NOD32 AV v5.0.95.0 - ekrn.exe maxes out one core, stops all I/O, freezes system

Discussion in 'ESET NOD32 Antivirus' started by freibooter, Apr 24, 2012.

  freibooter

    freibooter Registered Member

    I am not sure if this is related to the known and supposedly fixed issue regarding USB drives. I do use several external USB drives but I'm not seeing a direct connection to this lock-up.

    This is my system:
    Windows 7 Ultimate - Service Pack 1
    8 GB RAM
    Intel i5-2400
    ASUS P8Z68-V, latest stable BIOS
    3 SATA drives internal
    1 USB-HDD
    1-2 USB flash drives
    4 mounted network drives

    I'm using absolutely no "known conflicting software" from this forum's sticky, nor has any of it ever been installed on this system.

    Malwarebytes used to be installed, but has been removed thoroughly (uninstall plus official cleaner), there is no trace of the MBAM service left.

    If realtime protection is enabled in NOD32 v5.0.95.0, I'm experiencing odd and seemingly random freezes. My system can run rock solid and stable for a whole week, only to freeze with this error five times in one day.

    The symptoms are always the same. ekrn.exe suddenly uses 100% of one core and halts all I/O access to everything but network drives (which are excluded from scan). Subsequently, every program trying to access a drive freezes one by one.

    Occasionally the system recovers from a freeze, sometimes after 30 seconds, the longest I waited and actually saw my system recover from this lock-up was 15 minutes. But more often than not the only way out is to do a power-cycle.

    If realtime protection is disabled, but everything else is in its default state (HIPS is enabled) I'm still seeing similar and occasional CPU spikes by ekrn.exe, but there is no freeze or lock-up. The system is running 100% stable if realtime protection is disabled.

    I have no idea how to solve this, but if I can't, I'll have to find a different AV solution. :'(
  dwomack

    dwomack Eset Staff Account

    Is there any pattern to the timing of the issue? It seems that a service or program is running on a weekly (or so) basis and might be causing the CPU spike with ekrn.exe

    Running a SysInspector Log might show the process that's triggering the spike/freeze.

    When did this issue start? Did this happen with version 4.2?
  Marcos

    Marcos Eset Staff Account

    Also you could try playing with real-time protection settings, for instance, setting default extensions instead of scanning all files. Also make sure that Smart optimization is enabled.
  freibooter

    freibooter Registered Member

    I'm essentially running default settings, Smart Optimization is enabled and I really see no connection to any running services or scheduled tasks.

    Today my system froze three times, the first time after a very long uptime without any issues, the other two times about 20-40 minutes after booting.

    Before that the system worked without any problems for over a week. It's very, very random - making it terribly hard to pinpoint.

    SysInspector shows nothing out of the ordinary and I won't be able to run it after the fact (no access to any harddrive any more, every application trying to access any files will lock up).

    I never ran NOD32 v4.x, I used Microsoft Security Essentials before purchasing NOD32 v5. I had no problems with MSE. I'm actually considering abandoning NOD32 in favor of MSE 4.0 right now.

    NOD32 is faster and more secure, but these freezes pretty much ruin it for me. :(

    I switched real time protection to only scanning default extensions now as a test, but I'm not really feeling overly comfortable in doing so.
  Marcos

    Marcos Eset Staff Account

    "Freezes" may occur if you copy a self-extracting archive for instance. In such case, it would be extracted and scanned internally as scanning of sfx archives is enabled for newly created or modified files. Other AVs may not exhibit this issue if they don't perform in-depth code emulation (Adv. heuristics in our case) or scan inside runtime or sfx archives.
    The best would be if you could reproduce the problem easily, then it would be quite easy to log the operations using Procmon and check the log for problematic files that may take time to scan. According to what you say, the freezing occurs randomly so it'll be necessary to narrow it down to the particular file or setting that makes the problem go away when disabled.

    One more idea - when the issue occurs, open the Task manager, make sure the "Show processes from all users" box is selected, right-click ekrn.exe in the list of running processes and select "Create Dump file". Then upload the dump somewhere and PM me the download link.
    Last edited: Apr 24, 2012
  freibooter

    freibooter Registered Member

    I am not actively handling any files at the time the freezes occur. They happen when browsing, working, writing or gaming. Firefox is open when these freezes occur, but Firefox is always open.

    There is no good reason why NOD32 should ever block all I/O data for over 10 minutes or permanently. Blocking access to the file in question is ok, blocking access to all files and subsequently freezing the system is not.
    In fact, if this were caused by the advanced heuristics and/or archive scanner, it would be an easily exploitable weakness for attackers - they wouldn't even need a real virus to shut down a system, all they would need is a particularly complicated archive.
  freibooter

    freibooter Registered Member

    Since all kind of HDD access is blocked when the issue occurs, this is simply impossible. No files can be read or written, every attempt by any program to do so freezes it.
    I have been running Process Explorer as a Task Manager replacement and with elevated rights, but switching to the ekrn.exe process (or any other process for that matter) when the problem occurs freezes it because it involves hdd access.
  chrcol

    chrcol Registered Member

    Marcos, you read my thread?

    If he does that then the http scanning bug will stop other extensions being scanned?

    Acknowledge my bug report please, I won't go away.
  freibooter

    freibooter Registered Member

    I have not had any freezes since making this change. This may be pure coincidence - I had weeks of stable operation before - but for now NOD32 is running as it should for me.

    There is one thing that rather puzzles me:

    I sent this as an official support request to ESET, shortly after creating this thread.

    I got a ticket number the same day - and that's it, two weeks later and I'm still waiting for a reply. That's shockingly terrible customer service. One of the main reasons I switched from a free product to a commercial one was customer service - apparently I'm not getting any from ESET.
  agoretsky

    agoretsky Eset Staff Account


    Private message sent.


    Aryeh Goretsky
  freibooter

    freibooter Registered Member

    Thanks Aryeh, this is - unfortunately - rather good timing. After two weeks of flawless operation after creating my initial post and support ticket, my system just locked up again with the exact same symptoms 15 minutes ago. :(

    I'll provide you with my ticket number via PM in a minute, I'd still be rather curious to know why this support ticket was completely and utterly ignored, though.
  freibooter

    freibooter Registered Member

    ... aaaand it just froze my system for a second time, all I did was click "Supportanfrage" link inside NOD32 to remind myself how I submitted the initial ticket. These lockups apparently happen in waves, two weeks ago my system froze three times before I created this thread.
  freibooter

    freibooter Registered Member

    ... aaand there was the third freeze, just like last time.

    However, unlike last time this time I managed to disable NOD32's realtime protection before it happened! This is the first time the system froze with realtime protection being (temporarily, for four hours) disabled.

    Despite this, ekrn.exe still locked up with 25% CPU usage (i.e. one full core).

    Other than all the previous times, it didn't completely block and freeze everything, but simply slowed everything down to a crawl. It froze Firefox like usual, but unlike any time beforehand I was able to force close firefox.exe via process explorer - this was impossible when realtime protection was enabled.

    I even tried to run process explorer elevated, however, this gave me a time-out message after a while - the UAC dialog could not be displayed. I managed to open an explorer.exe window - it took about 5 minutes to finally open - but it remained unusable.

    In process explorer I was able to see that svchost.exe repeatedly tried to open WerFault.exe - but I was unable to get any more information about the service that did it. The system eventually slowed down so much, that it was impossible to do anything other than a power-cycle.

    So, yeah ... new symptoms, a slightly different system freeze when realtime protection is off (but HIPS etc. is still enabled) ... but the same frustrating result.
  Marcos

    Marcos Eset Staff Account

    The best would be if we get a complete memory dump from the point the issue occurs. To find out if ESET was scanning something at that point, it should suffice to provide a complete dump of ekrn for perusal.
  freibooter

    freibooter Registered Member

    Again, for the umpteenth time, and I really don't know how to make this any clearer: there is absolutely no chance to do anything when the freeze occurs ... how and where do you dump the memory if any form of I/O access is blocked? There is no BSOD, there is no automated memory dump.
    I cannot use anything that isn't loaded in memory at the time the freeze occurs and as soon as any of those in-memory programs accesses a hard drive in any form, they freeze.

    If you have read my previous post you know that this also occurred when realtime protection was temporarily disabled via the right click menu. ekrn.exe still managed to completely freeze my computer.
    Since the freeze is very slightly different, there may be a very, very slim chance to successfully create a memory dump, but that's not only unlikely, it would also mean that I would have to keep my realtime protection disabled, possibly for weeks and catch the freeze in the act and then try to somehow execute all the right steps before it is too late - that's simply not feasible.
  freibooter

    freibooter Registered Member

    ... it just happened again. :(

    And despite sending you all the information regarding my ticket, several weeks later I still haven't received any form of help through the official support channel, Aryeh.

    This bug is severely frustrating, but not receiving support for it is even worse ...
  freibooter

    freibooter Registered Member

    And it happened again, three times - each time a few minutes after reboot.

    Making it four times total, and going back through my previous posts in this thread - a pattern emerges.

    So, apparently the freezes happen every Tuesday after 19:00 local time, and three times in a row - and then everything is fine until the next week.

    I went through all of the system logs and the Task Planner and simply couldn't find anything that corresponds to this ... there is nothing planned for this time!

    ... except for one possible culprit:

    Log Maintenance ("Log Wartung" in my German build of NOD32).
    It is scheduled to run daily at 3:00 am. It did, however, run at 19:10 today which is when the very first freeze occurred.

    But at least the visible entries of my log are very short, nothing that should cause a freeze. It's also scheduled to run daily and not just every Tuesday.

    Great, it just went up to 25% again .... for the fifth time. So far I can at least use the browser (real time protection is disabled) ... I'll send this now if I can and do something else, giving the process some time to recover.

    I hope I'll finally get a reply or some help from someone official by the end of the week - if not, I'll have to remove NOD32 and find another solution. So far I'm severely disappointed in ESET's support. :(
  freibooter

    freibooter Registered Member

    ... and this time it recovered!

    After ~7 Minutes of freezing my PC and all its processes, ekrn.exe finally went down in CPU usage again and I can use my PC again - that will probably be it until next week.

    I still have no idea what is causing this, but I would really, really, really finally like some real assistance, please! :(
  armadillo33

    armadillo33 Registered Member

    Have you tried This knowledgebase article for a registry change to allow creating a dump by RIGHT CTRL + SCROLL LOCK + SCROLL LOCK?

    I have had the XP freezing problem with USB external drives. The entire OS froze, preventing me from opening Windows Explorer, Process Explorer, Task Manager or any program. But the method of that knowledgebase article still succeeded in generating a dump file.
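
The knowledgebase article mentioned in the post above is not reproduced on this page; the following is an added example (not from the thread or from ESET) of the standard Windows settings behind the RIGHT CTRL + SCROLL LOCK + SCROLL LOCK method, assuming an elevated PowerShell 2.0 or later prompt on Windows 7. The keystroke forces a bug check, so unsaved work is lost, and the dump is written by the kernel's crash-dump path instead of through normal file I/O.

```powershell
# Added example: enable the keyboard-triggered crash dump and select a
# complete memory dump. A reboot is required before the hotkey works.

$principal = New-Object Security.Principal.WindowsPrincipal(
    [Security.Principal.WindowsIdentity]::GetCurrent())
if (-not $principal.IsInRole(
        [Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this from an elevated PowerShell prompt.'
}

$services     = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$crashControl = 'HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl'

# i8042prt serves PS/2 keyboards, kbdhid serves USB keyboards.
# Setting both covers whichever keyboard is attached during the freeze.
foreach ($driver in 'i8042prt', 'kbdhid') {
    $key = Join-Path $services "$driver\Parameters"
    if (-not (Test-Path $key)) {
        New-Item -Path $key -Force | Out-Null
    }
    New-ItemProperty -Path $key -Name CrashOnCtrlScroll `
        -PropertyType DWord -Value 1 -Force | Out-Null
}

# CrashDumpEnabled: 1 = complete memory dump, 2 = kernel, 3 = small.
New-ItemProperty -Path $crashControl -Name CrashDumpEnabled `
    -PropertyType DWord -Value 1 -Force | Out-Null

# A complete dump needs a page file at least as large as physical RAM.
# This sums all page files, so treat it as an approximate check only.
$ramMB  = [math]::Round(
    (Get-WmiObject Win32_ComputerSystem).TotalPhysicalMemory / 1MB)
$pageMB = (Get-WmiObject Win32_PageFileUsage |
    Measure-Object -Property AllocatedBaseSize -Sum).Sum
if ($pageMB -lt $ramMB) {
    Write-Warning ("Page file total {0} MB is smaller than RAM {1} MB; " +
        "a complete dump may fail." -f $pageMB, $ramMB)
}

# Report where the dump will be written and what was configured.
$dumpFile = (Get-ItemProperty -Path $crashControl).DumpFile
"Dump type  : complete memory dump (CrashDumpEnabled = 1)"
"Dump file  : $dumpFile"
"Hotkey     : hold RIGHT CTRL, press SCROLL LOCK twice (after reboot)"
```

A complete dump contains all of physical memory, so treat the file as sensitive when uploading it for analysis.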
  Shermbo

    Shermbo Registered Member

    Freibooter, and anyone who can help....

    I have the EXACT same issue. Maybe with another "incident" this can get resolved.

    Identical symptoms with a few added items:

    1. When the "freeze" occurs for me it rarely resolves itself in minutes. I did leave my machine running in the "frozen" state overnight and it did recover.

    2. I run TaskMan BEFORE it freezes and note the CPU/Memory consumption. ekrn.exe ALWAYS hits 25% CPU (100% of one core - I have a Core2 Q6600) and the memory usage starts to balloon up from the "stable state" of about 75,000 K to upwards of 500,000-600,000 K.

    3. This has been going on for a while (last two program updates? or more?) and tends to "resolve itself" after I've rebooted 6 - 8 times and/or wait a day or two..... (not fun...). I can go upwards of 2 weeks between.

    4. It does seem related to a weekly scan. It does seem "real-time" related too. The freezes tend to come just when I start some file-intensive activity (opening a large file, hitting a web site where the cache is getting "hit", etc.)

    I just had a rash of these "freezes" and decided to totally un-install NOD32. I am naked and unprotected....

    I have been a long-time customer - purchase licenses for all my computers, and would really like to get to the bottom of all this!

    If there is any information I can share, please let me know!
  armadillo33

    armadillo33 Registered Member

    The best thing you can share is to generate a full memory dump when the freeze occurs. There are instructions within this thread for setting up the computer so that this can be done even when it is frozen.

    I doubt that Marcos will post to this thread again until you have done that.
  Marcos

    Marcos Eset Staff Account

    Scanning files will always have certain impact on performance, that's a matter of fact. However, there's always a chance we could make some optimizations with your assistance providing we know what files take long to scan. When you experience performance issues, narrow it down to the particular protection module first and then you can try disabling particular settings in the module setup. A Process Monitor log or a process dump of ekrn.exe or a complete memory dump should help us determine what's causing the performance issues.
  Shermbo

    Shermbo Registered Member

    Marcos, all,

    I appreciate the help and suggestions. But as a user, it is far easier for me to un-install the product, install another, and go from there.

    I don't think this is a performance issue. These "freezes" are temporary and not crashes. Somehow NOD32 is maxing one core, blocking all I/O (maybe more than I/O?).

    If I get back to NOD32 at any point and see the issue again I'll try to capture a "dump". But for now, please note that you've two customers with very similar issues and you might want to be on the lookout for more.

    Thanks, Sherm
  webyourbusiness

    webyourbusiness Registered Member

    I think it is memory related - how much memory was ekrn.exe showing in Task Manager - Show processes for all users.
  cascara

    cascara Registered Member

    Hi all, just registered here because of this (or a similar) problem. Specs: Windows 7 x64, NOD 32 v5.2.9.12, 7227 / i7-2600, 16GB RAM, System on SSD

    System comes to a halt, it gets unusable, changing tabs in firefox takes forever (not seconds, minutes), starting programs (over 1 minute for ProcessExplorer, well, at least it starts, two days ago I had to restart the system via the reset button) etc.

    Thought it was a program I installed lately, but while reading this thread, IS NOD32! System got almost unusable ten minutes ago, tried to disable NOD32 temporarily and... everything back to normal. Enable NOD32, again not useable... disable, everything as it should be.

    When the System freezes there is no high cpu usage, not in ekrn.exe (0.20% according to ProcessExplorer) or anywhere else. But ekrn.exe takes a lot of RAM, 1.448.396K at the moment and it's increasing. When I started writing this it used about 1.040.000K...

    And while NOD32 is disabled at the moment, ekrn.exe is at 1.618.xxxK and still increasing. What can I do other than uninstall?
