100% CPU Usage

Discussion in 'ESET NOD32 Antivirus' started by Daegalus, Apr 25, 2008.

Thread Status:
Not open for further replies.
  1. cdysthe (Registered Member)

    In cases with high CPU utilization by ekrn.exe, we'd need to know the following:
    1, if the problem occurs with advanced heuristics and runtime packers disabled in the real-time protection on access (default setting)

    Response:
    It's better with Advanced Heuristics and runtime packers disabled in real-time protection. With those enabled it's literally hopeless (but probably VERY secure :)

    2, if setting the real-time protection to scan files with default extensions instead of all files (default setting) makes a difference

    Response:
    That does not make much of a difference. The worst problems I have are accessing large archives using a third party file manager like FreeCommander. But I do not want to give up all my productivity tools because my AV doesn't like them :)

    3, if the problem goes away after uninstalling ESS/EAV. Since all http/pop3 traffic is routed through ekrn.exe, you might see ekrn utilizing the cpu instead of that application (e.g. a known bug in Windows Installer, see http://support.microsoft.com/kb/916089 for details)

    Response:
    I am not sure what ESS/EAV is and how to uninstall it. I am not using e-mail scanning at all, but I do notice when I download with either Opera or Firefox that when the file download completes ekrn.exe gets really busy doing its thing to the extent that it slows down the whole browser.

    And btw, I am running Vista Ultimate SP1.

    I really want to be a happy user, but this is driving me nuts right now.. :)
  2. Marcos (Eset Staff Account)

    Emulation is a time consuming operation. For this reason, advanced heuristics and runtime packers are enabled only for newly created or modified files.

    I can imagine a slowdown would occur while copying/moving large sfx archives. Unlike v2, v3 scans them all without any limitation. If you don't want to disable scanning of sfx archives, hopefully a better control over archive scanning that will be introduced in the next major program update will mitigate the impact on performance.

    This could be due to large archives being downloaded and subsequently extracted and scanned. The best would be if you could provide me with an example url so that I could download that particular archive/program and test it myself.
  3. cdysthe (Registered Member)

    I've been trying a little more. The worst problem right now is when I select a large amount of files and right click for the context menu to for instance delete the files. Then my file manager locks up totally until I kill the ekrn.exe process. I have to hurry to do what I need to do before ekrn.exe wakes up again. The problem is bigger in FreeCommander than in Windows Explorer.

    As for downloads just download any large file (20MB plus) using Firefox with DownThemAll (a download manager). As soon as you get close to the end of the download the browser almost locks up and you have to wait for ekrn.exe to do its thing before you can browse again. I know it's safe having downloads scanned, but with Avira they got scanned also but I didn't even notice. Maybe NOD32 is doing a better job of this kind of scan, but it is annoying getting locked up like that.
  4. Marcos (Eset Staff Account)

    You can narrow it down as follows. After each step, download the large file:
    1, disable the web-access and real-time protection
    2, go to the protection setup and disable advanced heuristics, runtime packers and archives/sfx archives, one at a time
  5. Magritte (Registered Member)

    It seems to me that when ekrn.exe goes off it has a tendency to essentially lock up explorer, bringing Windows to its knees until its finishes (eventually) or is killed. It would be much better if it could just lock the files it needs then process in the background, ceding priority to foreground tasks. Especially with multicore processors, it should be able to do this without an appreciable impact on most foreground processes.

    Note, as I type this, I'm backing up a bunch of large files onto an external drive and ekrn keeps stealing the CPU and apparently switching Windows focus. And this is on a Core 2 Quad with 4 GB RAM. (Note, I restored all settings to default as suggested but this didn't help.)

    When is the next major version coming out and will it fix this issue?
  6. Marcos (Eset Staff Account)

    Windows itself manages this; if I copy files, ekrn utilizes only one core while the other core is idle and ready to process other operations.

    This is because advanced heuristics and runtime packers are enabled for newly created files. If the other cores are idle, only one should be utilized by ekrn at a time so it shouldn't block your computer completely.
  7. Magritte (Registered Member)

    It finally finished copying the files but while it was doing so ekrn used between 25-50% distributed over all 4 cores. While I think the CPU still had enough free cycles to handle other things I was trying to do, Windows Explorer (both drive windows and the desktop and taskbar/start menu) would tend to freeze repeatedly as would other applications (Outlook, Firefox, Windows Media Center) making the system virtually unusable. I was trying to type something into another web form and that would freeze periodically too.

    I don't know if the failure to properly multitask is due to Vista or ekrn, but I can't have this going on on my computer. I'm about to start a new project that will require analyzing very large files so I can't have the computer fall on its face every time I have to move or open one of these files. Note: as far as I know, none of these are archived files. They are primarily graphic or very large text files (possibly some proprietary binary database files).

    Also, I noticed that after setting restore Default settings, all options were checked for pretty much every type of scan so I don't know if that's the default or if I had set it that way in the past and Restore Default settings doesn't really do anything. Well, the only thing I noticed it did was add an obnoxious "this was scanned by NOD32" message to all my outgoing mails and the "infected items" folder to all my Outlook accounts.

    So can you answer some questions:

    1. Have you confirmed this is an issue with Advanced Heuristics and runtime packers scanning only?
    1a. If so, what are the recommended settings: where should these be enabled/disabled?
    1b. If so, will a future version enable these without the severe performance hit?
    1c. If so, and Advanced Heuristics is NOD32's most powerful feature, then is there any point in having realtime scanning enabled with these disabled?

    2. To improve performance, would it be better to just disable all realtime scanning and:
    2a. Do an on-demand scan prior to opening/executing any downloaded (or third-party) file?
    2b. Schedule periodic full-system on-demand scans to ensure no infected file is on the system?

    3. What is the security consequence of turning off realtime scanning as in 2. above?

    4. What is the advantage of e-mail scanning? This seems to slow down IMAP activity.
    4a. If realtime scanning is enabled or any attachments are on-demand scanned prior to opening, what advantage is there for e-mail scanning?

    5. What is the security advantage of NOD32 3.x versus 2.7? 2.7 did not seem to have these serious performance issues. What specifically does 3.x protect against that 2.7 did not?

    I'd appreciate it very much if you could address those questions. Normally, I'd be happy to help troubleshoot, but I don't think I have the time right now to be a beta tester... ;) And clearly I'm not the only one having these issues. Unless ESET has a clear solution to the problem (even if it's yet to be released) then I need to decide if I'm going to keep NOD32 3.x but disable some or most of its realtime features, downgrade to 2.7, switch to another Antivirus product, switch to a mac, give up on computers and go live in a cabin in northern Ontario... (maybe that's extreme...)

    Thanks!
  8. harlekin (Registered Member)

    I had the same problem as everyone in here on my Vista 32bit machine and was able to solve it by taking a look at the Process Explorer tab of ekrn.exe.

    I'd highly recommend that anyone who is experiencing the same problem at least takes a stab at this first, before changing any settings in Nod32.

    Go to http://technet.microsoft.com/en-us/sysinternals/bb896653.aspx and download the zip file. The process explorer doesn't require an install, so just unzip it, and you are ready to go.

    Select the ekrn.exe process and see if you find any entry that sticks out from the rest. You are probably looking for a "file" that is not a Windows system entry but nevertheless gets displayed far too long for Nod32 to scan it normally.

    In my case this was a simple *.doc.!ut document, a Word file I was currently loading using uTorrent that got stored on an external hard drive. Although it was only a few KB in size, Nod32 kept accessing it for minutes on end.

    So I used the "Realtime Protection (Settings for ThreatSense)/Extensions/All Files 'checked'-but exclude list" (translating on the fly, as I use the German version, it might be called slightly differently) to exclude the !UT extension from scanning. After the following reboot, all the problems were gone.

    I had uTorrent excluded from the "browsers to check ports" http list before, because I had problems accessing the web when it was enabled, but that didn't prevent Nod32 from scanning the !ut files, probably as they were accessed and changed by uTorrent itself.

    I figure, as all the files should be scanned when uTorrent renames them anyway, this change in the settings should be safe.
    Last edited: Jun 26, 2008
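The diagnostic harlekin describes, finding the file ekrn.exe is stuck on, can also be done from the command line. The following PowerShell script is an added example, not something posted in the thread or shipped by ESET: it measures how much CPU ekrn.exe actually consumed over a short window (so a "100%" impression can be checked against a number) and, if the Sysinternals handle.exe tool is on the PATH (an assumption; the thread only mentions Process Explorer), lists the files the process currently holds open. The process name `ekrn` and the 10-second window are the only inputs.

```powershell
# Added example (not from the thread or from ESET). Run from an elevated prompt,
# since ekrn.exe is a service process. Assumes Sysinternals handle.exe is on PATH
# for the second half; without it, use Process Explorer's lower handle pane instead.
$ProcessName = 'ekrn'
$Seconds     = 10

$proc = Get-Process -Name $ProcessName -ErrorAction SilentlyContinue
if (-not $proc) { Write-Warning "$ProcessName.exe is not running"; return }

# Get-Process exposes cumulative CPU time; two samples give average utilization.
$cores    = [Environment]::ProcessorCount
$cpuStart = $proc.TotalProcessorTime
Start-Sleep -Seconds $Seconds
$proc.Refresh()
$cpuEnd   = $proc.TotalProcessorTime

$busy    = ($cpuEnd - $cpuStart).TotalSeconds
$percent = [math]::Round(100 * $busy / ($Seconds * $cores), 1)
"{0}.exe (PID {1}) used {2}% of {3} cores over {4}s" -f $ProcessName, $proc.Id, $percent, $cores, $Seconds

# Files the process has open right now: the handle type 'File' lines from handle.exe,
# reduced to the path column. A file that keeps appearing across several runs is the
# candidate for an exclusion, as the !ut download was in harlekin's case.
$handle = Get-Command handle.exe -ErrorAction SilentlyContinue
if ($handle) {
    & $handle.Source -accepteula -p $proc.Id 2>$null |
        Select-String -Pattern '^\s*[0-9A-F]+:\s+File\s' |
        ForEach-Object { ($_.Line.Trim() -split '\s{2,}', 3)[-1] } |
        Sort-Object -Unique
} else {
    Write-Host "handle.exe not found; open Process Explorer, select $ProcessName.exe and look at the handle pane"
}
```

Run it two or three times a minute apart while the slowdown is happening; a path that stays in the list each time (and is not a Windows system file) is the one worth investigating before touching any scanner settings.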
  9. Marcos (Eset Staff Account)

    Could you please send this file to me for perusal? I'll PM you my personal email address.
  10. Pigitus (Registered Member)

    Harlequin, that was good sleuthing.

    I came to a similar conclusion through good luck.

    1. EKRN.EXE was using 45% of CPU capacity on a powerful machine for a long time this morning. I dropped the real time scanner options to default because I had all the protection turned on before (advanced heuristics, potentially unsafe applications, runtime packers, etc.). But EKRN was still intensely at it.

    2. Then I ran a search on WildersSecurity and chose this thread.

    3. At the same time, I was keeping an eye both on EKRN.EXE's CPU use and on an application called WATCHER.EXE. It was stuck on the screen while EKRN was super busy. Watcher is a tiny (and free) program that detects changes in the registry between reboots.

    [Before installing NOD32, Watcher would quickly run at startup time and position itself at the top of the main monitor as a tiny reminder that it's ready to be read. After NOD32 (3.something) was installed yesterday, I noticed that Watcher would get stuck in the middle of the screen. I would try to open it, but it would not respond. After something like 5 or 10 minutes, it would suddenly be unstuck to position itself near the top of the screen in its normal way.]

    As soon as Watcher got unstuck, EKRN's CPU use also dropped to practically nothing. Even after I put all the real-time scanning options back on, EKRN would still show "0" CPU use.

    4. Therefore, I am 99.99% sure that EKRN.EXE has nothing wrong with it. It simply took seriously an activity that deserved to be taken seriously, like WATCHER.EXE's snooping on the registry + its potential to write into the registry. Maybe EKRN was observing its actions step by step as it was writing its registry report, looking for an escalation of action? And that registry report was long, since I am setting up a new machine with card conflicts on top of installing conflicting HIPS software. Actually, I am glad EKRN took Watcher seriously, since Watcher does daring stuff: it allows administrators to interfere with DRIVERS installations and with automatic startups. You can ask Watcher to temporarily or permanently suppress certain registry entries from running in all future reboots.

    So my best guess is: if EKRN is doing that number on you, it's because something dangerous or APPARENTLY dangerous is actually happening (or you simply have a HUGE file being scanned).


    5. To ESET, I would suggest you borrow a page from some of the great HIPS software of recent years (for example, ProcessGuard or many of COMODO's products): BE MORE TRANSPARENT ! SHOW THE USER WHAT THE REAL-TIME SCANNER IS EXAMINING (at least if the examination takes more than n seconds--you pick n). The alternative is users in the dark, thinking of uninstalling this or that software, rolling back to earlier versions, checking for clues over the Internet, OR filling up your email boxes with ultimately ridiculous questions. You can prevent the waste of thousands or millions of hours in inquiries, uninstallations, and miserable, fruitless tinkering by just making EKRN.EXE transparent.
    Last edited: Jun 27, 2008
  11. wrathchild (Registered Member)

    That was a feature in v2.7 and I really miss it in the new version.
  12. cdysthe (Registered Member)

    I have thought about the exact same thing! What is ekrn.exe actually doing? With other AVs I've used you can see in real time what's being scanned, but I do not think you can do it with NOD32. I hope I'm wrong though. Anyone?
  13. cdysthe (Registered Member)

    A couple of things that helped me:

    Having uTorrent, which I use for bittorrent downloads, add a custom extension to incomplete downloads (it doesn't do that by default). Then I made an exception for that extension in the real time scanner settings in NOD32. It seems like ekrn.exe is scanning incomplete downloads constantly until they are done. I am not sure why and if it's necessary.

    Make an exception in NOD32 for my TrueCrypt encrypted volume files extension. I have a few encrypted volumes on my drive. They appear as large files (+8 GB) until and while they are mounted. It seems like NOD32 tries to scan them constantly when they are mounted and thus accessed as drives. That's a double whammy since NOD32 will also access the files on the drive when they are accessed in addition to the drive file itself.

    Both of the above are assumed since I can not see what ekrn.exe is actually doing, but both these measures helped. There's still too much ekrn.exe activity. What I am doing now is killing the process every hour or so. It seems to behave for a while after that. Killing it doesn't mean that it's not running. ekrn.exe comes back immediately, but the kill seems to have the process "snap out of it".

    But again. I never had to mess with stuff like this with my previous AV (Avira) or with NOD32 2.x. What has changed so drastically in 3.x?
    Last edited: Jun 28, 2008
  14. cdysthe (Registered Member)

    This is probably the main issue! It's not bad that ekrn.exe does what it does, it's the effect on the system: It hogs tons of CPU and makes other applications like web browsers and file manager, including Windows Explorer, stall. Of course an AV needs to get priority over other processes to be able to prevent contamination, but since there are other good AVs out there that can do this in an almost transparent way, why not so for NOD32?

    If ESET told me that this makes the AV extra secure, that this is done by design to make NOD32 uniquely secure, I might have tried to accept the severe performance hit. But just having this rogue process hogging up significant amounts of system resources at all times is not something I can deal with for very long.
    Last edited: Jun 28, 2008
  15. Atlan62 (Registered Member)

    I'm back to vers. 2.70.39 - I want security but I also want quick work. Perhaps with vers. 3.xx I have security but not quick working - the only way is to downgrade to vers. 2.70.39
  16. JH99 (Registered Member)

    I've had the 100% CPU usage issue for several weeks, but discovered a SOLUTION today for at least my situation.

    During 100% CPU usage, ProcMon showed thousands of name collision events for NOD*.tmp files. In Windows\Temp there were 65535 NOD*.tmp files that had been created on 5-8-2008 (apparently left by a single problem on that day). After I deleted all of the NOD*.tmp files, NOD32 is happy, even with Advanced Heuristics enabled, and now I'm happy.

    Btw, I had also just upgraded to 3.0.667 before I found my solution. Also the problem for me was occurring mostly on zip files and self-extracting executables.

    Hope this helps someone else.

    Regards
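JH99's finding, tens of thousands of stale NOD*.tmp files in Windows\Temp causing name collisions, is easy to check for before anything else is changed. The following PowerShell script is an added example and not something from the thread or from ESET: it lists NOD*.tmp files in the Windows Temp directory grouped by creation date (so a burst created on a single day, as in the post, stands out), then offers to delete only the ones older than a day so any temp file the scanner is using at that moment is left alone. The `NOD*.tmp` pattern and the `Windows\Temp` location come from the post; the one-day cutoff is an assumption.

```powershell
# Added example (not from the thread or from ESET). Run from an elevated prompt;
# the Temp directory under %windir% belongs to the service account, not the user.
$tempDir   = Join-Path $env:windir 'Temp'
$leftovers = @(Get-ChildItem -Path $tempDir -Filter 'NOD*.tmp' -File -ErrorAction SilentlyContinue)

if ($leftovers.Count -eq 0) { "No NOD*.tmp files in $tempDir"; return }

# Group by creation date: one day with thousands of files is the symptom described.
$leftovers |
    Group-Object { $_.CreationTime.Date.ToString('yyyy-MM-dd') } |
    Sort-Object Name |
    ForEach-Object {
        $mb = ($_.Group | Measure-Object -Property Length -Sum).Sum / 1MB
        "{0}: {1} files, {2:N1} MB" -f $_.Name, $_.Count, $mb
    }

# Cutoff of one day is an assumption: it keeps anything the scanner may be writing now.
$cutoff = (Get-Date).AddDays(-1)
$stale  = @($leftovers | Where-Object { $_.LastWriteTime -lt $cutoff })
"{0} of {1} files are older than {2}" -f $stale.Count, $leftovers.Count, $cutoff.ToString('yyyy-MM-dd')

# Dry run first; remove -WhatIf once the listing above looks right.
$stale | Remove-Item -Force -WhatIf
```

The thread's 65535 files on one date is exactly the kind of spike the grouped listing makes visible; if a single date dominates the output and the files are old, the deletion is safe to run without -WhatIf.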
  17. Bunkhouse Buck (Registered Member)

    You are right - it is not good at all. A fix in the form of a "patch" (via automatic download) is coming, as I was just informed by tech support - but until then, I will keep Eset off my machine.
  18. Marcos (Eset Staff Account)

    There is actually a difference between v2 and v3 in the usage of advanced heuristics and runtime packers. Version 2 only used them for newly created and modified files whilst v3 allows the user to enable them for file access as well at the cost of higher performance impact.
  19. Gizmo (Registered Member)

    I have Vista SP1 64-bit and NOD32 BE 3.0.667 and I also have noticed enormous CPU usage of ekrn.exe last couple of days.
  20. ram130 (Registered Member)

    I never really had a CPU problem with Eset Anti-Virus until I changed my processor to an AMD one... from there it has been peaking at 100% ever since. Right now I had to resort to Avira until Eset fixes this problem, because I can't even play games without a slowdown. So far Avira found some hidden trojan and other things Eset Anti-Virus never found... I just might have them both running... lol... what do you think? o_O
  21. Bubba (Updates Team)

    One off-topic post removed, and a reminder that this is the Nod32 Support Forum. This thread also concerns "100% CPU Usage"; it is not a place to comment on or discuss other AV alternatives until this issue is addressed.
  22. Fajo (Registered Member)

    Well, another release just happened, 669, and guess what, it's still broken lol!
  23. a227song (Registered Member)

    Hello everyone,

    I've just had two users in our network experiencing the same issue.

    We have NOD32 Antivirus 3.0.650.0 on XP (Intel Core Duo).

    I tried disabling some (or all) of the protection and it didn't seem to work. Although I only tried disabling them for a short period of time because I was nervous about taking a risk.

    Anyways, I've sent ESET a support request so hopefully they will get back to me with some answers.

    Please post if you find out more about this problem. I will do the same.

    Regards,
    S
  24. Marcos (Eset Staff Account)

    It is important to know if the problem occurs with default settings (i.e. Advanced heuristics and Runtime packers disabled on file access) when you're not copying/moving files.
  25. a227song (Registered Member)

    Both users have default settings and this behavior started to happen to one of our users a couple of weeks ago and the other user reported this week.

    We are considering downgrading on these machines as a temporary solution, but I'm not sure if I will have to do the same with other computers in our network. They seem to be working fine.