I'd be wary of many of the most popular "free" AV software; they too often leave something behind even when "fully removed."
If it still works in 10 I'd start with one of the popular old versions of mbam - 1.75. There are instructions on the web on how to stop it updating to the latest program version while still getting the latest virus definitions (and how to avoid 'extras' installing) - set it to run on demand only, leaving Defender as the primary auto-scanner; after all, [normally] Defender ain't bad on 10.
This internet thing is amazing! Letting people use it: worst idea ever!
Dan Neely wrote: On one of my PCs MS's AV tool has gone retarded and is trying to hog ~2.5 cores 24/7.
I'd recommend sticking with Windows Defender. Open PowerShell and do:
Get-MpComputerStatus
If it's in the middle of a full scan you might want to make sure that network drives are not being scanned. (Unless you want this)
Also, you should check if you have sample submission enabled. If something was found on the machine, it may be gathering samples for automatic submission.
Get-MpPreference | findstr Samples
The Defender cmdlet is documented here if you want to mess around with the settings.
Set-MpPreference
Best Wishes,
-David Delaune
modified 2-Aug-18 9:51am.
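As an added example (not part of the post above, and not something its author ran), here is the same triage collected in one PowerShell function: the scan timestamps from Get-MpComputerStatus next to the Get-MpPreference settings that most often explain a MsMpEng.exe that stays busy (scan CPU cap, network and archive scanning, schedule and catch-up scans, sample submission and MAPS). All cmdlet and property names are from the built-in Defender module; the remediation lines at the bottom are suggestions and are left commented out.

```powershell
#Requires -Modules Defender
# Added example (not from the original post): collect the Windows Defender
# settings that most often explain a busy MsMpEng.exe, in one object.
# The Get-* calls run unelevated; the Set-MpPreference lines at the end need admin.

function Get-DefenderLoadReport {
    $status = Get-MpComputerStatus
    $pref   = Get-MpPreference

    [pscustomobject]@{
        EngineVersion        = $status.AMEngineVersion
        RealTimeProtection   = $status.RealTimeProtectionEnabled
        # A FullScanStartTime newer than FullScanEndTime usually means a scan is in flight.
        FullScanStart        = $status.FullScanStartTime
        FullScanEnd          = $status.FullScanEndTime
        QuickScanStart       = $status.QuickScanStartTime
        QuickScanEnd         = $status.QuickScanEndTime
        # Maximum CPU percentage a scan may use; documented range 5-100, default 50.
        ScanAvgCPULoadFactor = $pref.ScanAvgCPULoadFactor
        ScanOnlyIfIdle       = $pref.ScanOnlyIfIdleEnabled
        NetworkFilesScanned  = -not $pref.DisableScanningNetworkFiles
        ArchivesScanned      = -not $pref.DisableArchiveScanning
        # ScanScheduleDay: 0 = every day, 1-7 = Sunday..Saturday, 8 = never.
        ScheduledScanDay     = $pref.ScanScheduleDay
        ScheduledScanTime    = $pref.ScanScheduleTime
        CatchupFullScan      = -not $pref.DisableCatchupFullScan
        # SubmitSamplesConsent as documented for Set-MpPreference:
        # 0 always prompt, 1 send safe samples, 2 never send, 3 send all samples.
        SubmitSamplesConsent = $pref.SubmitSamplesConsent
        # MAPSReporting: 0 disabled, 1 basic, 2 advanced.
        MAPSReporting        = $pref.MAPSReporting
        ExclusionPaths       = @($pref.ExclusionPath).Count
    }
}

Get-DefenderLoadReport | Format-List

# Remediations to pick from once the report points at a cause. Each is a
# documented Set-MpPreference parameter; all are left commented out on purpose.
# Set-MpPreference -ScanAvgCPULoadFactor 20           # cap scan CPU at 20 %
# Set-MpPreference -DisableScanningNetworkFiles $true  # skip UNC/mapped paths
# Set-MpPreference -ScanOnlyIfIdleEnabled $true        # scheduled scans only when idle
# Set-MpPreference -DisableCatchupFullScan $true       # no catch-up after a missed scan
```

ScanAvgCPULoadFactor only limits scheduled and on-demand scans; real-time protection is not throttled by it, so a machine that is busy outside a scan window points at the on-access path (or at something repeatedly touching files) rather than at this setting.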
Randor wrote: Also, you should check if you have sample submission enabled.
As long as MS will silently upload anything it doesn't think contains sensitive information, that setting will remain off. There is no prompt before all uploads option, so it's staying off.
I can try the PS command when I'm home, but all scheduled scans were disabled as part of my earlier troubleshooting, and since I tried running a full one manually I know it only takes 3-4 hours to complete; the one/day that was scheduled shouldn't be pegging my system 24/7.
Did you ever see history portrayed as an old man with a wise brow and pulseless heart, weighing all things in the balance of reason?
Is not rather the genius of history like an eternal, imploring maiden, full of fire, with a burning heart and flaming soul, humanly warm and humanly beautiful?
--Zachris Topelius
Training a telescope on one’s own belly button will only reveal lint. You like that? You go right on staring at it. I prefer looking at galaxies.
-- Sarah Hoyt
Does anything here give you an idea what might be going on? Nothing is jumping out for me.
PS C:\Users\DanNeely> Get-MpComputerStatus
AMEngineVersion : 1.1.15100.1
AMProductVersion : 4.18.1807.18075
AMServiceEnabled : True
AMServiceVersion : 4.18.1807.18075
AntispywareEnabled : True
AntispywareSignatureAge : 0
AntispywareSignatureLastUpdated : 8/2/2018 4:08:51 PM
AntispywareSignatureVersion : 1.273.750.0
AntivirusEnabled : True
AntivirusSignatureAge : 0
AntivirusSignatureLastUpdated : 8/2/2018 4:08:52 PM
AntivirusSignatureVersion : 1.273.750.0
BehaviorMonitorEnabled : True
ComputerID : 4ACCDFA9-756F-4F63-ACFB-94D622CF17B5
ComputerState : 0
FullScanAge : 1
FullScanEndTime : 7/31/2018 11:42:45 PM
FullScanStartTime : 7/31/2018 6:56:34 PM
IoavProtectionEnabled : True
LastFullScanSource : 1
LastQuickScanSource : 2
NISEnabled : True
NISEngineVersion : 1.1.15100.1
NISSignatureAge : 0
NISSignatureLastUpdated : 8/2/2018 4:08:52 PM
NISSignatureVersion : 1.273.750.0
OnAccessProtectionEnabled : True
QuickScanAge : 1
QuickScanEndTime : 7/31/2018 10:51:25 PM
QuickScanStartTime : 7/31/2018 10:47:14 PM
RealTimeProtectionEnabled : True
RealTimeScanDirection : 0
PSComputerName :
PS C:\Users\DanNeely> Get-MpPreference | findstr Samples
SubmitSamplesConsent : 0
PS C:\Users\DanNeely>
Hey,
Is it still at high CPU usage?
Actually it looks great. Looks like your full scans are taking ~5 hours to complete. I am surprised that you have NIS enabled. Is this a server or device exposed to the public?
Could you do one more check? Check to see if Defender has detected any threats:
Get-MpThreatDetection
Randor wrote:
Is it still at high CPU usage?
Currently at a solid 1 core, down from as much as 2.5 cores within the last day.
Randor wrote: Actually it looks great. Looks like your full scans are taking ~5 hours to complete. I am surprised that you have NIS enabled. Is this a server or device exposed to the public?
This is my main personal desktop.
I'd never heard of NIS before today, but after throwing it at Google, I have run into a few articles claiming that other than briefly a half dozen years ago it's been a non-disablable part of MSE.
Randor wrote: Could you do one more check? Check to see if Defender has detected any threats:
I assume this is a negative:
PS C:\Users\DanNeely> Get-MpThreatDetection
PS C:\Users\DanNeely>
Dan Neely wrote: I assume this is a negative:
Yes.
OK, if you really want to explore deeper and have 30 minutes to investigate, then do the following:
1.) Download Microsoft Message Analyzer
2.) Launch the program as Administrator and choose "New Session"
3.) Click the "Add Provider" button and add the Microsoft-Windows-Windows Defender ETW provider to the session.
4.) Choose an appropriate log level (Verbose is default)
5.) Click 'Start'
You will get a very verbose log of what exactly Windows Defender is doing internally.
You can use this to see if Windows Defender is repeatedly scanning the same file/files/folder. Unfortunately I don't think there is a public OPN Parser available for this provider.
Best Wishes,
-David Delaune
modified 2-Aug-18 23:02pm.
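An added example, not from the post above or from Microsoft: the same Microsoft-Windows-Windows Defender ETW provider captured with the built-in logman.exe (Message Analyzer has since been retired) and summarised with Get-WinEvent, followed by the scan and detection events from the Defender operational log. The session name, the 120-second capture window and the temp-file path are assumptions; run it from an elevated PowerShell.

```powershell
# Added example (not from the original post): capture the Windows Defender ETW
# provider with logman.exe, then summarise the trace and the Defender
# operational log with Get-WinEvent. Elevated PowerShell required.

$Provider = 'Microsoft-Windows-Windows Defender'   # provider named in the post
$EtlPath  = Join-Path $env:TEMP 'defender-trace.etl'  # assumed output location
$Seconds  = 120                                       # assumed capture window

function Start-DefenderTrace {
    # -ets creates and starts the session immediately; the keyword mask and
    # level 0xff enable everything at verbose, matching the post's default.
    logman start DefenderTrace -p $Provider 0xffffffffffffffff 0xff -o $EtlPath -ets | Out-Null
}

function Stop-DefenderTrace {
    logman stop DefenderTrace -ets | Out-Null
}

function Get-TraceSummary {
    param([string]$Path)
    # -Oldest is mandatory when reading an .etl file. If the provider manifest is
    # not registered the Message field may be empty, so the grouping is by Id.
    $events = Get-WinEvent -Path $Path -Oldest -ErrorAction SilentlyContinue
    $events | Group-Object Id | Sort-Object Count -Descending |
        Select-Object Count, Name, @{ n = 'Sample'; e = { ($_.Group[0].Message -split "`n")[0] } }
}

function Get-DefenderScanHistory {
    param([int]$Hours = 48)
    # Operational log IDs: 1000 scan started, 1001 finished, 1002 stopped early,
    # 1005 failed, 1116 threat detected, 1117 action taken, 5007 config changed.
    $filter = @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1000, 1001, 1002, 1005, 1116, 1117, 5007
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } }
}

Start-DefenderTrace
Start-Sleep -Seconds $Seconds
Stop-DefenderTrace

"== ETW events by ID, top 15 =="
Get-TraceSummary -Path $EtlPath | Select-Object -First 15 | Format-Table -AutoSize

"== Operational log, last 48 h =="
Get-DefenderScanHistory | Format-Table -AutoSize
```

A scan that keeps restarting shows up in the operational log as repeated 1000 events without matching 1001s, and a configuration that something keeps rewriting shows up as a stream of 5007s; either is cheaper to spot here than in a raw verbose trace.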
Well, i tried. Not sure if I got it set up correctly. It ran, but with a notice about errors/warnings while loading modules, and an error log that looked like it was having network problems.
The collection was on the sparse side afterward. A few hundred items at startup, a hundredish over the next half hour, and then a few hundred more at shutdown.
Looking at the entries in the middle, it looks like a list of running processes/services, I didn't notice any of the files resourcemon suggests it's constantly touching.
This is probably as far as I can take it in the near term. I need a fully functioning system for tomorrow night, and will be booting MSE for something else in the morning.
I did use AVG but it lost a couple of features I liked & kinda turned into spyware wanting to upload your Docs folder to the web...went to Windows Defender and never had an issue.
On Windows 10:
Open Resource Manager (see the bottom left corner of Task Manager's Performance tab), switch to Disk, sort by Image. Do you only have a few instances of msmpeng.exe, or dozens/hundreds? Each instance should show what file it's accessing. Are new instances being created/deleted all the time, or is the list pretty much static?
This should at least give you an idea of WTE is keeping it so busy.
(I'm assuming you're talking about the built-in Windows Defender...third-party AV tools might behave differently)...
dandy72 wrote: third-party AV tools might behave
leap of faith
Don't twist my words by excluding a key part.
I actually wrote they "...might behave differently", not "might behave". Which, you're correct, would absolutely be a leap of faith.
Especially as of late. These days I have no faith whatsoever in third-party AV software making anything better at all.
Just one process. I did notice something screwy comparing resmon with task manager.
According to the resmon's bytes/sec counter, MsMpEng.exe was writing almost constantly and just doing reads in occasional smaller bursts, task manager shows exactly the opposite pattern. A torrent of reading (32GB in the last 24 hours since reboot) and an occasional burst of writing (320mb total since reboot).
Other than that something screwy is going on - which I already knew - this isn't giving me any more of an idea WTE is wrong.
Is it constantly writing to the same file? Anything unusual about said file?
The only thing it's hit continuously for the last 20 minutes has been the NTFS volume log, it's admitted to touching at least 4 other files during that time. OTOH the 2 sets of numbers in resmon don't add up and are much lower than the rate that task managers totals are updating. In the last 75m, according to that it's read 210GB and written 80MB.
https://i.imgur.com/HuntFLY.png
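An added example, not from either poster: the MsMpEng.exe counters that Resource Monitor and Task Manager both read, sampled with Get-Counter so the CPU and disk figures come from one source over one interval. Counter paths are the standard Windows process counters; the 5-second interval and 12 samples are assumptions. It runs in a normal, non-elevated session while Defender is busy.

```powershell
# Added example (not from the original posts): sample MsMpEng.exe CPU and I/O
# counters over one window so the numbers are directly comparable.

function Measure-MsMpEng {
    param([int]$IntervalSeconds = 5, [int]$Samples = 12)

    # Standard process counters; the instance name is the image without .exe.
    $paths = @(
        '\Process(MsMpEng)\% Processor Time'
        '\Process(MsMpEng)\IO Read Bytes/sec'
        '\Process(MsMpEng)\IO Write Bytes/sec'
        '\Process(MsMpEng)\IO Data Operations/sec'
    )
    $data = Get-Counter -Counter $paths -SampleInterval $IntervalSeconds -MaxSamples $Samples

    foreach ($set in $data) {
        $s = $set.CounterSamples
        [pscustomobject]@{
            Time      = $set.Timestamp.ToString('HH:mm:ss')
            # % Processor Time counts 100 per logical CPU, so 250 means ~2.5 cores busy.
            Cores     = [math]::Round(($s | Where-Object Path -like '*% Processor Time').CookedValue / 100, 2)
            ReadMBps  = [math]::Round(($s | Where-Object Path -like '*IO Read Bytes/sec').CookedValue / 1MB, 2)
            WriteMBps = [math]::Round(($s | Where-Object Path -like '*IO Write Bytes/sec').CookedValue / 1MB, 2)
            IOPS      = [math]::Round(($s | Where-Object Path -like '*IO Data Operations/sec').CookedValue, 0)
        }
    }
}

$interval = 5
$rows = Measure-MsMpEng -IntervalSeconds $interval -Samples 12
$rows | Format-Table -AutoSize

# Totals over the window, comparable to Task Manager's cumulative I/O columns.
$readMB  = ($rows | Measure-Object ReadMBps  -Sum).Sum * $interval
$writeMB = ($rows | Measure-Object WriteMBps -Sum).Sum * $interval
"Over $($rows.Count * $interval) s: read {0:N1} MB, wrote {1:N1} MB" -f $readMB, $writeMB
```

The process IO counters (and Task Manager's I/O columns) count every read and write the process issues, including network, pipe and device I/O, while Resource Monitor's Disk tab lists file-level disk activity only, so the two views do not have to agree. A high IOPS figure with low read bandwidth is the pattern of many small reads of metadata or small files rather than one large scan.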
I wonder if running chkdsk at the deepest level (if there's still such a thing nowadays) might fix something that Defender is struggling with...admittedly this is pure speculation from my part...and probably as useless as some of the other suggestions you've already come across.
I would also try getting rid of older volume shadow copies - there's no point keeping those around and having Defender scan them (assuming it does) if there's nothing you think you'd ever need to recover. Try this from an admin prompt:
vssadmin delete shadows /all
Maybe with these gone, it'll quiet down Defender.
If it doesn't help...well, that was my best shot so far. I'd be curious to know one way or another if you do find a solution.
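An added example, not from the post above: an inventory of the VSS shadow copies and the space they occupy before anything is deleted, since "vssadmin delete shadows /all" also removes every System Restore point and Previous Versions history on the machine. Whether Defender scans shadow copies is the post's assumption, not something checked here. Class and property names are the standard Win32 VSS ones; the 14-day retention and the $DoDelete guard are assumptions. Elevated PowerShell required.

```powershell
# Added example (not from the original post): list shadow copies and their
# storage, then optionally delete only the ones older than a cutoff.

function Get-ShadowInventory {
    $copies = Get-CimInstance -ClassName Win32_ShadowCopy |
        Select-Object ID, InstallDate, VolumeName, Persistent, ClientAccessible |
        Sort-Object InstallDate

    $storage = Get-CimInstance -ClassName Win32_ShadowStorage |
        Select-Object `
            @{ n = 'UsedGB';      e = { [math]::Round($_.UsedSpace / 1GB, 2) } },
            @{ n = 'AllocatedGB'; e = { [math]::Round($_.AllocatedSpace / 1GB, 2) } },
            @{ n = 'MaxGB';       e = {
                # UINT64 max means "no limit" for the diff area.
                if ($_.MaxSpace -eq [uint64]::MaxValue) { 'unbounded' }
                else { [math]::Round($_.MaxSpace / 1GB, 2) } } }

    [pscustomobject]@{ Copies = @($copies); Storage = @($storage) }
}

$inv = Get-ShadowInventory
"Shadow copies: $($inv.Copies.Count)"
$inv.Copies  | Format-Table -AutoSize
$inv.Storage | Format-Table -AutoSize

# Delete copies older than the cutoff, one GUID at a time, instead of /all.
# Nothing is removed unless $DoDelete is flipped to $true.
$KeepDays = 14
$DoDelete = $false
$stale = $inv.Copies | Where-Object { $_.InstallDate -lt (Get-Date).AddDays(-$KeepDays) }
"Older than $KeepDays days: $(@($stale).Count)"
if ($DoDelete) {
    foreach ($c in $stale) {
        vssadmin delete shadows /shadow=$($c.ID) /quiet
    }
}
# Equivalent to the post's command, left commented out:
# vssadmin delete shadows /all /quiet
```

Run the inventory once before and once after: if MsMpEng.exe was actually working through the diff area, UsedGB drops and so should its disk reads; if the reads stay the same, shadow copies were not the cause and the restore points were lost for nothing.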
I'll poke those and update when I do, but it'll probably be Sunday at the earliest before I have the time.
No hurry - it's just morbid curiosity from my part. It's your system that's suffering from it in the meantime.
I had this problem under Win7, solution was to just right click on the defender icon on the task bar, find the settings and turn off real time disk/memory scanning.
It still kept a watch on what was in memory, and stopped threats getting in, but it wasn't constantly scanning the hard drive looking for threats.
Not seen it re-occur since I moved to W10 tho.
The current version doesn't let you permanently disable major components other than the upload to cloud for analysis stuff because lots of enterprise customers would also balk at that. As do I since the only 2 options when it's enabled are "silently upload anything of concern" and "only prompt for things MSE thinks might have sensitive information". There is no "prompt before all uploads" option. If the latter did exist I'd probably enable the feature, but I don't trust any Artificial Idiot to always get things right.
Ah...
As I say it was back under Win7 when I used to have those problems.
The only problem I have now is how overzealous the damn thing is.
"I Found a Trojan in your System, OMG, OMG, OMG.... call the police, sound the alarms...", Erm, yeah Defender, that trojan happens to be Sony Sound Forge, I re-installed from its original CD, and I've been using it for years..... repeat ad infinitum....
Peter Shaw wrote: "I Found a Trojan in your System, OMG, OMG, OMG.... call the police, sound the alarms...", Erm, yea Defender, that trojan happens to be Sony Sound Forge, I re-installed from it's original CD, and I been using it for years..... repeat ad infinatum....
I know that feeling. I installed a trial of FSecure this morning did a full system scan, it flagged an apparent old game install as adware. I didn't do anything before leaving for work, will probably feed it to virus total tonight and see what the rest of the world thinks.
I tend to stay clear of "free" AV products for obvious reasons already discussed.
If you have a good enough reason to buy around 5 licenses, some of the premium security suites can be had for around $5-$8/seat. Even then, you could sell the other licenses you don't need to friends or family. I happen to have that exact number of PCs (5), so I do this every year.
As for software utilizing your CPU cores, it might be helpful to know which CPU you are using. Core over utilization can be a real serious thing, especially if you are running WIN10 on an older CPU.
Best of luck,
i7-4790k, overclocked to IIRC 4.8 or 5Ghz.
Let's see... My time is worth $200/hr.
My 3 years of ESET for 6 Computers cost me less than that.
Once setup, when I pay in the future, all computers see the new expiration date.
AND they include the newest version of the software with this fee structure.
It's fast, and if you upgrade early, it extends your expiration date properly (unlike norton).
So... 1 hr of time buys me 3 years of peace of mind, on all the computers I need.
I barely ever NOTICE ESET hogging cpu (over a slow VPN, yeah, but EVERY scanner will do this).
Ignoring the time spent "Dealing" with this stuff and the Lost CPU time justify the cost!
PS: In a past life, I went in and cleaned up machines for clients whose employees got infected... And it became so common that the owner said the employee would absorb my charges when it happened on their computer... Funny how much less I showed up after that. LOL.