AMON Constantly Counting

Discussion in 'NOD32 version 2 Forum' started by COSMO26, Sep 28, 2004.

Thread Status:
Not open for further replies.
  1. COSMO26

    COSMO26 Registered Member

    Joined:
    Oct 21, 2003
    Posts:
    404
    I've noticed that AMON is constantly counting files @ about 1.5/sec with no applications running other than AV, etc. protection. Was at 190K+ a while ago and now at 254K+. PSAPI.dll is the File Name in the Window then & now. I'm (Me OS) 2.1.2 Up-to-date & set up like Blackspear minus the MAPI interface. Spybot/AdAware SE/Spyware Blaster seem OK (AdAware showed MS Alexa and I just Quarantined (6) Tracking Cookies with a 3/10 severity rating) - HELP implies a File Count increase only if something happens in an application. Any ideas?
     
  2. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    That is normal behaviour

    Amon is constantly scanning everything running on the computer

    You will always have lots of "programs or applications" running when you are using Windows, even if you haven't started them yourself; they are different parts of Windows
     
  3. markpl

    markpl Guest

    It's not normal behavior - I have experienced the same problem. I think it was related to frequent standby/hibernation switching (notebook). My counter was incrementing about 50 files per second. The funny thing was that the system was fully usable and it was visible only with this "speedy" counter. After rebooting the computer everything is OK (1-2 files per second max).
     
  4. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    I would suggest this is normal behavior for AMON, you will see varying count speeds...

    Cheers :D
     
  5. Howard

    Howard Registered Member

    Joined:
    Sep 3, 2004
    Posts:
    313
    Location:
    Wales, UK
    FWIW, my AMON count currently stands at a little under 11 million in 8½ days
     
  6. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Mine is at 43,000 in 1 1/2 hours. Your computer has been left on for 8 1/2 days I gather...

    Cheers :D

    BTW, how do you get your 1/2 to look the way it does?
     
  7. Howard

    Howard Registered Member

    Joined:
    Sep 3, 2004
    Posts:
    313
    Location:
    Wales, UK
    I use Character Map for the ½ :)
     
  8. Alec

    Alec Registered Member

    Joined:
    Jun 8, 2004
    Posts:
    355
    Location:
    Dallas, TX
    No, excessive AMON counts are not what I would consider to be "normal" behavior. My Win XP laptop has been on for 9 hours and my AMON count is only at 34,939, however I use the default on AMON and only scan all files and in-depth during on-demand passes.

    Normally, "psapi.dll" refers to the Process Status API that helps enumerate details about running processes and device drivers. The unusual thing to me is that I understood you to say that you are running Windows ME. WinME does not normally include psapi.dll; it is really only part of Win2000, WinXP, and Windows Server 2003 (and can be redistributed for use on WinNT 4.0). On Win9x and WinME similar information is gathered using the ToolHelp32 library of APIs. (See here for methods of enumerating processes.) I would recommend downloading and using Sysinternals' Filemon to see which process is trying to continually open and use the psapi.dll.
     
  9. QuinnK

    QuinnK Registered Member

    Joined:
    Mar 11, 2004
    Posts:
    47
    No, excessive AMON counts are not what I would consider to be "normal" behavior.

    I guess the thing would be to define 'normal behavior', and to differentiate between Amon behavior and PC behavior. I think some have been saying the counting is normal behavior for Nod. Whether what is being counted on the PC is normal, or desirable, is another question. If you have a particular program constantly polling in windows, or something like a constantly changing ini file running up the Amon count excessively, it can be excluded... if you trust in no 'nasty' infiltration in that area.

    Take care... Quinn
     
  10. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,875
    Location:
    New England
    Exactly. AMON is not going out of its way to count, or scan files on its own and no one can say what is normal for someone else's computer because they don't know what programs are running on those other PCs. If some program, or Windows itself is accessing some file or files in the background, then unless you exclude them, AMON will scan them and thus the count goes up. That is AMON's job, to scan files being accessed, even if those accesses are occurring because of some background service or other program activity. It does not have to be some foreground program you are running deliberately.

    Now certainly, if you have excessive scanning going on and you don't know what other program is doing all that accessing, then that is worth investigating to determine what program is doing it.

