New update (3532) hangs my PC

Discussion in 'ESET Smart Security' started by tnovak, Oct 17, 2008.

Thread Status:
Not open for further replies.
  1. tnovak

    tnovak Registered Member

    Joined:
    Oct 17, 2008
    Posts:
    15
    New AH update hangs PCs with The Bat! installed

    Hi!

    I'm new here. I'm using ESS 3.0.672 on a Vista PC, and update 3532, released today, caused my PC to hang: all applications take many minutes to start, the system doesn't respond, the ekrn.exe process CPU usage stays at about 50% on a quad core, and every 10 seconds the logs show messages like:

    17.10.2008 17:17:19 Amon: released file: PortLoop NT AUTHORITY\SYSTEM or
    17.10.2008 17:17:42 Amon: released file: \Device*** NT AUTHORITY\SYSTEM

    BUT when I disabled advanced heuristics for real time protection everything went back to normal...

    So I think something is wrong with the new update and/or with the new advanced heuristics module 1078...

    Please can someone confirm it and can ESET fix it :)

    Regards

    Tom

    P.S.: Sorry for my bad English...

    UPDATE (18.10.): The reason was probably found - The Bat! mail program is causing this behavior when advanced heuristics is enabled for on-access scanning. ESET is resolving this issue. Workaround - add thebat.exe file to your exclusion list.
     
    Last edited: Oct 18, 2008
  2. Melchi501

    Melchi501 Registered Member

    Joined:
    Apr 11, 2007
    Posts:
    90
    Same problem here. Needed a reboot, and I disabled advanced heuristics too. Back to normal for now.
     
  3. The Hammer

    The Hammer Registered Member

    Joined:
    May 12, 2005
    Posts:
    5,619
    Location:
    Toronto Canada
    I can't confirm the OP's problem as I am not home right now, but if there is a problem with the update Eset will fix it.
     
  4. Melchi501

    Melchi501 Registered Member

    Joined:
    Apr 11, 2007
    Posts:
    90
    OK, I rechecked Advanced Heuristics in real-time file system protection. After I closed Skype, ekrn.exe went crazy (100% CPU), the computer froze, etc. Reboot. Disabled Advanced Heuristics and everything is back to normal (Skype, CPU...). :doubt:
     
  5. ASpace

    ASpace Guest

    No problems running Vista SP1 here. No problems on XP SP3 laptops at home.

    No issues with my customers - just checked a few of them with Remote Desktop, all are fine with 3532.

    You guys should NOT touch the default settings, e.g. you should not enable AH and RTP for on-access scan - they are enabled only for newly created and modified files in the real-time file system protection. I would open the user interface, press F5 to open the Advanced setup tree and click on the "Default" button to revert all the settings to their default ones.
     
  6. tnovak

    tnovak Registered Member

    Joined:
    Oct 17, 2008
    Posts:
    15
    Hmm, this is part of "EAV 3.0 Tutorial" from Official ESET Support Forum: :D

    and I had NO problems until today, so... :cool:

    But anyway, thank you for your testing.

    Regards

    Tom
     
  7. ASpace

    ASpace Guest

    WARNING: enabling "Advanced heuristics" for "on-access" may cause a slow down

    You are welcome.
     
  8. b00ze

    b00ze Registered Member

    Joined:
    Mar 8, 2006
    Posts:
    30
    Location:
    Rhineland
    I have the same problem since yesterday too ... massive hangs and lags.

    Does that mean that "Advanced heuristics" for "on-access" scanning was faulty before and works now? It was always activated here, and I never noticed any slowdown from it. So what has changed now?

    EAV 3.0.672.0
    ---------------------------------
    Virus signature database: 3533 (20081017)
    Update module: 1024 (20080514)
    Antivirus and antispyware scanner module: 1155 (20081016)
    Advanced heuristics module: 1078 (20081016)
    Archive support module: 1083 (20081016)
    Cleaner module: 1032 (20080724)
    Anti-Stealth support module: 1002 (20080723)
     
  9. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    Advanced heuristics is a sophisticated emulator that runs files in a virtual environment to determine whether the actions carried out by the file being scanned are suspicious or safe. The emulation is a time-intensive process that may take up to several seconds to complete, hence it's enabled only for newly created or modified files in the real-time protection module by default. The option to enable it on access was first introduced in version 3 and only those who don't mind delays when running certain packed files should use it. In the next version, a warning will be displayed telling the user that enabling this option might have an adverse effect on the performance.
     
