Ekrn.exe and quota usage

Discussion in 'ESET NOD32 Antivirus' started by lektem, Jul 7, 2008.

Thread Status:
Not open for further replies.
  1. lektem

    lektem Registered Member

    Joined:
    Jul 7, 2008
    Posts:
    14
    Hi,

    I have an ADSL subscription which is limited to 4 GB / month.

    Last month, I realized that I used 7 GB as of 23rd of June!

    I am sure I did not used my quota that excessively.

    Last week I realized that I had set Nod32 to monitor Emule, Firefox, Internet Explorer etc last month.

    I started tracking my usage closely.

    And Netlimiter showed me that EKRN.EXE downloads as much as web browsers and P2P programs.

    I unchecked all browsers and P2P stuff from HTTP monitoring settings of Nod32 and all returned to normal. Now both Netlimiter and my ISP's quota monitoring page shows normal usage.

    please see the image that displays quota usage of ekrn.exe - before and after.

    So, what should I or ESET do to use Nod32 effectively but without consuming bandwidth quota?

    I assume that Netlimiter and ISP's system is right and ekrn.exe is actually using those GBs. Or am I wrong?

    Virus signature database: 3244 (20080705)
    Update module: 1024 (20080514)
    Antivirus and antispyware scanner module: 1129 (20080703)
    Advanced heuristics module: 1071 (20080509)
    Archive support module: 1079 (20080509)
    Cleaner module: 1031 (20080630)

    http://quick.holdthatpic.com/264605
     

    Attached Files:

    Last edited: Jul 7, 2008
  2. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,375
    That's because all HTTP and POP3 traffic is redirected through ekrn so that it can check it for threats. You can, however, exclude desired applications from being redirected through ekrn and scanned.
     
  3. lektem

    lektem Registered Member

    Joined:
    Jul 7, 2008
    Posts:
    14
    So Marcos,
    You say that EKRN.EXE is actually making downloads and using the quota.
    For example, when I visit a web page which is 1 MB, Firefox uses 1 MB and EKRN.EXE uses another 1 MB of quota. Is that right?


     
  4. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,375
    Any HTTP traffic initiated by a web browse is redirected through ekrn by default. You can exclude a particular application (browser/email client) from scanning so that the HTTP traffic it generates is not redirected through ekrn. As a result, the HTTP traffic will not be checked for threats, but your 3rd party application will detect the browser correctly then. You wouldn't probably see any traffic from Firefox in Netlimiter as all HTTP traffic would be redirected through ekrn unless Firefox is excluded from scanning. If you have Windows Vista or newer, this redirection won't be a problem as of the next major program update.
     
  5. lektem

    lektem Registered Member

    Joined:
    Jul 7, 2008
    Posts:
    14
    When I check EKRN.EXE to monitor HTTP connections, my quota given my ISP quickly ends up. So, unfortunately I have uncheck all programs in monitoring sections including web browsers.

    But I pay money for protection and I cannot get it.

    :'( That's sad, indeed.

    Thank you for the response! :thumb:
     
  6. The Nodder

    The Nodder Registered Member

    Joined:
    Sep 6, 2006
    Posts:
    296
    Location:
    UK
    In my ISP there are users with the same problem and they use more than their quota. In this ISP they are charged extra for it, my charges went up a lot for the same reason, now I know the source of the problem I'll have to get it sorted one way or another.
     
  7. lektem

    lektem Registered Member

    Joined:
    Jul 7, 2008
    Posts:
    14
    I, too, pay for even extra 1 MB if it exceeds 4 GB a month limit.

    ESET must find a solution. This is a serious concern.

     
  8. anda

    anda Registered Member

    Joined:
    Oct 24, 2008
    Posts:
    7
    Location:
    Budapest
    Hoola to all!

    I've found this thread when searching the solution of the same behaviour described in the opening post. I've installed Netlimiter to simulate an optional downgrade of my bandwidth. After installation i've - of course - checked the result, so went to speedtest.net and did tests without and with Netlimiter. In the 1st case i've got what expected: the nominal bandwith of my current package, 5 mbit/s. In the 2nd case i've set Netlimiter to decrease bandwith to 2 mbit/s and the run gave me strange result: only 1 mbit/s! Not 2 but 1! OK, ran it again, and during the process see the Netlimiter window. I saw that ekrn.exe use the half of the 2 mbit/s and the browser use the other half. At the first sight it seems that it means that the amount of the downloaded data is double what i want. But it is impossible to imagine if we know that ekrn.exe just redirect the transfer.

