AH in real-time file system protection
Waterfox
January 4th, 2009, 06:47 AM
Experiencing some issues when advanced heuristics (AH) is enabled in real-time file system protection (in the ThreatSense engine parameter setup).
When opening video files with Windows Media Player 11 there is quite a big delay before the video starts to play, and ekrn.exe is using 99% of the CPU. This lasts for about 10 seconds and then everything is back to normal.
If I open video files with some other media player, like VLC, this issue does not occur.
When AH is disabled the problem with WMP 11 is gone.
So, I'm just wondering if somebody else is having this same issue, and are there any drawbacks to having AH disabled in real-time file system protection? Everything is maxed out in the "On-Demand scanner" option, so that should pretty much cover it, right?
Running XP Home Edition SP3 and EAV v4 Beta.
4L3X
January 4th, 2009, 07:56 AM
Real-time protection is imperative!! Otherwise it's pretty pointless having an AV product installed.
Real-time protection does not cause any issues for me. Are you sure this isn't a problem with codecs you have installed on your system?
Try installing Media Player Classic and use that to open videos and see if you still have the issues.
Waterfox
January 4th, 2009, 10:29 AM
Hi :)
Yes, I know that real-time protection is imperative; that's why I have it turned on, of course. It's just advanced heuristics that's giving me issues with WMP11.
So you're saying that you don't have any problems opening video files with WMP11 while having AH on? No delay of any kind?
Well then I need to investigate this matter further, but I know it can't be any codec problem because once AH is unticked the issue's gone.
Thanks for the reply anyway.
ugly
January 4th, 2009, 11:28 AM
As you can see here (http://www.wilderssecurity.com/showthread.php?t=228495) I also had problems with AH.
I don't think it is about WMP 11 only. My example was with Advanced Uninstaller PRO 9.1 on XP Pro SP3. So it is something connected with launching applications and having AH real-time enabled.
Nobody from ESET confirmed that.
ASpace
January 4th, 2009, 11:41 AM
{QUOTE-> when advanced heuristics (AH) is enabled in real-time file system protection (in threatsense engine parameter setup) <-QUOTE}
Plain and simple:
Use the default settings
Waterfox
January 4th, 2009, 11:58 AM
{QUOTE->
Use the default settings <-QUOTE}
That warning only comes up if you enable advanced heuristics on file execution (which I have not).
I was referring to advanced heuristics in the ThreatSense engine parameters of real-time file system protection, and no warning pops up when you do that.
It's exactly the same problem as ugly described above in his own thread.
For now I'm leaving AH off; maybe future builds will address this issue.
Thanks for your replies ;)
ASpace
January 4th, 2009, 12:35 PM
{QUOTE-> That warning only comes up if you enable advanced heuristics on file execution (which I have not).
I was referring to advanced heuristics in threatsense engine parameter of real-time file system protection and no warning pops up when you do that. <-QUOTE}
I understood you very well ... the first time.
No matter that the text appears only if one tries to enable advanced heuristics on file execution, the text applies to all modules/submodules. As Marcos has written numerous times, AH (emulation) is a time- and resource-consuming operation. Forget that there's no warning. By default AH is only enabled for newly created/modified files, not for all files, even the well-known ones such as Windows Media Player. If you enable AH in the ThreatSense engine parameters of the real-time file system protection, AH will be used for on-access scans of every file (PE file) you have on your computer, and if your hardware configuration can't handle this, you'll notice slowdowns. On Vista with a dual-core processor I have enabled AH absolutely everywhere and I notice no slowdown, but on an old machine with a single-core processor this could be disastrous!
Use EAV with its default settings: AH enabled only for newly-created and modified files.
AH is enabled on all other modules (kernel-memory scanner, email, web, on-demand scanners).
Waterfox
January 4th, 2009, 01:01 PM
Alrighty then ;D
Thanks for clearing that up HiTech boy.
The default setting it is!
