SweX

Posts posted by SweX

  1. @itman

     

    In this case it really is a leak. But it is not a consistent leak, as it comes and goes with the module updates. The IPM (Internet protection module) can get updated, and after that I can browse and browse and browse, and watch videos on websites using either Flash or HTML5, and the RAM usage will stay within 140-150 MB.

     

    Then after the next IPM update, when I do the same procedure as above, the RAM usage (if I am unlucky) can go up, up, up, starting at the normal 140 MB and eventually hitting the roof at 740 MB.

     

    All I can say is that this is not normal behavior for the software, as I have had leaks like this a couple of times with previous versions, and they have been fixed after I reported them. There may be usage of some kind of cache, but not such that it could cause this huge increase. It is most likely a problem where the RAM doesn't get released correctly or something like that, but I am no programmer so I won't speculate.

     

    Normal for ESET is that the RAM usage is very steady and ekrn.exe stays around the same interval, 140-150 MB, no matter if you run an on-demand scan or not, since the engine and the sigs are loaded in RAM all the time for the best system performance. Some other AVs may use e.g. 30 MB of RAM on idle, but when you start a scan the RAM usage may increase to 300-400 MB because other parts of the software are loaded into RAM at that point. But ESET is not (and has never been, afaik) designed/engineered that way.

     

    (The exception is when the VSD gets updated; then it's perfectly normal that the ekrn.exe RAM usage can go up to 200-300 MB and then drop down to around 140 MB as soon as the update procedure is finished. For example, the top usage for ekrn.exe today is 274 MB, and I know that top usage happened during the VSD update procedure.)

     

    If I had a faster upload speed then a memdump would have been sent to ESET for analysis ages ago, but I don't, so I leave this to other souls that are willing to help out.

     

    @dimulec, we have not heard what they said about your dump yet, but it may not help at all since it was not a complete memory dump, which is usually required and also recommended.

  2. Kudos to ESET for fixing this unfortunate FP quickly, and to those questioning how effective and secure the QA testing is, e.g. before they release the updates: well, look at the track record of previous FP cases that affect all users who download/receive a particular VSD update and you'll find the answer. This was more of a very annoying than a serious FP, in that it affected the web protection and what websites users could access and so forth, compared to a much more serious situation if it had affected the OS and potentially critical files, which could end in a disaster for many users. And before the "you always defend ESET" people jump on me: I can clarify that I don't defend ESET or the FP. I just see it for what it is/was, in the sense that it could have been much worse.

     

    In this case, the only way to detect the FP during the pre-release QA tests would be by browsing websites using a specific JavaScript, as only web browsing was affected. The detection was triggered under certain non-deterministic circumstances and was an unfortunate coincidence of several things.

    ESET pays attention to providing quality detection by using safe signatures, whitelisting critical files and performing pre-release QA tests.

     

    Yes, I know that ESET takes QA testing seriously. But that may not be the case for all customers/users.

    I had comments like the following in mind when I wrote "and to those questioning..."

     

    "This also raises questions about how thoroughly ESET updates are tested before they are released!"

    https://forum.eset.com/topic/7550-wrong-detection-website-infection-jsscrinjectb/?p=40746

     

    P.S.

    Is there a Knowledge Base article about the Quality Assurance process? At least I didn't find one right now when I looked. Just thinking it could be a good reference to have when FP situations like this happen, so people can read about ESET's QA procedure that the VSDs go through before they are released: what the purpose is and why QA testing is very important.

  3. Same with me, I think my computer is affected by a Trojan.

    hxxp://prnt.sc/a9oew3

    What VSD are you on? (If you are on 13103, the solution is to update.)

     

    If you are on 13104 or later...

     

    "If the detections are triggered after update to 13103 or higher, they should be correct. If you are unsure if a particular detection is ok or not, report it to the ESET Malware Research Lab"

    hxxp://support.eset.com/alert5879/

  4. Just why does the latest version consume more physical memory and other resources?

    No, it doesn't consume that much more memory; around 140 MB is normal for V9. If it reaches 300 MB as you mention in your post then you are probably affected by the leak. If you have a fast upload connection and are willing to help out, then create a complete memory dump and upload it somewhere so ESET can download and analyze it, and hopefully it will shed some light on why some users are having this problem.

     

    hxxp://support.eset.com/kb380/

  6. Thank you for the instructions. But it kind of kills the point of creating a memory dump. The instructions require a restart, after which for about a week the EKRN.exe process will allocate a pretty low amount of memory. I will have to wait for a week before I can make a dump.

     

    A week? I can make ekrn.exe reach the 400-600 MB interval within 6 hours or so. Still, ESET does want a complete memory dump for analysis, so even if you have to wait a week, the full dump will include what they need to possibly find the issue that causes it.

