Jump to content

High use of Memory by ESET Internet Security


Recommended Posts

4 hours ago, Marcos said:

@AlSkydoes temporarily disabling SSL filtering in the advanced setup and rebooting the machine make a difference in memory consumption?

Let me check. I'll need a few minutes to do and restart.

Link to comment
Share on other sites

4 hours ago, Marcos said:

@AlSkydoes temporarily disabling SSL filtering in the advanced setup and rebooting the machine make a difference in memory consumption?

No, I checked and no improvement. Since last forced shutdown the memory is increasing again, slowly but continously: after forced shutdown usage of RAM dropped to 164 Mb and is increasing till 340 Mb right now. This morning was 320 Mb. I Disabled now the SSL filtering and restarted the computer, but the usage is the same than with it enabled.

 

ESET memoria 6.jpg

Link to comment
Share on other sites

Let's try a different approach.

You say the ekrn.exe issue started recently. Check your recent Win Update history. What you are looking for is something related to an Intel Microcode update; assuming your processor is Intel based. On the other hand, my processor is AMD and Microsoft pushed this update to my device ..............

Edited by itman
Link to comment
Share on other sites

  • Administrators

What you could try is uninstalling ESET and installing it from scratch with the computer immediately disconnected from network after activation to prevent modules from being updated. Are you able to reproduce the issue? Or only after connecting the computer to LAN and updating modules?

Link to comment
Share on other sites

4 hours ago, Marcos said:

What you could try is uninstalling ESET and installing it from scratch with the computer immediately disconnected from network after activation to prevent modules from being updated. Are you able to reproduce the issue? Or only after connecting the computer to LAN and updating modules?

Hello. The only time I reinstalled the ESET product and disconnected from the Internet before the modules were installed (a futile attempt to solve whether the problems I mentioned above on version 13.2.14.0 and later), then, when I reconnected internet, the ESET product couldn't be updated and I had to uninstall and reinstall again without disconnecting the internet.

Link to comment
Share on other sites

Don't know if it is related with the problem (problems) I have with the ESET product.

Suddenly appeared two messages consecutively saying ESET has Kernel and spam Limited Direct Cloud connectivity. I opened up the ESET GUI, the notification had disappeared (except in the log I show in the screenshot) and the GUI shows now all green, no red or orange warnings.

I have changed nothing in my router or computer. No updates of programs or OS (till next Tuesday I don't expect new monthly updates of Microsoft).

But there is no message warning a restoration of the Cloud connectivity. What’s happening? Does it mean my protection is not full?

Problema ESET.jpg

Link to comment
Share on other sites

  • Administrators
2 minutes ago, AlSky said:

But there is no message warning a restoration of the Cloud connectivity. What’s happening? Does it mean my protection is not full.

It's unrelated to the memory issue. The message means that the product was not able to reach ESET's servers on port 53535 for a while. It could have been a network issue between your machine and ISP or between the ISP and ESET's servers. The point is that the error is not being reported repeatedly.

As for the memory issue, I'll prepare a package with older modules momentarily that you'll then install temporarily to find out if it makes a difference.

Link to comment
Share on other sites

1 hour ago, Marcos said:

It's unrelated to the memory issue. The message means that the product was not able to reach ESET's servers on port 53535 for a while. It could have been a network issue between your machine and ISP or between the ISP and ESET's servers. The point is that the error is not being reported repeatedly.

As for the memory issue, I'll prepare a package with older modules momentarily that you'll then install temporarily to find out if it makes a difference.

The connection to the cloud has been restored. I wonder if it's a point problem or related to the other problem.

 

Problema ESET resuelto.jpg

Link to comment
Share on other sites

@AlSky

ekrn.exe is monitoring the processes that are running in the background and actively accessing the file system/registry.

You could identify this kind of processes using Process Monitor from sysinternals.

Based on your screenshot one of the suspects could be CCleaner background process. Try to uninstall CCleaner and see if this helps. If it does then disable "Smart Cleaning" in the CCleaner options.

Link to comment
Share on other sites

  • Administrators

One more thing, are you able to reproduce the higher memory use by ekrn even after temporarily disabling protocol filtering and rebooting the machine?

If so, I'd carry on with enabling heap tracing. I'd send you instructions after answering the above questions.

Link to comment
Share on other sites

3 hours ago, Marcos said:

One more thing, are you able to reproduce the higher memory use by ekrn even after temporarily disabling protocol filtering and rebooting the machine?

If so, I'd carry on with enabling heap tracing. I'd send you instructions after answering the above questions.

Yesterday I had to restore system due to another incidence and it was useful to free memory and now the use of RAM at the moment is not very high, 250 Mb. Let's see if it continues increasing in the coming days and the ESET productp reaction to an on-demand scan in the middle of the month.

