ESET freezing Firefox downloads at the end

[HX1]

This an area that I always advise about getting to know and understand.. so I actually agree with alot of what is being said here from both sides of the equation...

Many people complain about a lot of options with ESS, BUT I always say that you need to get acquainted with it. There are several areas here and you have to be aware of how you are tuning your protection to act. VERY few suites have such detailed orientation and allow for such a wide range of customization to allow you configure ESS to perform its best where your system would perform best ( where it can be different depending on the system )

Something I feel that many people really do not take the time to think nor comb through these areas and miss out on the efficiency of a properly configured suite.

[LeetPirate]

but shought if you have time to burn a virus to cd then it means it already broke your defences. Think about it for a moment, there is no way you could burn a zero hour or other threat to a cd unless your AV was already breached and is not detecting it therefore you have a problem. If somebody else burns a new threat on a cd and you insert it in your pc and it gets through your AV then you have a serious problem because your AV didn't receive database updates with the new definitions by that time and your advanced heuristics missed it so you're dead, LOL.

I think ESET covers every base with their AV modules, all removable media is checked with advanced heuristics by default, this includes cds and dvds etc. Web scanner module and email module will check all incoming internet traffic across the commonly used ports. All other ports will be closed by default unless some client on your pc initiates a connection, no outside program could open a port on your pc. So what this means is the web scanner already scanned your download using advanced heuristics and the other modules accepts that result, however FF moves the file from its temp dir to your download location which triggers another scan to be done using advanced heuristics for newly created files. So you see you were already protected. The advanced heuristics I suggested to be turned off will only affect the security of files already on your pc, for example if you unzip an archive, it does not disable advanced heuristics globally for every other module, only for the realtime scanner. These reasons all tend to agree with your thinking that the AH in realtime scanner is kinda useless, however I am still happy that ESET has left it as an option, I like the ability to choose.

If you want super protection you could run avast alongside eset, they play nice as far as I can tell. You could also reduce some of the strain on your pc by using opendns, they use their own advanced heuristics to block botnets and other malware that rely on dns queries to traverse the internet.

@heath: That is one of the many reasons I like to use ESET, they have so many options to fine tune every module just the way you want. :rolleyes:

[KotaXor]

Well, nice tweak to Eset though.

[Jota.Ce]

I told you about this thing... blaming about downloading things such as uTorrent or any NSIS installer eating my whole computer...

Since I'm not sure what context of useless you mean. I'd say it is useless to mean I wish it wasn't there because I don't see the point in having it. Nobody knows how well it really works and I suspect it often results in double scanning because the browser will try to scan the same file then the real time scanner will also scan it at the point where the file is written to the disk. We don't even know which scanner it looks for or what it uses, I really hate that setting, I wish they would take it out.:angry:

However it isn't useless if you mean firefox ignores the setting itself, firefox pays mighty attention to that setting and in 3.7 that setting will also control whether FF obeys the software restriction policies in Windows. That's a good thing because it means when we disable it in 3.7 it will also get rid of that stupid confirmation box that shows up when you try to run an unsigned exe file.

The reason FF might take longer than other browsers might have to do with the way it saves files. From what I have noticed, FF writes to a .part file then copies it over to the real file name which is 2 new file writes and multiple file modifications and reads, whereas IE writes 1 file and fills in the bytes into the same file till it's done. Newly created files receive the most attention from most AV software so FF requires twice the time to do the same file download. This is my theory, I have not really done any extensive testing.

I support this one. I think both files are scanned twice, so a download gets a 4x scan.

I couldn't recommend anyone to disable anything, but i don't know why ESET has same scan strategy in so many different sections of config (and i don't know why Mozilla uses that 2 file downloads, maybe for resuming or just only for reserving file name to avoid naming conflicts?).

And... what do i do?

[Lite]

Eset needs to start centralizing its scanning thats the clear message in here. Its pointless scanning the same file with its realtime scanner and the web monitor.

Security is always going to be a compromise. I could write a heuristic analyser that detects 100% of malware, but it has a false positive detection of 50%, is this better than something that detects 70% with 0% false positive? Clearly it isn't. There are many more compromises.

