How do I stop ekern from running???

Discussion in 'ESET NOD32 Antivirus' started by Mark_Phelps, Mar 30, 2010.

Thread Status:
Not open for further replies.
  1. Mark_Phelps

    Mark_Phelps Registered Member

    Joined:
    Dec 8, 2005
    Posts:
    38
    ekern is running nearly constantly on my laptop now. I've opened the settings dialogue and disabled everything -- and my CPU is STILL pegged at 100%!!

    It was bad enough when this disabled my Win7 Home laptop for several minutes on first boot, but now, this is happening repeatedly throughout the day.

    The following is the stuff in the About panel:
    Virus signature database: 4986 (20100330)
    Update module: 1031 (20091029)
    Antivirus and antispyware scanner module: 1268 (20100325)
    Advanced heuristics module: 1101 (20100309)
    Archive support module: 1110 (20100325)
    Cleaner module: 1048 (20091123)
    Anti-Stealth support module: 1017 (20100204)
    SysInspector module: 1214 (20100127)
    Self-defense support module : 1014 (20100324)

    If I have to run with everything disabled in order to get CPU cycles back, I might as well uninstall this and buy a different product!!
     
  2. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,375
    If the problem disappears after uninstalling EAV, install v. 4.2.35 again and reproduce the problem. Does disabling real-time protection make a difference? If so, enable it and watch the statistics window for information about the last scanned file. If the number of scanned files is rising quickly and the name of the scanned file remains basically the same, try excluding it from scanning in the program setup (F5).
     
  3. Mark_Phelps

    Mark_Phelps Registered Member

    Joined:
    Dec 8, 2005
    Posts:
    38
    I installed 4.2.35 hoping that would solve the problem -- but it does not.

    I tried a test downloading a 100MB file this morning. Ekern has been running now for over 10 minutes -- apparently scanning that same file!!

    I tried yesterday turning off ALL the protection and ekern STILL started up and locked up the machine scanning this same file.

    I need to have some way to KILL OFF ekern, if only momentarily, so that I can finish the downloads and then, re-enable it. I thought that turning off all the real-time protection options would do that, but apparently, that does not stop ekern from taking up nearly 100% of my CPU.

    Update #1: I tried repeatedly to terminate the ekern service, but each time, it restarts. I apparently have NO CHOICE other than to uninstall this product. Since there is evidently NO WAY to turn off real-time AV checking so I can download files without the machine locking up due to the ekern service!

    Update #2: As a test, I uninstalled NOD32 and redid the download. This time, there was no delay and no file corruption. So, apparently, NOD 32 is introducing the 10-minute delay when it is trying to scan the file -- and corrupting the file in the process.

    I do remember when I was using Norton AV years ago, that there was a way to disable it temporarily so that these problems didn't happen. Unless there is the same feature available in NOD 32, I will have to switch to a different AV product.

    And, since I'm downloading different files daily, there is no way I can exclude just one file.

    AND, despite the fact I'm running Win7, I really don't want to be using it without ANY AV running.
     
    Last edited: Mar 31, 2010
  4. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,375
    1, ekrn.exe is the most essential process that cannot be terminated. Terminating the process would have the same effect on protection as uninstalling the whole program.

    2, you said you were downloading a 100 MB file. Was it an sfx or standard archive? At any rate, remember that unpacking such large archives and subsequent scan of all the files inside is a time-consuming operation. Even unpackers will not extract it in a few seconds. ESET products allow the user to set a size limit for archives / objects so that such large files are not scanned upon download.

    3, you can temporarily disable all protection modules or only real-time scanner via the right-click context menu for the tray icon.
     
  5. SweX

    SweX Registered Member

    Joined:
    Apr 21, 2007
    Posts:
    6,429
    Hmmm...

    What if you right click the tray icon and disable the real-time system protection temporarily, before you download anything next time, if you know the file you are going to download is a good one of course.

    Ahhh too late, Marcos was too fast :)
     
  6. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Hello Mark:

    I have windows 7 as well running on a dell studio 17 in 64 bit and don't experience the problems you have.

    What are the specs for your set up hardware wise? CPU speed, RAM etc. What is the speed of your WWW connect?

    What else security wise do you have running? I have OP FW Pro 2009 and my cpu usage is under 1%.

    I fear you may have some clean up to do of old AV's or other security software from the past. Both McAfee and Norton provide utility programs to do that. Conflicts are common twixt these types of SW.

    So what I would do is:


    By clean I mean:

    1) un-installed Eset and any old AVs, FWs etc & reboot
    2) run utility programs CCleaner including register clean
    3) run a defrag, reboot
    4) turn on windows FW
    5) test your CPU % and download times record those
    6) download a clean install from eset, install and reboot
    7) Try again with default settings
    8) Please report back
     
  7. Mark_Phelps

    Mark_Phelps Registered Member

    Joined:
    Dec 8, 2005
    Posts:
    38
    Reply to all:

    Disabling: Have tried both right-clicking the tray icon and choosing to disable real-time protection, and going into setup and disabling the real-time options individually. Have tried disabling each option in turn, and all three.

