New update (3532) hangs my PC
tnovak
October 17th, 2008, 12:51 PM
Hi!
I'm new here. I'm using ESS 3.0.672 on a Vista PC, and update 3532, released today, caused my PC to hang - all applications take many minutes to start, the system isn't responding, the ekrn.exe process CPU usage is still about 50% on a quad core, and every 10 seconds the logs show messages like:
17.10.2008 17:17:19 Amon: released file: PortLoop NT AUTHORITY\SYSTEM or
17.10.2008 17:17:42 Amon: released file: \Device*** NT AUTHORITY\SYSTEM
BUT when I disabled advanced heuristics for real time protection everything went back to normal...
So I think something is wrong with the new update and/or with the new advanced heuristics module 1078...
Please can someone confirm it and can ESET fix it :-)
Regards
Tom
P.S.: Sorry for my bad English...
UPDATE (18.10.): The reason was probably found - The Bat! mail program is causing this behavior when advanced heuristics is enabled for on-access scanning. ESET is resolving this issue. Workaround - add thebat.exe file to your exclusion list.
Melchi501
October 17th, 2008, 01:29 PM
Same problem here. Need a reboot and I disabled, too, advanced heuristics. Back to normal for now.
The Hammer
October 17th, 2008, 02:47 PM
I can't confirm the OP's problem as I am not home right now, but if there is a problem with the update Eset will fix it.
Melchi501
October 17th, 2008, 03:13 PM
OK, I rechecked Advanced Heuristics in real-time file system protection. After I closed Skype, ekrn.exe goes crazy (100% CPU), computer freezes, etc. Reboot. Disabled Advanced Heuristics and everything is back to normal (Skype, CPU...). :doubt:
ASpace
October 17th, 2008, 03:33 PM
-{ Quote: "I'm using ESS 3.0.672 on Vista PC and today released update 3532 caused my PC to hang" }-
No problems running Vista SP1 here. No problems on XP SP3 laptops at home.
No issues with my customers - just checked a few of them with Remote Desktop, all are fine with 3532.
You guys should NOT touch the default settings, e.g. you should not enable AH and RTP for on-access scan - they are enabled only for newly-created and modified files in the real-time file system protection. I would open the user interface, press F5 to open the Advanced setup tree and click on the "Default" button to revert all the settings to their default ones.
tnovak
October 17th, 2008, 03:57 PM
-{ Quote: "
You guys should NOT touch the default settings, e.g. you should not enable AH and RTP for on-access scan - they are enabled only for newly-created and modified files in the real-time file system protection. I would open the user interface, press F5 to open the Advanced setup tree and click on the "Default" button to revert all the settings to their default ones." }-
Hmm, this is part of "EAV 3.0 Tutorial" from Official ESET Support Forum: ;D
-{ Quote: "1. Click on "Options".
2. You can place a tick in "Advanced heuristics", however WARNING: enabling "Advanced heuristics" for "on-access" may cause a slow down, if you find this is the case, simply untick this box.
" }-
and I had NO problems until today, so... 8)
But anyway, thank you for your testing.
Regards
Tom
ASpace
October 17th, 2008, 04:11 PM
WARNING: enabling "Advanced heuristics" for "on-access" may cause a slow down
You are welcome.
b00ze
October 18th, 2008, 02:19 AM
I have the same problem since yesterday too ... massive hangs and lags.
-{ Quote: "WARNING: enabling "Advanced heuristics" for "on-access" may cause a slow down" }-
Does that mean that "Advanced heuristics" for "on-access"-scanning was faulty before and works now? It was always activated here, and I never noticed any slowdown from it. So what has changed now?
EAV 3.0.672.0
---------------------------------
Virus signature database: 3533 (20081017)
Update module: 1024 (20080514)
Antivirus and antispyware scanner module: 1155 (20081016)
Advanced heuristics module: 1078 (20081016)
Archive support module: 1083 (20081016)
Cleaner module: 1032 (20080724)
Anti-Stealth support module: 1002 (20080723)
Marcos
October 18th, 2008, 02:42 AM
Advanced heuristics is a sophisticated emulator that runs files in a virtual environment to determine whether the actions carried out by the file being scanned are suspicious or safe. The emulation is a time-intensive process that may take up to several seconds to complete, hence it's enabled only for newly created or modified files in the real-time protection module by default. The option to enable it on access was first introduced in version 3 and only those who don't mind delays when running certain packed files should use it. In the next version, a warning will be displayed telling the user that enabling this option might have an adverse effect on the performance.
b00ze
October 18th, 2008, 02:56 AM
Sure, I understand that, but why did that not happen before? Has Eset implemented new checking/testing algorithms? From "not noticeable" to "massive slowdown" in one day? As I said before: It was always activated here. I don't want to complain, I only would like to know what's going on...