On the other hand, the problem that made me restore system was an incidence with malware. I don't understand how something like this can happen, but it happened. In the second screenshot you can check that the ESET product detected malware on web and blocked the connection. Everything seems correct, connection blocked, malware failed to enter the computer. However, forewarned is forearmed. I scanned and the ESET product found the same malware that had supposedly been blocked (third screenshot). This is more shocking because I have selected in Real Time File System Protection - > Disinfection - > Remedy infection if safe, ask otherwise. If it could not disinfect, it should has asked action to take (if I wanted to delete the file, for example). It didn't happen like that. This isn't good, because the ESET product didn't fulfill the task as scheduled.1158511323_ESETmemoria7.thumb.jpg.963e09798f320ee2928e458963500637.jpg

ESET malware.jpg

ESET malware 2.jpg

Link to comment
Share on other sites

3 hours ago, Marcos said:

One more thing, are you able to reproduce the higher memory use by ekrn even after temporarily disabling protocol filtering and rebooting the machine?

If so, I'd carry on with enabling heap tracing. I'd send you instructions after answering the above questions.

I tested what you asked me, disabling  protocol filtering. Usage of RAM dropped a lot but it disables too internet protection security tools. It isn't a solution, obviously.

 

ESET memoria 8.jpg

ESET deshabilitar.jpg

Link to comment
Share on other sites

  • Administrators

Does the issue occur also if you:
- re-enable protocol filtering
- keep SSL filtering disabled
- reboot the machine?

Link to comment
Share on other sites

1 hour ago, Marcos said:

Does the issue occur also if you:
- re-enable protocol filtering
- keep SSL filtering disabled
- reboot the machine?

The issue occur also if I:
- Re-enable protocol filtering

Only if I keep the protocol filtering disabled the usage of RAM is very low (few more than 20 Mb) but I don't know if it would increase with the time passing as happened earlier in last weeks and obviously I can't keep for days the protocol filtering disabled just to check, isn't wise idea to have a computer connected to internet without protection.

I don't care of the usage is between 100 and 200 Mb, it was the usual. And I don't care if during scan the usage of RAM peaks up to 500-600 Mb or more if after the end of scan or after rebooting the computer it returns to usual normal levels. The point is that doesn't happens: once increases the usage of RAM then doesn't diminish. That's what isn't normal, keep using the same RAM under normal conditions that under on-demand scan. Or that slowly, day per day, it increases the use of RAM with no apparent motive. Always growing, no diminishing.

Link to comment
Share on other sites

  • Administrators

Just to make sure I understand it correctly, the issue occurs with protocol filtering enabled, SSL filtering disabled and you're able to reproduce it with this setup after a machine restart.

Asking since you mentioned only re-enabling protocol filtering but you didn't mention if you also kept SSL filtering disabled at the same time.

Link to comment
Share on other sites

Posted (edited)
35 minutes ago, Marcos said:

Just to make sure I understand it correctly, the issue occurs with protocol filtering enabled, SSL filtering disabled and you're able to reproduce it with this setup after a machine restart.

Asking since you mentioned only re-enabling protocol filtering but you didn't mention if you also kept SSL filtering disabled at the same time.

If I disable protocol filtering also gets disabled SSL filtering. Automatically. Look the first screenshot.

BTW, since this morning after enabling once again SSL filtering, the usage of RAM without any scan raised from 22 Mb to 290 Mb. Check second screenshot.

I checked again, disabled protocol filtering, booted the computer and enabled only protocol filtering, but disabled SSL filtering. Then rebooted once more time the computer. The usage of RAM droped one more time, but not in the same measure than disabling protocol filtering (third screenshot, 128 Mb). Anyway, it's normal that disabling services the usage of RAM is less than with them all enabled.

But why is increasing the usage of RAM? Why on-demand scan causes so high usage of RAM and the RAM used is not free aftr finishing scan and rebooting the computer? Mistery.

 

ESET deshabilitar 2.jpg

ESET memoria 9.jpg

ESET memoria 10.jpg

Edited by AlSky
Link to comment
Share on other sites

  • Administrators

Ok, so let's enable heap tracing as follows:
1, In the advanced setup -> Detection engine -> HIPS -> disable Self-defense
2, Reboot the machine
3, Run the command:

wpr -HeapTracingConfig ekrn.exe enable

4, Reboot the machine
5, Run the command

wpr -start Heap -filemode

6, Reproduce the issue (should not take too long)
7, Run the commands:

wpr -stop heap.etl
wpr -HeapTracingConfig ekrn.exe disable

8, Provide heap.etl in a compressed form
9, Re-enable self-defense and reboot the machine.

