ekrn locks computer (100% cpu) on flash uninstaller - workaround available

[Brummelchen]

uninstaller (cleaner) standalone
http://fpdownload.macromedia.com/get...ash_player.exe

uninstaller in active-x setup
http://fpdownload.macromedia.com/get...0_active_x.exe

anything is ok except i start copying that file (uninstall_activex.exe)
ekrn.exe uses 100% cpu and wont go down again - ffs - i had to restart many times till now.

URL contain actual FP 10.0.32.18 - but it happens on the previous build too now.

[mickhardy]

No problem downloading or running either file with ESS 4.0.437 installed on Win7 Build 7100.

[mickhardy]

Spoke too soon. Experienced the same issue you describe. Still investigating.

Edit: Add an image.



Edit: Reboot hasn't resolved the issue. Nor has removing Flash and reinstalling via the Adobe site.

[Marcos]

No problems here scanning the two files either. What version are you using? (paste here the info about installed modules from Help-> About) Does the same happen when you scan the files with the on-demand scanner or it's just the web scanner that causes this problem?

[mickhardy]

Browsing any Flash enabled web page with web access protection and advanced heuristics enabled along with Flash 10.0.32.18 caused a sustained 50% CPU spike, presumably one core at 100%.



Uninstalling the Flash Player from the normal Control Panel Add/Remove would cause a near 100% sustained CPU spike.



Rebooted, reinstalled Flash Player, rebooted again. Browsed a Flash enabled site and same issue 50% CPU.

Disabled web access protection and killed ekrn.exe. Problem solved. Disabled Advanced Heuristics but enabled web access protection and problem remained resolved.

Now I have both web access protection and advanced heuristics enabled and can't reproduce the problem. It must be something to do with having AH enabled during the installation.

Edit: Added version as per request

Virus signature database: 4292 (20090730)
Update module: 1028 (20090302)
Antivirus and antispyware scanner module: 1229 (20090724)
Advanced heuristics module: 1095 (20090727)
Archive support module: 1099 (20090730)
Cleaner module: 1043 (20090728)
Anti-Stealth support module: 1012 (20090526)
Personal firewall module: 1050 (20090625)
Antispam module: 1011 (20090114)
SysInspector module: 1213 (20090507)
Self-defense support module : 1005 (20081105)

[mickhardy]

This is 100% reproducible on a different box with XP SP3 EAV 4.0.424. Just installed the latest Flash Player from the Adobe site using the standard web update and the CPU spiked at 100% and stayed there.

I'm guessing this is not good and ESET or Adobe have some work to do.

Beer o'clock for me. This is an SEP for sure.

[Marcos]

No problems here with Flash enabled websites nor the Flash uninstaller. The best would be if you could create a dump from ekrn (Self-defense must be disabled) and convey it to ESET. Vista allows generation of process dumps from withing the task manager.

[Hydro]

Similar problem here: while downloading the new Flash Player setup ( v10.0.32.18 ) for Opera from http://get.adobe.com/flashplayer/ my ekrn.exe CPU-load jumped to 50% and stayed there. Next I downloaded the Flash Player setup for Internet Explorer and the CPU-load jumped from 50 to 100%. Had to reboot to cure it, but the problem reappeared as soon as I moved the downloaded setups to another folder. Rebooted again, disabled all advanced heuristics and ran install_flash_player.exe, but again ekrn.exe bogged down the CPU...

Running 32-bit DEP-enabled Windows XP SP3 (fully patched) with ESET Smart Security 4.0.437.0, 4293 (same module versions as mickhardy).

If this problem can occur with the latest Flash Player, it might also occur with other files (and malware). ESET, please fix this...

[Brambb]

I cant reproduce this; downloading, copying and installing both flash for IE (activex) and other browsers work fine. There is a spike scanning the files but it stops after a (few) second(s).

Running latest v4 on Vista Ult. x64 system.