    Same result -- download nearly finishes, CPU ramps up to 100% -- stays there for 15 minutes or more, does not indicate any viruses found. When I open the archive (.rar file) using WinRAR, says the archive is corrupt.

    This is a seven-part archive, consisting of six 101MB parts and a final 95MB part. As such, an extract will not work until all seven parts are available. I even tried downloading the other six parts and redownloading the first part. Same problems.

    Machine specs: Win7 Home 32-bit, 2GB DDR2 memory, running 1.73GHz Centrino processor.

    While not exactly a powerhouse system, once I was able to download all seven parts of the archive (after uninstalling NOD 32), I extracted it, and the whole extract process took less than a minute -- for 700MB total! So, there's no way an extract of only one part would go on for 15 minutes!!

    Remnants: No other AV apps were ever installed, nor any prior versions of NOD 32. Installed NOD 32 (v4) immediately after initial Win7 installation.

    Don't have any other security apps running. Disabled Windows Defender before installing NOD 32. Haven't installed (and don't intend to) new MSE app.

    Despite suggestion, am NOT going to run CC Cleaner (or any other registry cleaner) because I've done such in the past and had to restore my OS due to registry damage.

    OK, so maybe someone can tell me why, with NOD32 installed, and ALL the real-time checking disabled, I get 100% CPU (with 90+ % of that being ekern) when I do a file download??
     
  8. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses

    Sorry Mark:

    Didn't mean to upset you further. What does the vendor say on this issue?

    PS: CCleaner has NEVER destroyed my OS or registry. So I would reconsider this and the defrag. Your set up is damaged in some way.
     
  9. Mister Natural

    Mister Natural Registered Member

    Joined:
    May 10, 2007
    Posts:
    225
    Location:
    3rd density St. Louis
    If you have advanced heuristics enabled on real time scanning, then disable it.

    You might also try a complete clean uninstall then download 4.2 again and install.

    When I say a complete uninstall, run the uninstall program, reboot, delete the Eset directories found in Program Files & Program Data.
    Then reinstall.
     
  10. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,375
    With both real-time and web protection disabled it's impossible that the files you download would be scanned by EAV. If you navigate to Setup -> Antivirus and antispyware, is there actually a red point next to each of the modules with the status "Disabled"? If so, reproduce the problem, generate an application dump by right-clicking ekrn.exe in the task manager and selecting "Create dump file" at the moment you're seeing ekrn spiking the cpu. Let me know when done so that I can provide you further instructions.

    Just out of curiosity, could you try disabling HTTP checking in the setup (F5) to see if it makes a difference?
     
  11. Waterfox

    Waterfox Registered Member

    Joined:
    Mar 3, 2008
    Posts:
    118
    Location:
    Sweden
    Take a look in the scheduler and see if you have automatic startup file check activated. Maybe it will help if you tweak them to run when idle, or even disabling the one that starts after every update.
     
  12. Mark_Phelps

    Mark_Phelps Registered Member

    Joined:
    Dec 8, 2005
    Posts:
    38
    OK, maybe I mis-spoke. I don't know for a FACT that NOD 32 is scanning the file, but when the download is nearly finished, the following is true:
    1) CPU suddenly spikes to 100%
    2) Task Manager shows that the ekern task is utilizing 90+% of the CPU -- sometimes as much as 97%.
    3) Nothing else in Task Manager is showing any CPU usage
    4) CPU stays pinned at 100% for over 10 minutes
    5) During the entire time, task manager list is sorted by CPU usage, and ekern stays at the top of the list with 90+ % of the CPU.

    Eventually, the following happens:
    1) Download finishes
    2) CPU utilization drops to 10% or less
    3) Task manager shows System Idle as taking most of the CPU
    4) Viewing archive file in Windows Explorer shows less than 100% of the file present
    5) Opening the archive file in WinRAR shows the file as being corrupted

    So, while I can not CONFIRM that ekern is actually scanning the file the whole time, it is the only task that is using any significant CPU resources, it stays above 90% usage the entire time -- and after I have uninstalled NOD 32, there is no repetition of any of this, implying, that no other tasks are involved in the problem.

    There is a red point next to each of the disabled modules.

    Also, I did disable HTTP checking -- and that had no effect.
     
  13. Mark_Phelps

    Mark_Phelps Registered Member

    Joined:
    Dec 8, 2005
    Posts:
    38
    That was checked, yes. But disabling ALL the real-time activities seemed to have no effect on the 90%+ CPU used by ekern.
     