Cheers :thumb:
ASpace
January 4th, 2009, 01:11 PM
{QUOTE-> Cheers :thumb: <-QUOTE}
Cheers :P
ugly
January 4th, 2009, 03:31 PM
That is a very nice theory but it does not explain why I have no problem running v3 with AH enabled in real-time.
Marcos
January 5th, 2009, 04:17 AM
{QUOTE->
When AH is disabled the problem with wmp 11 is gone.
<-QUOTE}
Could you please enable AH on file access again and exclude the WMP executable from scanning to see if it makes a difference? We'd need to make sure that it's actually the WMP executable that is causing the delay when being scanned.
Waterfox
January 5th, 2009, 06:46 AM
Hello Marcos
I did as you asked and the issue is still there.
I even excluded the entire Windows Media Player folder and still get 99% CPU usage from ekrn.exe when opening video files with WMP11.
No issues with VLC player no matter what video file format.
I've tried opening several video formats with wmp11 (.avi, .wmv, .mpg) and the only ones that are causing this initial freeze are .avi ones.
Does this mean that there is actually a codec issue with "file ->wmp11 ->ekrn.exe" and not the player itself?
Is there anything else that needs to be excluded in order to play these files?
MasterTB
January 5th, 2009, 06:59 AM
@Waterfox:
Hi, which codec are you using? Perhaps it is not WMP but the codec... Try excluding that... I know DivX can be heavy sometimes.
Waterfox
January 5th, 2009, 07:19 AM
{QUOTE-> @Waterfox:
Hi, which codec are you using? Perhaps it is not WMP but the codec... Try excluding that... I know DivX can be heavy sometimes. <-QUOTE}
I have no idea... Is there any way to see which codec WMP11 is using? There is no list to be found in the properties.
Marcos
January 5th, 2009, 07:30 AM
{QUOTE->
I did as you asked and issue is still there.
<-QUOTE}
Maybe you could open the real-time protection statistics window and watch the names of files being scanned when opening avi files.
Waterfox
January 5th, 2009, 08:07 AM
Hi, Marcos
I followed your instructions and these are the two files that seem to cause the issue:
C:\WINDOWS\NeroDigital.ini followed by C:\Program\Shared Files\Ahead\DSFilter\NeVideo.ax.
I've excluded these two from real-time scanning (actually entire DSFilter folder) and now the problem is gone.
AVI files work in wmp11 without initial freeze up while AH is enabled.
I have Nero 6 (6.6.1.15) installed, so it looks like some of its codecs were interfering with ekrn.exe while playing .avi files in WMP11.
MasterTB
January 5th, 2009, 08:34 AM
{QUOTE-> I have no idea... is there any way to see which codec wmp11 is using... there is no list to find in properties. <-QUOTE}
Well, you could use MediaInfo to see which codec was used to make the AVI file and go from there. You can find MediaInfo here: http://mediainfo.sourceforge.net/es
funkydude
January 5th, 2009, 12:19 PM
It's possible there was a problem emulating those 2 files. I would submit them to ESET so they can analyze the problem. I'll wait for Marcos to post where to submit them to. ;D
Waterfox
January 5th, 2009, 01:35 PM
{QUOTE-> It's possible there was a problem emulating those 2 files. I would submit them to ESET so they can analyze the problem. I'll wait for Marcos to post where to submit them to. ;D <-QUOTE}
Yes, that's exactly what happened, Marcos contacted me and the issue will be resolved soon with an upcoming signature update. :)
@MasterTB: thanks for that link to MediaInfo.
funkydude
January 5th, 2009, 05:23 PM
Take them off the exclusion and tell us when they are fixed. :)
MasterTB
January 6th, 2009, 07:49 AM
You're welcome Waterfox.
Nice to see that ESET is working on a fix.
Waterfox
January 6th, 2009, 04:54 PM
{QUOTE-> Take them off the exclusion and tell us when they are fixed. :) <-QUOTE}
Well, looks like signature update 3743 fixed the problem. :D
AVI files play without issue in WMP11 with advanced heuristics enabled in real-time file system protection.
Kudos to ESET (and Marcos, of course). :thumb:
Cheers