Enrico 3 Posted December 21, 2019 Share Posted December 21, 2019 I've installed the latest version of my professional SW in both W7 and W10, but under W10 I've had long startup times (old version 6.5sec, new version 17sec) while under W7 they were almost the same (old 8sec, new 7.5sec), then under W10 I've paused protection to exclude Eset from the possible causes of the long startup, but startup times remained unchanged, clean-reinstalled the SW and nothing changed, so I've added a new process exclusion entry in real-time file sys protection and bam... New version started in 4.5sec! Is it possible that under W10 the "pause protection" doesn't disable some modules? Best regards. Link to comment Share on other sites More sharing options...
Administrators Marcos 5,074 Posted December 21, 2019 Administrators Share Posted December 21, 2019 Pausing protection cannot have any effect on system startup files since it's only temporary and protection modules are enabled after a reboot. What process did you exclude to shorten the startup time? Excluding any process creates a security hole. Link to comment Share on other sites More sharing options...
Enrico 3 Posted December 21, 2019 Author Share Posted December 21, 2019 (edited) It's a program related issue, not system startup (boot time). The process added to exclusions in "real-time file system protection" is "C:\Program Files\Tebis_AG\Tebis V4.0 R8\program\tebis.exe". Usually when I encounter slow program loading first I scan for malware then pause protection to exclude Eset detection engine from the possible causes, but even if the popup says that real-time protection will be deactivated this time I needed to add the executable to exclusions in order to totally exclude Eset process scanning. The strange thing is that this behaviour doesn't happen under Win7: with/without process exclusion or pausing protection tebis.exe startup times are almost the same. Edited December 21, 2019 by Enrico Link to comment Share on other sites More sharing options...
itman 1,659 Posted December 21, 2019 Share Posted December 21, 2019 (edited) 3 hours ago, Enrico said: The strange thing is that this behaviour doesn't happen under Win7: with/without process exclusion or pausing protection tebis.exe startup times are almost the same. In Eset GUI for "Real-time file system protection" -> ThreatSense Paramters, make sure "Enable Smart optimization" is check marked. Once Eset scans a file, it should not do so again unless the file has been modified. Additionally if you have modified any of Eset's default ThreatSense scanning options for real-time file scanning, that also can have an impact on file scan times. Edited December 21, 2019 by itman Link to comment Share on other sites More sharing options...
Enrico 3 Posted December 21, 2019 Author Share Posted December 21, 2019 Smart optimization is enabled on both W7 and W10 machines, no threatsense options have been modified and folders containing relative executables and files are set in "performance exclusions". But this does not explain why with protection paused I have to add an exeption in real-time scanning and why under W10 1909 (Ryzen 7 3800X, 32GB, NVMe) real-time scanning cause program startup to become three times slower than on W7 (i7-6700, 16GB, RAID 0 7.2k RPM). Link to comment Share on other sites More sharing options...
Administrators Marcos 5,074 Posted December 21, 2019 Administrators Share Posted December 21, 2019 Please make sure that "Scan on" -> "File creation" and "Removable media access" settings are enabled. Then - temporarily remove process exclusions - enable advanced operating system logging under Tools -> Diagnostics - reproduce the issue - disable logging - collect logs with ESETLog Collector and add C:\ProgramData\ESET\ESET Security\Diagnostics\EsetPerf.etl to the archive - upload the archive to a safe location and provide me with a download link. Link to comment Share on other sites More sharing options...
itman 1,659 Posted December 21, 2019 Share Posted December 21, 2019 Is this program spawning and executing scripts at startup? Win 10 has AMSI protection and Eset uses it to scan scripts plus other things. Link to comment Share on other sites More sharing options...
Enrico 3 Posted December 21, 2019 Author Share Posted December 21, 2019 @Marcos: you have a PM. I've uploaded W10 logs with/without protection enabled, let me know if you need W7 logs. @itman: what I can tell you is that it's a really complex SW written in C++, it uses Sentinel HASP for licensing and Apache FOP for documentation, it constantly write to disk and with the latest version I see a lot of Buffer Overflow in file activity entries (procmon). Link to comment Share on other sites More sharing options...
itman 1,659 Posted December 21, 2019 Share Posted December 21, 2019 (edited) 44 minutes ago, Enrico said: I can tell you is that it's a really complex SW This is CAD/CAM software. As such, I would expect a lot of system activity at program start up time. One other possibility is this software runs differently on Win 7 versus Win 10. Win 10 has more internal protection mechanisms. As such, this software could be performing additional activities such as creating files and the like not necessary in Win 7. This of course would lead to increased scanning by Eset on Win 10. You would probably have to run Process Monitor against both the Win 7 and 10 installations and then compare the logs for differences to really nail down what is different at start up time. Edited December 21, 2019 by itman Link to comment Share on other sites More sharing options...
Enrico 3 Posted January 8, 2020 Author Share Posted January 8, 2020 @Marcos: did you had some time to analyze the logs? At the moment I'm using process exclusions in order to reduce complex apps/programs startup time, but it's not the most secure thing to do, also I suspect that all the 0xc0000005 CTD's I've had on both W7 and W10 are due to process scanning. Link to comment Share on other sites More sharing options...
Recommended Posts