100% CPU Usage

Discussion in 'ESET NOD32 Antivirus' started by Daegalus, Apr 25, 2008.

Thread Status:
Not open for further replies.
  1. novozhilov

    novozhilov Registered Member

    Joined:
    Aug 21, 2008
    Posts:
    5
    I realized the ekrn.exe has big problems with downloading-programm Offline Explorer (OE).
    During OE runs a download, the memory consumption of ekrn.exe slowly / increasingly goes up 500 mb (!!) and more, depending on the size of downloading project. Also CPU usage very high around 40% here.

    Very POOR programming of NOD32! ekrn.exe just goes up with mem-consumption until it blows!
     
  2. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,441
    Could you please tell me the exact project settings you used so that I can test it myself? I've tried to download the content of www.eset.sk and here's a screenshot from the task manager taken during the download:
     

    Attached Files:

  3. novozhilov

    novozhilov Registered Member

    Joined:
    Aug 21, 2008
    Posts:
    5
    Hmmm, what I am downloading with OE are membership paysites, containing many jpeg-photos and avi-video files.
    It was just very easy to reproduce.
    I even tried to add OE and its cache/temp-dir to excluded folders in NOD, but does not help!
    So I guess it has to do with the files OE is actually downloading and NOD scanning... But still: I also tried exclude any jpegs from realtime-scan and it did not help...

    Well, see attachment for reference. With each second it goes up by another 400 kb or so... The bigger the download-amount, the more essential the problem...

    Add.: After having submit this posting, I watched ekrn.exe task again. Now already 240 MB. Wonderful!

    Add2.: When shutting down OE, the task-size of ekrn.exe will NOT decrease. It only helps to hard-kill ekrn.exe. Then when it restarts, will be again around 35 MB...
     

    Attached Files:

    Last edited: Aug 23, 2008
  4. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,441
    Please PM me the settings that I should use to reproduce the same behavior.
     
  5. novozhilov

    novozhilov Registered Member

    Joined:
    Aug 21, 2008
    Posts:
    5
    LOL.

    OK...
    It is only essential that you download a project with big files...
    So, in OE: New -> Project.
    Starting Address: http://www.dreambox.it/dm7020.htm (as an example)
    Disable Level Limit.
    Enable download of any file types including zip, rar etc, to get a lot of traffic.
    In URL-Filters -> Server "Load files only within starting domain". URL-Filters -> Directory: Starting and below.

    Then you can actually start the download. Make sure you have at least 5-10 simultaneous threads.

    As soon as the spider engine reaches really big files (zip's etc), you can see the memory consumption of ekrn.exe going up.

    Again: It is NOT essential which site you download! It is only important that there are many big files! You could also direct it to any server directory with Linux distribution isos ;)

    As for ESET settings, it is not essential which ones are used. I tried factory settings and settings from a board user here (forgot name), but it is always the same.

    Good luck!
     
  6. novozhilov

    novozhilov Registered Member

    Joined:
    Aug 21, 2008
    Posts:
    5
    Now I also realized the following:

    Just downloading a big file in Firefox...
    While it downloads, memory consumption of ekrn.exe is parallely rising with the downloaded amount.
    ekrn.exe is now ~94 MB and still rising while download performs.

    AND: It also happens while "Anti Virus and Anti Spamware" is disabled in NOD32-tray menu! I use version 3.0.672.0

    These memory leaks make it unusable to me. For now I uninstall and switch to another product until this is resolved.
     
  7. dorcom

    dorcom Registered Member

    Joined:
    Oct 3, 2006
    Posts:
    2
    I thought I upgrade ESET Smart Security from V3.0.650 to V 3.0.672 since my previous attempt a few months ago caused a 100% CPU usage rendering my system useless. (See screen shot)

    I followed ESET recommended steps as outlined below however, it did not resolve the issue.
    As soon as V 3.0.672 was installed the problem reappeared again!!!
    for every bloody button I click, scroll, write or download my system comes to a near halt for several minutes! Useless!
    I might as well get a IBM XT running 4.7 MHz!!! :mad:

    ESET wrote:

    1. Open ESET and click the F5 key
    2. Scroll down to HTTP and click the + to expand the folder
    3. Click on web browsers
    4. Ensure that the only box you have checked are the ones for your internet browsers.
    5. Scroll down to Protocol filtering and ensure that the middle radio button is checked for Applications marked as Internet browsers and email clients.
     

