[ekrn.exe consume 40% CPU since 3 days]

Does it look ok like this ? I prefer the last workaround. Deploying the patch for Windows Filtering Platform can't be automated easily. I run into the issue at the beginning of v6, where the Agent was freezing my W7 with EES and I had to take a look at this MS HotFix.

[ekrn.exe consume 40% CPU since 3 days]

Thank you @Marcos , I'll check your solutions.

This is an history for you.

When I 1st installed the EFSW on all my servers, I had 80% of them taking 100% CPU Friday afternoon starting almost the same time. I deployed EFSW during 2 or 3 days during this week. It took 1 hour to the entire week-end the get all servers CPU return to normal. Some weeks later EFSW did the same thing, and take again the entire system unresponsive. I had no choice than uninstall it.

When ESET release a new version I deploy it on test servers and every time I'm getting problems with the CPU, but they don't start this together anymore. That's a good improvement.

We had a security audit and the most important problems is the antivirus on servers and Web application using HTTP. They broke through the Windows security and stole all domain admin password because of no antivirus. HTTP is not related to you, but they stole credentials using man in the middle.

We are deploying new hardware at this time and I have 5 Windows 2012 R2. They are not in production for now. I installed EFSW on them. There is no problems.

[Win10 lock screen enable presentation mode]

I am replacing Windows 7 by Windows 10 and the more days pass, the more urgent it becomes.

I can disable the presentation mode, but if I do this, what is the purpose of such a mode? I think it could just be a temporary workaround.

[ekrn.exe consume 40% CPU since 3 days]

I really need to protect my servers with an antivirus solution. For now I can't use EFSW.

There is no such problem with EES on Windows 7/10. This is working great.

For administration purpose, I prefer to use the same antivirus editor on PC and servers.

Today I'm challenging you to achieve this goal : Make an ESET antivirus compatible with live environment without breaking my whole server farm at a random time.

[ekrn.exe consume 40% CPU since 3 days]

Any news ?

I'm still at 100% CPU.

[Automatic update ESET component]

Thank you @Marcos.

I'll work like this until v7 is released.

[Automatic update ESET component]

Thank you for your anwsers.

Do you confirm that the configuration option for PCU are not working ?

I think updating with dynamic group is a bad idea for those reasons :

• When v6.5 is out, I have to change my dynamic group by hand to change version number and change by hand my installation task to select the latest EES version. This is not really automatic.
• Task are executed on dynamic group when the computer is 1st added to this group. If for example I had Windows Update, the installation will fail saying that the computer is waiting for a reboot and will not retry to update ESET product.

Am I right ?

[Automatic update ESET component]

Hello,

Since v6 ESET product don't update component automatically.

It was a bit hard in v5 to update "PCU", but that was working well in automatic.

I can't do the same with v6. I have to push new install every time.

I still have some EES v6.2.2021.1 on my network. I would like to stay up-to-date as I did with v5.

I don't have this problem with ERA Agent because I do GPO software installation.

Application name	Application version	Count
ESET Endpoint Security	6.2.2021.1	4
ESET Endpoint Security	6.2.2021.2	62
ESET Endpoint Security	6.3.2016.2	8
ESET Endpoint Security	6.4.2014.2	12

[Win10 lock screen enable presentation mode]

Hello,

How can I prevent ESET Endpoint Security 6.4.2014.2 to start presentation mode when Windows 10 lock screen is displayed ?

I would like to keep automatic full-screen switch for presentation mode.

[ekrn.exe consume 40% CPU since 3 days]

ekrn.exe is opening the folder "C:\ProgramData\ESET\ESET File Security\Diagnostics" 10 time per seconde.

It is not doing such a thing on a fine running server. It read the disk punctually.

Quote

IRP_MJ_CLEANUP	C:\ProgramData\ESET\ESET File Security
IRP_MJ_CLOSE	C:\ProgramData\ESET\ESET File Security
IRP_MJ_CREATE	C:\ProgramData\ESET\ESET File Security\Diagnostics
IRP_MJ_DIRECTORY_CONTROL	C:\ProgramData\ESET\ESET File Security\Diagnostics\eset_*.tis.log
IRP_MJ_CLEANUP	C:\ProgramData\ESET\ESET File Security\Diagnostics
IRP_MJ_CLOSE	C:\ProgramData\ESET\ESET File Security\Diagnostics
IRP_MJ_CREATE	C:\ProgramData\ESET\ESET File Security\Diagnostics
IRP_MJ_DIRECTORY_CONTROL	C:\ProgramData\ESET\ESET File Security\Diagnostics\eset_*.dmp
IRP_MJ_CLEANUP	C:\ProgramData\ESET\ESET File Security\Diagnostics
IRP_MJ_CLOSE	C:\ProgramData\ESET\ESET File Security\Diagnostics
IRP_MJ_CREATE	C:\ProgramData\ESET\ESET File Security\Diagnostics
IRP_MJ_DIRECTORY_CONTROL	C:\ProgramData\ESET\ESET File Security\Diagnostics\eset_*.mdmp
IRP_MJ_CLEANUP	C:\ProgramData\ESET\ESET File Security\Diagnostics
IRP_MJ_CLOSE	C:\ProgramData\ESET\ESET File Security\Diagnostics
IRP_MJ_CREATE	C:\ProgramData\ESET\ESET File Security\Diagnostics\Modules
IRP_MJ_CREATE	C:\ProgramData\ESET\ESET File Security\Diagnostics\Modules
IRP_MJ_CREATE	C:\ProgramData\ESET\ESET File Security
IRP_MJ_QUERY_VOLUME_INFORMATION	C:\ProgramData\ESET\ESET File Security
IRP_MJ_CLEANUP	C:\ProgramData\ESET\ESET File Security
IRP_MJ_CLOSE	C:\ProgramData\ESET\ESET File Security
IRP_MJ_CREATE	C:\ProgramData\ESET\ESET File Security\Diagnostics
IRP_MJ_DIRECTORY_CONTROL	C:\ProgramData\ESET\ESET File Security\Diagnostics\eset_*.tis.log
IRP_MJ_CLEANUP	C:\ProgramData\ESET\ESET File Security\Diagnostics
IRP_MJ_CLOSE	C:\ProgramData\ESET\ESET File Security\Diagnostics
IRP_MJ_CREATE	C:\ProgramData\ESET\ESET File Security\Diagnostics
IRP_MJ_DIRECTORY_CONTROL	C:\ProgramData\ESET\ESET File Security\Diagnostics\eset_*.dmp
IRP_MJ_CLEANUP	C:\ProgramData\ESET\ESET File Security\Diagnostics
IRP_MJ_CLOSE	C:\ProgramData\ESET\ESET File Security\Diagnostics
IRP_MJ_CREATE	C:\ProgramData\ESET\ESET File Security\Diagnostics
IRP_MJ_DIRECTORY_CONTROL	C:\ProgramData\ESET\ESET File Security\Diagnostics\eset_*.mdmp
IRP_MJ_CLEANUP	C:\ProgramData\ESET\ESET File Security\Diagnostics
IRP_MJ_CLOSE	C:\ProgramData\ESET\ESET File Security\Diagnostics
IRP_MJ_CREATE	C:\ProgramData\ESET\ESET File Security\Diagnostics\Modules
IRP_MJ_CREATE	C:\ProgramData\ESET\ESET File Security\Diagnostics\Modules

