Real-time file system protection pegs CPU

Discussion in 'ESET NOD32 Antivirus' started by pmabee, Mar 23, 2009.

Thread Status:
Not open for further replies.
  1. pmabee

    pmabee Registered Member

    Joined:
    May 22, 2008
    Posts:
    22
    Having some issues on one specific system so far. Was a fresh install of Windows XP SP3 with a clean install of NOD32 v4 Business. At startup ekrn.exe jumps to 45-50 percent CPU usage and would not back off unless you uncheck heuristics and just leave signatures and spyware/adware/riskware under the Threatsense engine parameter setup. I tried disabling and enabling things piece by piece and then enabling RTFS protection until I found it. Any reason why this should be happening?

    FYI, I uninstalled v4 at some point and went back to 3.0.684, same problem, same fix.
     
  2. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    Does this happen with default settings, i.e. advanced heuristics enabled for newly created / modified files only?
     
  3. pmabee

    pmabee Registered Member

    Joined:
    May 22, 2008
    Posts:
    22
    Yeah, before even applying a config it starts pounding the CPU, so yes, whatever the default settings are at install.
     
  4. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    So it means that some exe/dll files are being created or continually copied elsewhere. Could you check the statistics for real-time protection and watch what files are being scanned? Also you could use Process Monitor from Microsoft to monitor files that are being accessed by ekrn.
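
The Process Monitor check suggested in the post above can be turned into a short triage script. This is an added example, not part of the original post or ESET tooling. It assumes a capture saved in Process Monitor's default CSV column layout; the process names other than ekrn.exe and all paths in the sample are constructed.

```python
import csv
import io
from collections import Counter, defaultdict

# Constructed sample rows in Process Monitor's default CSV export layout.
SAMPLE = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"9:01:02.1000000 AM","updater.exe","2140","WriteFile","C:\Temp\cache\stage.dll","SUCCESS","Offset: 0, Length: 65,536"
"9:01:02.2000000 AM","ekrn.exe","812","ReadFile","C:\Temp\cache\stage.dll","SUCCESS","Offset: 0, Length: 4,096"
"9:01:03.1000000 AM","updater.exe","2140","WriteFile","C:\Temp\cache\stage.dll","SUCCESS","Offset: 0, Length: 65,536"
"9:01:03.2000000 AM","ekrn.exe","812","ReadFile","C:\Temp\cache\stage.dll","SUCCESS","Offset: 0, Length: 4,096"
"9:01:04.2000000 AM","ekrn.exe","812","ReadFile","C:\Temp\cache\stage.dll","SUCCESS","Offset: 0, Length: 4,096"
"9:01:05.0000000 AM","explorer.exe","1500","WriteFile","C:\Installers\setup.exe","SUCCESS","Offset: 0, Length: 65,536"
"9:01:05.3000000 AM","ekrn.exe","812","ReadFile","C:\Installers\setup.exe","SUCCESS","Offset: 0, Length: 4,096"
"9:01:06.0000000 AM","ekrn.exe","812","CreateFile","C:\Windows\system32\kernel32.dll","SUCCESS","Desired Access: Read"
'''


def scan_hotspots(csv_text, scanner="ekrn.exe", min_reads=2):
    """Rank files the scanner keeps reading and name the processes writing them.

    Returns (path, scanner_read_count, [writer processes]) tuples, busiest
    first. A file that is read repeatedly by the scanner and written by
    another process is the "continually created or copied" case to look at.
    """
    reads = Counter()
    writers = defaultdict(set)
    # Drop a leading UTF-8 byte-order mark if one survived decoding.
    rows = csv.DictReader(io.StringIO(csv_text.lstrip("\ufeff")))
    for row in rows:
        proc = row["Process Name"].lower()
        path = row["Path"].lower()      # Windows paths are case-insensitive
        op = row["Operation"]
        if proc == scanner and op == "ReadFile":
            reads[path] += 1
        elif proc != scanner and op == "WriteFile":
            writers[path].add(proc)
    return [(path, count, sorted(writers.get(path, ())))
            for path, count in reads.most_common() if count >= min_reads]


if __name__ == "__main__":
    for path, count, procs in scan_hotspots(SAMPLE):
        print(f"{count:4d} reads  {path}  written by: {', '.join(procs) or '-'}")
```
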
     
  5. GrammatonCleric

    GrammatonCleric Registered Member

    Joined:
    Jan 8, 2009
    Posts:
    372
    I don't think there is a cure to this, besides them analyzing each file that causes the 100% CPU BUG, which is great if you are never going to update your PC or install any new software, otherwise you will be stuck in "OOH another file to send to ESET"....it's all good until you begin hitting proprietary software and files that you can't share and then you are borked.

    This bug has been around since version 3.0 so it basically now became the feature of the New Advanced Heuristic Engine, it was the main reason that kept me in 2.7 land....I hoped that it would be fixed in 4.0 but it looks like it's here to stay.

    The only way is to disable Heuristics (which would severely cripple Nod32 detection) or play the cat and mouse beta tester game and keep submitting the "slow files" to ESET.
     
  6. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    I repeat again, this IS NOT A BUG. The advanced heuristics module IS THE SAME for v2 and v3/v4. However, v3/v4 have brought a BRAND NEW option that allows the user to enable AH on file access and this option DIDN'T EXIST IN V2 WHATSOEVER. With default settings, there should be basically no difference except certain archive limits that existed in v2 and didn't in V3/V4. However, these limits can be configured by the user in v4.
     
  7. GrammatonCleric

    GrammatonCleric Registered Member

    Joined:
    Jan 8, 2009
    Posts:
    372
    What are the archive limits in 2.7?
    Since I keep getting the 100% with default install.
    I want to bring it as much back to 2.7 as I can.
     
  8. pmabee

    pmabee Registered Member

    Joined:
    May 22, 2008
    Posts:
    22
    Sorry, I can't actually do anything right now on this guy's machine. He is a new hire and getting oriented.

    Keep in mind, I turned off Heuristics, the AH check box was never selected to begin with.
     
  9. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,852
    I think the archive limits were pretty bad, if I remember, downloaded files was 2mb.
     
  10. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    Could you check the statistics for real-time protection to see if the number of scanned files is rising while the last scanned file is stuck on a specific file or if certain files are continually being scanned?
     
  11. bradtech

    bradtech Guest

    Grammaton, I had the same 100% CPU usage after extracting .rar and .zip files in version 2 of NOD32 off and on.. It is nothing new to V3 or V4.. That being said, it is not a make or break if it takes 5-10 seconds.. At least it is doing its job ;)
     
  12. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    Should this be a problem for someone, it's possible to limit advanced heuristics to scanning files on execution only. V4 also enables the user to set limits for scanned files.
     
  13. ambient_88

    ambient_88 Registered Member

    Joined:
    Jun 23, 2008
    Posts:
    854
    So, what is the consensus here? Is it better to untick "Advanced Heuristics" for real-time protection? I have the same problem when dealing with certain executables; the CPU would go to 40-50% for several seconds (depending on size) and makes my computer a bit unresponsive.
     
  14. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    Does this happen only when you copy these files or when you execute or access them?
     
  15. bradtech

    bradtech Guest

    If this is unacceptable for this to happen once in a while on certain types of files then yes.. As long as you want to give up some protection.. I believe some people have had success modifying some parameters on file execution scanning in whatever they call AMON now in the V3/V4. *threatsense*

     
  16. ambient_88

    ambient_88 Registered Member

    Joined:
    Jun 23, 2008
    Posts:
    854
    By default, it happens when saving/modifying a new file. If I tick the "Advanced Heuristics" on the real-time settings (not Advanced Setup), then executing the file produces the exact same thing.
     
  17. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    That's correct. But why are you saving/modifying executables? If that causes a problem for you, disable AH for newly created/modified files and leave it enabled on file execution only.
     
  18. ambient_88

    ambient_88 Registered Member

    Joined:
    Jun 23, 2008
    Posts:
    854
    Let's see... how do I explain it. Well, let's say there's a new version of a program I am using. I always keep a copy of that program's installer in some folder. When a new version is released, I just overwrite the executable I have with the newer one. Does that count for saving/modifying an executable? Also, note that it only happens with certain executables; it doesn't always happen.

    EDIT: What difference does it make if I enable the real-time Advanced Heuristics? Does it override the settings in the Advanced Setup? I just want to clarify this.

    Thanks!
     
  19. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    By default, AH is enabled for newly created / modified files only. This setting is recommended as it shouldn't affect system performance unless runtime packed / protected files are often copied or modified for some reason.

    If you often copy or create files that take time to get emulated by AH, you can enable AH on file execution only.

    The ThreatSense setup section provides an option to enable AH on file access which means it will be used for newly created / modified files as well as on file execution or access. So yes, it will actually override the other settings.
     