  10. b00ze

    b00ze Registered Member

    Joined:
    Mar 8, 2006
    Posts:
    30
    Location:
    Rhineland
    Sure, I understand that, but why did that not happen before? Has Eset implemented new checking/testing algorithms? From "not noticeable" to "massive slowdown" in one day? As I said before: It was always activated here. I don't want to complain, I only would like to know what's going on...
     
  11. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    We've improved AH so that it's able to emulate certain files better than before. As a result, detection should be improved, too.
     
  12. b00ze

    b00ze Registered Member

    Joined:
    Mar 8, 2006
    Posts:
    30
    Location:
    Rhineland
    Ahh, good to hear.

    Thanks Marcos & have a nice ... whatever. :)
     
  13. tnovak

    tnovak Registered Member

    Joined:
    Oct 17, 2008
    Posts:
    15
    Thank you, Marcos, for your explanation. I now have AH disabled and everything seems to be OK. So I will keep it there.

    But, I'm still thinking... Is it really possible that the "improved" AH module may cause, "if enabled for on-access", that for example The Bat! mail program did not start even after 15 min. and it takes about 2 min. to open the Start menu after I click the Start button... o_O

    Regards

    Tom
     
  14. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    Hi Tom,
    please send The Bat's executable in a password-protected archive to samples[at]eset.com with this thread's URL in the subject. We'll check it out. Does excluding it from scanning actually make a difference?
     
  15. b00ze

    b00ze Registered Member

    Joined:
    Mar 8, 2006
    Posts:
    30
    Location:
    Rhineland
    Yes, it was "The Bat!" here too that causes that behaviour. I can confirm that.

    When I put "C:\Programme\The Bat!\thebat.exe" on the exclusions list, and re-enable the "Advanced heuristics" for "on-access" scanning, everything works fine.

    But isn't the pop3-scanning-proxy also disabled then?

    I have done that. The password is "password".
     
    Last edited: Oct 18, 2008
  16. COSMO26

    COSMO26 Registered Member

    Joined:
    Oct 21, 2003
    Posts:
    404
    (.672) I'm Clk'ing Default (All Settings) everywhere I see it and AH and RTP are Still Chk'd in each module. Has Default changed vs. your instructions or is something amiss here?...... (By "On Access" I presume you guys mean the Web Access part of the Setup tree.)...I'll Manually UnCheck AH and RTP if that's the better Setup.
     
  17. tnovak

    tnovak Registered Member

    Joined:
    Oct 17, 2008
    Posts:
    15
    Good job, The Bat! was the real cause! I can confirm too that after I excluded thebat.exe from scanning, my PC is running smoothly as before even with AH enabled!

    I did not recognize that only this program is the reason why the entire PC is hanging, because the mail program was starting automatically with Windows, so it seemed that everything is slow...

    Thank you, b00ze. You sent ESET the file, so I think I don't have to do the same...

    Regards

    Tom
     
  18. ASpace

    ASpace Guest

    @COSMO26

    By on-access I mean all Threat Sense settings for the Real-time file system protection.

    AH and RTP are enabled by default for newly created/modified files and also on all modules except the Real-time file system protection. Click the Default button and enjoy.
     
  19. ASpace

    ASpace Guest

    If enabled for on-access it has always caused delays, especially on older computers. However, something else has changed additionally. All you need to do is to think about it (keep it in mind, I mean) and check. By checking, you'll see what Marcos confirms - AH module was last updated on 16 Oct 2008

    Virus signature database: 3534 (20081018)
    Update module: 1024 (20080514)
    Antivirus and antispyware scanner module: 1155 (20081016)
    Advanced heuristics module: 1078 (20081016)
    Archive support module: 1083 (20081016)
    Cleaner module: 1032 (20080724)
    Anti-Stealth support module: 1002 (20080723)
    Personal firewall module: 1040 (20080924)
    Antispam module: 1008 (20080708)
     