100% CPU Usage

I have the same problem. We write desktop application, that access a web service over HTTP protocol. Every time it tries to connect, ekrn.exe hangs, occupying 49% of the processor at first, and 99% after a while (on dual core machine). No matter if our application is still running, once the ekrn.exe hangs, it stays at 99% of the processor. The only thing that helps is killing the ekrn.exe process.

When we disable NOD32 protection, or add the web service IP to the excluded addresses list, or exclude our application from "web browsers" list ( ), it works.

Earlier versions of NOD32 (2+) had no problems.

I wonder why the ekrn.exe does not hang when IE or FF are making HTTP requests, our application does nothing special.

It is a big problem for us, since we are independent software vendor, and we must support clients that have bought NOD32 v3+. How could we overcome this problem so that our clients would not be obligated to reconfigure NOD?

http://www.kolman.cz/tajne/ekrn.png

 

For goodness' sake, wise up! You can tell people this until you're blue in the face. It makes no difference. Lots of people - with the default settings - experience excessive, debilitating, CPU usage with NOD32 v3. They have attested to this here, and in lots of other places on the 'net.

You're beginning to exhibit a siege mentality. The corporate denial that you represent for Eset is indicative of starting on a very slippery slope...

 

Yea... recently my nod32 is starting to act wierd too... cpu usuage is very high from time to time... for example when I connect with RDP (remoting) into it I have to wait up to a minute before I can do anything while nod is doing something...

I will prolly change to f-sec 8 and test during the weekend to see if they have fixed their cpu problems... hehehe

I know most antivirus have this problem from time to time (except norton corp ed) but nod32 is selling with the argument its resource usage is very low... I think its time to rethink that ...

Changing nod32 code from 2.7 to 3.xx obviously put it in the same boat as all the others...

 

The bottom line is this - how hard can it be to at least add some code to throttle back ekrn if it's using 100% CPU? Even if it's a stopgap until the developers can figure out how to get this red headed bastard child to behave?

When ekrn is using 100% CPU, add some waits into it's thread to let other apps have some love!

 

I've some experience about 100% CPU usage. And if I disabled advanced heuristice and runtime packers settings, the problem disappeared. But I worry that if NOD32 will miss to detect some malware?

 

By default, these are only enabled for newly created or modified files as code emulation is a time consuming operation. This means that files are scanned by advanced heuristics when written to the disk or modified and thus the program prevents them from running. The new version we're working on will provide some additional settings in this regard.

 

I just spent an hour reading this entire thread. Marcos, I'm trying to tie a bow around the big picture. If I change the following three advanced settings in the expanded tree's real-time protection setup, will my NOD32 v3 behave and perform like v2.7 did? As per your suggestions:

1) untick advanced heuristics,
2) untick runtime packers,
3) untick all extensions, and
a. tick default extensions.

Marcos, did I miss anything?

The sub-dialogue on program/file exclusion left me very confused. Are there any programs or files that should be excluded from real-time protection? If so, would you be so kind as to specify which programs/files to exclude and secondly, please specify how to access the dialogue box where I would enter the name(s) of said programs/files to be excluded?

Cheers.

P.S. I'm still hoping that eset patches this problem, so I would prefer not rolling back to v2.7 (since I just paid for v3).

 

Please check your settings and make sure they are set as on the screenshots below. When scanning ordinary files you shouldn't notice any impact of advanced heuristics on the performance, only protected/encrypted files take more time to get scanned.

To sum up the instructions for those having issues with ekrn.exe causing high cpu utilization, please continue as follows and after each step check if the problem persists:
1, uninstall EAV and install the latest version 3.0.672 (please refrain from making any additional changes to the settings for now)
2, disable the real-time protection
3, change the real-time protection module to scan only files with default extensions instead of all files (by default)

If the problem disappears after step 3, set the real-time protection to scan all files, run Process Monitor from Microsoft and filter out the process ekrn.exe. Then replicate the problem while keeping an eye on the log. I assume you'll see a particular file which is continually being scanned; try excluding it and let me know the name and full path to it.

 

I've been watching this thread for a while, because I have had CPU problems with 3.0. What I don't understand is why people who are using 3.0 seeming have to disable half of their protections just to get the thing to run properly on their systems. Seems to me that indicates that 3.0 still isn't ready for prime time.

My NOD32 subscription expires next week, and though I've been happy for years with 2.7, since it's only getting definition updates and not program updates I am seriously considering making the jump to another AV. Which will be a shame because in NOD32 2.7 I'd found an AV that didn't hog resources and worked efficiently. As it stands now, I won't put 3.0 on this computer.

 

OK, I'll explain it again. The features that we recommend to leave disabled are ones that are new in v3 and did not exist in v2. We added them for those who don't mind slight delays when accessing/executing files and are disabled by default. Code emulation is a time intensive operation that takes time, even up to several seconds. With normal files you shouldn't see any noticable delays, however, complexly packed runtime files may take much more time to emulate.

 

I will try those settings above and see if improves... however... one of the reasons I upgraded to 3.xx is to get those new features... so in the end I want em...

I just want em to work fast and efficient...

 

As I said, code emulation is a time intensive process. It's like you wanted your computer to perform much faster without upgrading the hardware, especially the cpu. It's simply impossible.

 

As I said, code emulation is a time intensive process and normal files should be scanned reasonably quickly. It's like you wanted your computer to perform much faster without upgrading the hardware, especially the cpu. It's simply impossible.

 

Unless you tell the program to use one core instead of all of em... and splitt the processes in several sub-processes that dosnt interfere with the rest of the OS... There is always a workaround...

Well.. I guess its time to upgrade my hardware aswell...

