high cpu usage question

Discussion in 'ESET NOD32 Antivirus' started by Cosmin3, Jun 2, 2010.

Thread Status:
Not open for further replies.
  1. Cosmin3

    Cosmin3 Registered Member

    Joined:
    Jun 2, 2010
    Posts:
    29
    Hi.
    Sorry for my english.
    I'm new here so please be patient with me if I'm doing something wrong.
    I searched before posting but I couldn't find an answer to my question. But if it exists please show me the post...

    Currently I'm evaluating Eset Nod32 Antivirus 4. I noticed the same problem that I had with 3.x versions (on another computer): sometimes it takes 100% CPU (one of the 2 processors) for a long time (dozens of minutes).
    It's not a virus - I checked the computer with 3 other antivirus programs and found nothing.
    It's not something that comes from the internet connection - even with internet connection closed does the same.
    And also it's not from my actions (opening a folder, renaming a file etc).
    In the interface it's showing all normal (no scanning or other actions).
    OS is XP SP3 newly installed.
    In the posts found when searching this forum someone suggested a problem with update module. But I'm not sure...
    With 3.x versions I solved the problem manually: forcibly closing ekrn.exe. With 4.x I can't do the same (because of the protection)...

    My question is: how can this problem be solved..? Because in these conditions I will not buy a license...
    Thank you for any reply.

    Best regards, Cosmin3
     
    Last edited: Jun 2, 2010
  2. pinjoa

    pinjoa Registered Member

    Joined:
    Jan 10, 2008
    Posts:
    74
    Location:
    Braga, Portugal
    hello,
    can you find what proccess is using high cpu time?
    • if the answer is "ekrn.exe" you need to find what files are in the scanner list
    • with procexp tool from sysinternals you can see what files "ekrn.exe" are opened
     
  3. Cosmin3

    Cosmin3 Registered Member

    Joined:
    Jun 2, 2010
    Posts:
    29
    Yes, it's ekrn.exe.
    I downloaded Process Explorer. I found ekrn.exe in the tree.
    Where specifically in this program I can found informations about currently opened files (by ekrn.exe)..?
     
  4. vtol

    vtol Registered Member

    Joined:
    Apr 8, 2010
    Posts:
    774
    Location:
    just around the next corner
    might be better to use process monitor, procmon.exe

    there you can set also a filter for specific processes. perhaps also an idea to keep an eye on explorer.exe for that part, not just ekrn.exe
     
  5. jedi_m

    jedi_m Registered Member

    Joined:
    Jan 28, 2008
    Posts:
    93
    Location:
    Toronto, Canada
    Cosmin, I believe you have other program(s) that has compatibility issues with NOD32, not just Windows XP SP3 (fresh installed). I had the same experience with NOD32 and Autodesk Inventor 2008, but I've excluded this program from scanning and everything was OK. A Sysinspector scan log send to ESET could help, or maybe other guys here could find the problem if you post the scan log.
    jedi_m
    btw, your english is good
     
  6. Cosmin3

    Cosmin3 Registered Member

    Joined:
    Jun 2, 2010
    Posts:
    29
    Here is the Sysinspector scan log: http://www.mediafire.com/?omymdkoqdjl
    By the way, you'll notice some unusual programs: DelTempFiles, Intermediar, W2Click etc. They are programs made by me (I'm a Delphi programmer).

    A friend told me a way to solve this problem (worked for him anyway):
    Setup >> Enter entire advanced setup tree >> Real-time file system protection >> deactivate "Removable media" and "Network drives".
    Is it ok to do this..?
     
  7. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    Do you open files from network drives frequently?
     
  8. Cosmin3

    Cosmin3 Registered Member

    Joined:
    Jun 2, 2010
    Posts:
    29
    No, I don't. I don't use/access network drives.
     
    Last edited: Jun 3, 2010
  9. Cosmin3

    Cosmin3 Registered Member

    Joined:
    Jun 2, 2010
    Posts:
    29
    I think it happened again, but I can't be 100% sure that it's the problem that I mentioned.
    Here is the log file from Process monitor: http://www.mediafire.com/?y4ymahewjam
    It shows only activity from ekrn.exe for a period of few minutes.
    A strange thing: most of the time is reading/writing from "D:\Sistem\Temp\NODF70.tmp" file. It's like is in a loop.
    By the way, "D:\Sistem\Temp\" on my OS is %TMP% and %TEMP% variables (current user and system).
     
  10. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    1, Open the main setup, navigate to Real-time file system protection -> ThreatSense parameters setup -> Objects and make sure Runtime packers are disabled. Likewise, under Options disable Advanced heuristics.

    2, should the problem persist, create another Procmon log but this time with ALL applications logged, not just ekrn.exe/egui.exe.
     
  11. Cosmin3

    Cosmin3 Registered Member

    Joined:
    Jun 2, 2010
    Posts:
    29
    Ok, I will do that. I'm just curious why, since disabling them decreases the protection...

    I logged only ekrn.exe because:
    - I wanted to see clearer which files opens;
    - I never use Explorer as a File Manager;
    - only ekrn.exe generated a 39MB log file (!). I think that when all processes are logged it will be hundred of MB...

    But I will try to log all...
     
  12. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    With default settings, it's almost impossible that you could get infected with a threat that is recognized either by a signature or heuristics.

    If you log only operations during the time needed to reproduce the problem and subsequently zip it, it should be reasonably small. Memory dumps are sgnificantly larger.
     
Thread Status:
Not open for further replies.