Another Nod 32 3.0 cause for high utilization

We run Novell Zenworks here. Zenworks has a process ZfDInvScanner.exe which scans every file on the PC to collect an inventory and upload it to a Sybase database.

With nod 2.7, this was no problem.

Nod 3.0.567 goes ahead and scans each and every file, causing 100% cpu utilization and unresponsive PC.

I switched from CA eTrust to Nod 2.7 because the performance was awesome.

Version 3.0 really sucks, imo. eSet is working on fixing these issues, correct? If these problems persist when our license expires, we will be looking elsewhere. Not a threat, I'd like to stick with eSet, but I can't with this type of performance issues. 2.7 is last generation, so that's not a long term answer either.

 

V2.7 is last generation come on..... v3 is really new and i am sure that v2.7 can beat other AV so...... you can downgrade to v2.7 in confidence, you will be well protect

 

Do you mean that the real-time protection counter continually rises? Have you tried disabling the real-time and web protection to narrow it down to the particular module? Did you use default EAV settings?

 

I believe I have the default settings for realtime. I opened up a the remote admin configuration editor and have created a NEW config, then copied those settings into my configuration xml. Pushed to my client & the GUI seems to match.

I have filemon on my quicklaunch and with that I can see the zenworks process is looking at file version information of all programs on all drives. Right after zenworks looks at the file, Nod32 comes along as ekrn appears to be scanning it.

So is it being actively developed? While 2.7 was much quicker, it was not without problems. For example, we run AXIS cameras all over the country on a private network. With 2.70.39, Nod32 builds these IH*.tmp files in the users %temp% directory which grow to consume the entire hard drive and crash the computer. This has been mentioned, and this is fixed in 3.0. Can I get this fixed in 2.7? If so, I'll backrev - otherwise were in a catch 22.

 

Did you have this problem with v. 3.0.650 ?

The development of v2 was discontinued a couple of months ago. The problem you mentioned is by design. Unlike the web protection in v3, IMON works at Winsock level.

 

I'm on 3.0.657 now and problem persists. There are many periods of lockups. I've had to disable many explorer plugins/enhancements.

In other AV products, I can exclude a process from it's activity being scanned.

While I know I can select c:\avexclusion\*.* or c:\mssql\sqlserv.exe from being scanned itself, is there a way to state not to scan file access from a particular application?

In CA eTrust, I had to exclude many processes to make it usable. PCMiler, SQL server, Zenworks, contig.exe etc. Can I exclude contig.exe and ZfDInvScanner.exe file access from triggering a realtime scan? Perhaps that is my answer?

 

Just to make sure, does the problem persist if you do the following?

1, uninstall v. 3.0.657 and restart the computer
2, delete the HKLM\SOFTWARE\ESET and HKCU\SOFTWARE\ESET keys in the registry if they were not deleted during uninstallation
3, delete the folders:
"C:\Documents and Settings\All Users\Application Data\ESET",
"C:\Documents and Settings\%USER%\Application Data\ESET",
"C:\Documents and Settings\%USER%\Local Settings\Application Data\ESET\"
4, install v. 3.0.657 with default settings.

It's important for us to know if it works fine then, please try it on one computer and keep us posted about your findings.

 

I'm testing this on my PC to see. Every morning, the Zenworks scans my user files, and ekrn goes to 100% during this. It means that it takes an additional 5 minutes out of my busy morning. I have a lot of stuff on my PC. I've got others complaining about the same thing logging in.

I'm following your steps on my PC and I'll post back.

 

Could you try using Filemon or Process monitor from Microsoft to monitor what files are being accessed by particular applications when you observe the slowdown?

 

Yes, I've used Filemon. I can see contig.exe running and then ekrn scanning what contig is defragging. I can see Zenworks inventory running, and ekrn scanning those files. I can see when I right click on a video file a loop of Nero6 and ekrn scanning the file over and over. Those are times of lockups and 100% utilization.

I have a virgin install of Nod32. No special settings except for my userid/pwd for updates and I told it to talk to my admin RA server. I HAVE NOT PUSHED MY POLICY. I exported my xml and am comparing that versus my network default settings.

There does seem to be a difference noticeable after using for about an hour.

So I am comparing the configs to determine what I have set wrong.

Differences other than GUI settings (alerts disable, SMTP);

ESET Kernel
..Scanner (Startup scanner)
...Options
....Potentially unsafe applications is NO, but domain default is YES
...Cleaning
....Cleaning level is standard, domain default is no cleaning (after that false positive issue.)

File System Filter
..Scanner (File System filter)
...Options
....Advanced Heuristics no domain default is yes
.....potentially unsafe applications no domain default is yes because I have people using hacking tools you block here.
....Cleaning
.....Standard cleaning domain default is no cleaning



Everything else is the same as far as the realtime scanner goes. So the problem is that I either have potentially unsafe applications on or Advanced Heuristics on, right?

But Nod32 has detected most viruses on my LAN under the Advanced Heuristics feature.

Or is there something else a matter that I'm not seeing? I installed NOD32 3.0 ontop of 2.7 as an inplace upgrade. (480 PC's.)

--edit
--- Well, Explorer.exe has locked up again. Windows desktop search kicked in and now I have a locked up explorer for 10 minutes... As soon as I kill off Windows Desktop Search 2.6 processes, Explorer.exe comes back.