Malware removal being extremely slow

[0xDEADBEEF 43]

I think this doesn't happen until recently... Generally when the ESET scan engine detects a malware, it is taking unusually long time to delete that specific malware sample and show notification popups (I think it is definitely more than 40s to process one sample with very high cpu utilization on a high-end CPU). The EIS version is 12.0.31.0. Any changes under the hood that leads to such behavior?

[Marcos 5,070]

Please reproduce it.Beforehand, enable advanced operating system logging in the advanced setup -> tools -> diagnostics and start logging with Procmon as well. After the cpu utilization drops down after cleaning, stop logging.

Then gather logs with ESET Log Collector and together with a compressed Procmon log provide it to us for perusal.

[0xDEADBEEF 43]

28 minutes ago, Marcos said:

Please reproduce it.Beforehand, enable advanced operating system logging in the advanced setup -> tools -> diagnostics and start logging with Procmon as well. After the cpu utilization drops down after cleaning, stop logging.

Then gather logs with ESET Log Collector and together with a compressed Procmon log provide it to us for perusal.

I have sent u a message containing the log

It takes more than 15sec to delete this sample and when the logging is enabled it takes several minutes

[itman 1,659]

I am "dying of anticipation." Has "block at first sight" LiveGrid cloud scanning been added?

Edited March 5, 2019 by itman

[0xDEADBEEF 43]

On 3/5/2019 at 3:57 PM, itman said:

I am "dying of anticipation." Has "block at first sight" LiveGrid cloud scanning been added?

did you observe the same thing on your side? The samples, upon being detected, will show in explorer as 0kb and takes a long time before being deleted and the notification.

[persian-boy 22]

On 3/6/2019 at 1:27 AM, itman said:

I am "dying of anticipation." Has "block at first sight" LiveGrid cloud scanning been added

Does Eset plan to add this feature?

[Marcos 5,070]

You could try enabling pre-release updates since some optimizations have been made recently, however, we don't expect any big difference in this particular case.

Please provide a new etl log generated as follows during issue replication:
1, Start logging to an etl log by running "wpr -start GeneralProfile -start Minifilter -filemode".
2,. Reproduce the issue.
3. Stop logging and compress the generated log. Upload it to a safe location and provide me with a download link.

[itman 1,659]

8 hours ago, 0xDEADBEEF said:

did you observe the same thing on your side?

I have observed a slight lag in the malware resolution process but nothing as extreme as you posted. However, I don't test with live malware as you do.

[0xDEADBEEF 43]

1 hour ago, itman said:

I have observed a slight lag in the malware resolution process but nothing as extreme as you posted

seems the performance issue is largely resolved in the latest version that is just released today. The deletion latency has dropped from 15 sec to 3~4 sec.

[0xDEADBEEF 43]

8 hours ago, Marcos said:

You could try enabling pre-release updates since some optimizations have been made recently, however, we don't expect any big difference in this particular case.

After updating to 12.1.31, the performance issue gets largely resolved. The sample that originally takes 15 sec to delete now only needs 3~4 sec in the latest version. 

Anyway I've messaged u the new log on 12.1.31