ekrn.exe traffic - is it all its own?

Discussion in 'ESET Smart Security' started by parkher, Apr 9, 2010.

Thread Status:
Not open for further replies.
  1. parkher

    parkher Registered Member

    Apr 9, 2010
    I just installed Eset Smart Security a few hours ago, everything default so far, firewall on automatic still.

    I am looking at Network connections

    It shows Eset kernel ekrn.exe Sent: 10 GB, Received: 56 GB

    Is it only its own traffic, or does it somehow also include traffic from other applications? I somehow doubt very much that Eset kernel needed to download 56 GB or to upload 10 GB. Or is it a bug?

    I have three WANs (3 adapters) simultaneously.
    On one (default GW) I was running uTorrent, on another - NewsBinPro from a specific nntp server. On the third - nothing.

    The traffic displayed for uTorrent is also not clear: the Sent and Received values are too small there (even added together with Eset kernel they are still too small, especially the sent part) and they also keep changing back and forth between larger and smaller values, again and again, although gradually increasing - as if switching between two somethings (networks?), not sure. But uTorrent is using only one network mostly, as the Windows Task Manager Networking tab shows; of course, if a peer happens to be on one of the 2 other networks, it would probably go through it, even if it is not the default gw.
    Even adding together those switching back and forth values, I still get less than needed, especially in "sent" column, if counting from the time I started Smart Security.

    BTW, if expanded, kernel connections are suspicious, looks like they are some peers from uTorrent. And they are changing all the time. Maybe they are shown in kernel as they are scanned by the kernel? But is the kernel also taking credit for sent/received numbers? - And its up/down speeds are 0/0, only sent/received numbers are huge (huge for Eset kernel)

    Any ideas?

    Sorry, if it is a known feature described in some FAQ.
  2. stackz

    stackz Registered Member

    Dec 27, 2007
    Sydney Australia
    Update to new build ESS - previous 4.2 builds have a bug in network connections view, where all previous connections since reboot are displayed.
  3. parkher

    parkher Registered Member

    Apr 9, 2010
    Yes, sorry, I just saw 4.2.40, read its changelog and downloaded,
    I will try it and see what happens.
  4. Marcos

    Marcos Eset Staff Account

    Nov 22, 2002
    I assume you're using an older system than Windows Vista SP1. In such a case, all http/pop3 traffic is routed through ekrn, which acts as a local proxy.
  5. parkher

    parkher Registered Member

    Apr 9, 2010
    I am using XP SP3.

    However, not all the traffic is shown there.

    For example, from the time I started SS, I know I uploaded > 320 GB (uTorrent) and downloaded about 150 GB (95 GB - uTorrent, 50 GB - nntp)

    ekrn.exe shows:
    Sent: 38,998.8 MB
    Received: 57,859.7 MB

    nbpro shows as received: 95,453.8 MB while I think I downloaded about 50 GB,
    uTorrent shows:

    Sent/Received 40517/6693 MB - but switches occasionally to different values:
    46091/7116 MB
    switches back and forth.
    and all 4 values are growing all the time.

    So these numbers do not add up.

    Of course, protocols used are nntp and what uTorrent uses - tcp? (it is 1.8.2, not 2.0)

    That is still with 4.2.35. I will try switching to 4.2.40 now.

    UPDATE 1:

    Now switched - ekrn only occasionally shows up and again disappears - it has some sent/received numbers but difficult to see them.
    Sometimes it stays longer - its numbers are much smaller than my real traffic, but so far, all the intended traffic is through uTorrent, maybe not much through http.

    Again, uTorrent switches between 11.5 GB and 4 GB (sent) - the same with received.
    In reality sent > 30 GB.
    But I will have a better picture tomorrow after a longer run.
    Last edited: Apr 9, 2010