[Brummelchen]

reproducable here on winxp sp3
causing: real time protection -> threat sense|configure -> objects -> files

the change has been come since
>> Macromedia FlashPlayer 10.0.22.87
and
>> Macromedia FlashPlayer 10.0.32.18

Februar till now

[AlunS]

I started having the same problems yesterday also with 4.0.437 for the very first time. I was updating a bunch of apps (npp, filezilla, ccleaner, defraggler, cdburnerxp and a few others) from installers downloaded from FileHippo.com and the first time I ran an installer CPU usage went up to 50% and running the next one it went up to 100%. Only way to stop it was a reboot. 4.0.437 has been on here for a while (XP +SP3) but this is the first time I've had a problem like this.

[Marcos]

We'd highly appreciate if you could try installing the previous archive module to confirm or deny possible connection with yesterday's archive module update. You can install it as follows:
1, disable automatic update tasks so that the archive module will not be updated automatically during testing
2, download the previous version of the archive module from here and save it to the disk
3, restart Windows and start it in safe mode
4, backup the current file em003_32.dat in the ESET installation folder (e.g. by renaming it to em003_32.bak) and copy the downloaded build 1098 instead.
5, restart Windows
6, verify that you have the archive module build 1098 installed (Help->About) and try to replicate the problem

Please let us know if installing the previous archive module build makes a difference or not. We'd need to determine if the problem is actually with the latest archive module or there's something wrong with yesterday's update of the Flash player. When you manage to replicate the problem, generate a complete memory dump per the instructions here and convey it to customer care along with a description of the problem.

Remember to enable automatic update tasks after you finish testing.

[Hydro]

Marcos, using the previous archive module ( 1098 ) the problem doesn't occur here, even with advanced heuristics enabled. So it looks like the problem was introduced in archive module 1099.

Is there a way we can keep archive module 1098 and still enable updates, until a solution has been found? If module 1099 doesn't handle certain input properly, this problem might not only be inconvenient but also a possible attack vector for malware.

[Brummelchen]

inbetween the spiking occurs on some more events - also on my own compiled files and the new from 2day.

Quote:

You don't have permission to access /support/archm1098/em003_32.dat on this server.

Firefox couldnt load it - needed DLM.
After copying & restarting gui&krn i started the setup again. all fine - my files also.

what should we do now?

btw thx for your fast help.

[Marcos]

Quote:

Originally Posted by Hydro

Marcos, using the previous archive module ( 1098 ) the problem doesn't occur here, even with advanced heuristics enabled. So it looks like the problem was introduced in archive module 1099.

Hi Hydro,
thanks for testing it. Would it be possible for you to generate a complete memory dump and convey it to us? It's a really odd issue as we've tried everything to reproduce this problem with the latest build of the Flash player and archive module on various systems to no avail. It doesn't seem to affect every system configuration, for instance, we haven't got a single report of it here in Slovakia, just one report from the Czech republic and a few others from our distributors. If there was a general problem in the past we received a huge number of reports shortly after the release an erroneous update. Of course, here at Wilders there are more reports of it as people usually come to visit forums to seek a solution when they run into a trouble. I can assure you that we'll do our best to investigate it and make a fix as soon as possible, but we need your assistance. A process dump of ekrn.exe or complete memory dump from the moment when the problem occurs is now the only thing that can help us determine the cause of the problem. Before you create one, make sure to disable Self-defense and restart the computer.

For instructions how to create a process dump, read the following articles:
Windows XP: http://support.microsoft.com/kb/241215
Vista: http://support.microsoft.com/kb/931673

[Hydro]

Wasn't easy to get a successful memory dump of ekrn.exe with the real-time monitor enabled. Even after disabling self-defense + anti-stealth and excluding the kktools folder, userdump.exe froze or couldn't dump ekrn.exe, or the original problem didn't occur anymore (although 4 out of 5 times it did).

Finally succeeded by excluding drive C from the real-time monitor and opening the Flash Player installer on drive D, causing a continuous 100% CPU-load. During the subsequent dump, ekrn.exe CPU-load dropped from 100 to 0% and stalled the dump process (but the dump file appeared to have been completed already, sized approx 100 MB). Had to terminate ekrn.exe for the userdump to finish.

Marcos, I've uploaded the dump to a server and mailed the url to support@eset.sk.