The important thing is that: you feel comfortable with the compromises you make.

[HX1]

...or gives you the coverage in the areas you likely want it.. depending on the type of usage or differences..

[*dcs18]

This is a very old & known issue which ESET is quite aware of . . . . . and has little choice but to remain mum (since the only workaround has always been to disable NOD32 functions.) Interestingly, this freeze is observed towards the finish line when both the 'Web scanning module' as well as the 'Real-time scanner module' attempt to scan the download simultaneously thus causing this spike in CPU cycles.

[HX1]

@Jota.Ce - Wanted to mention that you can also go into the 'Threat Sense Engine parameter setup' for the section you want to disable or alter.. and enter an exception for a file extension.. such as .part.. This however would not allow the fastest detection but would disable initial scanning of the .part file until it was turned into the original file..accessed modified or altered..

[*dcs18]

Excellent thought.

What I do, whenever I install NOD32 is to add an exception to a folder named 'Downloads' on my Desktop. Just for the records, I've configured downloads from all my downloading programs like IDM, Firefox, Internet Explorer, etc to save to this 'Downloads' folder on my Desktop by default. Hence, I'm not arm-twisted into disabling my real-time scanners.

[shought]

Security is always going to be a compromise. I could write a heuristic analyser that detects 100% of malware, but it has a false positive detection of 50%, is this better than something that detects 70% with 0% false positive? Clearly it isn't.

I've heard (or said?) that one before :P

[HX1]

I've heard it.. but I won't budge.. I just go painful into the night..LOL

[LeetPirate]

The problem is Firefox, Mozilla needs to change the crappy roundabout way Firefox handles downloads. Nod32 is doing exactly what it's supposed to be doing. There is no contention among the protection modules, it's the same kernel service that scans everything. Nod32 is built so that there won't be data contention between itself and other external security software so why would its internal modules have conflicts? If firefox causes multiple file operations then Nod32 is supposed to scan the file because of those file operations, the good thing is ESET gives every possibly option to allow you to tweak it however you want.

[*dcs18]

This issue is not at all a Firefox issue. It's definitely ESET generated.

Proof:-

Try downloading the same file with Firefox after disabling ESET and this issue does not arise. B)

Disabling 'Advanced heuristics' is just a workaround as it only reduces the freeze. The real problem lies in the 'Real-time module' and not with the 'Advanced heuristics.'

Proof:-

Try re-enabling 'Advanced heuristics' and then disable the 'Real-time module.' The freeze is completely eliminated (IMO disabling the 'Real-time scanner is not a good idea, though.) B)

The 'Real-time scanner' and 'Web access scanner' certainly overlap their duties and whether this results in conflicts between the 2 scanners is irrelevant - moot point here is that a freeze is being caused because the 'Real-time module' starts scanning not only the downloaded file but also all other previously downloaded and existing files within that download folder (including the Firefox multi-part.) During this 'Real-time scanning' activity, NOD32 will be busy churning out a lot of temp files and for Chrissake this is going to result in . . . . . . a f-r-e-e-e-e-e-e-z-e. The best solution, IMO is to add the path of the download directory to the exclusions into NOD32 'Real-time scanning.' This is a more practical approach since one need not disable the 'Real-time module' nor 'Web access module' or even the 'Advanced heuristics.'

Proof:-

Try taking a peek into the 'NOD Statistic Monitor' during the download of the same file that is causing the CPU spike. B)

Reminder:-

This is a very old issue which germinated from V3 and has only recently been acknowledged by ESET who had been denying it all through . . . . . until recent times. This solution has worked for me right from V3 days, hope it does for others, too.

[shought]

@dsc18

It really is a Firefox issue.

Obviously it's a combination of two things, but whilst Firefox has this issue, IE, Opera and Chrome work just fine. So it is really Firefox.

Even if the scan causes CPU spikes, it only uses 50% CPU in my PC, but yet Firefox freezes, this is not supposed to happen at all.

