CPU usage problem on Windows Server 2003

Discussion in 'NOD32 version 2 Forum' started by bens, Jun 26, 2008.

Thread Status:
Not open for further replies.
  1. bens

    bens Registered Member

    Joined:
    Jun 26, 2008
    Posts:
    2
    Hi,

    We're having problems with NOD's CPU usage on our primary server. The process nod32krn.exe is running constantly at 25% CPU. This is a fairly powerful quad core machine, so it seems like it's maxing out one of the cores, which is much too high surely?

    The strange thing is, if I go into the control center and disable AMON, DMON and XMON, the CPU usage carries on at 25%.

    Is there any way I can find out what all this processor time is being spent on? If it makes a difference, the server is a Domain Controller running Exchange, Sharepoint, file sharing etc.


    Any help would be appreciated,

    Ben
     
  2. mschaffer

    mschaffer Registered Member

    Joined:
    Jun 3, 2008
    Posts:
    7
    Our SBS2003 server has been experiencing similar problems since yesterday.
    Suddenly, the nod32krn.exe is running constantly at 50% (server only has 2 cores) so it is maxing out one whole core!

    NOD32 has always been a resource hog on this server, but the server wasn't adversely affected. Now, it is really affecting server performance!
     
  3. mschaffer

    mschaffer Registered Member

    Joined:
    Jun 3, 2008
    Posts:
    7
    Ok. Now it's really bad.
    I had to disable XMON (and kill the nod32krn.exe process) because Exchange is not able to sync with the Outlook clients!

    After disabling XMON, total CPU usage is hovering around 1% to 4%.


    I am particularly irked because I still have the "bad taste in my mouth" from the NOD32 fiasco with some of our Vista workstations at the end of May. I don't have the time to chase down problems with AV software every month!
     
  4. Mauz

    Mauz Registered Member

    Joined:
    Jun 26, 2008
    Posts:
    2
    Same problem here. It seems that this problem has occurred since the false-positive virus definitions on Word documents yesterday (or the day before yesterday). I've uninstalled nod32, because my client complains Outlook hangs :S Hope there will be a solution...
     
  5. bwanner

    bwanner Registered Member

    Joined:
    Jun 26, 2008
    Posts:
    1
    nod32krn has cpu pegged on 2003 exchange server. Killing the process seems to take care of the problem for a while. It appears to reoccur when users login again.
     
  6. elgroper

    elgroper Registered Member

    Joined:
    Jun 26, 2008
    Posts:
    3
    I had the same thing, I had to kill the nod32.
    However, first you have to run services.msc, open the properties of the nod32 kernel service, and select the Recovery tab; you'll see "Restart the Service" in all instances. You'll need to select "Take No Action" on all accounts if you want to kill the nod32 process.
    Then,
    type the following two commands in command prompt.
    taskkill /F /IM nod32krn.exe
    taskkill /F /IM nod32kui.exe

    This will avoid you needing to restart the exchange server, while a fix is being put.
    Please be aware, any attempt to start the service manually again causes a BSOD error 0x0000007E.
    So, a reboot is recommended, and put back all the changes you made to the service.



    Henry
     
  7. Holo20

    Holo20 Registered Member

    Joined:
    Aug 18, 2007
    Posts:
    7
    Same problem here as you all.

    Users started complaining yesterday that Outlook connectivity to Exchange was troubled or nonexistent. Exchange 2003 is running on Server 2003; when I got into the server and opened Task Manager, I saw that nod32krn.exe was hammering the processor with 50 - 60% usage. Killing the process resolves the issue temporarily, but the problem comes back within several hours' time.

    In checking the Nod32 logs, I also noticed that there were many false hits on Word docs a few days ago; I didn't know that was an issue that others were experiencing.

    I called Eset tech support this morning; she said she hadn't heard of the issue, but had me manually update the definitions (bringing me to 3222) and restart the server. The problem occurred again a few hours later, so I called tech support again, and this time they had me delete all the def updates from the folder, then force the update again. That was about 4 hours ago, and I've just experienced the problem again.

    Quite frustrating!!

