Privus 0 Posted November 12, 2021 Share Posted November 12, 2021 Hello, I have a problem, that sometimes Eset services start using up all CPU. I look at the Eset logs and there is nothing written about anything blocked or scanned. Such occurances happen on randoms days. How do I stop, or find out, what is making eset use all the CPU? Link to comment Share on other sites More sharing options...
Administrators Marcos 5,143 Posted November 12, 2021 Administrators Share Posted November 12, 2021 Please install the Windows ADK (https://docs.microsoft.com/en-us/windows-hardware/get-started/adk-install). When you notice a high CPU utilization by ekrn.exe, enable logging by running the following as an administrator: wpr -start GeneralProfile -start Minifilter -filemode After not more than 5 minutes, stop logging by running: wpr stop EsetPerf.etl Next collect logs with ESET Log Collector and add EsetPerf.etl to to the generated archive. Then upload the archive to a safe location and drop me a private message with a download link. Link to comment Share on other sites More sharing options...
Privus 0 Posted November 12, 2021 Author Share Posted November 12, 2021 Ok, will do. Also, I don't know if this helps, but once I saw that Eset was using all the CPU, I tried to pause protection, but it gave me a message, that it will not pause, because a threat has just been neutralized. Link to comment Share on other sites More sharing options...
Privus1 0 Posted January 5, 2022 Share Posted January 5, 2022 I sent the requested files. Link to comment Share on other sites More sharing options...
Administrators Marcos 5,143 Posted January 5, 2022 Administrators Share Posted January 5, 2022 3 hours ago, Privus1 said: I sent the requested files. Could you please check if temporarily disabling or uninstalling this sw makes a difference? CyberarmsIdsService.exe - a part of Cyberarms Intrusion Detection. Link to comment Share on other sites More sharing options...
Privus1 0 Posted January 5, 2022 Share Posted January 5, 2022 I cannot do that. The reason is that, the service is protecting the server from brute force attacks and automatically bans IPs that guess passwords incorrectly too many times. Another thing, I can't turn it off even for testing, because that would leave the protection off for too long, since the 100% CPU issue happens randomly. It can happen next day or next month. While brute force attacks are happening daily. Link to comment Share on other sites More sharing options...
Administrators Marcos 5,143 Posted January 5, 2022 Administrators Share Posted January 5, 2022 It may not be needed. Looks like the problem is with generating dumps for a scan upon attack detection which was addressed in the firewall module currently available on the pre-release update channel. Please try switching to it at least for a while to confirm that it resolves the issue. Nevertheless, CyberarmsIdsService.exe was utilizing CPU more than ekrn so you may still notice a higher CPU utilization. Link to comment Share on other sites More sharing options...
Most Valued Members Nightowl 206 Posted January 5, 2022 Most Valued Members Share Posted January 5, 2022 2 hours ago, Privus1 said: I cannot do that. The reason is that, the service is protecting the server from brute force attacks and automatically bans IPs that guess passwords incorrectly too many times. Another thing, I can't turn it off even for testing, because that would leave the protection off for too long, since the 100% CPU issue happens randomly. It can happen next day or next month. While brute force attacks are happening daily. It's more better to bring a firewall or Windows Firewall to whitelist to certain IPs or a VPN IP to connect from to eliminate all the attacks, If it's not possible to do so , then using a firewall like pfSense , OPNSENSE , Fortinet , Palo-Alto etc... , can help take off the attacks with their intrusion prevention services that would block the attacks on the firewall level not the server level which is making the CPU run more and also might bring your server down , or with bad luck a breach could happen. LesRMed 1 Link to comment Share on other sites More sharing options...
itman 1,707 Posted January 5, 2022 Share Posted January 5, 2022 (edited) 2 hours ago, Nightowl said: If it's not possible to do so , then using a firewall like pfSense , OPNSENSE , Fortinet , Palo-Alto etc... , can help take off the attacks with their intrusion prevention services that would block the attacks on the firewall level not the server level which is making the CPU run more and also might bring your server down , or with bad luck a breach could happen. Supplementing the above, you want to block the brute force attacks at the network perimeter using a stand alone dedicated appliance. Not only is this a more effective way in doing so, but it will take the CPU load off of the server that is currently performing this activity. Ref.: https://www.fortinet.com/products/next-generation-firewall Edited January 5, 2022 by itman Link to comment Share on other sites More sharing options...
Privus1 0 Posted January 25, 2022 Share Posted January 25, 2022 On 1/5/2022 at 2:21 PM, Marcos said: It may not be needed. Looks like the problem is with generating dumps for a scan upon attack detection which was addressed in the firewall module currently available on the pre-release update channel. Please try switching to it at least for a while to confirm that it resolves the issue. How do I switch to pre-release? Link to comment Share on other sites More sharing options...
Administrators Marcos 5,143 Posted January 25, 2022 Administrators Share Posted January 25, 2022 1 hour ago, Privus1 said: How do I switch to pre-release? You will find this setting in the advanced setup -> update: Link to comment Share on other sites More sharing options...
Recommended Posts