system lag due to scanning of entire folder on open in explorer @ WIN 7 64 bit

Discussion in 'ESET NOD32 Antivirus' started by vtol, May 19, 2010.

Thread Status:
Not open for further replies.
  1. vtol

    vtol Registered Member

    Joined:
    Apr 8, 2010
    Posts:
    774
    Location:
    just around the next corner
    why is NOD scanning the entire folder when opening such in explorer? it is not like that files in the folder are being accessed when opening the folder in explorer. this behaviour causes in particular folders (such as downloads with large number of files and files with a large size) the system to lag (i7 core with 6 GB DDR3 ram)
     
  2. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    If you use default settings (ie. advanced heuristics and runtime packers disabled on file access) it shouldn't happen. It is very likely that the oper. system enumerates files in the folder and thus triggers scanning of files inside which should be quick with default settings.
     
  3. vtol

    vtol Registered Member

    Joined:
    Apr 8, 2010
    Posts:
    774
    Location:
    just around the next corner
    Though appreciate feedback with terms 'very likely' there is not much of help here. Eset is coding NOD and not the user, hence Eset should know whether WIN 7 is doing so or not. And if such enumeration is happening NOD should handle it differently by not scanning all files in the entire folder, the files are neither being opened nor executed nor created. I do not see an option of 'access' - if you would point me to?

    I trust this is all the trouble with the frozen downloads, that NOD is scanning all files inside the download folder when a file is downloaded there.

    IMO NOD should do scan files exactly as available in the option, be it on opened, executed or created, certainly also on demand scan too. But not when opening a folder in explorer, there is from my point of view absolutely no need to scan every single file in a folder when opening in explorer. Then probably also the issue with the download freeze would just go away.

    Now, this is where the NOD settings are also confusing, because advanced heuristics and runtime packers showing up twice:

    clustered in the TS engine parameter setup

    19-05-2010 18-57-38.png

    and then again on the additional TS parameters, once for newly created/modified files and again for executed files.

    19-05-2010 19-04-13.png

    even an advanced user gets lost there. why so complicated? which one is now applicable for 'accessed' files when opening a folder in WIN 7 explorer - TS engine or additional TS?
     
  4. vtol

    vtol Registered Member

    Joined:
    Apr 8, 2010
    Posts:
    774
    Location:
    just around the next corner
    oh boy, before I forget, there is a third NOD option having an impact on advanced heuristics and runtime packers

    19-05-2010 20-55-151.png
     
  5. vtol

    vtol Registered Member

    Joined:
    Apr 8, 2010
    Posts:
    774
    Location:
    just around the next corner
    hmm, Marcos - where did you go?
     
  6. vtol

    vtol Registered Member

    Joined:
    Apr 8, 2010
    Posts:
    774
    Location:
    just around the next corner
    hello, somebody from Eset looking into this issue or it just being deserted?
     
  7. The PIT

    The PIT Registered Member

    Joined:
    Sep 4, 2008
    Posts:
    185

    I think you've asked too many questions about buggy software and poor interface design. :blink: :blink:
     
  8. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    Files that are accessed by the oper. system or another application are scanned by real-time protection. That said, files contained in a folder would also be scanned upon opening the folder as the operating system creates previews (thumbnails) of the files.
     
  9. vtol

    vtol Registered Member

    Joined:
    Apr 8, 2010
    Posts:
    774
    Location:
    just around the next corner
    thumbnails of zip, exe and so forth? first time I am hearing such nonsense. WIN 7 64 bit does not such thing, or point me to a documention as such.

    moreover you did not point to the option 'access' in NOD. files are not being opened, executed or created when explorer is opening a folder! stop NOD from scanning every single file in a folder, so many problems would just go away as well as the abuse of system resources!

    waiting your explanation, but please not such nonsense again!
     
  10. Cudni

    Cudni Global Moderator

    Joined:
    May 24, 2009
    Posts:
    6,956
    Location:
    Somethingshire
    Just thinking; is it silly though, as the thumbnail is created (even if it is to check whether it can be created) the first time surely the AV would scan such file(s)?
     
  11. vtol

    vtol Registered Member

    Joined:
    Apr 8, 2010
    Posts:
    774
    Location:
    just around the next corner
    it probably would scan a thumbnail on creation, yet and talking hypothetically thumbnails would be very small and just lightening to scan, however NOD is scanning all files in a folder when folder opened in explorer, ever and ever again. that makes the system lagging if just enough and big files in such a folder, wasting system resources as the files are not being touched (opened, executed or created).
    that probably causes also the reported lags during downloads, where users would have just enough and big files in the download folder.

    and if anybody could just point to the 'access' option in NOD I would happily switch it off

    also appreciate to learn about thumbnails for exe, zip files and the lot in WIN 7 64 bit
     
  12. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    File access is the very same event triggered by the system than file open. You'll find this setting in the main setup -> Antivirus and antispyware -> Real-time file system protection -> (Scan on: ) File open.