    Attached Files:

  8. ram130

    ram130 Registered Member

    Joined:
    Jul 3, 2008
    Posts:
    29
    Location:
    Jamaica
    updateso_Oproblem fixed?
     
  9. novozhilov

    novozhilov Registered Member

    Joined:
    Aug 21, 2008
    Posts:
    5
    No remarks, nothing?
    Very very dissatisfying and demotivating!

    It used to be good product, but no more is!

    The competitors have overhauled ESET for too long now! And nothing is done to provide better support! Replies from CS are useless! Many viruses, trojans etc are not found by the pooooor engine!

    Today I uninstalled and changed to a competitor product :)
     
  10. ASpace

    ASpace Guest

    @ dorcom

    Excuse me but you are running 65 different processes under Windows XP . I bet it is some application conflicting with ESET Smart Security (in your case) . There are so many different applications in your machine ...
     
  11. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,441
    I'd suggest using Filemon or Pocess monitor from Microsoft to monitor what operations are being carried out. It could be that certain application continually writes to a log that is being scanned for script viruses or another application with the http traffic redirected through ekrn utilizes too much cpu resources.
     
  12. Tragard

    Tragard Registered Member

    Joined:
    Jun 19, 2008
    Posts:
    5
    That maybe the issue, in this case however it doesnt solve the problem for the rest of the people who are experiancing the same issue.

    We are currently seeing this issue on around 400 of our business machines, on which we have been forced to disable real time scanning altogether (Just turning off Heuristics doesnt work).

    All machines are built using the same RIS image, however the issue only effects some of them. Re-imaging sometimes resolves the problem, other times it does'nt.

    We like many others are currently trialing other products, and unless Eset suddenly decides the fix this increasingly useless product, new comers to the AV world such as Sunbelt (and there amazingly quick Vipre product) will be laughing all the way to the bank.
     
  13. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,441
    I'd suggest using Filemon or Pocess monitor from Microsoft to monitor what operations are being carried out. It could be that certain application continually writes to a log that is being scanned for script viruses or another application with the http traffic redirected through ekrn utilizes too much cpu resources.
     
  14. dlux

    dlux Registered Member

    Joined:
    Sep 4, 2008
    Posts:
    3
    We are seeing 100% CPU usage on our NOD32 clients. So far, I can confirm two types of files that are causing the problem (verified with Process Monitor).

    The first was a 500MB zip file with several thousand small text files in it which was easy enough to exclude.

    The second file is a bigger problem. The file causing the problem is \Program Files\Java\Jre1.6.0_07\lib\rt.jar. With real-time protection enabled, if you do a right-click Properties on the file, ekrn.exe will go to 100% CPU usage.

    It appears that Internet Explorer can trigger this problem too (possibly when running Java applets).

    Process monitor then shows ekrn continuously reading rt.jar and reading/writing to the TEMP directory. Disabling realtime protection or exlcuding JAR files fixes the issue; however, neither option is a good solution.

    This issue has been confirmed on two seperate Vista SP1 32bit system (haven't tried XP yet).
     
  15. ram130

    ram130 Registered Member

    Joined:
    Jul 3, 2008
    Posts:
    29
    Location:
    Jamaica
    way to go yo. When I'm at the studio today i'm gonna run some test. Finally we are getting somewhere. Instead of marcos keep saying the same thing over. Its better yall be quiet and stop act like you care about the customers. If you did, a fix would be available already. Please understand, Eset was GOOD until you ignore our complains by telling us BS...
     
  16. reelmccoy

    reelmccoy Registered Member

    Joined:
    Dec 27, 2007
    Posts:
    4
    I've been experiencing strange behavior with ekrn.exe just about every Friday which is when I use VirtualPC 2007 to run an XP image to VPN to work. While that's going on, I may be using FireFox locally with periodic downloading. For whatever reason, something happens and ekrn.exe is doing as dlux describes in that it seems to be scanning something (today it was a jar file but it's been zips before). In my case, I see 25% or so utilization (quad processor) but every so often, the system appears locked and comes back. I still haven't pinpointed it to anything specific that I'm doing at the time but I sure as heck notice when it's freaking out.
     
  17. TBacker

    TBacker Registered Member

    Joined:
    Aug 11, 2008
    Posts:
    6
    I'm getting that sick feeling from talking my CFO into spending good money for a bunch of licenses for an anti-virus package that had good reviews, but has obviously taken a turn for the worse since those reviews (probably for 2.7).

