Tell me why I shouldn't turn off realtime scanning

Discussion in 'ESET NOD32 Antivirus' started by gmiest, Feb 8, 2010.

Thread Status:
Not open for further replies.
  1. gmiest

    gmiest Registered Member

    Joined:
    Feb 2, 2010
    Posts:
    43
    With our old Symantec Corp 9 real-time scanning was resource-friendly and most people didn't notice it at all.

    With NOD32 4.0.474 it's utterly unbearable. I just installed a video conversion package on a workstation here. I installed the same package on another machine a few days ago and don't remember how long it took to install but it was certainly no longer than 60 seconds and the system was responsive throughout. That was with Symantec Corp 9 installed.

    I just sat here watching it bring the system to its knees. It's an XP system with 2GB RAM and a 2GHz dual core. Not exactly a supercomputer but certainly more than fast enough for most tasks these days. How long did it take with NOD32 installed? 13 minutes from start to finish. 13 minutes! During which the system was utterly unresponsive. I'm talking taking 45 seconds to bring up the task manager with every open application displaying "Not Responding" in the title bar. When Task Manager finally came up ekrn.exe was at 99% CPU throughout the installation.

    Opening an Excel file from the network used to take a second or two with our old AV. Opening the same files now takes around 5 seconds.

    Attached is a shot of my settings - they're the defaults. Before I turn off the real-time scanning is there anything I should be tweaking? The documentation is less than useful on this matter.
     

  2. chrcol

    chrcol Registered Member

    Joined:
    Apr 19, 2006
    Posts:
    760
    Location:
    UK
    For some reason (which hasn't been revealed) v4 seems significantly slower than v2. I can only guess they have to do it this slow to keep the detection rates up.

    What I don't understand with Eset is why the app isn't multithreaded. Make it so it can max out multiple CPU cores at a time and also make it fully 64-bit; the ekrn.exe is still 32-bit emulated.
     
  3. YeOldeStonecat

    YeOldeStonecat Registered Member

    Joined:
    Apr 25, 2005
    Posts:
    2,345
    Location:
    Along the Shorelines somewhere in New England
    To be a fair comparison, you're comparing an ancient version of SavCE against a current version of Eset. Back when SavCE was version 9, Eset was version 2.5 and then 2.7....so if you want to compare apples to apples...compare those 2 versions. You'll have found Eset much lighter, and most importantly...substantially more effective. SavCE also couldn't stop malware worth a bean....one of the primary reasons I switched all my business clients away from it, and to Eset.

    Compare Eset v4 to a current version of SavCE. It'll be a little closer. ;) Although I'm not crazy about being stuck with the startup scan of v4 every time you boot up.

    I remove network media from the real time protection, that speeds up getting files from server shares. The server is scanning that, no need for the workstation to also. You can also adjust which types of files are being scanned on both ends.
     
  4. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    Please provide step-by-step instructions on how to reproduce the problem. What software for converting video did you use? Does setting real-time protection to scan files with default extensions make a difference?

    This could be a bug in MS Office which occurs whenever a document scanner is registered in the system (the bug is that the issue occurs also if there's no AV actually installed but it's listed in the registry).

    Try running "regsvr32 /u dmon.dll".
     
  5. gmiest

    gmiest Registered Member

    Joined:
    Feb 2, 2010
    Posts:
    43
    It's not just MS Office - it's everything. Since installing NOD32 every system has been crawling at a snail's pace no matter what application or what files are being opened. Even refreshing a web page causes pauses and stutters.

    I would remove network scanning but after seeing what it's done to the performance of our workstations I'm hesitant to let it anywhere near the file server. Is it really all or nothing - there must be some settings I can tweak?

    What do you mean by "setting real-time protection to scan files with default extensions"? All the settings are at their defaults already. Where is this option?




    The conversion software was Super from eRightsoft. I just reproduced it on a test VM here. Bear in mind this VM probably has more horsepower than the physical machine I experienced the problem with. Here are the results:

    Without NOD32:
    Super Installation - 9 seconds.

    (uninstall Super, push NOD32 to client, wait for it to update)

    With NOD32:
    Super Installation - 5 minutes, 42 seconds.

    (uninstall Super, uninstall NOD32)

    Without NOD32:
    Super Installation - 8 seconds.

    The attached image was taken 2 minutes into the install. The system is almost totally unresponsive throughout the installation process.

    I don't really care about the Super application itself - I only needed it for a couple recent jobs. The main thing it illustrates is just how much NOD32 has killed performance of anything it's installed on, and after spending thousands of dollars on this software I'm frankly appalled.
     

  6. jimwillsher

    jimwillsher Registered Member

    Joined:
    Mar 4, 2009
    Posts:
    668
    This is one of the most bizarre settings in ESET.

    Right at the very, very top of the setup tree (Antivirus and Antispyware) choose Setup, then Extensions, then Default.

    Do exactly the same on the next item down (Realtime Filesystem protection).


    Yes, you've now pressed the Default button to make it so that the settings are not default. Don't ask.....it's truly bizarre.




    Jim
     
  7. bradtech

    bradtech Registered Member

    Joined:
    Nov 16, 2009
    Posts:
    84
    Have you tried adding the file to your exclusions through policy manager?
     
  8. GAN

    GAN Registered Member

    Joined:
    Mar 3, 2007
    Posts:
    355
    Unless I missed gmiest's point completely, this is a general problem that affects much more than Super, but Super is just an example to demonstrate the problem. So I don't think exclusion is a solution for this problem.
     
  9. chrcol

    chrcol Registered Member

    Joined:
    Apr 19, 2006
    Posts:
    760
    Location:
    UK
    It is a general problem. When I close Winamp, ekrn.exe goes crazy for about 10 seconds. Since Winamp writes to its config when you close, I assume NOD32 is having a hard time scanning the write.
     
  10. gmiest

    gmiest Registered Member

    Joined:
    Feb 2, 2010
    Posts:
    43
    I'm using ERAC to create the configuration policies so my options are somewhat different to the ones you describe but I think I've found what you mention. I hit "default" and a whole bunch of what look like executable and document file extensions popped into the listing replacing the default value(s).

    Thank you! Also, holy crap, why is this stuff not either a default setting or in the documentation?

    I let that config change propagate to the VM client and ran the "Super Installation" test again. With NOD32 installed and the new exclusions active the installation time was 1 minute 14 seconds. Much better than the previous install time of a shade under 6 minutes but still essentially an order of magnitude slower than without NOD32.

    Marcos, were you able to replicate my issue?
     
  11. gmiest

    gmiest Registered Member

    Joined:
    Feb 2, 2010
    Posts:
    43
    Any news?
     
  12. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    That's exactly why there's an option to scan only files with extensions that may potentially carry malicious code. If an application continually opens/closes a text file, this action invokes a scan with subsequent parsing of the file which may take some time. If you prefer not to have all text files scanned for malicious code because you know that some software continually opens/closes its configuration file which is reasonably large, you can either exclude that file from scanning or set real-time protection to scan only file types that are known to carry malicious code.
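
The open/close scan cost described in this thread can be measured directly instead of by timing an installer. The following is an added example, not part of the thread and not ESET code: a Python micro-benchmark that times write/close and open/read cycles per file extension, to be run before and after a real-time scanning policy change. The extension list, file name and sizes are assumptions chosen for illustration.

```python
import statistics
import tempfile
import time
from pathlib import Path

# Assumed sample extensions: the thread only says the default list holds
# "executable and document" types, so these four are illustrative.
EXTENSIONS = [".txt", ".ini", ".doc", ".exe"]

def time_cycles(path, cycles, payload):
    """Return per-cycle seconds for write+close followed by open+read+close."""
    samples = []
    for _ in range(cycles):
        start = time.perf_counter()
        with open(path, "wb") as fh:   # closing a written file can trigger a scan
            fh.write(payload)
        with open(path, "rb") as fh:   # opening a file can trigger a scan
            fh.read()
        samples.append(time.perf_counter() - start)
    return samples

def benchmark(directory, extensions=EXTENSIONS, cycles=200, size=256 * 1024):
    """Median and worst-case cycle latency in milliseconds, per extension.

    Point `directory` at a local folder or a mapped share to compare the two.
    """
    # Constructed, benign payload; only the extension differs between files.
    payload = (b"constructed benign test data\n" * (size // 29 + 1))[:size]
    results = {}
    for ext in extensions:
        path = Path(directory) / ("avbench" + ext)
        try:
            samples = time_cycles(path, cycles, payload)
        finally:
            path.unlink(missing_ok=True)   # never leave test files behind
        results[ext] = {"median_ms": statistics.median(samples) * 1000,
                        "max_ms": max(samples) * 1000}
    return results

def slowdown(results, baseline_ext):
    """Ratio of each extension's median latency to the baseline extension's."""
    base = results[baseline_ext]["median_ms"]
    return {ext: r["median_ms"] / base for ext, r in results.items()}

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        res = benchmark(tmp)
        for ext, ratio in slowdown(res, ".exe").items():
            print(f"{ext:5} median {res[ext]['median_ms']:.3f} ms  "
                  f"max {res[ext]['max_ms']:.3f} ms  x{ratio:.2f} vs .exe")
```

Comparing the per-extension medians from one run with the scanner set to all files and one run with the extension list applied shows how much of the latency the extension filter removes, and the `max_ms` column exposes the multi-second stalls the posters describe.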
     