3 major issues with ESS v3.0.672

Hello,

I started using ESS about two weeks ago, after being quite disappointed with Norton 360 (the security suite had been overrun several times by Trojans that even managed to change its traybar icon).

I have been using NAV v2.7, so I'm not really a stranger to this great product, so I decided to give this one a try.

While I'm generally pleased with the application's high level of scanning, detection and removal (Norton 360 didn't seem to even scan downloaded files and archives), I have 3 major issues with it:

1. As quite a few people already mentioned, the ekrn.exe process seems to frequently consume at least 50% of CPU cycles (up to 100% at certain cases), usually when a folder is opened (especially if there are archives inside of it). And even copying small files (5-10 MB) from one folder to another can take more time than is reasonable (10 sec), and even after the copy process is finished, the icons of exe files remain unloaded for a long time.

It also seems that when downloading a file via IE7 (not via a download manager) the download process will freeze at exactly 99% for a long time, probably to scan the file before saving it to the HDD.

2. The popup blocker (if there is one at all) is quite lacking. I've been used to having no popups\flash-based commercials in the corners of the webpage for a long time, but after switching to NOD32 I can't get rid of them, even with the help of my browser's built-in popup blocker. imdb.com is an excellent example of this, where at random pages (of actors or movies) the browser will open an infinite number of pages, causing a freeze, which can only be resolved by killing the browser's process via Task Manager.

3. Because of #2, I tried to add a good anti-spyware product - Spyware Doctor (v6.0.0.385), as one of its features is popup blocking.
However, whenever any network traffic activity is made (attempt at browsing, FTP download, P2P software, etc) the PC will seriously freeze up, and at times will even crash.
It clearly means the two products have conflicts with each other, and would like to know if this a known issue and whether there is a solution for it.

 

This is most likely caused by advanced heuristics scanning files upon creation or the web access protection scanning whole files when downloaded completely. You can disable AH for newly created/modified files, but it's better to leave it enabled. In future versions, you'll be able to enable AH on file execution so disabling it for newly created files should be safer.

I've never heard of such a problem. If it wasn't the built-in pop-up blocker but an external tool, I'd say that the tool has problems checking the http content when redirected through a local proxy. Could you provide step-by-step instrucions how to replicate it?

 

Hello again.

First of all - thank you very much for the speedy response!

1. It's great to know that the CPU overload issue will probably be resolved in future versions.

2. I don't use any kind of proxy server.

3. When I referred to the built-in pop-up blocker, I meant the pop-up blocker of SlimBrowser 4.10 Build 15, which is a browser built on the source code of IE6/7.

This pop-up blocker actually works quite well, but while it blocks some of the pop-ups, it won't stop them all, and sometimes the pop-ups it had blocked - just show up in a new window of IE7 (which is logical, since IE7 is less secure then SB 4.10, as far as I've experienced and based on other users' comments, and it obviously runs on the same source code).

The thing is - when I used Norton 360's anti-adware/pop-up module in the past (which was a downloadable add-in, not present by default on the installation CD), I didn't even have to use the built-in pop-up blocker of SB 4.10.

I guess the best way you could try to replicate this problem is by randomely going to some actor's or movie's page at imdb.com, with either IE or any IE based web browser and see if the browser gets flooded with an infinite number of newly opened windows.

I'm sorry, but I can't give you an exact page, because it's too random and can happen at any page, and sometimes it doesn't happen at all. Actually, since about 2-3 days ago it didn't even happen to me at all, which is wierd, since the only thing in ESS which was updated during those few days was the virus signature database (currently at version 3484).
It's also strange that a legit and popular site such as imdb.com will have this issue at all.

4. Also, please note that any flash-based commercials which aren't pop-ups are visible, and will appear on the edges of webpages - something that again wasn't the case with my former anti pop-up product.
For example, check out the top-edge flash banner at the following site: http://www.ynetnews.com/home/0,7340,L-3083,00.html.
In the past I wouldn't even see that banner, it would either be completely removed (and them the rest of the page would've moved up a bit), or, in the worst case - it would appear as an empty white rectangle in a thin black frame.