    When support resorts to cut-and-paste responses and no real answers or fixes, I fear I'm going to have to go to the big guys office and eat crow.

    Unfortunately, I'm using this on multimedia workstations due to it's light-weight (if it's not scanning a JAR or ZIP or windows update folder or .......).

    Symantec has a decent detection rate, but try streaming audio or video on a machine with that pig installed on it.

    Was using AVG up until my V7 license ran out. Maybe I need to look at that decision....
     
  18. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,441
    Hello,

    are you having the problem with 100% cpu usage by ekrn? If so, please carry on as follows:

    1, narrow it down to the particular module as follows:
    a) disable the real-time protection -> if the problem disappears, go to step 2a.
    b) exclude all applications from redirecting through ekrn by placing a cross next to them in the Web browsers list (setup -> Web access protection -> HTTP -> Web browsers) -> if the problem disappears, go to step 2b.

    2a, enable the real-time protection and set it to scan files with default extensions instead of all files. If it helps, advance to step 3a.

    2b, enable all applications in the web browsers list by placing a check instead of cross next to each of the applications. Place cross next to each one, one at a time, and reproduce the problem. If you narrow it down to the application whose http traffic needs to be excluded from content filtering, advance to step 3b

    3a, run Filemon or Process monitor from Microsoft (the links can be found on Google easily). Filter out only operations related to ekrn.exe and check what files are being accessed. This may give you a clue as to what file is continually being modified by a certain application and subsequently scanned by ekrn. Save the log, contact ESET Customer care, explain them the problem and provide them with the log as well as all steps you have taken.

    3b, Contact ESET Customer care, explain them the problem and provide them the name of the application that needs to be excluded from content filtering in order for the issue with extreme cpu usage by ekrn.exe to disappear.
     
  19. DMcCoy

    DMcCoy Registered Member

    Joined:
    Sep 6, 2008
    Posts:
    4
    I've have to turn off the advanced heuristics and runtime packer settings for both realtime and the threatsense for new files.

    With these on Java takes around 8 minutes to install from group policy, without it's less than a minute.

    Adobe reader was only slowed by an additional 20 seconds or so, whats so frustrating is the unpredicatability of when everything is going to grind to a complete halt.

    With these options on I simply had to give up and disable real time scanning when trying to install some HP printer drivers (not even from exe, just the files!) After 5 minutes it had not even started to copy the files.
     
  20. dlux

    dlux Registered Member

    Joined:
    Sep 4, 2008
    Posts:
    3
    I did as you requested and the response from ESET tech support was to uncheck 'scan all files'. Obviously that doesn't help when JAR files are listed by default and still scanned. Nor does it help with the occasional ZIP that locks up the scan engine.
     
  21. ram130

    ram130 Registered Member

    Joined:
    Jul 3, 2008
    Posts:
    29
    Location:
    Jamaica
    I normal user who wants good protection shoudnt have to go through this you know. Just imagine, his system keep slowing down. He takes it to a professional they say its the anti virus rather than virus causing ito_O . You get my point. The system should be as fast as Usain Bolt ruining.


    Try to rebuild the kernel at least
     
  22. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,441
    I have tried to replicate that with the latest version of EAV to no avail. Even with all options in the real-time protection enabled, the property panel always opened in less than 1 sec.

    Could you please create a log from ESET SysInspector and make it available to me somehow (e.g. by uploading it to an ftp server and PMing me the access details). Also I'd be interested in seeing the Process monitor log from the moment when attempting to open the jar file properties. The strange thing is that archives are not scanned by the real-time protection so I assume there could be an interference with another real-time scanner. Well, we'll be wiser after analysing the logs.
     
  23. DMcCoy

    DMcCoy Registered Member

    Joined:
    Sep 6, 2008
    Posts:
    4
    I get a 2 min delay and 100% cpu when opening the java control panel cpl (1.6.07 too)
     
  24. dlux

    dlux Registered Member

    Joined:
    Sep 4, 2008
    Posts:
    3
    It looks like private messages are disabled on the forum, so I'm not sure how to get a hold of you directly. My case number with Eset is 159093 and I will send an email updating the case with links to the files on my FTP server.
     
  25. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,441
    Now you should be able to PM me.
     
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.