ERRORS WITH BUILD 7014 WHEN RUNNING OTHER TASKS DURING MANUAL SCAN


Yilee


***If someone knows an easy way to add the missing images I will get it done, Thanks

The following article is about Misc. EAM Build 12.1.1.7014 Issues that can occur during a malware or full custom Scan at the beginning of the scan when EAM stalls for a bit of time when the scan is just starting. I call it the "scan stall period". I have identified that if you open certain processes/tasks during this stall period these tasks will fail with error codes and all seem to be related to EAM not releasing (still in use) the processes for the user to use them.

***These errors are more easily duplicated when running a Full Custom Scan where on my laptop the scan usually always stalls for a bit at 50%. The stall is less noticeable on the Malware Scan but the same errors can be produced if you are fast enough to open certain Tasks. On Build 6859 this problem does not exist. I often start manual Scans and also begin certain maintenance checks during the beginning stages of most all manual scans that I trigger. The tasks that are affected during the starting stage of scans of Build 7014 to my knowledge are:

***Task Manager ***Event Viewer ***Run Maintenance Tasks in Action Center

***Saving WordPad rtf. files during scan problems (did not try Word).

****Also after enduring all of these problems (3 acronis system restores and duplicating the issues over and over in slightly different approaches) during a roll-back to delayed Build 6859, EAM would not start at reboot and showed brown in Taskbar and nothing would work for several minutes. After several minutes it would show green and Build 6859 would work but would keep failing at additional re-boots. I blame that problem on corruption caused by Build 7014, because when I used a recent System Restore point to correct the problem, the Restore succeeded but hung with a blank blue screen for a minute before explorer opened and the successful dialog box showed up. After that happened my system was corrupted. Instead of using Acronis to restore I reviewed the Event Viewer and saw a Service problem with the Windows Presentation Font Cache. I fixed that problem by deleting the font cache file in system32 and rebooted and the system was OK. Google the Procedure if affected.

THE FOLLOWING IS MY STORY CONCERNING BUILD 7014 WITH THE FOLLOWING MITIGATING FACTORS:

*** I patched 2 windows 6 64Bit systems a laptop and a desktop with MS Update patches from July through Nov. Only Net.framework, Security Only Monthly and a few misc. patches. No telemetry or new features. I immediately noticed that I was getting the same (5) lsass registry leaks from Local User SID's which I attributed to 2 MS patches that hardened SMB 445 Protocol for Homegroup and Remote connections. I plan on removing these patches. On both computers, I share common data folders on Drive C: and share them through homegroup. When I disable the sharing of these folders in Homegroup the lsass.exe registry leaks disappear but are replaced with registry leaks from a2Service.exe with Build 6859. These leaks are not present with Build 7014, but the problems that it causes are the worst I have seen in a long time considering how cautious I am.

***Over the next few days I got hit with the stable EAM Build 7014 and immediately had the following problems. I have since successfully rolled back to EAM build 6859 and everything is just fine except for the Registry leaks that it causes when Re-booting. The following is what I encountered when initiating a manual Full Custom Scan and immediately trying to run the following tasks:

1. If you open Task Manager during the "Scan Stall Period" it will cause EAM to stop scanning and no Log File will be created and other issues become present once this occurs such as:

***See Event Viewer Admin Log BELOW produced when opening up Task Manager during the "Scan Stall Period", see error (red error, not warning) as follows:

******taskhost (4060) WebCacheLocal: An attempt to open the file "C:\Users\YEL\AppData\Local\Microsoft\Windows\WebCache\V01.chk" for read / write access failed with system error 32 (0x00000020): "The process cannot access the file because it is being used by another process. ". The open file operation will fail with error -1032 (0xfffffbf8).

 

2. *related to the above, once the scan fails and you close EAM Program Dialog UI Box and if you try to run the "Action Center\TroubleShooting\Run Maintenance Tasks" it will fail to run with the following error (see error dialog boxes below or Event Log Entries):

 

     

 *However, if you go directly to the Run Maintenance Task without first opening "Task Manager" during the "Scan Stall Period" the same error as above will also occur.

*Also, if you wait for the "Scan Stall Period" to finish and resume its normal scanning and do not immediately begin the mentioned maintenance tasks, the above problems do not occur. I usually like to perform certain maintenance checks as soon as I start manual scans. It's just a habit. I never had this problem with any of the older Builds of EAM.

*Lastly, once you receive the below error dialog box, the only way to clear it up is to Re-Boot. Also, and most importantly if before rebooting if you try to update EAM 7014 you will get the other EAM "Unexpected Internal Processing Error Occured" which a re-boot will clear up also. I have duplicated this behaviour on 2 separate computers. Also other regular programs during the period before Re-boot become sluggish when trying to open them (don't open right away).

