Proc Lasso does not seem to be able to control avp.exe - Kaspersky Inet Sec

Started by JackOverIP, October 11, 2009, 01:11:54 AM


JackOverIP

Used PL for about the last month with settings set up to adjust priorities on other than normals and 45% processor load. Pushed avp.exe (Kaspersky Internet Security 2010 rel 9.0.0.463) all the way to Idle and it periodically loads another copy of itself (process hacker verified) and steals the show again. PL does not see the 2nd copy but I can control it with process hacker. Exclusive of the 2nd copy trick, the initial avp.exe runs away at times also all the way to 100% and I need process hacker to bring it back down. My 4GHz PC won't even respond to keystrokes at that time. Any ideas? I'm bringing about 30 years of technical PC experience to the table here and could really use a tool like PL - if I could make it work...

watermelon

Not sure if there is a difference between the 2009 and 2010 versions in that aspect, but with self-protection disabled Process Lasso is able to set the priority... and only then.


I'd love to have a solution to this as well so that avp.exe could always run on 'below normal' but without permanently turning off the self-protection it is impossible to do for every restart of the process.

Jeremy Collake

As the previous poster noted, you should disable the self-protection in order to have Process Lasso operate on it. I can't say I have any current plans to try to defeat Kaspersky's self-protection.

HOWEVER, if the avp.exe process is responsible for the real-time scanning (sounds like it is), then it's NOT recommended to lower its priority at any point. This is because other processes on the system end up waiting for scanning to complete before they can continue. This may be why it loads a second copy of itself when the first copy is unresponsive, but I don't know that for sure.

The best thing you can do to speed up your PC is disable the real-time scanning. Of course, this does make you a little more vulnerable to infection, but if you are careful then it won't make you that much more vulnerable, and it should increase your PC speed considerably.

Software Engineer. Bitsum LLC.

JackOverIP

More info on this:
It seems the 2nd process is a system process while the first is a user process. Kaspersky is patenting their "new" continuous scan procedure which seems to be much more active when new data and/or applications are available to it. This PC gets new data and apps all day, every day, so it keeps KIS way too busy. Self Defense and Proactive Defense are the two terms they use, and disabling either lights the yellow warning flag on the main window, which kind of defeats the purpose of the warnings - if you get used to ignoring them, then you may miss the ones you shouldn't. Lots of stuff on the KIS site about 100% CPU usage problems. I'm gonna drop both protections and see if PL will keep it under control. I'm not concerned about infections: while behind two routers and the KIS firewall I'm relatively safe, and Casper backups to three internal hot-swap trays keep me pretty secure. Let's see what I can get at the KIS forum.
Thanks Jeremy and all.

phthisic

This same thing occurs with Avira executables. But that is really as it should be. Leaving these processes open to restraint only opens them up to termination or modification by malware. I think this is just the price of doing business--if you want your AV to work properly, you have to leave it alone.
Microsoft MVP, Windows Shell (2004-2013)

Jeremy Collake

Quote from: phthisic on January 18, 2010, 10:14:55 AM
This same thing occurs with Avira executables. But that is really as it should be. Leaving these processes open to restraint only opens them up to termination or modification by malware. I think this is just the price of doing business--if you want your AV to work properly, you have to leave it alone.

Yes, this is correct. The self-protection measures used by anti-virus/anti-malware/security software are necessary, else the malware would disable your protection. A lot of malware already does this, or tries to do this. It was in response to this problem that they enacted these new protections on their processes.

Further, Process Lasso's ProBalance is designed to leave anti-virus software ALONE. Most common on-demand scanner processes are excluded from ProBalance restraint. Why? Because lowering their priority would do no good, and could even be detrimental to system performance. This is because for every file that is opened by any process on your system, it must first WAIT for the on-demand scanner process to scan that file. Therefore, you want to keep the on-demand scanner process at its default priority, letting it choose the priority appropriate for its process and individual threads.

For those who don't know, on-demand scanning is the number 1 cause of system performance problems. Anti-virus and other security software slows down PCs considerably. This is because every file that is accessed must first be scanned, and also because they consume a considerable amount of memory (for caching, signature databases, etc.). Of course, their flashy user interfaces are also big memory consumers. Most of the time, you'll see an instant boost in PC performance after removing your anti-virus software. However, I can't recommend people do that - as it leaves them 'open' to infection.

Myself, I never use any anti-virus software. But, that's just me... and I can't recommend that to other people. Just keep in mind that your anti-virus software does slow down your PC performance, especially right after boot when it has to do an initial scan of every file opened. Later, it can skip some files because it's already scanned them. This is one of a few reasons why your PC may be extremely sluggish for the first few minutes after boot-up. Also keep in mind that anti-virus software is far from perfect and is likely to false alarm on harmless executables, and let dangerous ones slip through. This isn't to say they are totally ineffective, it's just that they aren't perfect (nothing is, I suppose).

Anyway, regarding Process Lasso - always leave anti-virus processes alone. Modifying the priorities of anti-virus software can cause problems with your system's behavior. You can conceivably even get into a priority inversion situation that will cause your PC (or a process) to stall for a while. It should always recover, but the stall could be caused by the inversion. An inversion is when a high priority process is waiting on a low priority process to do something. In this case, if the on-demand scanner was at a lower priority, then the higher priority process would be forced to wait on that low priority process to scan the file.

Last note is that the priority class of the anti-virus software doesn't indicate at what priorities its individual threads may be running. If you enable the 'threads' tab in Process Lasso (View menu), then you can see the individual threads. The priority class makes all the thread priorities go up or down, as it's the 'base priority' from which the end thread priorities are derived. My point is that just because you see your anti-virus software's on-demand scanner running at a NORMAL priority class, this does not mean that its important threads aren't running at REAL-TIME (the highest) priority. It should set its process and thread priorities to what is optimal, hence my strong suggestion to leave anti-virus processes alone.

Software Engineer. Bitsum LLC.
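Jeremy's two points above, that the priority class is the base from which each thread's priority is derived and that pushing a scanner below the processes that wait on it creates a priority inversion, as an added example that is not from this thread or from Process Lasso: the code reproduces the documented Windows base-priority mapping (class base plus the thread's relative level, with the idle and time-critical special cases) and checks whether a normal-priority user process would be left waiting on a scanner forced to Idle, as the original poster did. The enum names are this example's own, modeled on the Win32 constants, so it compiles anywhere.

```c
#include <stdbool.h>
#include <stdio.h>

/* Process priority classes, modeled after the Win32 *_PRIORITY_CLASS values
 * (names are this example's own, not taken from windows.h). */
enum prio_class { PC_IDLE, PC_BELOW_NORMAL, PC_NORMAL, PC_ABOVE_NORMAL,
                  PC_HIGH, PC_REALTIME };

/* Relative thread priorities, modeled after the Win32 THREAD_PRIORITY_* levels. */
enum thread_prio { TP_IDLE, TP_LOWEST, TP_BELOW_NORMAL, TP_NORMAL,
                   TP_ABOVE_NORMAL, TP_HIGHEST, TP_TIME_CRITICAL };

/* Documented Windows base priority (0-31) for a class/level pair. This is the
 * value before any dynamic boost the scheduler may add at run time. */
int base_priority(enum prio_class pc, enum thread_prio tp)
{
    static const int class_base[] = { 4, 6, 8, 10, 13, 24 }; /* indexed by prio_class */
    bool rt = (pc == PC_REALTIME);
    switch (tp) {
    case TP_IDLE:          return rt ? 16 : 1;   /* fixed, independent of class */
    case TP_TIME_CRITICAL: return rt ? 31 : 15;  /* fixed, independent of class */
    default:               return class_base[pc] + ((int)tp - (int)TP_NORMAL); /* -2..+2 */
    }
}

/* True when a thread that must wait for the scanner (e.g. on a file open)
 * outranks the scanning thread: the inversion described in the post above. */
bool inverts(enum prio_class waiter_pc, enum thread_prio waiter_tp,
             enum prio_class scanner_pc, enum thread_prio scanner_tp)
{
    return base_priority(waiter_pc, waiter_tp) > base_priority(scanner_pc, scanner_tp);
}

int main(void)
{
    /* Constructed scenario: a scanner whose scan thread runs HIGHEST within its
     * class, versus an ordinary user process at NORMAL class / NORMAL thread (base 8). */
    enum prio_class classes[] = { PC_NORMAL, PC_BELOW_NORMAL, PC_IDLE };
    const char *names[] = { "Normal", "Below normal", "Idle" };
    for (int i = 0; i < 3; i++) {
        int b = base_priority(classes[i], TP_HIGHEST);
        printf("scanner class %-12s -> scan thread base %2d, inversion vs. user app: %s\n",
               names[i], b,
               inverts(PC_NORMAL, TP_NORMAL, classes[i], TP_HIGHEST) ? "yes" : "no");
    }
    return 0;
}
```

At Normal class the scan thread sits at 10 and outranks the waiter; forced to Idle it drops to 6, below the user process that is blocked on it.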

phthisic

As a safe alternative to running without AV, I'd suggest using something like Returnil Virtual System. I set that up for a woman that changes her system very rarely and saves things on external devices, and she is thrilled with it. You no longer need AV because the system is run in a virtual space and the overall speed of the system is much higher.

Some people also leave AV settings at default, and if they are set to scan a file both on open and on close, that is probably overkill. Only on open is really needed.
Microsoft MVP, Windows Shell (2004-2013)

Scott

Avira AntiVir can be configured to scan either (1) Only when reading a file; (2) Only when writing a file (i.e. whenever a file is created or modified); or (3) Whenever the file is read from or written to.  The default is (3), but setting it to (2) will improve performance without totally disabling real-time protection.