 

Well like I said earlier, my advice for others is clean up your desktop as much as you can, particularly shortcuts and files. This solved the problem on my XP machine (admittedly not entirely). But several spikes a day became 1 spike a week.

I have my vista laptop back now thankfully and I have no problems with that. (2Ghz dual core). Now I don't know what kind of throttling ESET have (if any) I can't say I've ever noticed if it's limited to the usage of 1 core, but on my XP machine (100% CPU one) which is 1 core (2 fake with HT) it does not apply. It is 3.4Ghz though, so I'm not so sure the "not being able to handle it" is in the question.

 

And why the heck the fact that we have, for example, advanced heuristics on, makes nod32 use 100% of our CPU, when using the same feature with other AVs it won't happen?

Also, if I had no problems with version 3.0.669.0 with all features turned on, I would guess that the problem was not on such advanced features. Then I installed version 3.0.672.0 and the problems start. And the difference from one version to the other is not that huge. Practicaly doesn't even exist. So, honestly, do you really think that the 100% CPU usage is caused by such features that we turned on? I mean, I turned them all down and the CPU usage still happened (at the moment have no nod32 on my system, but since my license still is valid for near 1 year, I would like to use it!).

Couldn't the problem be caused after we install a new version upon an existing version? I'm just wondering. A lot of people that I know of had no problems of what so ever, then, after installing a new version they all started to have the same problem. Go figure.

 

I'm running Vista here and all I have on my desktop are My Computer, Users and Recycle Bin folders.

For what I can understand the problem isn't totally gone. You still got spikes from time to time, right?

I can make the spikes disappear by disabling nod32's active protection when the system first boots, but from time to time I'll still have those spikes. This is just a work around and not a solution.

 

I've spent the last 3 weeks going through this thread, trying everything to solve my problem. My NOD32 goes to 100% CPU usage from the time I start the notebook until I disable the anti-virus protection. Nothing I've seen here solves this problem and the notebook is either unusable or without A/V.

For my 2 cents worth, our company has 20 copies of NOD32 A/V and my XP SP3 laptop is the only one that has this problem. In addition this was running OK for 4 months and I suspect that the problem has occurred since I did a mass Windows security / drivers update, so it might be a Win / drivers issue.

My main concern here is that as a tech in a service operation we've spent the last year switching hundreds of corporate and end user clients from Bit Defender because it was crashing the servers and getting disabled then virus infected on the PC's. So you can imagine fear now that I see NOD32 heading down the same road.

I'd like to make an offer here, out of self interest and the determination to not go back to my clients with head hung low about the anti-virus I recomended, Eset support - contact me and send a courier to collect my laptop, I'll give it to you in the hope that you can throughly investigate this problem and come up with a solution to this 12 page forum.

My reputation with the client is worth more than the laptop and I like NOD32, it's a great application when it's working, I want this problem solved, so please contact me.

Thanks and best regards

DGilzean

 

Hello dgilzean, any news on your "offer"?

 

Yes, in fact Markus contacted me, in out of hours time I add, to setup a remote session to check the problem.

And while I was searching for the link to download the process monitor I spotted a post that spoke about the IBM Thinkpad as I have, the post was spot on for my fault in that IBM is constantly updating an html log file and NOD32 is constantly scanning the same file, producing 100% CPU from laptop start-up. Excluding it from real time scan got my laptop back to normal state, now everything is working fine.

So thank you Markus for the assistance, you've restored my confidence in NOD32.

Rgs.
Dgilzean

 

That's great news for you. Unfornately, not all of us can say the same about that, as we simply don't have IBM computers, neither that file. And in my specific case I can't even monitor Eset nod32 3.0 because my system simple will "stop" responding with nod32 activated.

I really think that for most of us the only 2 possible solutions are:

- switch antivirus (which I did, but would like to make use of my near 1-year license)

- Eset try to reproduce the problem somehow. Honestly, got no idea.

 

I've been dealing with the intermittent ekrn.exe high cpu usage for months now & figured Eset would have came out with an update that fixed it by now. This is on two different pc's (1 Vista Home Premium, the other WinXP Pro.)

I'm not really excited about spending time troubleshooting a product that I paid for that has had this problem for probably at least 6 months so I just uninstalled it from both my computers. This is quite a big disappointment. I realize that any program can have bugs, but for this to not be fixed after such a long time seems unacceptable.

The main reason I chose Nod32 was because it's so light on resources, but the ekrn.exe issue makes it unbearably slow. What's ironic is I might give Norton AV 2009 a try now.

 

Please don't forget that 2.7 is still being maintained, and AFAIK, it doesn't have this problem.

If I'm not mistaken, you can use a current 3.0 license on 2.7

The elder version is unlikely to offer as much protection as 3.0 through.

 

It could be a solution. One other solution is to ditch nod32 and install another antivirus, which by sign won't cause any problems of whatsoever, even with advanced heuristics on, etc., etc...

Taking back the car analogy, if you had bought one and noticed that it was consuming all your fuel within 2 seconds, then go to the manufacturer and complain about it and they tell you: hey switch to an elder car, as you won't have that problem.

No sir, don't think so. One of the reasons why I began to use nod32 3.0 was 'cos it was light (used to? is it still? no idea.) and had extra security, when compared with previous versions.

 

Actually that's wrong. It's more like being sold a new car with a red button that says boost on it. The boost button will obviously wear your car out faster and/or cause problems, otherwise it would always be on. v2.7 works without problems because it doesn't have the features of v3 (which are off by default).

Marcos I realize this problem probably has a different solution according to different desktops/laptops, for example the IBM mentioned earlier has a problem with over scanning a file. Perhaps you should add a throttle to the amount of times a file can be scanned? Especially if the file returns negative detection.