Real-Time file protection on Win2K3 R2 SP2

Discussion in 'ESET NOD32 Antivirus' started by Marv Gordon, Jun 9, 2009.

Thread Status:
Not open for further replies.
  1. Marv Gordon

    Marv Gordon Registered Member

    Joined:
    Nov 2, 2007
    Posts:
    59
    I have "Scan all files" unchecked in ThreatSense parameter setup for realtime. However, watching the Antivirus and Antispyware statistics graph I see C:\windows\system32\wbem\logs\wbemcore.log continually scanned.

    I shouldn't need an exclusion. Anyone else notice this?

    V4.0.437
     
  2. WayneP

    WayneP Support Specialist

    Joined:
    Apr 9, 2009
    Posts:
    339
    Hello Marv Gordon,

    Since this is a server, my first thought to restart is not really an option for some people. However, it is a first step to see if this will resolve the issue you are having. Please try that and let us know if it works.
     
  3. Marv Gordon

    Marv Gordon Registered Member

    Joined:
    Nov 2, 2007
    Posts:
    59

    Rebooted...same issue..
     
  4. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    The file name shown in the statistics section is the name of the last file processed by real-time protection. This feature is intended mainly for troubleshooting purposes and thus it currently shows all files, including those that are excluded and not actually scanned, and only "flow" through real-time protection. We'll consider changing the behavior and displaying only files actually being scanned, but then the feature won't work reliably for troubleshooting purposes.
     
  5. jimwillsher

    jimwillsher Registered Member

    Joined:
    Mar 4, 2009
    Posts:
    668
    Marcos, that would be a BIG improvement. Or an even better one would be some kind of audit list of all scanned files - even a plain text file!

    Only last week I had to firefight a new install where Sage Accounts was running dreadfully slowly. We eventually traced it to a .EXE that was doing strange things but we had no idea that it was even being scanned. A log file would have shown that it was getting scanned 4 times per second, which it was....



    Jim
     
  6. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    Unfortunately that won't be possible. Logging files scanned by real-time protection would either slow down the system performance to such an extent that the system would become unusable or would cause a complete lock up by continual writing to the log. Needless to say that text logs might easily grow up to hundreds or thousands of MB.
     
  7. Marv Gordon

    Marv Gordon Registered Member

    Joined:
    Nov 2, 2007
    Posts:
    59
    This really needs to be changed in some way because there is no way to tell if a file has actually been fully read via RTP. Stats really needs to be expanded to show total # of scanned objects and # of processed objects (those that RTP did not skip for processing), as well as the name of the last file processed.

    It would certainly raise the trust level of the exclusion process...

    I'm noticing strange server based behavior for V4. Much longer file open/save times (vs. v3) as well as an increase in problems with our Legal Case Management system (currently troubleshooting)
     
  8. Marv Gordon

    Marv Gordon Registered Member

    Joined:
    Nov 2, 2007
    Posts:
    59
    I've had to remove V4 from all of our "file servers".

    Symptom: Any client opening a file on a "share" experiences significant delays because of RTFP.

    Excel users seeing ~10 second delays opening and saving files.

    Performance on our legal case management system (uses Word) was also this bad.

    Re-installed V3 on these servers with the same RTFP settings and files open/save with no apparent delay. Removing DOC and XL? settings from V4 also works.

    Anyone else find a permanent solution? (V3 install and DOC/XL? removal are only temporary workarounds)
     
  9. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    Just to make sure, you don't have a Novell client installed, right?
     
  10. Marv Gordon

    Marv Gordon Registered Member

    Joined:
    Nov 2, 2007
    Posts:
    59
    100% Microsoft. No Novell involved. V4.0.437 and made sure we did clean installs (removed any previous NOD32 installs when changing versions). Windows 2K3 SP2 R2 Enterprise.
     
  11. Marv Gordon

    Marv Gordon Registered Member

    Joined:
    Nov 2, 2007
    Posts:
    59
    ..also...on the client side no scanning of "Network Drives". We let the servers handle that....
     
  12. lumpeh

    lumpeh Registered Member

    Joined:
    Sep 26, 2008
    Posts:
    13
    Seems it's best to have a copy of Process Monitor installed on every PC with an ekrn.exe include filter at hand then?
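
An added example, not part of the original thread and not ESET or Sysinternals code: one way to turn a Process Monitor capture filtered on ekrn.exe into the per-file audit asked for earlier in the thread, by counting how often ekrn.exe reads each path and at what rate. It assumes Process Monitor's default CSV export columns and treats `ReadFile` operations issued by ekrn.exe as the sign that a file's content was read; the function names and sample rows are constructed for illustration.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime

# Constructed sample in Process Monitor's default CSV export layout; not a real capture.
# A real export starts with a UTF-8 BOM, so open it with encoding="utf-8-sig".
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:15:32.0000000 AM","ekrn.exe","1234","ReadFile","D:\Apps\ledger.exe","SUCCESS",""
"10:15:32.2500000 AM","ekrn.exe","1234","ReadFile","D:\Apps\ledger.exe","SUCCESS",""
"10:15:32.5000000 AM","winword.exe","4321","ReadFile","D:\Shares\case.doc","SUCCESS",""
"10:15:32.5000000 AM","ekrn.exe","1234","ReadFile","D:\Apps\ledger.exe","SUCCESS",""
"10:15:32.7500000 AM","ekrn.exe","1234","CreateFile","D:\Shares\notes.txt","SUCCESS",""
"10:15:32.7500000 AM","ekrn.exe","1234","ReadFile","D:\Apps\ledger.exe","SUCCESS",""
"10:15:33.0000000 AM","ekrn.exe","1234","ReadFile","D:\Apps\ledger.exe","SUCCESS",""
"10:15:33.5000000 AM","ekrn.exe","1234","ReadFile","D:\Shares\case.doc","SUCCESS",""
'''

def parse_time(value):
    """Parse '10:15:32.1234567 AM'; strptime accepts at most 6 fractional digits."""
    clock, ampm = value.split()
    hms, _, frac = clock.partition(".")
    return datetime.strptime(f"{hms}.{frac[:6] or '0'} {ampm}", "%I:%M:%S.%f %p")

def read_rates(csv_text, process="ekrn.exe", operation="ReadFile"):
    """Return {path: (read_count, reads_per_second or None)} for one process."""
    times = defaultdict(list)
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Process Name"].lower() == process and row["Operation"] == operation:
            # Windows paths are case-insensitive, so fold case before grouping.
            times[row["Path"].lower()].append(parse_time(row["Time of Day"]))
    report = {}
    for path, stamps in times.items():
        span = (max(stamps) - min(stamps)).total_seconds()
        # A rate is only meaningful when the reads cover a non-zero interval.
        rate = round(len(stamps) / span, 2) if span > 0 else None
        report[path] = (len(stamps), rate)
    return report

if __name__ == "__main__":
    ranked = sorted(read_rates(SAMPLE_CSV).items(), key=lambda kv: -kv[1][0])
    for path, (count, rate) in ranked:
        print(f"{count:5d} reads  {rate or '-':>6} /s  {path}")
```

Paths that ekrn.exe only opens (a `CreateFile` with no `ReadFile`) do not appear in the report, which separates files merely passing through the process from files it read.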
     
  13. Marv Gordon

    Marv Gordon Registered Member

    Joined:
    Nov 2, 2007
    Posts:
    59

    Seems to be directly related to the server settings. I can mitigate the problem by adding/removing the DOC or XL? values in the ThreatSense Extensions for RTFP on the server.

    We also tested with the same files opened/saved from the local C: drive of a client. No problems at all.
     