    By the way, the ALT key is a good way to enter special characters, too. Hold down ALT and press the numbers 0189 then let ALT up and this will appear: ½. And then there is ALT 0178 being the: ² character. :D
     
  11. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Agreed :D I was just trying to get to some sort of average, thus 8½ days = 204 hours, divide this into 11 million, equates to around 53,000 files per hour, and this is all dependent upon what programs were being used and what AMON is set to scan... now I'm outta breath from writing that one... ;)


    Boy, I sure would like to know the logic behind getting 189 to look like ½. I'd scratch my head if it didn't make it hurt so much… ;)

    Cheers LWM :D

    :D :cool: :D :cool: :D
     
  12. kblist72

    kblist72 Registered Member

    Joined:
    Sep 29, 2004
    Posts:
    21
    Location:
    Oklahoma, USA
    Just be thankful we have letters and numbers on our keyboards instead of remembering all 256 character (ANSI/ASCII) combinations.. if you use charmap, you can use the ALT/code as long as it's not Unicode numbers..
    (Cyrillic.. uffda) Or worse still, binary/bit data type entry..

    Of course, MS made it easy for us.. we just need to translate the
    HEX code to decimal and tack on a zero. :)

    Like 2C in Courier = 2*16+12=32+12=44 (ALT+044)
    Well, anyway, that's my .02¢ worth. :)

    I used to know the IRQ for keyboard.. think it's 1..
    Ah.. the electronics days are all coming back to me.. *sigh* :)
     
  13. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    LOL, like I said, "I’d scratch my head if it didn’t make it hurt so much…" ;) :D

    I Loooooove Windows, it makes it sooooooo much easier... for the average user to screw up, it's not just left to the experts... ;)

    Cheers :D
     
  14. Alec

    Alec Registered Member

    Joined:
    Jun 8, 2004
    Posts:
    355
    Location:
    Dallas, TX
    Agreed. I apologize for not being more precise in my response. NOD32 is doing precisely what it was designed to do, namely scan files that are being accessed with create, open, or execute rights (and meet whatever extension filtering criteria, if any, you have configured in settings). What I meant to say, though, is that » I «, personally, don't think that such constant file accessing is normal behavior for the underlying PC. Certainly, what is or is not normal depends upon what processes you have running; but such constant filesystem activity is somewhat suspicious to me and even if it is benign I'm not sure that I would want the overhead such a background process may be causing. It is worthy of further investigation, IMHO, is all I was really trying to convey.
     
  15. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Nicely said Alec, and a good point...

    Cheers :D
     
  16. COSMO26

    COSMO26 Registered Member

    Joined:
    Oct 21, 2003
    Posts:
    404
    Thanks for the feedback. "paspi.dll" showed in Windows System, Temp, and Program Files\Diskeeper Lite (upper case "D" in .Dll vs others' .dll; it's a defrag tool). I looked at the Process Explorer screen and, while not seeing anything obvious, am not proficient enough to really know what I'm seeing if an "I'm the problem" sign is not painted on it. Will network around locally and advise if anything found worth your knowing.
     
  17. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Thanks for that COSMO26...

    Cheers :D
     
  18. DonKid

    DonKid Registered Member

    Joined:
    Jun 27, 2004
    Posts:
    566
    Location:
    São Paulo, Brazil
    Hi Folks.

    I have checked my system and my psapi.dll is scanned all the time because I'm using Tauscan. If I disable it, NOD32 is back to normal.

    Best Regards,

    DonKid.
     
  19. COSMO26

    COSMO26 Registered Member

    Joined:
    Oct 21, 2003
    Posts:
    404
    Got around to researching AMON constant counting of PSAPI.dll files and ESET Sppt said a similar issue ended with removal of a program. My First "turn off" attempt was Spybot S&D TeaTimer. AMON STOPPED counting. 1.5 files per second doesn't seem to affect performance so I'll reactivate TeaTimer & truck on. Thanks to ESET Support.
     
  20. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Thanks for the update Cosmo26.

    Cheers :D
     
  21. tobamore

    tobamore Registered Member

    Joined:
    Jun 21, 2004
    Posts:
    128
    Hello, fwiw, it is also worth excluding your firewall from the amon scan - this should cut down on the number of files scanned...

    Toby
     