NOD32 3.0 High CPU after 4292 signature - bad archive module

Discussion in 'ESET NOD32 Antivirus' started by sd_mark, Aug 1, 2009.

Thread Status:
Not open for further replies.
  1. sd_mark

    sd_mark Registered Member

    Yesterday I came back from lunch to find that NOD32 32-Bit Business Edition 3.0.684 was using 97% of the CPU on my XP SP3 machine. Signature 4292 had been applied at 12:28pm. Other XP and Vista machines didn't seem to be affected.

    I finally uninstalled and re-installed NOD32 from the ESET Remote Administrator Console on the server. That seemed to fix the problem--until the virus defs updated and I logged in again.

    Today I called ESET support. They said it's a known problem caused by a software component released with yesterday's virus signature. (Under Program Component Update, I selected "Ask before downloading program components," but apparently it just updates without asking.) There is no ETA for a fix but they will email me when one becomes available.

    Support advised me to uninstall NOD32 3.0 and downgrade to 2.7. When I balked at that, they said I could turn off updates and download the month-old version of 3.0 from their web site. I didn't like that option either.

    I used a backup to restore yesterday morning's NOD32. After comparing component versions, I discovered that the only one that changed was the Archive support module--it had gone from 1098 to 1099. After that test, I restored the newer NOD32 (sig 4295).

    Here's my workaround, assuming 4295 is running:

    1. Disable antivirus protection so it will stop hogging the CPU.

    2. Disable the HTTP server on the NOD32 server to prevent further updates.

    3. Rename the Archive support module as follows:

    C:\Program Files\Eset\ESET NOD32 Antivirus\em003_32.dat.bad

    4. Copy in the previous em003_32.dat Archive support module. Here are the specs on the "old but good" module that I'm using:

    Name: em003_32.dat
    Version: 1098 (20090721) - visible if you open the .dat file in Notepad
    File date: 07/21/2009
    File Size: 285,507 bytes

    5. In Windows Task Manager, kill the ekrn.exe process (it restarts automatically).

    6. Re-enable antivirus protection. CPU should be "normal" again.

    I have no idea if this is going to crash my system, create a viral loophole, or otherwise wreak havoc in the world. Use at your own risk, your mileage may vary, batteries not included! But I hope it helps someone :). Don't forget to re-enable updates once this is fixed!

    Meanwhile, ESET: how about a little proactive notification when a known NOD32 bug is in the wild? By "proactive," I mean a thread here and a posting on your web site/blog. I see you had time to blog today about Adobe vulnerabilities, but today the more imminent risk is NOD32, not Adobe! Of course NOD32 bugs aren't intentionally malicious, but it is frustrating when anti-virus programs behave like viruses, and the vendor stays mum.

    Mark
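
The comparison step in the post above (finding which component changed between the restored backup and the updated install), as an added example that is not part of the original post or any ESET tooling: it hashes each module file in two directories and lists the ones that differ. The directory layout, the `em*.dat` pattern, the placeholder module names and the file contents are constructed assumptions; only the `em003_32.dat` name comes from the post.

```python
import hashlib
import tempfile
from pathlib import Path


def module_inventory(install_dir, pattern="em*.dat"):
    """Map each module file name to (size in bytes, SHA-256 hex digest).

    The "em*.dat" pattern is an assumption based on the em003_32.dat name.
    """
    inventory = {}
    for path in sorted(Path(install_dir).glob(pattern)):
        data = path.read_bytes()
        inventory[path.name] = (len(data), hashlib.sha256(data).hexdigest())
    return inventory


def changed_modules(known_good_dir, current_dir):
    """Return {name: (old, new)} for modules added, removed or modified."""
    old = module_inventory(known_good_dir)
    new = module_inventory(current_dir)
    return {
        name: (old.get(name), new.get(name))
        for name in sorted(old.keys() | new.keys())
        if old.get(name) != new.get(name)
    }


def build_sample_dirs(root):
    """Constructed sample data: two fake installs differing in one module."""
    good, current = Path(root, "backup"), Path(root, "current")
    for d in (good, current):
        d.mkdir()
        # Placeholder module names and contents, made up for this example.
        (d / "em_sample_a.dat").write_bytes(b"constructed module A")
        (d / "em_sample_b.dat").write_bytes(b"constructed module B")
    (good / "em003_32.dat").write_bytes(b"constructed archive module 1098")
    (current / "em003_32.dat").write_bytes(b"constructed archive module 1099!")
    return good, current


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        good, current = build_sample_dirs(tmp)
        for name, (old, new) in changed_modules(good, current).items():
            print(f"{name}: {old} -> {new}")
```

Recording the size and digest of the known-good copy before swapping it in also gives a reference to check against once updates are re-enabled.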
     
  2. Hydro

    Hydro Registered Member

  3. Bubba

    Bubba Updates Team

    Re: NOD32 3.0 High CPU after 4292 signature - bad Archive support module 1099

    Hello Mark,

    As member Hydro points out, we have an ongoing thread from a day ago concerning this issue, and ESET support has been responding to that thread from the get-go in regards to recommendations. Please do visit that thread for further updates\input.

    That being said, we'll bring this thread to a close in order to minimize duplicate discussions.
     