[Hydro]

Did some more testing and noticed that the problem is very hard to reproduce when the real-time scanner is set to "Scan all files", which I think is the default setting. Previously I had disabled that setting and used the default extensions (and added MSI + MSP to the list, but this doesn't appear to be the cause of the problem). Using the default extension list, the problem is very easy to reproduce here: just viewing the properties of install_flash_player.exe is enough in most cases. Same issue with the on-demand scanner: it only seems to cause problems when the extension list is used.

Now I'm wondering: when setting "Scan all files" is enabled, are some files actually skipped or scanned differently from when the extension list is used?

During my tests, at one point, ekrn.exe (using archive module 1099) was consuming 100% CPU and 1.5 GB RAM, and eating another 50+ MB RAM each second... there's a nasty bug somewhere.

[Brambb]

Confirmed.

I also have 50% CPU load with ekrn.exe after disabling 'scan all files' in the ThreathSense settings in the real-time scanner. After reboot I enabled it again and it didn't happen, after disabling it once more it happened again.

Copied two flash install files from one folder to another. After one file 25% CPU, after the second 50% CPU. (have 4 cores)

[MarcR]

Same problem on 2 workstations with Ver. 3.0.684

[rtt_77388]

Hi
I am experiancing the same issue. I have eset smart security 4.0.437.0 and have installed adobe flash ver 10.0.32.18. I am running on a Vista Home Premium 64 bit platform. A few minutes after boot up, the windows process monitor shows ekrn.exe at 100% utilization. I have also posted a support ticket with eset.
Tim

[Demente1982]

Hydro is rigth.. enable "scan all files" on real time proteccion not lock the computer. Also has a problem with Thunderbird so i have to put that folder in exclusion. I waiting for a comunicate from ESET because i have 1000 pcs and a good part of them locked.

[Marcos]

Quote:

Originally Posted by Hydro

Did some more testing and noticed that the problem is very hard to reproduce when the real-time scanner is set to "Scan all files", which I think is the default setting. Previously I had disabled that setting and used the default extensions (and added MSI + MSP to the list, but this doesn't appear to be the cause of the problem). Using the default extension list, the problem is very easy to reproduce here: just viewing the properties of install_flash_player.exe is enough in most cases. Same issue with the on-demand scanner: it only seems to cause problems when the extension list is used.

Thank you for finding that out, I've managed to reproduce the issue with "Scan all files" disabled in the real-time protection setup. I'm about to create a process dump and convey it to our developers who will analyze it immediately. When a fix is ready, I'll let you know. In the mean time, could everybody having this issue confirm or deny that the problem doesn't occur when all files are scanned?

[Brambb]

Confirmed as I replied earlier, tried making a process dump twice but that took so long and I still had stuff to do so I aborted it. Was planning to let it go on tonight for the dump to complete, but I guess that ain't of use anymore?

[sd_mark]

I am also seeing high CPU but under different circumstances. I started a thread on this but was directed here.

If I understand correctly, the issue in this thread pertains to NOD32 version 4 and the Flash player/installer.

I am experiencing the issue with NOD32 version 3.0.684. All I have to do is log on to the XP SP3 computer and the CPU goes up to 97% and stays there. It is possible that a Flash Player auto-update is attempting to run in the background--I saw and declined a Flash update prompt, I think while NOD32 was disabled.

All my machines run with Real-time file system protection > Setup > Extensions > Scan All Files UNchecked. I can confirm that after checking Scan All Files (and rebooting) that the CPU did NOT go up. I can also confirm that dowgrading to Archive support module 1098 solves the problem.

Mark

[Marcos]

The problem should only occur with scanning all files disabled (enabled by default) and only if certain NSIS installers are scanned. Please enable the "Scan all files" option (enabled by default) in the Setup - Antivirus and Antispyware -> Real-time file system protection -> Threatsense engine parameter setup -> Extensions -> Scan all files.

Those who have been using default settings are not affected even if NSIS installers are scanned. A fix to this issue is being worked on and will be distributed to all users automatically later today. Thank you all who have contributed and helped us pinpoint the issue. My special thanks go to Hydro who found the setting which caused the issue to appear/disappear and navigated us in the right direction.