    If you want to troubleshoot the issue (probably related to specific files you have in that folder), I'd suggest contacting the customer care. They'll need to get:
    - a log from SysInspector
    - exported configuration of EAV
    - a log from Process Monitor from the moment you observe the delay when opening a folder
    - probably a couple of files from that folder so that they can try to replicate it on their end
     
  13. vtol

    vtol Registered Member

    Joined:
    Apr 8, 2010
    Posts:
    774
    Location:
    just around the next corner
    now, that needs a bit of explanation, how is opening a folder in explorer actually opening a file, none the zip or whatever files is being opened! and it is not triggered as such by the system as you try to imply, it is by the very own definition of Eset, which is not correct and causing so much trouble. And again it is not specifically related to any file, it is caused by NOD doing a full folder scan when it should not. Get it fixed and a lot of problems mentioned in the forums will just vanish.

    and why you do paddle so much around this issue, first system enumerates files, then thumbnails and now this?
     
  14. rumpstah

    rumpstah Registered Member

    Joined:
    Mar 19, 2003
    Posts:
    486
    I had the same type of issue in Windows 7 64-bit. It was a power saving issue on the hard drive (not ESET). Turned off the power save function and now all folders open as expected. This may be the same type of issue. HTH

    PowerOptionHarddisk.jpg
     
  15. vtol

    vtol Registered Member

    Joined:
    Apr 8, 2010
    Posts:
    774
    Location:
    just around the next corner
    quite interesting, but not be the case my end, removing NOD was the cure though
     
  16. vtol

    vtol Registered Member

    Joined:
    Apr 8, 2010
    Posts:
    774
    Location:
    just around the next corner
    Eset, care to explain why wasting system resources by having NOD designed to scan all files in a folder when opening a folder in explorer?
     
  17. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    Below is a proof of Explorer opening executable files in generic read mode when opening a folder which subsequently triggers scanning.

    For further investigation, we'd need to get:
    - a log from Process Monitor from the moment of opening a folder when the delay occurs
    - a screenshot of the explorer window so that we know what view mode is used
     

    Attached Files:

  18. vtol

    vtol Registered Member

    Joined:
    Apr 8, 2010
    Posts:
    774
    Location:
    just around the next corner
    appreciate that it has been decided to continue this thread.
    reckon that it is desired by design that the explorer is reading files, else they probably would not be viewable.

    on the other hand there might be a bit of misunderstanding, what is the actual difference of opening and executing, say three examples:

    - archive files like zip
    - exe files
    - png files

    perhaps that would shed a bit of light of how NOD is acting on files. And what is the achievement of scanning files when opening a folder in explorer? if set in realtime options (by default open/execute/create are on) files would be scanned anyways when being executed (which then supposedly is different from opening) and when created. I do not mind protection but that sounds like total overkill, wasting system resources for no added protection.

    First NOD is scanning all files in the folder when explorer is opening and then again when opening/executing (not sure anymore which term it refers to) the file, making it twice. From my point of view scanning once is just sufficient.
     
  19. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    It all depends on how Windows (Explorer.exe) handles those files. Scanning on open is triggered when the OS/an application calls the system function CreateFile for opening a file. We did not see Explorer calling this function for archives when a folder was opened in Explorer.

    Files are scanned only once, not repeatedly, unless a specific event occurs (the file has changed or the antivirus has been updated).
     
  20. vtol

    vtol Registered Member

    Joined:
    Apr 8, 2010
    Posts:
    774
    Location:
    just around the next corner
    what happens to the file when explorer calls 'open' for a generic read, is there any actual danger that NOD needs to scan then?
     
  21. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    It's the basic functionality of antivirus programs to check files on open / access. A file doesn't need to be executed in order to perform malicious actions (e.g. the case of opening a special crafted image in a viewer affected by a vulnerability). The user has the option to choose events that trigger scanning but these should only be changed by expert users who are aware of the potential consequences. Scanning files on open / access is very fast except large text files that take more time to get parsed.
     
  22. vtol

    vtol Registered Member

    Joined:
    Apr 8, 2010
    Posts:
    774
    Location:
    just around the next corner
    aehm, special crafted image in a viewer is way different than explorer's call 'open' for a generic read of an exe file, isn't it? In particular when view is set to detail and preview pane off

    27-05-2010 13-48-29.png
     
  23. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    Generally any files are open via the CreateFile function so it makes no difference if they are open by Explorer for whatever reason or by a particular application to work with the file's content.

    Please create a Process Monitor log with file operations captured while opening the folder. The log will reveal what is actually happening.
     
  24. Tannor

    Tannor Registered Member

    Joined:
    Jul 30, 2005
    Posts:
    22
    I am having this same issue, I just formatted my machine and installed Win 7 64 bit, and right away i put on the latest NOD32 software

    I noticed my machine is very slow, and sluggish especially when opening explorer

    Only way to fix this is to disable NOD32
     
  25. Waterfox

    Waterfox Registered Member

    Joined:
    Mar 3, 2008
    Posts:
    118
    Location:
    Sweden

    Try deselecting scan all files in real-time file system protection threatsense setup and see if it makes any difference.
     
Thread Status:
Not open for further replies.