 

I am also experiencing the described symptoms while using ESS v3.0.672. I have - for myself at least - been able to narrow down the start of the problem to a time near a particular virus database update push. For details, see the abridged email thread of the support case I currently have open with ESET inserted below:

Sent Wed 9/24/2008 8:31 PM Support Placeholder wrote:

Symptoms occur generally and to differing degrees with intermittent 50-100% CPU usage after virus signature update from 20080821.
The following files were created after initial reinstall of WinXP, ESS and applications but BEFORE UPDATE to latest virus db:
ESS TEST Installed Components 080924 1932 PDT.txt
SysInspector-XXXXXXXX-080924-1936 PDT.zip
Various applications including Windows Explorer, Task Manager and ImgBurn were launched without ekrn.exe high CPU usage.
UPDATE of ESS was run and then these files were created:
ESS TEST Installed Components 080924 1949 PDT.txt
SysInspector-XXXXXXXX-080924-1951 PDT.zip
Various applications including Windows Explorer, Task Manager and ImgBurn were launched with ekrn.exe high CPU usage.
The Real-time File System Protection - ThreatSense engine - Extensions - Scan all files was unchecked and the following file was created:
SysInspector-XXXXXXXX-080924-2004 PDT.zip
Various applications including Windows Explorer, Task Manager and ImgBurn were launched with ekrn.exe high CPU usage.
Screenshots of Task Manager
1) After Task Manager launch:
ekrn.exe high CPU usage Task Manager launch 080924 2006 PDT.jpg
2) After ImgBurn launch:
ekrn.exe high CPU usage imgBurn launch 080924 2009 PDT.jpg
Symptoms again observed when browing disks with Windows Explorer.
Please advise.

[Contact information removed for this WSF post]

~All private correspondence removed. Please read the Terms Of Service concerning the use of these forums - Ron.~



From: Support Placeholder
Sent: Sunday , September21, 2008 11:13 am PDT (GMT-07:00)
Subject: Update cause ESS 100% CPU

Further investigation taken since receiving ESET Case Update of 09:54
09/21/08:
Loaded fresh copy of Windows XP PRO SP3
Installed only the following:
Intel PRO v13 network driver
ESET ESS 3.0.672.0 with Signature Database 20080821
Microsoft .NET v2.0 SP1
ImgBurn v2.4.2.0
Test: Launched ImgBurn before ESET virus signature update
Result: No Problems with CPU usage
Updated ESET ESS Virus Signature database
Test: Launched ImgBurn after ESET virus signature update
Result: Extremely high CPU usage
Made change to "Real-time file system protection" suggested below.
Test: Launched ImgBurn after ESET virus signature update
Result: Extremely high CPU usage
Symptoms of up to 100% CPU usage still recur.
Symptom also observed when launching Microsoft Outlook 2002.



From: Support Placeholder
Sent: Sunday , September21, 2008 08:51 am PDT (GMT-07:00)
Subject: Update cause ESS 100% CPU

Problem behavior occurred at times other than just when running ImgBurn.


From: Support Placeholder
Sent: Friday , September19, 2008 08:07 am PDT (GMT-07:00)
Subject: Update cause ESS 100% CPU

ekrn.exe now runs to 100% CPU when running the program ImgBurn from LightningUK. This behavior first observed near the time of the v.3452 signature update push. Prior to that time, the problem did not occur.
The symptoms were duplicated and verified by a fresh install of Windows XP PRO SP3, ImgBurn and ESS v3.0.672 with a signature database of Aug 2008. After the ESS install with the older database, ImgBurn runs fine. However, upon ESS update to latest database, 100% CPU symptom occurs.
This behavior observed on 2 independent machines.
Please advise.

 

UPDATE

With a virus database update push occurring either late 9/30 or early 10/1 PDT (GMT-7), the symptoms seem to have abated. However, I have not yet been contacted by ESET Support as to whether my case is considered closed.

To aid others in following my communications with ESET Support and as the actual responses from ESET have been edited out, I will summarize them (all times PDT):

08_0919 0807 Request submitted to ESET Support with descriptions of symptoms

08_0919 0808 Request acknowledged by ESET Support

08_0921 0851 Informed Support that symptoms occur generally

08_0921 0954 Received instructions to modify ThreatSense engine parameter setup: Advanced->Real-time file system protection->ThreatSense engine parameter setup->Extensions->Uncheck Scan All Files
Restart Computer

08_0921 1113 Description of diagnostic steps/tests taken and results sent to Support

08_0922 0836 Support requests Full System Inspection logs - Instructions here:
http://training.eset.com/kb/index.php?option=com_kb&Itemid=29&page=articles&articleid=762

08_0924 0706 Support requests status update

08_0924 0831 System logs and Installed Component listings sent to Support