[KotaXor]

Guess its our fault.:frusty:

Don't use firefox and eset together.:unsure:

[*dcs18]

@ shought

It's actually an issue which is easily replicated with all browsers. The freeze might seem more pronounced in Firefox, though . . . . . due to the fact that Firefox downloads in a multi-part manner as LeetPirate has rightly pointed out earlier. Other Users on low-powered systems have certainly experienced this freeze on other browsers, too and reported the same. The best way to find this out is to keep an eye on the 'NOD Statistics Monitor' especially during the end of the download (any browser.)

Suggest you to try the different solutions. If you've already done so I might as well give up on this issue . . . . . :dunno:

[shought]

I don't like the idea of entirely disabling scanning in my Downloads folder (I leave everything there and execute it there, so...), but disabling Advanced heuristics made a big difference so I'm happy for now :)

[Jota.Ce]

Is it a good idea disabling "Advanced heuristics" and enabling "Advanced heuristics on file execution" ???

I don't like Mozilla's strategy in downloads, but i suffer 1-2s freeze in Windows when copying certain files (i guess they're NSIS LZMA-compiled installers).

Obviously, when ESET takes all your CPU, it'll only take 1 core (that's why i don't really understand multi-core CPUs with unithread programming, and multithread programming is very complex/unclear). Very few programs use more than 1 core, and when they use it, they don't get very efficient (for example, getting a 50% of speed gain when using 2 cores, obviously, means you are not doubling your performance).

[shought]

Nah, enabling Advanced heuristics on file execution will significantly slow down system performance (at least at first use, maybe ESET somehow keeps track of files and only checks then when something changed, but I think this means ESET will scan the file every time you execute it with Advanced heuristics).

[DKT27]

It's because of Firefox + ESET for sure. Downloading from Chrome, Opera, IDM, does take my CPU to 50-60%. But in Firefox, it just hangs everything. Maybe, both ESET and Firefox should work together to solve this problem.

[Sonar]

It's because of Firefox + ESET for sure. Downloading from Chrome, Opera, IDM, does take my CPU to 50-60%. But in Firefox, it just hangs everything. Maybe, both ESET and Firefox should work together to solve this problem.

I Agree. I Also have the hanging problem. But at times the download may finish but unable to use the setup file :s I re-download in chrome and it works fine.

[Jota.Ce]

Nah, enabling Advanced heuristics on file execution will significantly slow down system performance (at least at first use, maybe ESET somehow keeps track of files and only checks then when something changed, but I think this means ESET will scan the file every time you execute it with Advanced heuristics).

I don't like disabling "Advanced heuristics". But what happens if i disable that and enable "on execution" ??? Slowdowns are only when executed. So there's no loss of security!

If ESET re-scans EXE files everytime, it's a problem, since there are many files loading in your computer each time you boot up.

[LeetPirate]

I don't like disabling "Advanced heuristics". But what happens if i disable that and enable "on execution" ??? Slowdowns are only when executed. So there's no loss of security!

If ESET re-scans EXE files everytime, it's a problem, since there are many files loading in your computer each time you boot up.

Disable AH in the realtime scanner for newly created/modified files, leave it enabled in the web access protection module. ESET has a feature called "smart optimisations" that is supposed to speed up repetitive scanning by some magical techniques which they refuse to divulge. They purposefully refuse to say the exact meaning of smart optimisations because they want the ability to alter it or improve its functionality with updates.

When ESET was beta testing v4 I told them to implement whitelisting to not scan the same file over and over but they actively refused. So yes ESET does scan the same file each time a new file operation is carried out on it. Multi threaded scanning can only scan 1 file per core because it needs independent data streams to work on. Multi threaded scanning only works when scanning multiple independent files.

[Jota.Ce]

I guess you are referring to disable:

- Real-time... -> Advanced config -> AH (and also disable AH on file execution)

And keeping enabled:

- Web Access -> ThreatSense engine parameters-> Analysis options -> AH

I'll try this one, i'm getting tired of slow download screen loading/activation, and slow download finishing...

[HX1]

One more thing, especially with those of us who have single-core chips... Is manually disabling slide notifications in FF.. these notifications can take quite a bit of CPU.. just a tip to help with some of the spike at the end of an action or download in FF..