 

[ekrn.exe consume 40% CPU since 3 days]

The 2nd server is still at 100% CPU.

This is the one where I can't collect the ESET logs.

Tell me if you want to do further analysis on this server before it crash.

[ekrn.exe consume 40% CPU since 3 days]

Here is the ESET logs for the 3rd server.

@MarcosPML is on PM (3,7Gb unpacked)

efsw_logs3.zip

[ekrn.exe consume 40% CPU since 3 days]

Different error on ESET log collector for the 2nd server :

[16:37:21] === Network configuration ===
[16:37:21] Exporting...
[16:37:31] ERROR: Failed to execute IPCONFIG command

I am sorry but I can't provide you the Eset logs for this server.

I will try with the 3rd server.

[ekrn.exe consume 40% CPU since 3 days]

Another server have ekrn.exe at 50%.

Same configuration : latest EFSW and Win2008R2

I am also collecting logs for this server.

[ekrn.exe consume 40% CPU since 3 days]

It failed again :

[16:17:23] === Running processes (open handles and loaded DLLs) ===
[16:17:23] Exporting...
[16:22:23] ERROR: Failed to execute the 64bit process info dumper executable
[16:22:23]

[ekrn.exe consume 40% CPU since 3 days]

Both procmon logs and ESET log collector have been running while ekrn is about 50% CPU.

PML is not corrupt. I PM @Marcos

ESET log collector failed. I try again with realtime process priority on log collector.

[ekrn.exe consume 40% CPU since 3 days]

We did not have to wait long.

Another server is using 100% CPU (~50% ekrn.exe).

@filips this is the last version EFSW 6.4.12004.0 also on Win2008R2

I am collecting the logs but it is hard to work with 100% CPU...

[ekrn.exe consume 40% CPU since 3 days]

Marcos,

This is the Eset log collected for the last 5 days.

I pm you with the procmon link.

efsw_logs.zip

[ekrn.exe consume 40% CPU since 3 days]

I found this in event log "System"

The ESET Service service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 0 milliseconds: Restart the service.

That explain why the CPU is back to normal and the RAM drop.

[ekrn.exe consume 40% CPU since 3 days]

My pc crashed (Win10) and after all the windows update the ekrn.exe on the server was back to 0% when I reconnected.

I had the time to capture the procmon log (1 minutes = 1Gb) during the issue.

The ekrn RAM went from 200Mb to 125Mb.

I will collect the ESET logs.

[ekrn.exe consume 40% CPU since 3 days]

This would make my day

[ekrn.exe consume 40% CPU since 3 days]

Thank you filips but I have this issue since I upgraded from v5 to v6. Something must be wrong with my OS 2008 R2.

It appear to run fine on 5 servers with 2012 R2 that we installed last November.

None of my 30 servers 2008 R2 are running fine.

I really doubt that the last version will fix it.

[ekrn.exe consume 40% CPU since 3 days]

Thank you Marcos for your fast reply.

There is no on-demand scan running.

If I turn off the real-time protection and the CPU go back to 0%, how will we find the root cause ?

[ekrn.exe consume 40% CPU since 3 days]

Dear support,

I am using EFSW 6.3.12010.0 on Windows 2008 R2.

ekrn.exe is consuming 40% of the CPU since 3 days on a server. I had the same problem with EES before I moved to EFSW.

Once a week ekrn.exe was consuming the CPU of all my servers, leading to big problems. That's why I do not install ESET product on production servers.

Help to find what is happening to correct this issue. AthenaGS support is turning me crazy since 1 year.

I think you would easily understand that I need to protect all my servers with an antivirus.

I do not understand why it is consuming this much CPU, like if it were running a task, but nothing is visible in the GUI.

The CPU is still consumed, contact me quick before it go back to 0%.

Best regards,

Jonathan ESPOSITO

Deputy IT manager