ekrn.exe 100% CPU

Discussion in 'ESET NOD32 Antivirus' started by pcdpaul, Mar 21, 2011.

Thread Status:
Not open for further replies.
  1. pcdpaul

    pcdpaul Registered Member

    Joined:
    Sep 1, 2010
    Posts:
    11
    Today we have a number of staff with ekrn.exe using 100% CPU and slowing their computer down. Nod32 4.2.64.12 - Latest sig database is 5972. It appears that accessing Https websites with IE causes ekrn.exe to hog all CPU, so much so that you can't type in emails etc. After several seconds it comes right until you click on something in IE again.
    If you disable real-time protection your computer works correctly again (without any protection!).
    Could this be a signature issue?
     
  2. Cudni

    Cudni Global Moderator

    Joined:
    May 24, 2009
    Posts:
    6,956
    Location:
    Somethingshire
  3. christx

    christx Registered Member

    Joined:
    Mar 21, 2011
    Posts:
    7
    We are having a similar problem. Any traffic to our Internal SharePoint 2010 website results in ekrn.exe CPU spikes. Depending on the specs of the machine, this can range from a mild annoyance to rendering the machine totally unusable. Wasn't a problem until 5972 came down.
     
  4. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    If disabling real-time protection makes a difference, reproduce the problem with Procmon logging all operations, save the log, upload it somewhere and pm me the link please.
     
  5. christx

    christx Registered Member

    Joined:
    Mar 21, 2011
    Posts:
    7
    I should add, in our case, it's any HTTP/HTTPS traffic that is causing the problem - but all in relation to SharePoint 2010 (at least that is the main culprit so far). Using Internet Explorer or Chrome, HTTP or HTTPS - the same website is causing ekrn.exe to CPU spike. SharePoint 2010 uses a huge amount of JavaScript, so perhaps that's the issue. Regardless, I need a resolution before tomorrow morning or I'm going to have a boatload of very upset users.
     
  6. christx

    christx Registered Member

    Joined:
    Mar 21, 2011
    Posts:
    7
    Disabling real-time protection fixes the problem we are having. I'll work on getting you a log - stand by.
     
  7. veerhossain

    veerhossain Registered Member

    Joined:
    Mar 21, 2011
    Posts:
    4
    Same problem here. 100% cpu utilization by ekrn.exe. It's happening in a MS .Net application we built, turning off Real time file system protection is the only thing that fixes it. (and i just spent 2 hours turning options within realtime off one by one and nothing fixes it unless the feature is disabled entirely) And the issue is only manifesting in IE8 or IE9...even with AV turned on this issue does not occur in Chrome or Firefox. Just started today...I've got 500 really sad users, any thoughts on a fix?
     
  8. christx

    christx Registered Member

    Joined:
    Mar 21, 2011
    Posts:
    7
    I have your log, but it won't let me send you a PM. Please advise.
     
  9. nr2134

    nr2134 Registered Member

    Joined:
    Mar 21, 2011
    Posts:
    1
    Count me in too. Have SSL scanning disabled and no combination of settings helps, unless I disable realtime completely.
     
  10. christx

    christx Registered Member

    Joined:
    Mar 21, 2011
    Posts:
    7
    Did you have this issue before 5972? I thought our problem persisted despite the browser, but on closer inspection, it looks like you may be right - IE8 is definitely the hardest hit (we don't have any IE9, so I can't speak to that). Right now, Chrome appears to be able to browse our SharePoint site without incident.
     
  11. veerhossain

    veerhossain Registered Member

    Joined:
    Mar 21, 2011
    Posts:
    4
    Nope problem started today with 5972, we started helpdesk getting calls around midday eastern time. It's weird because there doesn't seem to be any one granular option to turn off that fixes this. Is there a way to roll back the virus defs?
     
  12. christx

    christx Registered Member

    Joined:
    Mar 21, 2011
    Posts:
    7
    No idea. We're in the same boat as you. Just started receiving random HelpDesk calls mid-afternoon - when 5972 started to hit. I have a support case open with Eset. Last I heard was "We are not aware of any issues with update 5972." I've provided them with a link to this thread.
     
  13. faust1

    faust1 Registered Member

    Joined:
    Mar 21, 2011
    Posts:
    3
    Same thing here. Started about 2 hours ago 5972 is clearly the cause.

    Total process hog, tried to uninstall-reinstall no luck....

    Disable AV fixes the problem, but this is hardly a solution! I plan on checking back in the morning......
     
  14. agoretsky

    agoretsky Eset Staff Account

    Joined:
    Apr 4, 2006
    Posts:
    4,032
    Location:
    California
    Hello,

    Issue is being investigated now.

