nod32krn.exe high cpu usage on certain files

[falcon_four]

Hi all,

I recently purchased NOD32 and have been very impressed with its speed and low resource usage. I've followed Blackspear's recommended settings guide on the forum and have had only a few issues (trying to get NOD to ignore a certain file, which it classed as a trojan. The utility was from www.nirsoft.net, called Protected Storage PassView. Even after excluding it, on trying to run the app NOD immediately quarantined it.).

Yesterday I downloaded ABC Amber Text Converter (as well as 3 others) from www.processtext.com. I had purchased these a while ago but have not reinstalled it since my last XP clean install. The files are packed as zip files with a .exe installer. I went to extract them to my archive folder using Winrar. I started the extraction and there was a significant pause between each file as they were extracted - which took much longer than usual. After checking with Task Manager it seems to be the nod32krn.exe process which takes 70%-95% CPU time whilst the extraction takes place.

The pause and high CPU usage also occurs if you right-click > Properties on the setup file and also if you run the installed program.

After going through the settings in AMON, I have found turning off Advanced Heuristics solves the problem and the software starts normally and has no problems - and you can right-click > Properties with no pause.

The bit I do not understand is that the Advanced Heuristics option is in a section that says "Additional options on Create" - for new and modified files. Which, as I understand it, would mean the pause on extraction was to be expect if NOD32 can unpack the file but why should there be a pause on get the properties for the file or when running the installed app?

Does anyone here have the same pause on their system (just try downloading the demo of ABC Text Converter)?

Also as I'm typing this, I've tried to download their outlook converter which NOD32 has altered me as being infected with
probably unknown NewHeur_PE virus (I have submitted the file). The Text Converter has NO virus alerts but the software from this company seems to cause NOD32 slow downs.

Thanks for any help - or an explanation of why this happens with these files (has AH been updated recently?)


>>>>F-4>>>>


p.s. I also use AppDefend so I fairly certain the exe's are not changing each time I run them - or that the installed applications are changing in anyway.

[fosius]

Quote:

I recently purchased NOD32 and have been very impressed with its speed and low resource usage. I've followed Blackspear's recommended settings guide on the forum and have had only a few issues (trying to get NOD to ignore a certain file, which it classed as a trojan. The utility was from www.nirsoft.net, called Protected Storage PassView. Even after excluding it, on trying to run the app NOD immediately quarantined it.).]

Try turning off "Detect potentially dangerous applications" in AMON settings.

Quote:

Yesterday I downloaded ABC Amber Text Converter (as well as 3 others) from www.processtext.com. I had purchased these a while ago but have not reinstalled it since my last XP clean install. The files are packed as zip files with a .exe installer. I went to extract them to my archive folder using Winrar. I started the extraction and there was a significant pause between each file as they were extracted - which took much longer than usual. After checking with Task Manager it seems to be the nod32krn.exe process which takes 70%-95% CPU time whilst the extraction takes place.
The pause and high CPU usage also occurs if you right-click > Properties on the setup file and also if you run the installed program.

After going through the settings in AMON, I have found turning off Advanced Heuristics solves the problem and the software starts normally and has no problems - and you can right-click > Properties with no pause.

If I were you, I would send those files that slowdown NOD32 to ESET and ask them to analyse why this problem occurs. You can add temporarily those files to AMON's exclusion list. Leave Advanced Heuristics on, don't turn it off.

[falcon_four]

Thanks for the reply,

Which is the best address to send the files to?

For the moment it's not a critical problem and I would prefer to leave AH enabled as it seems fine with most of my other files.

>>>>F-4>>>>

[fosius]

As the problem with slow down is in my opionion technical problem I would send those files to support@nod32.com. But suspicious files should be sent to samples@eset.com.

[iNsuRRecTioN]

Quote:

Originally Posted by falcon_four

Thanks for the reply,

Which is the best address to send the files to?

For the moment it's not a critical problem and I would prefer to leave AH enabled as it seems fine with most of my other files.

>>>>F-4>>>>

Hey,

or use the NOD32 internal file submission function, in the quarantine..

best regards,

iNsuRRecTiON

[Brian N]

I got the same problem with certain .exe files - I just disable 'self-extracting archives' in AMON, and away goes the problem

[Proactive Services]

Hiya,

I'm having a similar problem on Windows 2000 Professional SP4, and again disabling SFX scanning solves the problem. If I copy, rename, delete or view properties of an affected file it causes the CPU spike.

I'm in contact with UK tech support but they can't do a lot as they can't re-create the problem, maybe with a few more affected users we can track down the problem.

What hardware (motherboard, CPU etc) are you using? Which version of Windows XP are you using and which service pack?

I'm using a Pentium III 733 on a Chaintech/VIA motherboard with 1024MB RAM.
I tried a few affected files on my girlfriend's laptop which has NOD32 but it wasn't affected.

[Proactive Services]

Brian - could you set these two options and see if you still see the CPU spike?
Self-extracting archives: ON
Advanced heuristics: OFF

Could you time how long the spike lasts for, using the Task Manager? I'm seeing an average of 25s, unless I move the file to another folder where it already exists, then it is around 95s.

If I have either self-extracting or advanced heuristics off there's no spike at all.