Link to comment
Share on other sites

2 hours ago, Marcos said:

Ok, so let's enable heap tracing as follows:
1, In the advanced setup -> Detection engine -> HIPS -> disable Self-defense
2, Reboot the machine
3, Run the command:


wpr -HeapTracingConfig ekrn.exe enable

4, Reboot the machine
5, Run the command


wpr -start Heap -filemode

6, Reproduce the issue (should not take too long)
7, Run the commands:


wpr -stop heap.etl
wpr -HeapTracingConfig ekrn.exe disable

8, Provide heap.etl in a compressed form
9, Re-enable self-defense and reboot the machine.

I went to advanced setups, selected Detection engine, HIPS, disabled Self-defence, rebooted the computer, opened CMD and entered the first command, but the answer is: wpr is not recognized as an internal or external command.

I tried several times entering the following comands:

wpr -HeapTracingConfig ekrn.exe enable

wpr -HeapTracingConfig ekrn.exe

wpr

Always the same: wpr is not recognized as an internal or external command.

 

Comando.jpg

Link to comment
Share on other sites

  • Administrators

I see. I don't recall installing Windows Assessment and Deployment Kit on my machine so I didn't realize it's needed.

It contains Windows Performance Toolkit which you will need. Please follow the instructions at https://devblogs.microsoft.com/performance-diagnostics/wpr-intro/ to install it.

Link to comment
Share on other sites

11 minutes ago, Marcos said:

I see. I don't recall installing Windows Assessment and Deployment Kit on my machine so I didn't realize it's needed.

Wpr.exe is included on Win 10 only. Its use on other desktop OSes requires use of WAD Kit.

Ref.: https://www.nextofwindows.com/windows-10-comes-with-windows-performance-recorder-wpr-exe-built-in

Link to comment
Share on other sites

You can dowload the Windows Developer Toolkit here: https://developer.microsoft.com/en-us/windows/downloads/sdk-archive/ . Scroll down in the article to the section titled; Earlier releases , and select; "Install SDK" for Windows 8.1 SDK release.

This article describes how to install Windows Performance Toolkit only from the Windows 8.1 SDK installer: https://social.technet.microsoft.com/wiki/contents/articles/4847.install-the-windows-performance-toolkit-wpt.aspx .

Edited by itman
Link to comment
Share on other sites

2 hours ago, Marcos said:

I see. I don't recall installing Windows Assessment and Deployment Kit on my machine so I didn't realize it's needed.

It contains Windows Performance Toolkit which you will need. Please follow the instructions at https://devblogs.microsoft.com/performance-diagnostics/wpr-intro/ to install it.

Now ESET doesn't load the Firewall. Look at the screenshot.

I'll need to reinstall the product one more time.

ESET memoria fallo.jpg

Link to comment
Share on other sites

  • Administrators

There is no issue with the firewall visible in the screen shot. No red protection status that would indicate issues. I assume that everything is ok and you can reproduce the issue and generate a log.

Link to comment
Share on other sites

14 hours ago, Marcos said:

There is no issue with the firewall visible in the screen shot. No red protection status that would indicate issues. I assume that everything is ok and you can reproduce the issue and generate a log.

I have mentioned that a few months ago the product ESET stopped searching for updates. It wasn't searching for updates although was enabled the option search for updates every 60 minutes (this was the default configuration and this way a new task was created also advised by technical support to fulfil the desynchronizing of the module of updates). It wasn't also searching for updates on having start the computer and to detect connection to the network. Simply it neither was searching for updates nor could update, all this without any message of error or red / orange warning. Theoretically the updates module should have worked, but it didn't do it and only reinstalling it worked again.

The same can be said about the problems with the protected browser that I mentioned. It stopped working without any error message, although there was enabled the option of the protected browser. The only solution was to reinstall... until the same was happening again.

I reinstalled the ESET product, RAM usage is pretty low right now. We'll see its evolution.

I have to have to a medical procedure, so that possibly I won't be available during the next 24-48 hours. I will report of the evolution of the issue as soon as it's possible.

ESET memoria 11.jpg

Link to comment
Share on other sites

On 4/12/2021 at 8:00 PM, Marcos said:

I see. I don't recall installing Windows Assessment and Deployment Kit on my machine so I didn't realize it's needed.

It contains Windows Performance Toolkit which you will need. Please follow the instructions at https://devblogs.microsoft.com/performance-diagnostics/wpr-intro/ to install it.

I'm sorry for the delay in responding. Health problems. When I disable HIPS, Self-defense, the use of RAM drops a lot and hardly raises (look at the screenshots), so I doubt it is possible to reproduce the issue under those circumstances… perhaps waiting hours and hours. On the other hand, when I ran the commands you told me, after installing the SDK, the computer was frozen and it was necessary to force a shutdown.

ESET memoria 12.jpg

ESET memoria 13.jpg

Link to comment
Share on other sites

Guest
This topic is now closed to further replies.
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...