    BTW it is much more strange that we can't see a straight official answer to very simple question. It was this: "So Marcos, You say that EKRN.EXE is actually making downloads and using the quota?" and the answer wasn't "No" or "Yes", but "Any HTTP traffic initiated by a web browse is redirected through ekrn by default.". The only reason for the birth of this answer is that the moderator doesn't speak this language (english). If he speaks the answer must be "No, ekrn.exe does not make download using the quota, just simply redirects the data transfer". Am i right (beware! another very simple question shout for a very simple and straight answer)?

    Now to the original poster. Test the situation with a simple download in your browser with a simple metering. Find a downloadable file with a known filesize, and counter the time of the download (stop any other bandwith usage during this). After the download, do the math! In my case: 00:19 sec and 605,55 KB/s (know the exact value because i have the Download Statusbar addon for Firefox) gives 11,5Mb and this is the size of the file what i downloaded. No other data transfer happened during this. I've stopped the statistics in Netlimiter before this download so it started to measure from zero. And what does it show now? Received: 23Mb!! Double the size of the downloaded file, the all downloaded data i know about.

    What does this mean? The problem is in Netlimiter, but not in Eset Smart Security! Somehow Netlimiter detect the redirection of ekrn.exe as a separate data transfer and use this information in any of its depending processes. This cause not just false statistics, but worst: false behaviour. When limiting the complete bandwidth of my computer to 2 mbit/s and using the browser, this one get only half on the available bandwidth, because ekrn.exe get the other half (if no other usage exists). You can measure this the same above way: download a known file and count the average speed from the size and the time. I saw that when the 2 mbit/s limit is active the browser works only with 1 mbit/s. And it is simply the fault of Netlimiter. An opposite test: watch the total bandwith usage without any limiting! I've got 10 mbit/s, but i know that only have an ADSL line with maximum 5 mbit/s speed. Netlimiter doubles my available bandwidth!? No, it simply can't handle the mentioned redirection. So this question belongs to a Netlimiter forum, and not this one :)

    Thanks for your attention (and once again: if i can suggest to the moderators, i suggest answer simply and straight to the question).
     
  9. lektem

    lektem Registered Member

    Joined:
    Jul 7, 2008
    Posts:
    14
    But Anda, Netlimiter is a small problem here. The biggest problem is that the quota calculating software of my ISP acts just as Netlimiter does. It calculates the traffic passing through EKRN.exe and sends me a huge bill, because I always exceed my quota.

    In simple words, I visit a web page which is 100 kb. EKRN.exe monitors this traffic. And My ISP says "You consumed 200 kb of your quota." And you cannot tell them my antvirus does this, and it does that, etc etc.
     
  10. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,375
    Netlimiter 1 shows double amount of transferred data with EAV/ESS installed. You can always check the system network statistics where you'll see half of the amount showed by Netlimiter.

    Netlimiter v2 seems to work just fine, at least I didn't find any discrepancies in the statistics.
     
  11. lektem

    lektem Registered Member

    Joined:
    Jul 7, 2008
    Posts:
    14
    Please somebody understand me!

    My ISP!

    They calculate quota usage just like Netlimiter v1.

    They multiply actual quota usage by 2.

    So my bill gets higher.

    I cannot tell my ISP "Correct your something, and this thing and that thing."

    They won't listen.

    So, ESET should fix its EKRN.exe.
     
  12. doktornotor

    doktornotor Registered Member

    Joined:
    Jul 19, 2008
    Posts:
    2,047
    LOL. Then switch your ISP. This is no way a bug with ESET products. :rolleyes:
     
  13. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,375
    It's not a bug in our product, it's the way Netlimiter1 works. If it was a bug, then why Netlimiter2 produces correct statistics?
     
  14. anda

    anda Registered Member

    Joined:
    Oct 24, 2008
    Posts:
    7
    Location:
    Budapest
    In this case the calculator of the ISP is faulty as Netlimiter is faulty. I don't want to protect ESET but remember what i wrote the total bandwidth! Regarding to Netlimiter i have 10 mbit/s, but i know i have only 5 mbit/s. I'm really curious what we can see at your ISP when measure this value to find what is your bandwidth. Try to point their attention to this "fact".