    -MA
     
  8. cfSA

    cfSA Registered Member

    Joined:
    Jun 27, 2008
    Posts:
    2
    I have same problem: Win Server 2k3, Exchange 2k3 SP2,
    NOD32Kern ~25% CPU 250+ RAM, and NO RPC activity because of it.
     
  9. bens

    bens Registered Member

    Joined:
    Jun 26, 2008
    Posts:
    2
    This has been pretty frustrating. It brought our server to its knees yesterday, to the point where we couldn't even remote desktop in. I've now done the following:

    - Added quite a lot of exclusions to the list in AMON for various folders used by Exchange and DNS
    - In XMON, turned off 'Background scanning' under the Scanner page
    - Rebooted the server

    None of this seemed to make a difference until I rebooted the server, when it settled down. It's now been fine since last night, ticking over at about 1-2% CPU. I don't know which of these things has made the difference, or whether the new signature updates have fixed it.
     
  10. elgroper

    elgroper Registered Member

    Joined:
    Jun 26, 2008
    Posts:
    3
    Well, it looks like definition 3223 has fixed the high CPU usage. I believe a restart of the server is needed after definition 3223 has been downloaded.

    Henry
     
  11. mschaffer

    mschaffer Registered Member

    Joined:
    Jun 3, 2008
    Posts:
    7
    Well, after the 3223 update, I just re-enabled the XMON.

    After about 10 minutes, nod32krn.exe went wild again. :thumbd:
    I will wait until tonight when I can reboot and see if that fixes it.
     
  12. AlexS

    AlexS Registered Member

    Joined:
    Jun 27, 2008
    Posts:
    1
    I have spoken with ESET Support staff; they have informed me that they had sent out a bad update on Wednesday. The bad update is causing the problem. I may have found a work-around to the problem; it requires Microsoft CLI utilities. You can use the ESEUTIL found in the "C:\Program Files\Exchsrvr\Bin\" folder. Use this utility to repair the Exchange database; it can take a long time, mine's at 80% after 3.5 hours on a 35GB database. Run an integrity check and maybe a defrag; it should take care of the problem. I've posted some links below that provide a better understanding of how to use the tool. BACK YOUR DATABASE UP BEFORE YOU RUN THESE UTILITIES!!! I'll post my results; let me know how it works for you as well.

    http://www.msexchange.org/tutorials/Exchange-ISINTEG-ESEUTIL.html

    http://technet.microsoft.com/en-us/library/aa996953(EXCHG.65).aspx
     
  13. Holo20

    Holo20 Registered Member

    Joined:
    Aug 18, 2007
    Posts:
    7
    Earlier this morning I also updated to 3223 and rebooted, but a few hours later the same problem. I'm rebooting now after the update 3224, but I have no hope that the issue will be resolved.

    It wouldn't be so bad if this didn't require constant baby-sitting of the server. I'm not brave enough to run the machine without any virus protection, so I'm half-way tempted to just put Symantec back on until this blows over.
     
  14. mschaffer

    mschaffer Registered Member

    Joined:
    Jun 3, 2008
    Posts:
    7

    Not to mention that well-designed services shouldn't require constant rebooting of the server just to apply an update!
     
  15. Holo20

    Holo20 Registered Member

    Joined:
    Aug 18, 2007
    Posts:
    7
    It has been about 20 hours now since the last episode occurred on my server. The update to 3224 seems to have done the job. Before, I could not plan on more than 2 or 3 hours without a problem.

    Are the rest of you seeing the same thing?
     
  16. Mauz

    Mauz Registered Member

    Joined:
    Jun 26, 2008
    Posts:
    2
    I've uninstalled version 2.7 and re-installed 3.0 build 677. Without the Exchange plugin though. No problems here. After this incident I really don't like Exchange plugins anymore. It can ruin your database :S I'm now using virus scanning BEFORE the messages arrive @ Exchange, such as cleanport. Much better! I've learned from these "mistakes" from ESET. Just my 2 cents...
     
  17. mschaffer

    mschaffer Registered Member

    Joined:
    Jun 3, 2008
    Posts:
    7
    Not yet, because ESET hasn't said anything official or replied to my case yet.
    Until then, I am reluctant to re-enable the XMON background scanning.


    To ESET: what about case 131959? It has been days since I have contacted you about this, and I have not received a reply! :thumbd:
     