in any way during the following ten to fifteen minutes is when you will see explorer.exe stop responding in all windows and eventually hang with the types of errors I included I the earlier post. This happens with no other files I can find other than the Slysoft files.

To add a little more complexity to the scenario, if I were to start the file transfer and walk away without doing to anything else for the next fifteen to twenty minutes, I would never be aware of the issue because the transfer and whatever the Real-time scanner is trying to do during that time will eventually complete.

Use one of the smaller Slysoft files for the test and you will see explorer.exe stop responding for awhile, but it will pull out without an actual hang within a few minutes. I can only get the two largest files to actually generate a hang.

My suggestion simply boils down to Eset looking at these particular files from Slysoft to figure out what it is that the V3 On-demand scanner doesn’t like about them and what the Real-time file protection scanner finds so “interesting” about them when the files are copied. The files are simply a lead that may provide a clue to some of the reported performance issues or could just as easily lead to a dead end.

Attempting to recreate the specific hang scenario I’m finding is probably a less worthwhile endeavor that could waste a lot of time.

BTW – Going back to Post #88 in the New Version 3.0.621 thread, one reason I didn’t see the problem again after upgrading to V3.0.621 is because I didn’t turn on Advanced heuristics for Real-time file system scanning right after the installation. The second reason was that, after turning advanced heuristics on a couple of days later, I didn’t try copying the same "problem" files that I was copying when the issue first happened with V3.0566. I didn’t think about the possibility of specific files being tied to the problem until the problem reoccurred yesterday morning.

This was a record post for me by far. You might now understand why I didn't want to tackle this discussion via a forum.
Marcos
December 30th, 2007, 02:15 PM
-{ Quote: "My suggestion simply boils down to Eset looking at these particular files from Slysoft to figure out what it is that the V3 On-demand scanner doesn’t like about them and what the Real-time file protection scanner finds so “interesting” about them when the files are copied. The files are simply a lead that may provide a clue to some of the reported performance issues or could just as easily lead to a dead end." }-

It is normal that it takes time for advanced heuristics to emulate files. If you mind it, you can disable it and check files manually after being downloaded from web or copied from elsewhere. Anyway, I didn't have any problems copying Slysoft's files - they use a sort of NSIS archives not recognized by ESS/EAV and thus are not scanned internally unless extracted. The best would be if you could provide a direct link to the file in question. I've tried downloading 3 files from Slysoft's website without any problems.
meschubert
December 30th, 2007, 02:25 PM
As I mentioned, you won't have problems with simple copies. 15 to 20 minutes to copy a file that can be copied in that many seconds with Advanced Heuristics Disabled? I guess it is just thinking really hard and nobody is having any performance issues.

BTW - Try scanning the files you downloaded with V2.7. It will scan them without any problems. The fact the V3 doesn't understand them isn't the greatest confidence builder and should probably not be dismissed offhand. Should I enter a bug report?
piranha
December 30th, 2007, 07:55 PM
-{ Quote: "As I mentioned, you won't have problems with simple copies. 15 to 20 minutes to copy a file that can be copied in that many seconds with Advanced Heuristics Disabled? I guess it is just thinking really hard and nobody is having any performance issues.

BTW - Try scanning the files you downloaded with V2.7. It will scan them with any problems. The fact the V3 doesn't understand them isn't the greatest confidence builder and should probably not be dismissed offhand. Should I enter a bug report?" }-

yes !!!!!!!!!!!!!!!!!