    BTW do you really know how the calculator of the ISP works? Have you got exact metering of complete months and have you got the bill of that month contains exactly the same amount of data you have measured?

    Regarding to my measures we must concede that Netlimiter gives false values. I've downloaded a 11,5 Mb file and it shows that i did 23 Mb. So Netlimiter lies, it's deadly simple. In this case we must say that the (calculator of the) ISP lies too. You must talk with your ISP about this, showing the above facts to their support person.

    Marcos!

    This is what we all talk about! Netlimiter 2 doubles the value of the transferred data. The very strange thing is that the ISP of lektem doubles too! It seems a hard task to argue with the ISP about this value. What to show oppositely to their measured data? Maybe the problem is really inside the software of ESET? I will try to get monthly values from my ISP, just for testing it.
     
  15. lektem

    lektem Registered Member

    Joined:
    Jul 7, 2008
    Posts:
    14
    Marcos, oh my friend! We are not talking about Netlimiter anymore.
     
  16. doktornotor

    doktornotor Registered Member

    Joined:
    Jul 19, 2008
    Posts:
    2,047
    And to be blatantly clear here - if they won't listen to you, they perhaps will listen to your lawyer. Using broken tools for traffic accounting and double-charging your customers because of that is a serious breach of contract and constitutes unjust enrichment; you cannot legally do that.
     
  17. anda

    anda Registered Member

    Joined:
    Oct 24, 2008
    Posts:
    7
    Location:
    Budapest
    Maybe that ISP uses Netlimiter to control the bandwith of the limited users? :D
     
  18. doktornotor

    doktornotor Registered Member

    Joined:
    Jul 19, 2008
    Posts:
    2,047
    Apparently; and as I said above, charging customers for their screw-up is clearly illegal.
     
  19. lektem

    lektem Registered Member

    Joined:
    Jul 7, 2008
    Posts:
    14
    Anda, yes. I checked my actual usage. When I enable EKRN.exe, my ISP calculates wrong usage. Netlimiter does this too. I did enable EKRN.exe only once in my lifetime. When the bill literally doubled thanks to over quota usage, I had to disable it.

    My ISP is not a private company. It's a state-run one so they never ever believe what I might say.

    So I now go on with EKRN.exe disabled.

    I have to.

    This is a bug in Nod32.



     
  20. doktornotor

    doktornotor Registered Member

    Joined:
    Jul 19, 2008
    Posts:
    2,047
    No, it isn't, as clearly proved above. Your ISP using sucky broken tools for traffic accounting and having horrible attitude to their customers is nothing ESET could solve.

    You can install any antivirus that uses identical approach to HTTP/POP3 traffic scanning and you'll get exactly the same problem.
     
  21. lektem

    lektem Registered Member

    Joined:
    Jul 7, 2008
    Posts:
    14
    Law works very slowly here and it is also an expensive method to clear things up! :)

    Look at my Mayis (May) and Haziran (June) statistics! It's a nightmare!

     

    Attached Files:

  22. anda

    anda Registered Member

    Joined:
    Oct 24, 2008
    Posts:
    7
    Location:
    Budapest
    Have you ever try to talk with Netlimiter support? Just for curiosity. If the ISP simply don't listen to you, do what you can do: lawyer or change, fight or give up.
     
  23. doktornotor

    doktornotor Registered Member

    Joined:
    Jul 19, 2008
    Posts:
    2,047
    Well, once again - how's that ESET problem? There's nothing broken with their product.
     
  24. lektem

    lektem Registered Member

    Joined:
    Jul 7, 2008
    Posts:
    14
    No, I have not talked to them. Because it is not a big problem. When I look at Netlimiter's results, all I have to do is divide it by half. No extra charges for me. Divide and go. :)

    ESET should check its product and make it compatible with all major calculation software in use.

     
  25. doktornotor

    doktornotor Registered Member

    Joined:
    Jul 19, 2008
    Posts:
    2,047
    Wonderful... So, you are asking ESET to remove their proxy feature that protects lots of users just because an obsolete version of a third-party product is clearly broken (since the problem here is apparently fixed in v2) and your ISP is using such tool... Hmmm, makes lot of sense; good luck. o_O
     
Thread Status:
Not open for further replies.