***The following is the error box that is received if you try to update EAM before Re-booting to clear up the Failed EAM Scan.

OTHER NOTES: *The laptop has never produced significant issues since bought.

*The problems above will occur on Admin or Standard User Profiles.

*The problem continues to re-occur after Re-Boots when trying certain tasks during the initial "scan stall period". But, if you do not attempt to run any maintenance tasks, the EAM scan will complete successfully and produce a log if left alone and you don't try to run certain other Tasks as I will continue to describe, plus none of the problem effects described so far will occur after a successful EAM Scan when left alone to complete.

3. Another Problem that can occur during the initial "Scan Stall Period" when trying to access the Event Log Viewer:

 

Notes about the above error:

* A reboot is not required for any reason after a few minutes once EAM finally offers a dialog box to confirm "Stop Scan". When the above error alerts happen, I always click pause then stop on the EAM Scan but it does not respond until several minutes later. Once it does respond with "do you really want to stop the scan" and click OK, then EAM will Update normally and the Event Viewer will work again and there are no problems with the Action Center. Everything seems OK, I believe because EAM has released its use of the files needed to run the MMC snap-in/Event viewer and other items. I believe this is the case because in this case clicking OK to stop Scan causes EAM to release the needed files.

* Of course if you try to do anything before clicking OK to stop scan or if it's not offered then the Event viewer will continue to fail and an EAM update will produce the "internal processing error" dialog box. Plus, because the severity of the MMC Snap-in error seems more severe, if I continue to open other processes such as "Run Maintenance Task" in the Action Center and then Trying to update EAM and then producing the EAM "internal processing error" and then trying to Re-Boot, the following occurs likely due to OS corruption:

***Re-boot hangs during the "windows is shutting down" and requires turning off the laptop. I have my Power Button set to turn the laptop off just for such occasions. Sometimes I remove the Batteries in order to make sure any corrupted CMOS settings are removed.

*** Also during the 1st part of the Re-boot process the screen shows that "TaskHost" is having trouble shutting down processes that refuse to close (EAM I suppose) and thus causes the shutting down/reboot process to hang and lock up permanently. The only way to solve the issue is to power off the laptop.

***After Turning off the laptop and then back on with the power button and automatically brought to the "Safe Mode" screen I enter safe mode and run a CHKDSK which shows no problems. Also SFC /scannow shows no errors.

****The "Scan Stall Period" is much more pronounced on Full Drive C: Custom scans and gives a user more time to open other Maintenance Task such as Event Viewer, ETC... Once the EAM scan gets past the "Scan Stall Period" the "Event Viewer" will work again. However the following errors can still be produced after the Full Drive C: Custom scan has been running for quite a while:

***Problem saving WordPad rtf file:

 

****As you can see I was unable to save to WordPad concerning this very document.

****Also Run Maintenance Tasks in Action Center completed the 1st standard user part but failed with the above error under the "run elevated as Admin" portion of the task.

****The spinning scan Icon continues to be active in the Taskbar even after pausing and trying to stop the scan. Eventually, EAM after several minutes will respond to the Stop Scan button and then I am able to save changes to my WordDoc, also the Elevated Run Maintenance Tasks in Action Center will run properly again without rebooting.

Conclusion: This is complicated and I only have 2 days to renew my license. I will at this point roll EAM back to Delayed Updates and will just have to put up with the Registry Handle Leaks as long as none of the above effects are still present. I usually get a 1 yr/3 computer license and I was trying to get this resolved before renewing. I like a lot of the features offered on EAM and do not believe there are any other lightweight/unintrusive/not privacy invasive AV's available. What to do????

NOTE: Well I decided to again go back to the delayed Updates EAM build 6859 and to renew for now but now I encountered new problems after rolling back to build 6859 as I mentioned at the beginning of this article:

***Delay with EAM, WiFi, and anything else at startup after reboot. EAM shows Brown color and cannot be accessed after trying several reboots.

***(7) Registry Handle Leaks when rebooting only from the standard user profile. (2) from A2Service.exe and (5) from lsass.exe

***Taskhost when shutting down on all profiles shows delay in closing a program.

***New Event Viewer Error(red error) as follows:

 

SO I TRIED THE FOLLOWING:

***I did a System Restore to the point just before I allowed EAM to Update to Build 7014 but that did not help and the same above Font Cache Error at startup remained. I have used System Restore in the same manner in the past and it usually corrects such problems as the Delayed Build 6859 did not cause this problem just before updating to build 7014.

****SEEMS LIKE ALL OF THE TROUBLESHOOTING EARLIER ON WITH BUILD 7014 DAMAGED MY "FONT CACHE SERVICE" IN A MANNER THAT SYSTEM RESTORE CANNOT OVERCOME OR THE ROLLBACK REMAINED CORRUPTED.

