High use of Memory by ESET Internet Security

[AlSky 4]

On 4/12/2021 at 10:35 PM, Marcos said:

There is no issue with the firewall visible in the screen shot. No red protection status that would indicate issues. I assume that everything is ok and you can reproduce the issue and generate a log.

Hello. Any ideas? BTW, I found that when I reboot the computer, the ESET product doesn't load properly. The screenshot shows that the free version of Malwarebytes displays a message "You are not protected" after the reboot. The last days I did not give importance to the message because I had disabled some antivirus options to do the tests that you indicated me and i thought the message was due it, but today I have rebooted the computer without disabling any option and the same message has appeared. It's as if after the reboot doesn't properly load some ESET module... but ESET says everything is ok and I'm protected!

This is pretty weird, but I feel insecure because I don't know if ESET is working properly or not.

Edited April 17, 2021 by AlSky

[Marcos 5,074]

The warning comes from Malwarebytes. Please make sure to uninstall it or install it only as a second-opinion on-demand scanner without real-time protection and any of its drivers running.

[itman 1,659]

29 minutes ago, AlSky said:

Hello. Any ideas? BTW, I found that when I reboot the computer, the ESET product doesn't load properly. The screenshot shows that the free version of Malwarebytes displays a message "You are not protected" after the reboot.

The Eset GUI home page shows no issues with Eset.

However, each day you reveal additional details about your system. What other security software do you have installed other than Eset?

As for the MBAM popup displayed, it makes no sense if you as using the free version of MBAM since its real-time scanning is disable by default. As such, the software only runs on demand by the user. However if for some reason MBAM's real-time protection is active, it will most definitely conflict with Eset's operation. It also could be the source of the high memory usage being observed for ekrn.exe.

-EDIT- The MBAM popup states that MBAM Premium is running. That is not the free version and most definitely has real-time scanning enabled.

Edited April 17, 2021 by itman

[Marcos 5,074]

It looks like there are only these two possibly troublesome drivers but none is loaded which should be fine (as long as it's still true and no additional security drivers have been installed in the mean time):

[itman 1,659]

3 minutes ago, Marcos said:

It looks like there are only these two possibly troublesome drivers but none is loaded which should be fine

Yikes! Panda is also installed. I've seen enough ..................

[AlSky 4]

1 hour ago, Marcos said:

The warning comes from Malwarebytes. Please make sure to uninstall it or install it only as a second-opinion on-demand scanner without real-time protection and any of its drivers running.

I have the free version of Malwarebytes. It only works on demand, everytime I want a on-demand scan of Malwarebytes I must open the program manually and and the same message appears: "Your device isn't protected, buy now."

Look the screenshot, for God's sake. I cliked the Malwarebytes and it says: "Your Premium trial version has expired. To restore real-time protection, upgrade to Premium." The Premium trial version expired long ago, isn't working at same time that ESET because CAN'T work. I didn't buy the Premium version. Look in the second screenshot what programs start with the computer. None of them is Malwarebytes.

On Panda, I used the Panda Cloud Cleaner several years ago (early 2016 probably) due to problematic malware and uninstalled it after fixing the problem. I used a tool that ESET provided to erase remnants of other antivirus products left on my computer. If the tool didn't work properly and still there is some file of Panda, it's not my fault. On the other hand, you think Panda is the problem. If I used Panda Cloud Cleaner in 2016 why hasn't it caused trouble till now?

[AlSky 4]

1 hour ago, itman said:

Yikes! Panda is also installed. I've seen enough ..................

Check my last post, please. It's explained. No, I have no installed several antivirus at same time. The computer just wouldn't work with several antivirus installed.

[itman 1,659]

Before I begin with this posting, you need to re-enable Eset HIPS self-protection setting if not already done so. It is Eset's most important protection mechanism that prevents hackers from modifying Eset settings and disabling its protections.

The established way to diagnose software issues is the "clean slate" approach. Simply put, you eliminate all possible sources that may conflict with the software having issues. In the case of security software, this means uninstalling all other security software that may conflict. Once this is done, monitor if the ekrn.exe memory issue still exists. If it doesn't, you have found the source of the issue.

[itman 1,659]

2 hours ago, AlSky said:

The screenshot shows that the free version of Malwarebytes displays a message "You are not protected" after the reboot.

Based on your recent postings, I assume this is related to the fact that MalwareBytes Premium is not running. However, the fact it appears at boot indicates something MBAM related is running in the background to generate the message.

Then there is the question of why this popup suddenly started to appear.

[Marcos 5,074]

Just to make sure, what is the problem actually? Asking since it was not clear from the screen shot which showed only a MBAM warning.

[itman 1,659]

A few comments about MBAM and its Katana engine use.

