Enrico

"Pause Antivirus and antispyware protection" info

I've installed the latest version of my professional SW in both W7 and W10, but under W10 I've had long startup times (old version 6.5sec, new version 17sec) while under W7 they were almost the same (old 8sec, new 7.5sec), then under W10 I've paused protection to exclude Eset from the possible causes of the long startup, but startup times remained unchanged, clean-reinstalled the SW and nothing changed, so I've added a new process exclusion entry in real-time file sys protection and bam... New version started in 4.5sec!
Is it possible that under W10 the "pause protection" doesn't disable some modules?

Best regards.

Pausing protection cannot have any effect on system startup files since it's only temporary and protection modules are enabled after a reboot. What process did you exclude to shorten the startup time? Excluding any process creates a security hole.

It's a program related issue, not system startup (boot time).

The process added to exclusions in "real-time file system protection" is "C:\Program Files\Tebis_AG\Tebis V4.0 R8\program\tebis.exe".

Usually when I encounter slow program loading first I scan for malware then pause protection to exclude Eset detection engine from the possible causes, but even if the popup says that real-time protection will be deactivated this time I needed to add the executable to exclusions in order to totally exclude Eset process scanning. 

The strange thing is that this behaviour doesn't happen under Win7: with/without process exclusion or pausing protection tebis.exe startup times are almost the same.

3 hours ago, Enrico said:

The strange thing is that this behaviour doesn't happen under Win7: with/without process exclusion or pausing protection tebis.exe startup times are almost the same.

In Eset GUI for "Real-time file system protection" -> ThreatSense Parameters, make sure "Enable Smart optimization" is check marked.

Once Eset scans a file, it should not do so again unless the file has been modified. Additionally if you have modified any of Eset's default ThreatSense scanning options for real-time file scanning, that also can have an impact on file scan times.

Smart optimization is enabled on both W7 and W10 machines, no threatsense options have been modified and folders containing relative executables and files are set in "performance exclusions".

But this does not explain why with protection paused I have to add an exception in real-time scanning and why under W10 1909 (Ryzen 7 3800X, 32GB, NVMe) real-time scanning causes program startup to become three times slower than on W7 (i7-6700, 16GB, RAID 0 7.2k RPM).

Please make sure that "Scan on" -> "File creation" and "Removable media access" settings are enabled.

Then
- temporarily remove process exclusions
- enable advanced operating system logging under Tools -> Diagnostics
- reproduce the issue
- disable logging
- collect logs with ESETLog Collector and add C:\ProgramData\ESET\ESET Security\Diagnostics\EsetPerf.etl to the archive
- upload the archive to a safe location and provide me with a download link.

Is this program spawning and executing scripts at startup? Win 10 has AMSI protection and Eset uses it to scan scripts plus other things.

@Marcos: you have a PM. I've uploaded W10 logs with/without protection enabled, let me know if you need W7 logs.

@itman: what I can tell you is that it's a really complex SW written in C++, it uses Sentinel HASP for licensing and Apache FOP for documentation, it constantly writes to disk and with the latest version I see a lot of Buffer Overflow in file activity entries (procmon).

44 minutes ago, Enrico said:

I can tell you is that it's a really complex SW

This is CAD/CAM software. As such, I would expect a lot of system activity at program start up time.

One other possibility is this software runs differently on Win 7 versus Win 10. Win 10 has more internal protection mechanisms. As such, this software could be performing additional activities such as creating files and the like not necessary in Win 7. This of course would lead to increased scanning by Eset on Win 10.

You would probably have to run Process Monitor against both the Win 7 and 10 installations and then compare the logs for differences to really nail down what is different at start up time.

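The Process Monitor comparison suggested in the post above, sketched as an added example (not code from the thread or from ESET). It assumes both captures were saved as CSV with Procmon's default columns; the sample rows and the `C:\Sample` paths are constructed.

```python
import csv
import io
from collections import Counter

# Constructed sample exports using Procmon's default CSV header; not data from the thread.
HEADER = '"Time of Day","Process Name","PID","Operation","Path","Result","Detail"\n'
W7_CSV = HEADER + r'''"10:00:00.0000001","tebis.exe","100","CreateFile","C:\Sample\app.cfg","SUCCESS",""
"10:00:00.0000002","tebis.exe","100","ReadFile","C:\Sample\app.cfg","SUCCESS",""
"10:00:00.0000003","explorer.exe","200","ReadFile","C:\Sample\other.dat","SUCCESS",""
'''
W10_CSV = HEADER + r'''"10:00:00.0000001","tebis.exe","300","CreateFile","C:\Sample\app.cfg","SUCCESS",""
"10:00:00.0000002","tebis.exe","300","ReadFile","C:\Sample\app.cfg","SUCCESS",""
"10:00:00.0000003","tebis.exe","300","QueryAllInformationFile","C:\Sample\app.cfg","BUFFER OVERFLOW",""
"10:00:00.0000004","tebis.exe","300","CreateFile","C:\Sample\cache\tmp1.dat","SUCCESS",""
"10:00:00.0000005","tebis.exe","300","WriteFile","C:\Sample\cache\tmp1.dat","SUCCESS",""
'''


def load_events(csv_text, process="tebis.exe"):
    """Return (operation, result, lowercased path) tuples for one process."""
    # Procmon CSV files start with a UTF-8 BOM; strip it so the first header parses.
    rows = csv.DictReader(io.StringIO(csv_text.lstrip("\ufeff")))
    return [(r["Operation"], r["Result"], r["Path"].lower())
            for r in rows if r["Process Name"].lower() == process.lower()]


def compare(base, other):
    """Count deltas per (operation, result) and list paths touched only in `other`."""
    cb = Counter((op, res) for op, res, _ in base)
    co = Counter((op, res) for op, res, _ in other)
    delta = {k: co[k] - cb[k] for k in set(cb) | set(co) if co[k] != cb[k]}
    only_other = sorted({p for _, _, p in other} - {p for _, _, p in base})
    return delta, only_other


if __name__ == "__main__":
    delta, only_w10 = compare(load_events(W7_CSV), load_events(W10_CSV))
    # Largest differences first: these are the extra file operations a
    # real-time scanner has to inspect on the slower machine.
    for (op, res), n in sorted(delta.items(), key=lambda kv: -abs(kv[1])):
        print(f"{n:+d}  {op}  {res}")
    print("Paths only in the second capture:", only_w10)
```

Paths that appear only in the slower capture are the candidates to review against the scanner's performance exclusions, which is narrower than excluding the whole process.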

@Marcos: did you have some time to analyze the logs?

At the moment I'm using process exclusions in order to reduce complex apps/programs startup time, but it's not the most secure thing to do, also I suspect that all the 0xc0000005 CTD's I've had on both W7 and W10 are due to process scanning.
