System Information:
Product: ESET Internet Security, Version 12.0.31.0
OS: Windows 7 Ultimate (32-bit)
CPU: Pentium(R) Dual-Core CPU E5700 @ 3.00GHz
Memory: 2.00 GB RAM
Description:
Whenever EIS finds a threat [1] on the hard drive [2], ekrn.exe uses a constant amount of about 50% of CPU. Running an in-depth computer scan for a couple of minutes doesn't use a constant amount, but rather a variable one that almost never reaches 49%. Process Explorer showed that the ekrn.exe thread that caused the spike is at address NODIoctl+0x19910. NODIoctl is a function exported from multiple EIS modules like ekrnScan.dll and ekrnAmon.dll. Process Monitor basically shows that ekrn.exe was trying to access non-existent files by "guessing" [4] their names using existent registry values, folder names, file names, environment variables [3], etc. Most of those files had extensions like .sys, .scr, .exe, .dll, .com, .bat, and .cmd.

[1] The problem is not threat-specific. I confirmed this with the EICAR test file to make sure.
[2] Threats discovered in web pages like https://secure.eicar.org/eicar.com.txt don't cause this problem. However, if I restore the discovered threat from the quarantine to any place on the computer, the spike occurs.
[3] Deleting Path and PATHEXT, two of the system variables, reduced the spike time, but didn't make it disappear.
[4] For example, ekrn.exe was trying to access G:\938b207aa93805367dcf11ff.exe, a non-existent file whose name it guessed via a registry value: "InstallSource: g:\938b207aa93805367dcf11ff\", a temporary directory that was created when I installed a C++ Redistributable.
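Added example, not part of the original report and not ESET code: one way to quantify the file probing described above from a Process Monitor CSV export, counting ekrn.exe's failed CreateFile calls by extension and by parent directory. It assumes Process Monitor's default columns; the function names are hypothetical, and every sample row is constructed except the G:\ path quoted in the report.

```python
import csv
import io
from collections import Counter
from pathlib import PureWindowsPath

MISSING = {"NAME NOT FOUND", "PATH NOT FOUND"}

# Constructed sample rows in Process Monitor's default CSV column layout.
# Only the G:\ path comes from the report; every other row is made up.
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.0000001","ekrn.exe","1234","CreateFile","G:\938b207aa93805367dcf11ff.exe","PATH NOT FOUND",""
"10:01:02.0000002","ekrn.exe","1234","CreateFile","C:\Windows\System32\example.dll","NAME NOT FOUND",""
"10:01:02.0000003","ekrn.exe","1234","CreateFile","C:\Windows\example.SYS","NAME NOT FOUND",""
"10:01:02.0000004","ekrn.exe","1234","CreateFile","C:\Windows\explorer.exe","SUCCESS",""
"10:01:02.0000005","explorer.exe","2222","CreateFile","C:\Temp\example.cmd","NAME NOT FOUND",""
"10:01:02.0000006","ekrn.exe","1234","RegQueryValue","HKLM\SOFTWARE\Example\InstallSource","SUCCESS",""
"10:01:02.0000007","ekrn.exe","1234","CreateFile","C:\Windows\System32\example.exe","NAME NOT FOUND",""
'''


def summarize_missing_probes(rows, process="ekrn.exe"):
    """Count failed CreateFile probes by extension and by parent directory."""
    by_ext, by_dir = Counter(), Counter()
    for row in rows:
        if row["Process Name"].lower() != process.lower():
            continue  # other processes are noise for this question
        if row["Operation"] != "CreateFile" or row["Result"] not in MISSING:
            continue  # keep only opens of files that do not exist
        path = PureWindowsPath(row["Path"])
        by_ext[path.suffix.lower() or "(none)"] += 1
        by_dir[str(path.parent)] += 1
    return by_ext, by_dir


def summarize_csv_text(text, process="ekrn.exe"):
    """Parse CSV text exported from Process Monitor and summarize it."""
    return summarize_missing_probes(csv.DictReader(io.StringIO(text)), process)


if __name__ == "__main__":
    ext_counts, dir_counts = summarize_csv_text(SAMPLE_CSV)
    for ext, n in ext_counts.most_common():
        print(f"{n:6d}  {ext}")
    for folder, n in dir_counts.most_common(10):
        print(f"{n:6d}  {folder}")
```

For a real export, read the file with `encoding="utf-8-sig"` so a leading byte-order mark does not end up in the first column name, then pass the text to `summarize_csv_text`.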