Katana is far from new. It was developed as an open source project: https://sourceforge.net/projects/katana-usb/files/v3.0beta/ . Much later, Russian based AV Dr. Web developed it further: https://products.drweb-av.pl/home/katana/ . Note that Dr. Web is the only AV approved by Russia's FSB for use in Russia. Draw your own conclusions .......

The question is if MBAM is using the Dr. Web version of Katana under a license agreement? If this is the case, I certainly wouldn't be using MBAM.

[AlSky 4]

3 hours ago, Marcos said:

Just to make sure, what is the problem actually? Asking since it was not clear from the screen shot which showed only a MBAM warning.

The problem is the same as there was: bigger usage of RAM than usual by ekrn.exe.

After an on-demand-scan is more noticeable, and does not return to normal levels at the end of the scan or after switching off the computer, but it does (although only temporarily, gradually increases again over the days) if I disable HIPS self protection. I checked by disabling it these days to do the tests... as many as have been possible.

Also drops very much the use of RAM rebooting the computer and forcing the shutdown. I've had to do it several times these days and I've been able to check it out.

HIPS self protection is now enabled. I just disabled it for testing and immediately enabled it again.

I do not understand why in the last weeks the use of RAM is bigger than the usual one, and now I discover that the pop up of Malwarebytes after rebooting was not due to the fact that there was disabled some important function of the product ESET (at least not deliberately disabled), but that this happens NOW after rebooting. How do I know that only it happens now? Because I have that reboot at least once every month: monthly Windows update. And earlier it was not happening.

This Malwarebytes pop up does not appear switching off and switching on the computer. I switch on the computer several times a day, and when I finish something like that that I need to do, switch it off to the next time. I it do not put in to hibernation, I switch off it. And when I switching it on again, already be five minutes later or several hours later, this pop up does not appear. Only rebooting. Is there any problem with the correct ESET load after rebooting and that's why is the use of RAM minuscule after the reboot (I showed more above several screenshots with uses of little more than 20 Mb after reboot) and the pop up?

Yes, you can tell me everything's right, no error message or red / orange warning. Look at this screenshot. Last updated at 21:51. Last update search, 21:51. Hour: 23:59. ESET should have searched for updates (ESET product is set to do so) every 60 minutes, that is, at 22:51 and 23:51. It didn't do it. Just stopped searching for updates. The update module did not work again although I rebooted the computer. I also switched it off, wait a while and switched on the computer again and did not search for updates. (The "search for updates when detecting network connection" task should have worked.) And you can see that there is no error message, no red / orange warning. Just the update module stopped working and the only way to restore its operation was to uninstall and reinstall the ESET product. So when somebody tells me that ESET is working correctly because there are no red / orange warning I answer "look at this".

Malwarebytes is not running because I don't have Premium version. I don't even need it. I got the free version. When you install Malwarebytes you have two weeks of Premium usage free (I disabled it because I neither needed it nor wanted it to cause conflict with ESET) and then the free version remains. Every time you click the Malwarebytes icon for an on-demand scan the message appears saying that the version is free and that you should upgrade to Premium, the advertising is more aggressive in the latest versions, nothing more. I have installed Malwarebytes for years and had never given me problems or caused conflict with ESET... because I never used the Premium version. As far as I know, ESET is compatible with Malwarebytes free version.

On Panda, I already explained. I used Panda Cloud Cleaner together with Malwarebytes for a thorough cleaning of problematic malware in 2016. Then I used the ESET tool to clean files from other antivirus. If it didn't work properly, it's not my fault. But Panda is already uninstalled, except if really there is some file still in the disk. Should not be after using the uninstall of ESET, but there is no icon of Panda, Panda does not load when the computer starts, Panda is not running. We can not say that Panda is installed.

[AlSky 4]

3 hours ago, itman said:

A few comments about MBAM and its Katana engine use.

Katana is far from new. It was developed as an open source project: https://sourceforge.net/projects/katana-usb/files/v3.0beta/ . Much later, Russian based AV Dr. Web developed it further: https://products.drweb-av.pl/home/katana/ . Note that Dr. Web is the only AV approved by Russia's FSB for use in Russia. Draw your own conclusions .......

The question is if MBAM is using the Dr. Web version of Katana under a license agreement? If this is the case, I certainly wouldn't be using MBAM.

Interesting question you arise. I don't know if Dr. Web is the only antivirus approved by the Lubyanka Boys. Just I woulnd't use Malwarebytes Premium under any cincumstances.

I answered your other message in my previous post: yes, HIPS self protection is enabled.