    If you are experiencing the problem when visiting certain web sites, can you please reply with the following information?
    • ESET Product (ESET NOD32 Antivirus, ESET Smart Security, etc.)
    • Version Number of product (3.0.650, 4.2.71, etc.)
    • Operating System, Version, and Service Pack level
    • Name and Version of web browser (Internet Explorer 8.0, Mozilla Firefox 3.6.15, etc.)
    • URL of web sites you are attempting to visit
    Thank you.

    Regards,

    Aryeh Goretsky
     
  15. faust1

    faust1 Registered Member

    Joined:
    Mar 21, 2011
    Posts:
    3
    ESET NOD32 AV
    Version 4.0.474.0
    Both Windows 2000 SP4 & XP SP2 & SP3
    IE 6 & 7
    URL is a local intranet site
     
  16. ratm160

    ratm160 Registered Member

    Joined:
    Mar 21, 2011
    Posts:
    3
    Hi Agoretsky,

    we are running the below

    Nod32 32-bit Anti-virus V4.2.35.0
    Windows XP Professional SP3
    Internet Explorer 8


    we are trying to access the secure parts of various banking sites such as bankSA (www.banksa.com.au) and ST george.

    Thank you

    Lloyd
     
  17. veerhossain

    veerhossain Registered Member

    Joined:
    Mar 21, 2011
    Posts:
    4

    Eset nod32 4.2.64.12
    Win 7 Enterprise (64-bit) 6.1.7600
    IE9 9.0.8112.16421

    Website is a secure application written with MS c#.net, heavy use of javascript and ajax and telerik controls.

    Issue does not exist when using Firefox or Chrome
     
  18. gdonlon

    gdonlon Registered Member

    Joined:
    Mar 12, 2010
    Posts:
    12
    Add me to the list too.

    After working through the issue for a few hours I noticed some threads using sysinternals causing iexplorer to lock up. Eset was the culprit and it was wreaking havoc on our corporate network today.

    Nod32 Corporate Antivirus 4
    4.2.71 and 4.2.64.12
    XP - Windows 7 - Windows 2003 and Windows 2008. (Many Different SP levels)
    (XP and Windows 2003 didn't recovery nearly as well as W7 and 200:cool:
    IE 8.0 and IE 9.0

    The major website that we were trying to visit was salesforce.com...when clicking on any link with heavy content getting loaded the internet came to a crawl. This is our company CRM so having this issue kills our productivity.

    Is there any way to push out a fix via GPO to stop scanning certain objects when users log in?
     
  19. bachastain

    bachastain Registered Member

    Joined:
    Jul 14, 2008
    Posts:
    11
    I'm in the same boat as of a couple of hours ago.

    Huge slowdowns and long pauses in all activity due to ESET spinning at 100%.

    XP SP3
    ESET Smart Security
    Version 4.2.40.0
    Signature database 5972 (20110321)

    Disabling Real Time Protection cures the 100% CPU usage. I can also just disable the real time checks for File Open and File Creation, then I can leave real time protection enabled without a slowdown.

    One thing of note. It seemed to start around the time I installed the just released Firefox 4.0, but that may be a coincidence.
     
  20. veerhossain

    veerhossain Registered Member

    Joined:
    Mar 21, 2011
    Posts:
    4
    Does anyone know if realtime file open and creation can be disabled via policy? He's (bachastain) correct, the issue goes away when that setting is changed (not a great fix but I can live with a workaround)...but the change doesn't seem tp push from the ERAC...I made a manual change in the installed client on my box. Thoughts? Tips?
     
  21. pcdpaul

    pcdpaul Registered Member

    Joined:
    Sep 1, 2010
    Posts:
    11
    ESET NOD32 Antivirus
    4.2.71.2 (just downloaded; worked fine until I performed an update to 5972)
    Windows XP SP3
    IE8.0
    It appears to be only Https sites so you would need a login to get access to them.
    I tried several and found only some were causing the issue. Our OWA site (we run Exchange 2010 SP1) or SharePoint Sites cause the issue.
     
  22. pcdpaul

    pcdpaul Registered Member

    Joined:
    Sep 1, 2010
    Posts:
    11
    Looks like signature database 5973 just came out...and it seems to fix the problem.
    Thanks.
     
  23. yongsua

    yongsua Registered Member

    Joined:
    Feb 9, 2011
    Posts:
    474
    Location:
    Malaysia
    Ya.I found something wrong with ESET just now.It went up to 100% Cpu usage when I surf Panda blog website with chrome(sandboxed).
     
  24. bachastain

    bachastain Registered Member

    Joined:
    Jul 14, 2008
    Posts:
    11
    Just got 5974 and all seems well again.
     
  25. christx

    christx Registered Member

    Joined:
    Mar 21, 2011
    Posts:
    7
    Same here. In my (limited) testing, 5974 seems to resolve the problem.
     
Thread Status:
Not open for further replies.