Marcos

Please continue as follows: clear the filrewall log enable logging of blocked connections in the IDS setup reproduce the issue post your firewall log records here You can also check the temporary IP address blacklist under Setup -> Network in the main ESS gui to see if the IP address is listed.

The symptoms you've mentioned are typical for svchost.exe spiking CPU after downloading Windows updates. Make sure that Internet Explorer 8 is installed and is fully patched. Especially the following hotfixes must be installed to fix the svchost issue: KB2744842 KB2879017 KB982381 KB2618444 KB2598845 KB2862772

ESET also uses local cache provided that Smart optimization is enabled.

Please open Task manager, right-click ekrn.exe and select "Create dump file" from the menu. When done, compress the memory dump, upload it to a safe location and pm me the download link. The dump should contain information we'll need to determine the cause of the cpu spike.

Please enable advanced pcap logging in the IDS setup, reproduce the problem and then send me the log file "C:\ProgramData\ESET\ESET Smart Security\Diagnostics\EpfwLog.pcapng" compressed in an archive.

Hi tlapse, I was specifically asking about disabling application protocol filtering and IMAP/IMAPS scanning in the advanced setup, not about disabling protection via the tray icon menu. Also I'd recommend upgrading your ESET NOD32 Ativirus to the latest version 7.0.302 which provides better protection against malware than older version.

ESET doesn't support Thunderbird and email received from Gmail is not scanned unless you enable SSL scanning. Does disabling protocol filtering or IMAP/IMAPS scanning actually make a difference?

If you open the main ESS window and navigate to Setup -> Network -> View temporary IP address blacklist, is the IP address listed? If so, does removing it from the list make the issue go away?

This is most likely due to the fact that the IP was already temporarily blocked when you excluded it from IDS. As of v7, it's possible to remove IP addresses from the temporary blacklist in the firewall pane. A computer restart clears the temporary blacklist automatically.

Did you also restart the computer after excluding the IP address from IDS? Alternatively you can remove the IP from the temporary blacklist in the firewall panel but we'd prefer restarting the computer anyways.

Also please try to get kernel or complete memory dumps from BSOD which may include valuable information for our engineers and I will provide you with further instructions how to supply them to us for analysis.

If you can provide an actual example of ESET slowing down your downloads, please do so so that we can investigate why it happens. It could be that it's a large archive that you're downloading and it takes some time to unpack it and scan all files inside.

I don't understand. I haven't seen a single user who would complain about ESET not being light on resources and that the cause of the problem would lie in ESET itself. It often happens that products that appear light in tests have a big system footprint in real life and vice-versa. If you asked ESET's users about their opinion, I think they would completely agree with me.

Please report the file to ESET as per the instructions here. However, the detection names mentioned are never triggered on executable files but on html files.

It's not clear yet what is causing the CPU to spike. If it were on-demand scans running in the background, it'd be normal for ekrn to utilize the CPU more than usual. Try disabling each of the protection modules, one at a time, and see if it makes a difference (start off with disabling real-time protection). Also check if the number of scanned files is rising in the protection statistics. Let us know about your findings. If disabling real-time protection helps, it's most likely another application continually performing operations that invoke continual scanning of certain files.

This is actually an issue of the mbam.sys driver, not ESET's. Our driver used to suffer from the same issue a long time ago but it was fixed in later versions of v5.

It usually takes at least 2-3 weeks before a module is released to all users. Just to clear it up, pre-release updates are not beta updates. They are thoroughly tested even on ESET's production systems for some time before they are made available for users updating from pre-release servers.

The solution is to add all these IP addresses to the list of ignored IP addresses.

The website still contains malware and thus will remain blocked until you remove it and send another request for reviewing the website.

Actually disabling advanced memory scanner is not safe, it degrades protection capabilities to v6 or older. We're planning to release an update of the HIPS module which should improve performance of certain games substantially.

ESET server and desktop products run only on systems with x86/x64 compatible processors.

Does disabling SSL scanning or carrying out the following make a difference? - close all browsers and email clients - disable SSL scanning and click OK - enable SSL scanning and click OK (a new root certificate will be generated and imported into supported email clients and browsers)

What version of the Internet protection module is installed on these clients? Is it 1091 or 1067? Disabling protocol filtering is not recommended as the Web scanner is the first layer of defense when it comes to Internet threats.

Do you have SSL scanning enabled or not?

We didn't release a newer module except some that HIPS and Internet protection module that had been downloaded by millions of users before with no issues reported. Try disabling protocol filtering and see if it makes a difference. If it doesn't, try disabling other protection modules, one at a time, to narrow it down.