[itman 1,659]

Since high memory usage complaints exist against most AV vendors, Emsisoft actually wrote an interesting blog posting about the issue here: https://blog.emsisoft.com/en/22176/why-antivirus-uses-so-much-ram-and-why-that-is-actually-a-good-thing/ with a number of interesting comments. One is:

Quote

At present, the Emsisoft protection software uses more than 7 million malware signatures. To load them all into RAM, it needs a bit more than 200 megabytes. That sounds like a lot, but keep in mind that this equals a short sequence of 28 bytes on average that we can use to confirm whether a file is good or bad.

To illustrate that: Imagine a text sequence of just 28 letters that must be found in a library of 1 billion books, and you are not allowed to come up with a single false detection. A malware scanner has to check 7 million signatures against each of roughly 300,000 files on your hard disk…

All within a fraction of a second!

Another is:

Quote

An insider’s secret: Antivirus programs tend to hide their RAM usage

High memory usage is bad for marketing, but what do you do if you can’t avoid it? You hide it. There are two major techniques to make a big program look like a small one:

1. Use the page file: As described earlier, Windows puts less frequently used parts of programs onto the slower hard disk. Programs can also force that process and ‘ask’ Windows to swap them to the pagefile in regular intervals. Then the Windows Task Manager shows a very low memory usage, but the price for that is regular 1-3 second ‘thinking-periods’ when you access the program.
2. Use system drivers: Windows Task Manager only shows active programs and services, but not drivers. Drivers are code modules that are loaded directly by the operating system for certain core functionality. Some anti-virus vendors load hundreds of megabytes of data in their drivers to create the illusion of low memory usage. You can spot these by summing up the memory usage of all active programs and compare that with the value of total used RAM. If there is a huge difference, something is probably hiding high memory usage from you.

This gets back to what I have posted multiple times in this thread.

I have asked previously how much RAM is installed on this device? From all the Task Manager screen shots posted, it appears to be a lot.

Again, it may very well be that Eset doesn't see a memory usage issue on this device and is using as much free available RAM that it can. When ekrn.exe detects that the RAM it is using could adversely impact system performance, it will start releasing RAM it has allocated.

 

Edited April 17, 2021 by itman

[Marcos 5,074]

I don't have the logs at hand now but I recall that there's at least 16 GB RAM installed. However, regardless of how much RAM is installed, ekrn should not allocate too much.

You wrote that after disabling HIPS you could hardly reproduce the issue. Could you confirm? Is it enough to disable self-defense and reboot the machine? Also please uninstall MBAM completely while troubleshooting this issue to rule out  any effect of MBAM on the issue. Also please remove or rename the Panda driver as well.

[peteyt 393]

6 hours ago, itman said:

A few comments about MBAM and its Katana engine use.

Katana is far from new. It was developed as an open source project: https://sourceforge.net/projects/katana-usb/files/v3.0beta/ . Much later, Russian based AV Dr. Web developed it further: https://products.drweb-av.pl/home/katana/ . Note that Dr. Web is the only AV approved by Russia's FSB for use in Russia. Draw your own conclusions .......

The question is if MBAM is using the Dr. Web version of Katana under a license agreement? If this is the case, I certainly wouldn't be using MBAM.

Is this the same Katana Malwarebytes uses? Not used malwarebytes in years but all information seems to make it sound like katana is something they developed

[itman 1,659]

1 hour ago, peteyt said:

Is this the same Katana Malwarebytes uses? Not used malwarebytes in years but all information seems to make it sound like katana is something they developed

It's possible that MBAM developed something internally and named it Katana. However, their documentation states "Katana engine." This is what leads me to believe its actually Dr. Web's product. It is not unusual for AV products to used another competitor's engine under a licensing agreement. Emsisoft for example, used BitDefender's along with their own in-house developed product.

Also the Katana reference is used all over the place these days. Microsoft has an ASP.NET framework name Katana: https://docs.microsoft.com/en-us/aspnet/aspnet/overview/owin-and-katana/an-overview-of-project-katana

[AlSky 4]

16 hours ago, itman said:

Since high memory usage complaints exist against most AV vendors, Emsisoft actually wrote an interesting blog posting about the issue here: https://blog.emsisoft.com/en/22176/why-antivirus-uses-so-much-ram-and-why-that-is-actually-a-good-thing/ with a number of interesting comments. One is:

Another is:

This gets back to what I have posted multiple times in this thread.

I have asked previously how much RAM is installed on this device? From all the Task Manager screen shots posted, it appears to be a lot.

Again, it may very well be that Eset doesn't see a memory usage issue on this device and is using as much free available RAM that it can. When ekrn.exe detects that the RAM it is using could adversely impact system performance, it will start releasing RAM it has allocated.

 

Thank you very much for your answer. I have 16 GB of RAM. And ESET usually did not use more than 200 Mb under normal conditions. In scan mode it did use more, but returned to normal levels after scanning. Not now.

