ESET Smart Security's ekrn.exe consuming cpu cycles
nipstech
September 23rd, 2008, 08:04 AM
I have been noticing an issue that seems to be related to the ekrn module. One of the scenarios when this occurs is as such:
I open windows explorer, browse to a folder and right-click on a file (either local or on the local network). I get an hourglass and the system stops responding. If I attempt to open task manager it eventually starts. I'm able to see that ekrn.exe is consuming around 80-90% of the cpu (non-kernel). Concurrently, all the desktop icons revert to generic icons, all open windows turn white and any attempts to open new applications fail (don't respond). I can kill the ekrn.exe and the system starts working normally. Ekrn automatically re-loads after approx 3 seconds. I'm using ver. 3.0.672.0, tried uninstalling it, then ran registry clean expert to clean out any residual eset entries and the problem disappears. I re-install ESET and the problem reappears. The same symptoms occur randomly whenever I attempt access to files, such as in Dreamweaver or Outlook.
I haven't received any reports from any of my clients running ESET-SS just yet, but want to be proactive since I actively promote this product.
I can provide any additional information needed to resolve this issue.
Thanks,
Jon Smorada
http://nipstech.com
bodgy
September 23rd, 2008, 08:39 AM
I have been occasionally getting this problem as well, though it started a couple of builds ago.
I wondered if it was clashing with the last version of Acronis Privacy Suite that I have installed.
nipstech
September 23rd, 2008, 09:34 AM
I never used the Acronis Privacy Suite, but have used their True Image product. I found that about the only thing it's good for is using the trial version to create a bootable recovery image for a client's new PC. The GUI is cumbersome and I wouldn't use it for everyday use. Paragon Hard Drive backup seems to work better for me personally; every so often I create a new full image and for everyday backups I use NovaNet 11 utilizing a rotation scheme to keep the size of the backups manageable. But I digress...
Jenee
September 27th, 2008, 05:40 AM
Nipstech, I have the same problem which only started after I modified some of the settings in version 672. Unfortunately, I cannot go back to my original settings as I did not save a copy. I reset all the settings to default and just changed the Threatsense ones, but I still have the problem and it only occurs erratically so I can't pinpoint what causes it.
Marcos
September 27th, 2008, 05:45 AM
-{ Quote: "Nipstech, I have the same problem which only started after I modified some of the settings in version 672. Unfortunately, I cannot go back to my original settings as I did not save a copy. I reset all the settings to default and just changed the Threatsense ones, but I still have the problem and it only occurs erratically so I can't pinpoint what causes it." }-
I'd suggest that you download Process Monitor from Microsoft, filter our operations by ekrn.exe and reproduce the problem. The log should reveal which file(s) the scanner is actually scanning. It could be that an application is continually writing to a log which is subsequently scanned. As an interim solution, you can exclude that file from scanning. Please let us know about your findings.
bodgy
September 28th, 2008, 03:52 AM
I note there is one program that I have that causes buffer overruns when EKRN scans it. (SysInternals reports)
Would this be an ESET problem or an O&O problem, as it is accessing their software when this happens?
Perhaps I should have started a new thread.
Jenee
September 28th, 2008, 04:28 AM
-{ Quote: "I'd suggest that you download Process Monitor from Microsoft, filter our operations by ekrn.exe and reproduce the problem. The log should reveal which file(s) the scanner is actually scanning. It could be that an application is continually writing to a log which is subsequently scanned. As an interim solution, you can exclude that file from scanning. Please let us know about your findings." }-
I have the software but really don't know how to use it. Could you explain how to filter by ekrn.exe?
Marcos
September 28th, 2008, 05:42 AM
-{ Quote: "I have the software but really don't know how to use it. Could you explain how to filter by ekrn.exe" }-
It's quite straightforward, just create a filter that will exclude all processes but ekrn.exe as shown below:
funkydude
September 28th, 2008, 07:39 AM
316296 12:28:08.8985252 ekrn.exe 1512 QueryAllInformationFile C:\Users\m\AppData\Local\Microsoft\Windows\Explorer\thumbcache_32.db BUFFER OVERFLOW CreationTime: 03/06/2008 02:46:49, LastAccessTime: 09/09/2008 00:34:28, LastWriteTime: 09/09/2008 00:34:28, ChangeTime: 09/09/2008 00:34:28, FileAttributes: ANCI, AllocationSize: 2,097,152, EndOfFile: 2,097,152, NumberOfLinks: 1, DeletePending: False, Directory: False, IndexNumber: 0xc1000000000971, EaSize: 0, Access: Generic Read, Position: 0, Mode: Synchronous IO Non-Alert, AlignmentRequirement: Word
Thumbnail cache should be excluded by default in my opinion.
342780 12:29:38.3169591 ekrn.exe 1512 ReadFile C:\ProgramData\ESET\ESET Smart Security\Charon\CACHE.NDB SUCCESS Offset: 7,718, Length: 40
Why isn't this file excluded by default? It appears to be scanned around 100 times a second.
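Added example, not part of the thread and not ESET or Microsoft code: one way to do the tally suggested above, ranking the paths ekrn.exe touches in a Process Monitor CSV export by event count and rate. The column names assume Process Monitor's default export layout, and the sample rows are constructed (only the two file paths and the PID come from the posts above).

```python
import csv
import io
from collections import Counter, defaultdict

# Constructed sample in the default Process Monitor CSV column layout.
# Timestamps, the explorer.exe PID and C:\Temp\app.log are made up.
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"12:29:38.0000000","ekrn.exe","1512","ReadFile","C:\ProgramData\ESET\ESET Smart Security\Charon\CACHE.NDB","SUCCESS","Offset: 7,718, Length: 40"
"12:29:38.2500000","ekrn.exe","1512","ReadFile","C:\ProgramData\ESET\ESET Smart Security\Charon\CACHE.NDB","SUCCESS","Offset: 7,758, Length: 40"
"12:29:38.5000000","explorer.exe","2040","CreateFile","C:\Temp\app.log","SUCCESS","Desired Access: Generic Write"
"12:29:38.7500000","ekrn.exe","1512","QueryAllInformationFile","C:\Users\m\AppData\Local\Microsoft\Windows\Explorer\thumbcache_32.db","BUFFER OVERFLOW","AllocationSize: 2,097,152"
"12:29:39.0000000","ekrn.exe","1512","ReadFile","C:\ProgramData\ESET\ESET Smart Security\Charon\CACHE.NDB","SUCCESS","Offset: 7,798, Length: 40"
"12:29:39.2500000","ekrn.exe","1512","CreateFile","C:\Temp\app.log","SUCCESS","Desired Access: Generic Read"
"12:29:39.5000000","ekrn.exe","1512","ReadFile","C:\ProgramData\ESET\ESET Smart Security\Charon\CACHE.NDB","SUCCESS","Offset: 7,838, Length: 40"
"12:29:39.7500000","ekrn.exe","1512","ReadFile","C:\Temp\app.log","SUCCESS","Offset: 0, Length: 4,096"
"12:29:40.0000000","ekrn.exe","1512","ReadFile","C:\ProgramData\ESET\ESET Smart Security\Charon\CACHE.NDB","SUCCESS","Offset: 7,878, Length: 40"
'''


def seconds_since_midnight(text):
    """Parse '12:29:38.3169591' or '1:00:00.0000000 PM' into seconds."""
    clock, *suffix = text.strip().split()
    h, m, s = clock.split(":")
    hour = int(h)
    if suffix:  # 12-hour locale appends AM/PM
        hour = hour % 12 + (12 if suffix[0].upper() == "PM" else 0)
    return hour * 3600 + int(m) * 60 + float(s)


def hot_paths(csv_text, process="ekrn.exe", top=5):
    """Rank the paths one process touched, busiest first.

    The rate is events divided by the span between that process's first
    and last event (at least 1 s); a trace crossing midnight is not handled.
    """
    # Exported files may start with a UTF-8 byte-order mark; drop it.
    rows = csv.DictReader(io.StringIO(csv_text.lstrip("\ufeff")))
    counts = Counter()
    results = defaultdict(Counter)
    times = []
    for row in rows:
        if row["Process Name"].lower() != process.lower():
            continue
        counts[row["Path"]] += 1
        # Keep the Result column per path. In Process Monitor,
        # BUFFER OVERFLOW means the caller's buffer was smaller than the
        # data a query returned; it is a status code, not memory corruption.
        results[row["Path"]][row["Result"]] += 1
        times.append(seconds_since_midnight(row["Time of Day"]))
    if not times:
        return []
    window = max(max(times) - min(times), 1.0)
    ranked = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))[:top]
    return [
        {"path": path, "events": n, "per_second": n / window,
         "results": dict(results[path])}
        for path, n in ranked
    ]


if __name__ == "__main__":
    for entry in hot_paths(SAMPLE_CSV):
        print(f'{entry["events"]:>6} {entry["per_second"]:>8.1f}/s  '
              f'{entry["path"]}  {entry["results"]}')
```

A path that stays at the top of this list while the machine is unresponsive is the candidate for the interim exclusion mentioned earlier in the thread; removing the exclusion after an update shows whether the underlying problem is gone.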
Hotep
September 28th, 2008, 11:22 AM
I had the same issues especially the high cpu usage. This made my system unstable. This all started after 3.0.650.0 build was updated and so forth. I just switched back to 3.0.650.0, no problems since. (back to normal) I think I will stay with this build till I see signs that this issue is resolved.
nipstech
September 29th, 2008, 05:44 PM
Thanks, guys. I'm on the road right now but I'll download process explorer as soon as I have some free time and do some troubleshooting...Jon
WigglyTheGreat
September 29th, 2008, 07:29 PM
-{ Quote: "I had the same issues especially the high cpu usage. This made my system unstable. This all started after 3.0.650.0 build was updated and so forth. I just switched back to 3.0.650.0, no problems since. (back to normal) I think I will stay with this build till I see signs that this issue is resolved." }-
I had the same issues on two different computers so for now I run nod32 2.7 a/v only and another firewall. Glad at least that older version is stable for you and I would stay there too if I were you.
mkret
October 1st, 2008, 12:49 PM
-{ Quote: "I had the same issues especially the high cpu usage. This made my system unstable. This all started after 3.0.650.0 build was updated and so forth. I just switched back to 3.0.650.0, no problems since. (back to normal) I think I will stay with this build till I see signs that this issue is resolved." }-
Exact same thing here. But with me it was AVI files that caused it. Back to 3.0650.0 and all is fine. I have reported this before. But they want a URL which I do not have. To send a 3/4 gig file is out of the question.
If it is not resolved by the time my license expires it will be blown out of my machine as well as my clients. >:( >:(
JoePineapples
October 5th, 2008, 09:43 AM
Hi - I've been experiencing the same prob. Am running ESET Smart Security 3.0.672.0.
ekrn will consume 98-99% of cpu time for periods up to 5-8 mins locking everything up. Have only noticed it in the last few weeks and have been running ESET for a while. Only things new in the last couple of weeks are: Chrome, Java updated itself, itunes updated itself.
Can't see a pattern as to how it occurs - I can open explorer and select a directory and it locks. Next time it goes straight thru. Same with apps - sometimes it locks, sometimes not. Just tried to open Advanced Uninstaller Pro v8 and machine was locked for 8mins.
I've run the process monitor as suggested but not sure what info I can provide to help. There are lots of entries :)
Marcos
October 5th, 2008, 02:38 PM
-{ Quote: "Hi - I've been experiencing the same prob. Am running ESET Smart Security 3.0.672.0.
" }-
Do you use default settings or have you altered some options in the real-time protection setup? Does confining the real-time protection to files with default extensions instead of all files make a difference?
Bell1
October 31st, 2008, 12:01 PM
I've been lurking and following this thread and I also have the 100% CPU problem with ekrn.exe. Coupled with the 100% that svchost(dcomlaunch) is trying to use and my machine is completely unusable for the first 15 minutes or so after it boots.
I discovered the other day that if I set my CPU affinity to use only one core for ekrn.exe and svchost, along with rolling back Smart Security to version 3.0.650 my cpu usage drops considerably and my machine is much more stable after rebooting.
My question is, would I be correct in guessing that Smart Security won't be affected by doing this? I'm also guessing that the slightly older version should be at least as good as the newest version with latest signatures.
Thanks
mkret
October 31st, 2008, 01:21 PM
-{ Quote: "I've been lurking and following this thread and I also have the 100% CPU problem with ekrn.exe. Coupled with the 100% that svchost(dcomlaunch) is trying to use and my machine is completely unusable for the first 15 minutes or so after it boots.
I discovered the other day that if I set my CPU affinity to use only one core for ekrn.exe and svchost, along with rolling back Smart Security to version 3.0.650 my cpu usage drops considerably and my machine is much more stable after rebooting.
My question is, would I be correct in guessing that Smart Security won't be affected by doing this? I'm also guessing that the slightly older version should be at least as good as the newest version with latest signatures.
Thanks" }-
I have not had a problem with SVCHOST although there is more than one running.
Unless there have been major updates in the later versions. Which I do not think there was. I think 650 should be fine and that is what I am running.
They seem (ESET) to be powerless to fix this problem.
For my clients and myself we will stick to 650 till the year runs out. If it is not fixed before then. I will look for another application for this. ESET will lose a lot of licenses. But such is life in computer programs.
Bell1
October 31st, 2008, 03:17 PM
-{ Quote: "I have not had a problem with SVCHOST although there is more than one running.
Unless there have been major updates in the later versions. Which I do not think there was. I think 650 should be fine and that is what I am running.
They seem (ESET) to be powerless to fix this problem.
For my clients and myself we will stick to 650 till the year runs out. If it is not fixed before then. I will look for another application for this. ESET will lose a lot of licenses. But such is life in computer programs." }-
I agree, I'll take a hard look at other programs next July if there isn't some improvement on this. Oddly enough, the latest version works fine on my wife's XP machine, even though it lacks the power of my machine.
mkret
October 31st, 2008, 04:43 PM
-{ Quote: "I agree, I'll take a hard look at other programs next July if there isn't some improvement on this. Oddly enough, the latest version works fine on my wife's XP machine, even though it lacks the power of my machine." }-
I suppose that is what makes it so hard for them to track down? It only happens on random systems. Even if there are many.
I'm outta here. Have a good weekend.
nipstech
October 31st, 2008, 04:54 PM
this thread's been out here over a month with no response from anyone at eset. it makes me wonder whether anyone there is even looking at these forums. i offer this product as the premium product to all of my clients, but now i'm having second thoughts.
kevvyb2005
October 31st, 2008, 08:34 PM
I got this problem too on a new XP SP3 install with build 672.0
Had no problems with previous version but don't know what this was. Trying to dig out previous version from my backups.
Are previous versions downloadable from ESET?
kevvyb2005
October 31st, 2008, 09:05 PM
Have reinstalled 3.0.667.0 and fingers crossed, so far this seems okay. Will post back if it turns out not to be.
kevvyb2005
October 31st, 2008, 09:57 PM
No need to wait. Not only was I getting the windows explorer issue mentioned but all navigation was just sluggish. Back to how I remember it now!! Even start up is quicker.
Get it sorted ESET or you've lost another customer and I have recommended your product to many people.
mkret
November 2nd, 2008, 02:37 PM
-{ Quote: "Do you use default settings or have you altered some options in the real-time protection setup? Does confining the real-time protection to files with default extensions instead of all files make a difference?" }-
You are really starting to sound like a parrot.
You have asked this many times of several people. Some as well as myself said they are using the default settings. As to the last question. No it does not.
mkret
November 2nd, 2008, 02:38 PM
-{ Quote: "this thread's been out here over a month with no response from anyone at eset. it makes me wonder whether anyone there is even looking at these forums. i offer this product as the premium product to all of my clients, but now i'm having second thoughts." }-
Much longer than a month. I brought it up many months ago on AVI files.
kevvyb2005
November 2nd, 2008, 05:05 PM
Posted in error - apologies especially to MKRET
Jenee
November 2nd, 2008, 05:20 PM
I think this is going to be a difficult one to solve. My system is now ok and I no longer have the problem. I don't know why. I do know that I started it by modifying the ESS settings but, at the same time, I also had loaded some new software. I have basically put my ESS settings back to where I had them before the changes I made but that did not fix the problem immediately. I think it has something to do with the activity of some programs, in particular, Google Chrome would cause my system to go into slow mode immediately but now it no longer happens. So perhaps ESS is now recognising the program activity is ok. I don't know. My partner has the same operating system but many different programs and he still experiences the problem from time to time. A couple of other programs which cause the excessive cpu usage on opening are Directory Opus and Personal Passworder. There could be lots more.
kevvyb2005
November 4th, 2008, 04:00 AM
email from ESET:
Good Afternoon,
We will soon be releasing version 4 of our software (pencilled in for some time in February 2009) and any bugs that you may have experienced in 3.0.672 should be resolved in that version.
Many thanks,
mkret
November 4th, 2008, 11:58 AM
-{ Quote: "email from ESET:
Good Afternoon,
We will soon be releasing version 4 of our software (pencilled in for some time in February 2009) and any bugs that you may have experienced in 3.0.672 should be resolved in that version.
Many thanks," }-
Now that is finally good news.
Thanks for sharing it.
nipstech
November 15th, 2008, 06:58 AM
I've downloaded and started using Kaspersky Internet Security and haven't had a problem since. It seems to be much more stable than ESET SS. I've had problems with ESET blocking rpc traffic to my domain controller even though I defined the Local LAN as trusted. The workaround was to use interactive mode and manually add the ports as the warnings appeared. With Kaspersky, it worked with no interaction, yet still recognized public networks when I take the laptop off of the LAN and connect to a public wireless network. Fortunately, all of my clients so far are running standalone machines and haven't had the problems I've had. I have to say that until ESET works out their issues, I'll have to recommend using Kaspersky. Ordering a license is instantaneous with Kaspersky, I don't have to wait a day or two for someone at NHA to email me a key.
As an FYI, the last time I uninstalled ESET, when I rebooted the system hive was corrupt, forcing me to restore the machine from a backup image. It took me a day to recover the machine using a month-old image combined with the daily backups, but I didn't lose any data. I was pretty annoyed to say the least.>:(
mkret
November 15th, 2008, 01:12 PM
-{ Quote: "I've downloaded and started using Kaspersky Internet Security and haven't had a problem since. It seems to be much more stable than ESET SS. I've had problems with ESET blocking rpc traffic to my domain controller even though I defined the Local LAN as trusted. The workaround was to use interactive mode and manually add the ports as the warnings appeared. With Kaspersky, it worked with no interaction, yet still recognized public networks when I take the laptop off of the LAN and connect to a public wireless network. Fortunately, all of my clients so far are running standalone machines and haven't had the problems I've had. I have to say that until ESET works out their issues, I'll have to recommend using Kaspersky. Ordering a license is instantaneous with Kaspersky, I don't have to wait a day or two for someone at NHA to email me a key." }-
Funny thing is I went from Kaspersky to ESET about 2 years ago. Kaspersky was having trouble when I cloned drives. ESET had no such problem.
No I am pissed for another reason. The definition file from last Saturday is now giving me a false positive on a DLL file. Sent them an email along with the file as requested on their form. Took them four days to reply with a canned reply.
I am beginning to think the program and company are just not ready for prime time.
I have the latest Kaspersky on my drive to be installed and evaluated.
Marcos
November 15th, 2008, 02:52 PM
-{ Quote: "The definition file from last Saturday is now giving me a false positive on a DLL file. Sent them an email along with the file as requested on their form. Took them four days to reply with a canned reply." }-
Just to make sure, did you email the sample to samples[at]eset.com with "False positive" in the subject? In such case, it'd have been fixed in Monday's update.
mkret
November 15th, 2008, 04:14 PM
-{ Quote: "Just to make sure, did you email the sample to samples[at]eset.com with "False positive" in the subject? In such case, it'd have been fixed in Monday's update." }-
It was mailed to wherever it goes in the request form and yes it was entitled false positive.
I have an exclusion for it right now. Jammed up with work so I do not have the time to clone and remove the exception to try it. But I will.
Thanks Marcos
Dramen
November 15th, 2008, 06:15 PM
I'm also experiencing the same issue, to no such avail yet.
"Best AV in the world" - my arse ¬_¬
bitmap
November 15th, 2008, 07:01 PM
I have had a similar problem. At start up, the cpu usage would hit 99% for a period of 2-3 minutes.
When I installed the latest version I chose the default options. I noticed that the start up cpu usage was now normal. Curious about this, I started to tinker with settings and noticed that when I turned advanced heuristics on, the cpu usage problem returned.
Thankfully, cpu usage problem disappeared again when I turned it back off and rebooted.
dsiomtw
November 15th, 2008, 07:03 PM
I'm watching/logging ekrn processes with Process Watcher and am seeing tons of BUFFER OVERFLOW and RANGE NOT LOCKED errors/warnings in the Result column. Would this be normal?
Dramen
November 16th, 2008, 07:31 AM
I'm also getting the same, but there's so many files with the buffer overflow...what's going on seriously, why has this only just started to happen?
mkret
November 16th, 2008, 02:14 PM
-{ Quote: "It was mailed to wherever it goes in the request form and yes it was entitled false positive.
I have an exclusion for it right now. Jammed up with work so I do not have the time to clone and remove the exception to try it. But I will." }-
Marcos just wanted to let you know that indeed it has been corrected. No longer getting a false positive. I have also removed the exclusion.
Thanks again
mkret
November 18th, 2008, 03:01 PM
-{ Quote: "It was mailed to wherever it goes in the request form and yes it was entitled false positive.
I have an exclusion for it right now. Jammed up with work so I do not have the time to clone and remove the exception to try it. But I will.
Marcos just wanted to let you know that indeed it has been corrected. No longer getting a false positive. I have also removed the exclusion.
Thanks again" }-
Marcos one other question?
To cut down on CPU usage if I was to take off all heuristic scanning. How much of a risk am I exposing myself to?
Thanks.
Marcos
November 18th, 2008, 03:19 PM
-{ Quote: "
To cut down on CPU usage if I was to take off all heuristic scanning. How much of a risk am I exposing myself too?
" }-
I wouldn't leave advanced heuristics disabled. Perhaps you could uninstall your current version and try the new beta v4. More info can be found here (http://www.wilderssecurity.com/forumdisplay.php?f=18). Perhaps you could watch the statistics window when the slow down occurs, this would reveal the file being scanned. As the last resort you could disable AH for newly created files and leave it enabled on file execution (a new feature introduced in v4).
mkret
November 18th, 2008, 03:30 PM
-{ Quote: "I wouldn't leave advanced heuristics disabled. Perhaps you could uninstall your current version and try the new beta v4. More info can be found here (http://www.wilderssecurity.com/forumdisplay.php?f=18). Perhaps you could watch the statistics window when the slow down occurs, this would reveal the file being scanned. As the last resort you could disable AH for newly created files and leave it enabled on file execution (a new feature introduced in v4)." }-
Thanks for the quick reply. Heuristics will stay enabled.
95% of my work is done on this machine. So I can't chance running anything BETA on it.
I am not sure I know what you are referring to by "statistics window." I can see the processes in Windows Task Manager but not the individual file being scanned.
Marcos
November 18th, 2008, 03:35 PM
-{ Quote: "
I am not sure I know what you are referring to by "statistics window." I can see the processes in Windows Task Manager but not the individual file being scanned." }-
I mean this (http://www.wilderssecurity.com/showpost.php?p=1350614&postcount=18) statistics window in v4.
mkret
November 18th, 2008, 03:41 PM
-{ Quote: "I mean this (http://www.wilderssecurity.com/showpost.php?p=1350614&postcount=18) statistics window in v4." }-
That looks like a great addition.
Thanks as always.
mkret
November 18th, 2008, 04:48 PM
-{ Quote: "That looks like a great addition.
Thanks as always." }-
Well curiosity got the best of me.
Stopped working and cloned my HD. Then installed V4. To say my socks were knocked off is an understatement.
I am amazed at all the changes especially in the GUI.
Also a preliminary look seems to show that the CPU problem has been solved.
Unfortunately I had to go back to work so I can eat.
But a great job and huge Kudos to the ESET team. :thumb:
Are you looking at a February 2009 for this?
dsiomtw
November 19th, 2008, 12:00 AM
Ok I've identified the problem on my computer using Process Monitor. It gets "stuck" on its own log file!
C:\Documents and Settings\All Users\Application Data\ESET\ESET Smart Security\Logs\epfwlog.dat
My epfwlog.dat is currently about 877,358 KB and it took 33 minutes to "process" it (don't know exactly what it was doing), using about 30% of my CPU.
The entire time I can't surf the web. I assume this is the firewall log file and while it's processing it, it locks up the firewall blocking all http communications.
As soon as it was done, 33 minutes later, everything went back to normal.
So now the question is, how do I prevent this from happening? Just turn off all logging and delete the file?? Or is this some glitch with ESS?
Is 877,358 KB unusually large for this log file?
ronjor
November 19th, 2008, 07:19 AM
http://www.wilderssecurity.com/showpost.php?p=1281739&postcount=9
dsiomtw
November 19th, 2008, 12:25 PM
I'm just using the default settings. I installed ESS on 5/28/2008 and my epfwlog.dat is now over 850 megs. I just can't imagine ESS would install itself in a default configuration that would ultimately cause my web surfing ability to go dead for 33 minutes every other day. Are you saying this is normal??
I'm not logging all blocked connections. And other than that I don't see how to tell it what to log. All I see is that I can "Delete records older than X days" which defaults to 90, and "Optimize log files automatically" is checked by default. Am I missing a feature somewhere that I can tell ESS specifically what to log and what not to log?
I don't care about logging really so for now I'm changing the 90 days to 1 day to see if that helps.
But does anyone know if it's normal for ESS to "process" this logfile every few days and it makes it so I can't surf the web the entire time it's processing the file? I assume it should only take a second or two rather than the 33 minutes in my case. Is there some way to tell ESS not to "process" this log file? What exactly is it doing when it's "processing" this log file??
Whatever it's doing is not part of a virus scan, it's happening automatically...
Jenee
November 19th, 2008, 07:30 PM
-{ Quote: "I'm just using the default settings. I installed ESS on 5/28/2008 and my epfwlog.dat is now over 850 megs. I just can't imagine ESS would install itself in a default configuration that would ultimately cause my web surfing ability to go dead for 33 minutes every other day. Are you saying this is normal??
I'm not logging all blocked connections. And other than that I don't see how to tell it what to log. All I see is that I can "Delete records older than X days" which defaults to 90, and "Optimize log files automatically" is checked by default. Am I missing a feature somewhere that I can tell ESS specifically what to log and what not to log?
I don't care about logging really so for now I'm changing the 90 days to 1 day to see if that helps.
But does anyone know if it's normal for ESS to "process" this logfile every few days and it makes it so I can't surf the web the entire time it's processing the file? I assume it should only take a second or two rather than the 33 minutes in my case. Is there some way to tell ESS not to "process" this log file? What exactly is it doing when it's "processing" this log file??
Whatever it's doing is not part of a virus scan, it's happening automatically..." }-
I think I finally realised that ESS does not optimise the log file. I had the same problem with the file getting bigger and bigger and I kept reducing the number of days kept but that didn't help. In the end I reduced the number of days kept from 90 to 45 and manually ran the optimisation and the log file went from over 500mb down to 200kb.
I have now changed over to beta4 so will continue to monitor the log file to see if the same thing happens.
dsiomtw
November 19th, 2008, 08:19 PM
I changed the number of days to 1 and manually ran the optimization and it didn't reduce the filesize at all.
dsiomtw
November 20th, 2008, 03:35 AM
I've since rebooted a few times and it looks like the log file is down to 128k or so. I'll keep an eye on it...
Copyright ©2002 - 2012, Wilders Security Forums