    Last edited: Mar 31, 2010
  14. Mark_Phelps

    Mark_Phelps Registered Member

    Joined:
    Dec 8, 2005
    Posts:
    38
    Vendor is saying that what I'm claiming is impossible -- that with all the real-time options disabled, there's no way that ekern is scanning the downloaded file. But if you read my detailed responses, you'll see that the ekern task is the one using all the CPU -- plus, after I uninstalled NOD 32, the problem does not repeat.

    I will have to do an image backup before I run CC Cleaner. So, it will probably be tomorrow before I do that.
     
  15. Cudni

    Cudni Global Moderator

    Joined:
    May 24, 2009
    Posts:
    6,956
    Location:
    Somethingshire
  16. Mark_Phelps

    Mark_Phelps Registered Member

    Joined:
    Dec 8, 2005
    Posts:
    38
  17. Mark_Phelps

    Mark_Phelps Registered Member

    Joined:
    Dec 8, 2005
    Posts:
    38
    Unfortunately, the file that was being scanned is no longer available for download, so I can't be certain this is fixed ... however ...

    I took Cudni's suggestion and disabled the browser.download.manager.scanWhenDone option in FF v3.6.2 -- and after that, no downloads were scanned anymore!!

    There was no indication of scanning in the FF download panel, and with Task Manager open, there was no increase in ekern CPU usage.

    And -- this is even with all three real-time options turned on!

    So, Marcos, you were right after all! It appears that FF was invoking the Scan function even though the real-time options were disabled in NOD 32.

    So the culprit is NOT ESET, but is FF's default setting for this option.

    Marcos: I think you might want to "pin" this fix to the forums. I wouldn't be surprised if other FF users will encounter the same problem and, like me, presume it is an ESET problem, when in fact, it is a FF problem.

    Thanks again, Cudni, for your link. I would never have figured this out on my own.
     
    Last edited: Mar 31, 2010
  18. dueceswild

    dueceswild Registered Member

    Joined:
    Sep 3, 2008
    Posts:
    184
    I had a problem similar to this with FF, but didn't experience it nearly to that extent. Since switching over to Chrome, I haven't experienced any issues with downloads.
     
  19. Mark_Phelps

    Mark_Phelps Registered Member

    Joined:
    Dec 8, 2005
    Posts:
    38
    Update: I thought this had been "fixed" by the FF config change, but I have since been proven wrong.

    I saw a more recent thread on the same problem, downloaded the CCleaner install file -- and NOD 32 scanned it!

    The one option in NOD32 that made the difference (one that others had already discovered) was turning off advanced heuristics in the advanced setup for real-time file system scan.

    So, unfortunately, changing the FF config setting only fixes the problem some of the time.
     
  20. siljaline

    siljaline Former Poster

    Joined:
    Jun 29, 2003
    Posts:
    6,619
    Your post is here

     
  21. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses

    Nod32 should scan downloaded executable files like CCleaner. It is after all a freebie. :D
     
  22. Mark_Phelps

    Mark_Phelps Registered Member

    Joined:
    Dec 8, 2005
    Posts:
    38
    Well ... the problem's BACK! I started up my machine over 45 minutes ago -- and ekern is STILL hogging the CPU.

    This kind of problem is why I dropped another problem a couple years back and went to NOD 32 in the first place.

    If I have to disable all real-time stuff to stop ekern from taking over my CPU, then I might as well NOT have NOD32 installed.
     
  23. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,375
    Check what files are being scanned under Protection status -> Statistics. Is the number of scanned files rising quickly?
     
  24. Geosoft

    Geosoft Registered Member

    Joined:
    Jan 7, 2009
    Posts:
    270
    Location:
    Toronto, Ontario, Canada
    Hi Marcos, the one flaw I have noticed with these statistics is that the counter will not rise when ekrn is scanning inside compressed files/runtime packers. Especially those that got downloaded by IE/FF. So the statistics on what file it is scanning can easily be wiped out by the next file it is scanning in real time, and it is not realistic.

    Is there any way this can be fixed in future versions?

    --Edit
    The expected behaviour I believe would be to have the original file, separated by a chevron, proceeded by the scanned file in the compressed file, much like the on demand scanner does it.

    "C:\testfile.zip > eicar.com"
     
    Last edited: Apr 7, 2010
  25. Mark_Phelps

    Mark_Phelps Registered Member

    Joined:
    Dec 8, 2005
    Posts:
    38
    I don't know what you consider "rising quickly", but since I posted earlier today, I have disabled ALL the real-time scanning and, nonetheless, the stats now report over 300 files scanned by real-time scanning.

    So, NOD32 is still launching and scanning files. I can tell because the fan powers up, the CPU meter hits 100% (and stays there), and the task manager shows the ekern task taking 90%+ of the CPU.
     