     

    When the dump is created you have to compress it before you upload it. I don't do it myself since my upload speed is too slow; it would take an eternity to get the dump uploaded.

     

    But perhaps the old dump you uploaded and notified Marcos about will be enough, we have to wait and see I guess.

     

    But now I am thinking that since I will have to renew my license in less than a month anyway, and this time it will be V9, maybe there is no point in investigating this issue.

     

    I would say there is since I have experienced the leak with both V8 and V9.

  7. No one is "happy" about it, and everyone would rather use the system resources the products use for other tasks. Though people need to understand the bottom line, which is that no product has a guarantee of detecting 100% for obvious reasons; no serious vendor claims that their product does. But the most effective "thing" we can use to counter malware and/or privacy threats is actually what we have inside our head, our brain, and it comes with a bonus: it does not require updates. But AV/AM is one thing; one can also use them together with other stuff like HIPS, sandbox, policy restrictions etc. Some products like ESET have features like that built in. But most importantly, make backups, so even if ransomware (or something else) hits you or your drive crashes, you can restore the data from the backup.

     

    Staying away from suspicious/unknown websites and not downloading everything without a second thought is quite easy, but knowing if one of all the serious websites one may visit daily or weekly has been booby-trapped before you load them in a browser is another matter.

  8. It seems like a bunch of "Enigmatroopers" have infiltrated the ESET forum. May the Force be with us.

     

    Thanks for the heads-up SweX. The forces have now removed the dubious links :)

    The force is strong in the ESET family. Nice job, Marcos ;)

     

    Edited by TomasP, 19 February 2016 - 12:51 PM.

    removed link

     

     

    Hehe. No need to ask where that deleted link went. Nice proactive job, TomasP. :)

     

    Would be even better if all new members who do nothing but post spam were banned ASAP (not just have the links in their posts removed), so as not to give them the possibility to come back and post even more on here whenever they like. Which is exactly what "haronaroum" did: came back to post more spam. Marcos even deleted a "fishy" link in the very first post by "haronaroum" last December: https://forum.eset.com/topic/6755-cryptowall-cryptolocker-detection/?p=37476

     

    The member "haronaroum" in this thread is nothing more than a simple spammer.

     

    "haronaroum Asked on 5. February 2016"

    hxxp://answers.winbuzzer.com/question/how-do-i-remove-browser-hijack-malware-newsearch123-com/

     

    "By haronaroum, Junior Member on 16th November 2015, 05:08 AM"

    hxxp://forum.xda-developers.com/general/help/computer-virus-t3249957/post63847710#post63847710

     

    "Try completely removing all parts of Chrome with Spyhunter 4"

    https://linustechtips.com/main/topic/518468-some-sort-of-malware-in-chrome/#comment-6935088

     

    "manual removal resources: uufix"

    hxxp://forums.moneysavingexpert.com/showthread.php?p=69588057#10

     

    One Enigmatrooper busy doing its job.

     

    (It gets even more fun when I see that "haronaroum" uses the same avatar as another spammer on here, who uses the nickname "Michelle" and who also joined the forum last December, just like "haronaroum".)

  9. I'm commonly seeing sustained memory usage between 350-450 MB. Occasionally it almost reaches 1 GB. Then I have no choice but to reboot to clear it.

    I'm running XP SP3 with 2 GB RAM so I can't afford this nuisance.

     

    I'll be downgrading back to ESS8, till this problem gets sorted out.

    I have 8.0.319 on XP SP3 and am using pre-release updates. You can check my posts in this thread and you'll see that I was kinda affected -> not affected -> affected -> and now I am not affected by the leak again. Been fine for the last 1½ months. Ekrn.exe stays within its normal (for v8 IMO) range between 120-130 MB. I have never seen it consume e.g. 150-200 MB like Marcos suggests under any circumstances, except when there is a leak, and then it doesn't stop at 200 but slowly goes up, up, up.

     

    It doesn't matter how hard I try to make the leak reveal itself again, ekrn.exe's RAM usage just stays normal no matter what.

    Haha, I don't believe this, it is back again. :D ekrn.exe uses 180 MB right now, but reached as high as 690 MB yesterday.

     

    Internet protection module: 1242 (20160114)

     

     

    Since downgrading back to ESS 8 (production v. 8.0.319.0) the memory leak has NOT reoccurred at all. Still running XP SP3 (for a bit longer).

    If it helps at all, here is the installed components list.

