Did NOD32 Install Correctly?
Hangetsu
March 26th, 2008, 12:07 AM
My machine runs 64 bit Vista Ultimate, and I downloaded and installed the NOD32 v3 64 bit edition. When I look at my processes, I see the Eset Service (ekrn) is operating as 32 bit.
Shouldn't that component operate at 64 bit? Am I missing something here (which is very possible / likely)?
ASpace
March 26th, 2008, 08:48 AM
Again ;D
{QUOTE-> Is ESET NOD32 Antivirus a native 64-bit application?
ESET NOD32 Antivirus 3.0* is a hybrid program in that it contains both 32-bit and 64-bit program code. The engine (ekrn.exe) and interface modules used by ESET NOD32 to protect a system from malware are the result of years of development to create highly-optimized x86 assembly language code. During testing, it was discovered that recompiling certain portions of the program to 64-bit code resulted in increased memory usage with no discernable improvement in performance, stability or reliability.
When a 64-bit interface needs to be monitored, such as for on-access or Windows Socket layer scanning, 64-bit code is used to do so. As evidenced by ESET NOD32's high scanning throughput and detection rate under 64-bit operating systems, this does not cause any complications.
The general rule-of-thumb for ESET NOD32 Antivirus 3.0 is that parts of the program which need to run as 64-bit do, while parts which have no advantage running as 64-bit remain 32-bit code. <-QUOTE}
So, if it runs OK (as fast as usual) and detects threats, I don't see a single reason to worry.
Hangetsu
April 9th, 2008, 12:14 PM
Hey, sorry to dig this back up again, but I'm still confused as to how this is working on a 64 bit machine - For example, how is it scanning 64 bit addressed memory?
It's running great as usual, but I also want to make sure it's protecting me!
proactivelover
April 9th, 2008, 12:49 PM
If you want to see EAV protection,
try to download this test virus and see if EAV detects it:
http://www.eicar.org/anti_virus_test_file.htm
Hangetsu
April 9th, 2008, 12:56 PM
Well, I would hope it detects the EICAR file - My issue isn't with its ability to detect viruses, I just want to better understand how a 32 bit executable / service is managing a 64 bit system.
With my example above, memory above 3GB (pretty sure anyway) can't be addressed in 32 bits. I just want to make sure there isn't a gap in coverage due to the ekrn.exe service being a 32 bit application. I'm sure it's not, and hardware isn't my forte, but I'm curious as to how this works assuming it's not proprietary knowledge.
FYI, the product is ICSA Labs certified for 64 bit Vista, so this is more curiosity at this point than concern.
lucas1985
April 9th, 2008, 02:55 PM
The driver must be 64-bit, the other components can be 32-bit.
The ekrn.exe service is the core of the scanning engine, you should look for eadrv.sys (IIRC, that's the name of the filesystem filter) and the likes.
Hangetsu
April 9th, 2008, 04:03 PM
{QUOTE-> The driver must be 64-bit, the other components can be 32-bit.
The ekrn.exe service is the core of the scanning engine, you should look for eadrv.sys (IIRC, that's the name of the filesystem filter) and the likes. <-QUOTE}
Ugh, duh -- That makes perfect sense. Since ekrn.exe sits in the services list, I took that at face value as being the component that requires the ability to read 64 bit addressing. That's pretty much what was being said before, but I was thinking of it as a driver (vs. the individual sys files). Thanks Lucas!
lucas1985
April 9th, 2008, 05:43 PM
So, eadrv.sys (or whatever the filesystem filter is called) is a 64-bit app? :)
Hangetsu
April 9th, 2008, 06:38 PM
Not sure how to tell to be honest, but if the ekrn.exe takes advantage of 64 bit drivers that explains how it does work.
lucas1985
April 9th, 2008, 08:08 PM
Try to find it in the drivers directory.
agoretsky
April 9th, 2008, 09:11 PM
Hello,
The program registers 64-bit filter drivers on a system to monitor the activities which occur at those points where threats can be introduced. Those drivers then pass the data back to an engine which contains 32-bit hand-optimized x86 code for actual analysis.
It is analogous to how the old thunking layer used to operate for getting old 16-bit Windows 3.1 programs to work under 32-bit Windows 95 and Windows NT, although the actual manner in which it operates is not the same.
Regards,
Aryeh Goretsky
Hangetsu
April 9th, 2008, 10:56 PM
Excellent, thank you for the replies all. On a side note, the latest version is running blazing fast on my machine - Well done on optimizing v.3!!
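One way to answer the "how to tell" question raised in the thread, as an added example that is not part of the original posts: the PE/COFF header of any Windows executable or driver records its target architecture, so ekrn.exe and eadrv.sys (file names taken from the thread) can be checked by passing their paths to the script. The `make_sample` helper and the headers it builds are constructed for demonstration only.

```python
import struct
import sys

# IMAGE_FILE_HEADER.Machine values from the PE/COFF specification
MACHINES = {0x014C: "x86 (32-bit)", 0x8664: "x64 (64-bit)", 0x0200: "Itanium (64-bit)"}
# IMAGE_OPTIONAL_HEADER.Magic values
MAGICS = {0x010B: "PE32", 0x020B: "PE32+"}


def pe_bitness(data: bytes) -> tuple[str, str]:
    """Return (machine, optional-header format) for a PE image given as bytes."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    # e_lfanew at offset 0x3C points to the "PE\0\0" signature
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)
    if pe_off + 26 > len(data) or data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    # Machine is the first field of the 20-byte file header after the signature
    (machine,) = struct.unpack_from("<H", data, pe_off + 4)
    # The optional header (starting with Magic) follows signature + file header
    (magic,) = struct.unpack_from("<H", data, pe_off + 24)
    return (MACHINES.get(machine, f"unknown (0x{machine:04x})"),
            MAGICS.get(magic, f"unknown (0x{magic:04x})"))


def make_sample(machine: int, magic: int) -> bytes:
    """Constructed minimal header for demonstration; not a loadable binary."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    file_hdr = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, 0, 0)
    return dos + b"PE\0\0" + file_hdr + struct.pack("<H", magic)


if __name__ == "__main__":
    # Usage: python pe_bitness.py <path to ekrn.exe> <path to eadrv.sys> ...
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(path, *pe_bitness(fh.read(4096)))
    if len(sys.argv) == 1:
        # No paths given: run on the constructed samples instead
        print("32-bit sample:", pe_bitness(make_sample(0x014C, 0x010B)))
        print("64-bit sample:", pe_bitness(make_sample(0x8664, 0x020B)))
```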
Copyright ©2002 - 2009, Wilders Security Forums