Why ESET scan spesific files without my operation?

[neocheung 0]

There is a weird behavior of my ESET. Because my English is not good enough, I will try my best to explain.

Base on Task Manager and Resource Monitor, I found that ESET sometimes scans (or just read?) some files (Most of the files are exe extention) without my operation (That means I don't control it but it scans by itself) and cause my hard disk almost 100% usage for one or two minutes. During this weird behavior, it only scan (or just read?) the same files as it did last time. It seems like it has mind to choose the target files it wants to scan (or just read?) no matter where I put them.

Even though I change the directory of those files, ESET can still track those file and scans them in next time. 

For instance, I have a game called XXX (don't mind the game name). It has 32-bit and 64-bit exe, but it only scan the 64bit exe file and skip 32-bit during the weird behavior. Sometimes it will scan some of my pictures. 

And next time, it will scan (or just read?) the same files as it did at the previous time. I can't predict when this weird behavior will occur next time.

Has my ESET been infected or hijacked?

Edited March 6, 2020 by neocheung

[itman 1,659]

18 minutes ago, neocheung said:

Has my ESET been infected or hijacked?

No.

Quote

Startup scan

By default the automatic startup file check will be performed on system startup and during detection engine updates. This scan is dependent upon the Scheduler configuration and tasks.

The startup scan options is part of a System startup file check scheduler task. To modify its settings, navigate to Tools > More tools > Scheduler, click on Automatic startup file check and then Edit. In the last step, the Automatic startup file check window will appear (see the following chapter for more details).

https://help.eset.com/eis/13/en-US/idh_config_startup_scan.html

Edited March 6, 2020 by itman

[neocheung 0]

33 minutes ago, itman said:

No.

https://help.eset.com/eis/13/en-US/idh_config_startup_scan.html

Thank you for your respond.

I am curious why does ESET only scan those particular exe files but not others in the same directory? Like I said, it seems it only choose sto scan the files it is interested in. 

I mean when this weird scanning occurs, why does It only scan the same game directory or software directory and the same exe files at each time, but filter or ignore any other games or softwares?  I mean it should scan the sensitive files which is easy to be infected but not just a game directory. 

For instance, it only scan the 64-bit exe file on XXX folder but it NEVER scans files system files (like files on C:\Windows), 32-bit exe file on XXX folder, games on Steam during this type of scanning.

I never set any scheduler. Each scheduler is default. 

For example, it never scans the games on Steam directory. It only scan the 64-bit exe file but not the 32-bit at the same directory. 

Edited March 6, 2020 by neocheung

[Marcos 5,070]

Real-time protection scans all files that are accessed by the operating system or applications. Even if you are not running a particular application, the operating system or another application may be accessing it which would trigger a scan of files being accessed.

An exception are whitelisted executables which are not re-scanned every time they are accessed.
Besides real-time protection, files may be re-scanned by other scanners, such as the startup scan which is run after each module update and scans files registered in autorun locations or that are loaded in memory. Another type of such scan is the idle-state scanner which runs a scan of disks when no user is logged in, when the screensaver is activated, etc. This scan is disabled by default, however.

[neocheung 0]

9 hours ago, Marcos said:

Real-time protection scans all files that are accessed by the operating system or applications. Even if you are not running a particular application, the operating system or another application may be accessing it which would trigger a scan of files being accessed.

An exception are whitelisted executables which are not re-scanned every time they are accessed.
Besides real-time protection, files may be re-scanned by other scanners, such as the startup scan which is run after each module update and scans files registered in autorun locations or that are loaded in memory. Another type of such scan is the idle-state scanner which runs a scan of disks when no user is logged in, when the screensaver is activated, etc. This scan is disabled by default, however.

Thanks for your respond, Marcos. 

Base on your description, and according to Task Manager and Resource monitor, during the scannings, why System (PID 4) only attempts to access the same target files? This System (PID 4) takes up over 10 or 20 seconds. The biggest target file is not over 20MB. Why it is scanned or be read for over 3.2 million bytes at every time according to the data on Resource Monitor. That means the usage of hard disk is almost 100%. Do you think this is normal?

I am so sorry for keeping asking the same question because I do worry my system may be infected or hijacked.

I just want to figure out what is going on.

1, Why operating system or any other application attempts to access the same files at every time, but not accessing other files?

2, Accessing those files for what purposes?

Edited March 7, 2020 by neocheung

[itman 1,659]

2 hours ago, neocheung said:

Base on your description, and according to Task Manager and Resource monitor, during the scannings, why System (PID 4) only attempts to access the same target files? This System (PID 4) takes up over 10 or 20 seconds. The biggest target file is not over 20MB. Why it is scanned or be read for over 3.2 million bytes at every time according to the data on Resource Monitor. That means the usage of hard disk is almost 100%. Do you think this is normal?

Whatever is going on in regards to "System"; i.e. ntosknl.exe, has nothing to do with Eset.

Eset has one process that controls all its other functions. That process is ekrn.exe. Suspect what you are observing is Windows OS normal processing activity performed at during execution of the numerous background processes Win 10 uses.

Edited March 8, 2020 by itman

[Marcos 5,070]

If you suspect ESET to noticeably affect your CPU or HDD performance., enable advanced operating system logging under tools -> diagnostics, reproduce the issue, disable logging, then collect logs with ESET Log Collector and upload the generated archive here or to a safe location if too big and provide a download link in a private message.