And there's a new (old) problem. Because my ESET product works properly, yes.

[AlSky 4]

14 hours ago, Marcos said:

I don't have the logs at hand now but I recall that there's at least 16 GB RAM installed. However, regardless of how much RAM is installed, ekrn should not allocate too much.

You wrote that after disabling HIPS you could hardly reproduce the issue. Could you confirm? Is it enough to disable self-defense and reboot the machine? Also please uninstall MBAM completely while troubleshooting this issue to rule out  any effect of MBAM on the issue. Also please remove or rename the Panda driver as well.

As for deleting all Panda files, I will do so, fortunately in your screenshot the directory where it is appears. But should have removed it the ESET tool.

And Malwarebytes I know it thanks to ESET, which recommended it once to solve a problem with a malware that resists the ESET product. I was told that I could have simultaneously the free version and ESET without any problems. Now it is no longer possible to have the free version? Are we going to delete programs until we see what happens?

New (old) problem. Again the protected browser doesn't work. And there is no warning of error. Nothing, but look at the screenshot: Paypal's website, which always opens with the protected browser (except when it doesn't for some failure) only opens with the normal browser. I have tried adding the Paypal website to the editable list of sites with which the protected browser should be automatically opened. (Look the last site of the list is the same that appears in the browser.) Neither it works. No error message, but it doesn't work. Normal? No.

I'm tired of this problem recurring from time to time last months: protected browser that doesn't work and it is necessary to reinstall the product to get it back on track... until it stops.

 

[itman 1,659]

1 hour ago, AlSky said:

New (old) problem. Again the protected browser doesn't work. And there is no warning of error. Nothing, but look at the screenshot: Paypal's website, which always opens with the protected browser (except when it doesn't for some failure) only opens with the normal browser. I

Delete existing PayPal entry in B&PP List of protected web sites.

Next navigate to the PayPal web site in FireFox. Does the below B&PP web page appear? If so, select "Remember choice for this web site." Then mouse click on "Yes, open secured browser" tab.

[AlSky 4]

6 hours ago, itman said:

Delete existing PayPal entry in B&PP List of protected web sites.

Next navigate to the PayPal web site in FireFox. Does the below B&PP web page appear? If so, select "Remember choice for this web site." Then mouse click on "Yes, open secured browser" tab.

Hello and thank you for answering. That solution you gave me was the one I used the first time I had that problem with the protected browser. It worked that time and never again. The ESET product then needed to be reinstalled. Nor was it useful to use the option "restore system" to a point previous to the problem.

How did I fix it today? Before the tedious task of reinstalling the antivirus, I tried once again, with little hope, what you have indicated. Without success. I deleted all the websites I manually added in the editable list of the protected browser and tried adding them again. Without success. I disabled the protection of online banking and protected browser and switched off the computer. I waited a few seconds and switched the computer on. I enabled online banking protection and... voilà! It was working. Until when, I don't know because since last summer I suffered this problems several times.

By the way, the PSKMAD.sys file that seems to be from Panda Cloud Cleaner turns out to be a driver, but why was it in the Windows folder? Shouldn't it be in Program Files or Program Files (86)?

[itman 1,659]

2 hours ago, AlSky said:

By the way, the PSKMAD.sys file that seems to be from Panda Cloud Cleaner turns out to be a driver, but why was it in the Windows folder? Shouldn't it be in Program Files or Program Files (86)?

No. Windows driver files are stored in this directory: C:\Windows\System32\drivers.

Also, the proper way to uninstall software is via Control Panel -> Programs -> Programs and Features -> Uninstall or change a program.

Edited April 18, 2021 by itman

[Marcos 5,074]

We have found a bug which will be addressed in the Internet protection module 1425. You can switch to the pre-release update channel to get it as soon as possible. I expect the module to be put on the pre-release channel in 1-2 days.

[AlSky 4]

14 hours ago, itman said:

No. Windows driver files are stored in this directory: C:\Windows\System32\drivers.

Also, the proper way to uninstall software is via Control Panel -> Programs -> Programs and Features -> Uninstall or change a program.

Thanks for then answer. I know the usual way for uninstall programs is through Control Panel, but not all files in a program are always deleted, there are isolated files like that of Panda that remains in the computer. Therefore, ESET support advised me to use the tool to remove such remnants of other antivirus programs. However, we see that it didn't fully work. I don't know why.

[AlSky 4]

6 hours ago, Marcos said:

We have found a bug which will be addressed in the Internet protection module 1425. You can switch to the pre-release update channel to get it as soon as possible. I expect the module to be put on the pre-release channel in 1-2 days.

Thank you, Marcos. Is it related to the usage of RAM or just another different issue? Wil be this module updated through the proper ESET product (through updates like all the other modules) in the future? Thanks in advance.