     

    Virus signature database: 13034 (20160215)

    Rapid Response module: 7517 (20160215)

    Update module: 1060 (20150617)

    Antivirus and antispyware scanner module: 1478 (20160121)

    Advanced heuristics module: 1167 (20160128)

    Archive support module: 1245 (20160118)

    Cleaner module: 1114 (20151004)

    Anti-Stealth support module: 1093 (20151216)

    Personal firewall module: 1289.2 (20151215)

    Antispam module: 1029 (20141103)

    ESET SysInspector module: 1257 (20151113)

    Real-time file system protection module: 1010 (20150806)

    Translation support module: 1448 (20160112)

    HIPS support module: 1211 (20160120)

    Internet protection module: 1173.15 (20160125)

    Web content filter module: 1046 (20150925)

    Advanced antispam module: 3250 (20160215)

    Database module: 1072 (20150831)

    LiveGrid communication module: 1017 (20140415)

    Specialized cleaner module: 1010 (20141118)

     

     

    Yes, it has indeed reoccurred, 540 MB right now.

    But it can go away soon again and stay normal, you never know.

     

    Though it did (again) go back to normal after I made the post you quote, but around 5-6 days ago the leak reoccurred, again.

     

    (I use pre-release updates, which is why my module list looks a bit different.)

     

    Virus signature database: 13035P (20160216)

    Rapid Response module: 7518 (20160216)

    Update module: 1060 (20150617)

    Antivirus and antispyware scanner module: 1479 (20160203)

    Advanced heuristics module: 1167 (20160128)

    Archive support module: 1245 (20160118)

    Cleaner module: 1118 (20160205)

    Anti-Stealth support module: 1094 (20160119)

    Personal firewall module: 1297 (20160126)

    Antispam module: 1029 (20141103)

    ESET SysInspector module: 1257 (20151113)

    Real-time file system protection module: 1012 (20151124)

    Translation support module: 1454 (20160212)

    HIPS support module: 1211 (20160120)

    Internet protection module: 1226.9 (20160209)

    Web content filter module: 1046.1 (20151202)

    Advanced antispam module: 3250P (20160215)

    Database module: 1077 (20160212)

    LiveGrid communication module: 1020 (20150807)

    Specialized cleaner module: 1010 (20141118)

    Rootkit detection and cleaning module: 1000 (20151228)

  10. That's what can be called making a mountain out of a molehill. The alleged "exploit" simply misuses the way Windows works. The chance of putting a malicious DLL in the Download folder prior to the execution of Live Installer and crafting it in such a way that it would be properly loaded by Live Installer is so slim that it's barely unexploitable anyway.

     

    I see. So, it is doable but very unlikely it would work out successfully.

    Or as we say here: "to make a hen out of a feather".

  11. New users first need to be manually approved by moderators.

    Why is that?

    Previously you just had to confirm your mail. Or is the mail verification still broken?

     

    To counter spammers is one reason. But it's not 100% effective, as we have seen lately when some spam slipped through, but I would say that it's better to use this method than not use anything at all.

  12. This is most likely another spammer.

     

    The above post is as far as I can see identical with the one (now deleted) posted on Bleeping, except for the very last part: "for more detail you may google it sure shot software".

    hxxp://webcache.googleusercontent.com/search?q=cache:-id4HnXgcMcJ:www.bleepingcomputer.com/forums/t/605185/teslacrypt-30-xxx-ttt-micro-mp3-support-topic/page-5+&cd=1&hl=sv&ct=clnk&gl=se

     

    The post no longer exists on Bleeping since it has already been deleted. But scroll down on the google cache link above and see post #62 by "mizan24h".

  13. I would also take a wild guess and assume that some (not all) of the other "grey" countries on the map simply don't have enough users and as a result they don't provide enough telemetry data back to ESET, or something similar.

  14. Well, I have to disagree on that.

     

    Real machine working perfectly.

    Celeron with 1 GB RAM, Windows XP SP3 fully patched with version 9,

    Same here, no problems at all.

     

    Well, I got V8 installed now, but had no issues like the ones described in this thread when I had V9 installed. Both versions work fine.

     

    P.S. Do you use the POS Ready trick on it? :)

  15. This link was posted by Marcos over on Wilders forum the other day and it's a good read, so here it is.

     

    hxxp://static3.esetstatic.com/fileadmin/Images/INT/Docs/Other/ESET-Technology-Overview.pdf

     

    It was part of this topic: hxxp://www.wilderssecurity.com/threads/eset-nod32-antivirus-and-eset-smart-security-version-9.380948/page-7#post-2562154

     

    Thanks again Marcos. :)

     

    Yep, very nice and informative. :)

     

    P.S.

    Was also posted in this thread as well: https://forum.eset.com/topic/7355-nod32-ransomware-protection/

     

    Edit: I see that they now also refer to this PDF/white paper on the ESET Technology page (that I have a link to in my signature) if one would like to read the "complete description". hxxp://www.eset.com/int/about/technology/

     

    Hmmm... Really wish they would include the whole feature description under "show more" for every feature, so one wouldn't need to open up the PDF every time one would like to copy & paste some info to other people. That should be the purpose of the "show more" button: expand to be able to read the whole feature description on the page itself. );
