
Real-Time file protection on Win2K3 R2 SP2


Marv Gordon
June 9th, 2009, 11:50 AM
I have "Scan all files" unchecked in ThreatSense parameter setup for realtime. However, watching the Antivirus and Antispyware statistics graph I see C:\windows\system32\wbem\logs\wbemcore.log continually scanned.

I shouldn't need an exclusion. Anyone else notice this?

V4.0.437

WayneP
June 9th, 2009, 01:07 PM
Hello Marv Gordon,

Since this is a server, my first thought to restart is not really an option for some people. However, it is a first step to see if this will resolve the issue you are having. Please try that and let us know if it works.

Marv Gordon
June 9th, 2009, 11:05 PM
-{ Quote: "Hello Marv Gordon,

Since this is a server, my first thought to restart is not really an option for some people. However, it is a first step to see if this will resolve the issue you are having. Please try that and let us know if it works." }-


Rebooted...same issue..

Marcos
June 10th, 2009, 07:00 AM
The file name shown in the statistics section is the name of the last file processed by real-time protection. This feature is intended mainly for troubleshooting purposes and thus it currently shows all files, including those that are excluded and not actually scanned, and only "flow" through real-time protection. We'll consider changing the behavior and displaying only files actually being scanned, but then the feature won't work reliably for troubleshooting purposes.

jimwillsher
June 10th, 2009, 07:16 AM
Marcos, that would be a BIG improvement. Or an even better one would be some kind of audit list of all scanned files - even a plain text file!

Only last week I had to firefight a new install where Sage Accounts was running dreadfully slowly. We eventually traced it to a .EXE that was doing strange things but we had no idea that it was even being scanned. A log file would have shown that it was getting scanned 4 times per second, which it was....



Jim

Marcos
June 10th, 2009, 07:35 AM
-{ Quote: "Marcos, that would be a BIG improvement. Or an even better one would be some kind of audit list of all scanned files - even a plain text file!
" }-

Unfortunately that won't be possible. Logging files scanned by real-time protection would either slow down the system performance to such an extent that the system would become unusable or would cause a complete lock up by continual writing to the log. Needless to say that text logs might easily grow up to hundreds or thousands of MB.

Marv Gordon
June 10th, 2009, 11:09 AM
-{ Quote: "The file name shown in the statistics section is the name of the last file processed by real-time protection. This feature is intended mainly for troubleshooting purposes and thus it currently shows all files, including those that are excluded and not actually scanned, and only "flow" through real-time protection. We'll consider changing the behavior and displaying only files actually being scanned, but then the feature won't work reliably for troubleshooting purposes." }-

This really needs to be changed in some way because there is no way to tell if a file has actually been fully read via RTP. Stats really needs to be expanded to show total # of scanned objects and # of processed objects (those that RTP did not skip for processing), as well as the name of the last file processed.

It would certainly raise the trust level of the exclusion process...

I'm noticing strange server based behavior for V4. Much longer file open/save times (vs. v3) as well as an increase in problems with our Legal Case Management system (currently troubleshooting).

Marv Gordon
June 16th, 2009, 10:42 AM
I've had to remove V4 from all of our "file servers".

Symptom: Any client opening a file on a "share" experiences significant delays because of RTFP.

Excel users seeing ~10 second delays opening and saving files.

Performance on our legal case management system (uses Word) was also this bad.

Re-installed V3 on these servers with the same RTFP settings and files open/save with no apparent delay. Removing DOC and XL? settings from V4 also works.

Anyone else find a permanent solution? (V3 install and DOC/XL? removal are only temporary workarounds)

Marcos
June 16th, 2009, 11:02 AM
Just to make sure, you don't have a Novell client installed, right?

Marv Gordon
June 16th, 2009, 11:05 AM
100% Microsoft. No Novell involved. V4.0.437 and made sure we did clean installs (removed any previous NOD32 installs when changing versions). Windows 2K3 SP2 R2 Enterprise.

Marv Gordon
June 16th, 2009, 11:06 AM
..also...on the client side no scanning of "Network Drives". We let the servers handle that....

lumpeh
June 16th, 2009, 11:17 AM
Seems it's best to have a copy of Process Monitor installed on every PC with an ekrn.exe include filter at hand then?
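The per-file audit that Jim asks for earlier in the thread, and the Process Monitor approach suggested here, can be approximated offline from a Procmon capture: export the capture as CSV and count how often the scanner process touches each path. The script below is an added example and is not code from this thread or from ESET. It assumes a Procmon CSV export with the default column headers ("Time of Day", "Process Name", "PID", "Operation", "Path", "Result", "Detail") and embeds a small constructed capture in place of a real export; the paths, timestamps and event counts in it are made up for the demonstration.

```python
import csv
import io
from collections import defaultdict

# Constructed stand-in for a Process Monitor CSV export (File > Save, CSV).
# Every value here is invented for the example; the column layout matches
# Procmon's default export.
SAMPLE_PROCMON_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"11:50:00.0000000 AM","ekrn.exe","1234","CreateFile","C:\Shares\Accounts\SAGE.EXE","SUCCESS","Desired Access: Generic Read"
"11:50:00.2500000 AM","ekrn.exe","1234","ReadFile","C:\Shares\Accounts\SAGE.EXE","SUCCESS","Offset: 0, Length: 65,536"
"11:50:00.5000000 AM","ekrn.exe","1234","CreateFile","C:\Shares\Accounts\SAGE.EXE","SUCCESS","Desired Access: Generic Read"
"11:50:00.7500000 AM","ekrn.exe","1234","ReadFile","C:\Shares\Accounts\SAGE.EXE","SUCCESS","Offset: 0, Length: 65,536"
"11:50:01.0000000 AM","ekrn.exe","1234","CreateFile","C:\Shares\Accounts\SAGE.EXE","SUCCESS","Desired Access: Generic Read"
"11:50:01.0000000 AM","ekrn.exe","1234","CreateFile","C:\WINDOWS\system32\wbem\Logs\wbemcore.log","SUCCESS","Desired Access: Generic Read"
"11:50:01.2500000 AM","ekrn.exe","1234","ReadFile","C:\Shares\Accounts\SAGE.EXE","SUCCESS","Offset: 0, Length: 65,536"
"11:50:01.5000000 AM","ekrn.exe","1234","CreateFile","C:\Shares\Accounts\SAGE.EXE","SUCCESS","Desired Access: Generic Read"
"11:50:01.5000000 AM","explorer.exe","800","ReadFile","C:\Shares\Accounts\SAGE.EXE","SUCCESS","Offset: 0, Length: 4,096"
"11:50:01.7500000 AM","ekrn.exe","1234","ReadFile","C:\Shares\Accounts\SAGE.EXE","SUCCESS","Offset: 0, Length: 65,536"
"11:50:01.7500000 AM","ekrn.exe","1234","QueryBasicInformationFile","C:\Shares\Accounts\SAGE.EXE","SUCCESS",""
"11:50:02.0000000 AM","ekrn.exe","1234","CreateFile","C:\WINDOWS\system32\wbem\Logs\wbemcore.log","SUCCESS","Desired Access: Generic Read"
'''

# Operations that indicate the scanner actually opened or read file content.
# Metadata-only operations (QueryBasicInformationFile etc.) are ignored.
CONTENT_OPERATIONS = ("CreateFile", "ReadFile")


def parse_time_of_day(value: str) -> float:
    """Convert Procmon's 'HH:MM:SS.fffffff AM|PM' into seconds since midnight.

    Procmon writes seven fractional digits, which datetime.strptime's %f
    does not accept, so the field is parsed by hand.
    """
    clock, meridiem = value.strip().split()
    hh, mm, ss = clock.split(":")
    hours = int(hh) % 12 + (12 if meridiem.upper() == "PM" else 0)
    return hours * 3600 + int(mm) * 60 + float(ss)


def scan_rates(csv_text: str, process: str = "ekrn.exe",
               operations=CONTENT_OPERATIONS) -> dict:
    """Return {path: (touch_count, touches_per_second)} for one process.

    The rate is measured over the whole capture window (first to last
    event of any process in the export), so a file opened eight times in a
    two-second capture reports 4.0 touches per second.
    """
    touches = defaultdict(int)
    first = last = None
    for row in csv.DictReader(io.StringIO(csv_text)):
        t = parse_time_of_day(row["Time of Day"])
        first = t if first is None else min(first, t)
        last = t if last is None else max(last, t)
        if row["Process Name"].lower() != process.lower():
            continue
        if row["Operation"] not in operations:
            continue
        touches[row["Path"]] += 1
    window = (last - first) if (first is not None and last > first) else 1.0
    return {path: (n, n / window) for path, n in touches.items()}


def hot_paths(rates: dict, min_per_second: float = 1.0) -> list:
    """Paths touched at least `min_per_second` times per second, busiest first."""
    hot = [(path, n, rate) for path, (n, rate) in rates.items()
           if rate >= min_per_second]
    return sorted(hot, key=lambda item: (-item[2], item[0]))


if __name__ == "__main__":
    # With a real export: open("procmon-export.csv", encoding="utf-8-sig").read()
    rates = scan_rates(SAMPLE_PROCMON_CSV)
    for path, count, rate in hot_paths(rates, min_per_second=1.0):
        print(f"{rate:6.2f}/s  {count:4d}  {path}")
```

Two caveats when using this on a real capture. Procmon exports are UTF-8 with a byte-order mark, hence the `utf-8-sig` hint. More importantly, an on-access scanner that does its work inside a file system filter driver performs I/O in the context of the process that opened the file (Excel, Word, the SMB server), not of ekrn.exe, so a strict Process Name filter can miss exactly the activity being investigated; comparing the same path's access counts with and without the scanner enabled is often more telling than the process attribution.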

Marv Gordon
June 16th, 2009, 11:35 AM
-{ Quote: "Seems it's best to have a copy of Process Monitor installed on every PC with an ekrn.exe include filter at hand then?" }-


Seems to be directly related to the server settings. I can mitigate the problem by adding/removing the DOC or XL? values in the ThreatSense Extensions for RTFP on the server.

We also tested with the same files opened/saved from the local C: drive of a client. No problems at all.