Marcos
October 18th, 2008, 03:01 AM
-{ Quote: "Sure, I understand that, but why did that not happen before? Has Eset implemented new checking/testing algorithms? From "not noticeable" to "massive slowdown" in one day? As I said before: It was always activated here. I don't want to complain, I only would like to know what's going on..." }-
We've improved AH so that it's able to emulate certain files better than before. As a result, detection should be improved, too.
b00ze
October 18th, 2008, 03:08 AM
Ahh, good to hear.
Thanks Marcos & have a nice ... whatever. :-)
tnovak
October 18th, 2008, 06:08 AM
-{ Quote: "We've improved AH so that it's able to emulate certain files better than before. As a result, detection should be improved, too." }-
Thank you, Marcos, for your explanation. I have now AH disabled and everything seems to be ok. So I will keep it there.
But, I'm still thinking... Is it really possible that the "improved" AH module may cause "if enabled for on-access" that for example The Bat! mail program did not start even after 15 min. and it takes about 2 min. to open the Start menu after I click the Start button... ???
Regards
Tom
Marcos
October 18th, 2008, 06:23 AM
-{ Quote: "Thank you, Marcos, for your explanation. I have now AH disabled and everything seems to be ok. So I will keep it there.
But, I'm still thinking... Is it really possible that the "improved" AH module may cause "if enabled for on-access" that for example The Bat! mail program did not start even after 15 min. and it takes about 2 min. to open the Start menu after I click the Start button... ???
Regards
Tom" }-
Hi Tom,
please send The Bat's executable in a password protected archive to samples[at]eset.com with this thread's URL in the subject. We'll check it out. Does excluding it from scanning actually make a difference?
b00ze
October 18th, 2008, 06:43 AM
Yes, it was "The Bat!" here too, that causes that behaviour. I can confirm that.
When I put "C:\Programme\The Bat!\thebat.exe" on the exclusions list, and re-enable the "Advanced heuristics" for "on-access"-scanning, everything works fine.
But isn't the pop3-scanning-proxy also disabled then?
-{ Quote: "Hi Tom,
please send The Bat's executable in a password protected archive to samples[at]eset.com with this thread's URL in the subject. We'll check it out. " }-
I have done that. The password is "password".
COSMO26
October 18th, 2008, 09:01 AM
-{ Quote: "
You guys should NOT touch the default settings, e.g. you should Not enable AH and RTP for on-access scan - they are enabled only for newly-created and modified files in the real-time file system protection. I would open the user interface, press F5 to open the Advanced setup tree and click on the "Default" button to revert all the settings to their default ones." }-
(.672) I'm Clk'ing Default (All Settings) everywhere I see it and AH and RTP are Still Chk'd in each module. Has Default changed vs. your instructions or is something amiss here?...... (By "On Access" I presume you guys mean the Web Access part of the Setup tree.)...I'll Manually UnCheck AH and RTP if that's the better Setup.
tnovak
October 18th, 2008, 01:17 PM
-{ Quote: "Yes, it was "The Bat!" here too, that causes that behaviour. I can confirm that.
When I put "C:\Programme\The Bat!\thebat.exe" on the exclusions list, and re-enable the "Advanced heuristics" for "on-access"-scanning, everything works fine." }-
Good job, The Bat! was the real cause! I can confirm too that after I excluded thebat.exe from scanning, my PC is running smoothly as before, even with AH enabled!
I did not recognize that only this program is the reason why the entire PC is hanging, because the mail program was starting automatically with Windows, so it seemed that everything is slow...
Thank you, b00ze. You sent ESET the file, so I think I don't have to do the same...
Regards
Tom
ASpace
October 18th, 2008, 03:05 PM
@COSMO26
By on-access I mean all ThreatSense settings for the Real-time file system protection.
AH and RTP are enabled by default for newly created/modified files and also on all modules except for the Real-time file system protection. Click the Default button and enjoy.
ASpace
October 18th, 2008, 03:08 PM
-{ Quote: "Sure, i understand that, but why did that not happened before?" }-
If enabled for on-access it has always caused delays, especially on older computers. However, something else has changed additionally. All you need to do is to think about it (keep it in mind, I mean) and check. By checking, you'll see what Marcos confirms - AH module was last updated on 16 Oct 2008
Virus signature database: 3534 (20081018)
Update module: 1024 (20080514)
Antivirus and antispyware scanner module: 1155 (20081016)
Advanced heuristics module: 1078 (20081016)
Archive support module: 1083 (20081016)
Cleaner module: 1032 (20080724)
Anti-Stealth support module: 1002 (20080723)
Personal firewall module: 1040 (20080924)
Antispam module: 1008 (20080708)