I eventually fixed the above Font Cache Error and Rolled back to delayed build 6859 and everything is ok. I am not worried about my Registry Handle Leaks from a2service.exe or from lsass.exe because I am on a well insulated LAN with an external UTM Gateway with external BlueCoat content protection, IDP and Anti-Virus. I also do not ever make any remote connections. So, I know that my leaks are being caused locally likely by the new SMB 445 Protocol patches from MS and because I share common folders on Drive C: and use Homegroup. The Leaks do not occur if I turn off Homegroup.

I have also Renewed for 1 more year. I would like to suggest that Emsisoft stop trying to be everything to everyone and stick to an unbloated version of EAM, but at least stay compatible with Sandboxie and whatever else works with it now. Improving current features is fine but adding a lot of new features over time will put you out of business. InvinciaX is a new malware program on the horizon that I am keeping an eye on. Made by the same group who bought Sandboxie, which has been the most excellent 3rd party program that I have ever had the pleasure to use.

I'm sure someone will duplicate these problems and send you guys some logs. I'm done with this stuff for a while. This wore me out.

PS: Re-booting does not permanently solve this issue. It will continue.

 *** As I mentioned at the top, there are missing images and if there is an easy way to insert them , please advise.

 

Edited by Yilee
I do not know how to insert images, snipping tool not working
Link to comment

You will have trouble with system I/O performance while scans are running until we are able to fix the I/O related issues. I've noticed that it can cause some system stability issues while scans are running, so for now I recommend (if possible) running scans at times when you aren't planning on using the computer.

Link to comment

12 hours ago, GT500 said:

You will have trouble with system I/O performance while scans are running until we are able to fix the I/O related issues. I've noticed that it can cause some system stability issues while scans are running, so for now I recommend (if possible) running scans at times when you aren't planning on using the computer.

Thank You for the timely info.

The problems are definitely related to .IO.IO input output errors as far as running Event Viewer/MMC Snap-In is concerned as there was an image that I included(several images) that I could not figure out how to attach or insert. I was tired and I don't blog much, I usually fix my own problems only with research. The problem is related to EAM not releasing the needed files to run various other tasks when it is running, especially during the starting phase of a manual scan. So, I have the following questions to GT500:

1. Does EAM Build 7035 address this particular issue? From what I can tell it doesn't. If that's the case, then should I stay on delayed build 6859 for a while longer or are the a2service.exe registry leaks a concern for me even if I am protected by a secure LAN/UTM Gateway and I'm not involved with remote connections, VPN or other similar outgoing connections?

2. Is there an easy way to insert images or upload jpeg's or gif's using Microsoft's built-in Snipping Tool if I first save the image using the "Snipping Tool" to a desktop file. The FILE choices are: PNG, GIF, JPG, AND MHT. What is the procedure? I couldn't find an FAQ section to address such a question. I am not interested in creating an online dropbox link account or anything similar. Thanks again. Looks like I figured out how to add an image. I guess you have to do it where the cursor is at the time you hit save edit.

The following are the images that I wanted to insert in my primary post but didn't know how to get it done:

1.JPG

2.JPG

3.JPG

4.JPG

5.JPG

6.JPG

7.JPG

Link to comment

Does the new beta resolve the issue for you? Here's how to try the beta:

  1. Open Emsisoft Anti-Malware.
  2. Click on Settings in the menu at the top.
  3. Click on Updates in the menu at the top.
  4. On the left, under Update Settings, click on the box to the right of Update feed and select Beta from the list.
  5. Click on the Update now button on the right side.
Link to comment

2 hours ago, GT500 said:

Does the new beta resolve the issue for you? Here's how to try the beta:

  1. Open Emsisoft Anti-Malware.
  2. Click on Settings in the menu at the top.
  3. Click on Updates in the menu at the top.
  4. On the left, under Update Settings, click on the box to the right of Update feed and select Beta from the list.
  5. Click on the Update now button on the right side.

I missed that Build 7035 was a Beta release. After looking at the list of issues that were addressed I did not see any evidence that addressed problems that can occur when trying to run other windows maintenance tasks at the same time a manual scan is initiated. Could you please consult with the team working on this matter if the fix is included in this beta or if the investigation is still ongoing. I noticed that another poster named Reerden recently sent in diagnostic logs concerning this very issue 12 hours ago about the same time the Beta release came out. I also read your reply to Reerden that the team believes that this issue has been fixed in the current 7035 beta release. I will wait for the stable release and for some feedback from Reerden.

However, I still would like some input about these Registry Handle Leaks (Build 6859) when they occur on a locked down LAN system where users never use Remote connections ETC....??? Do they still present a risk when browsing the internet?? I ask because I do not know how long I will have to stay on build 6859. Thanks

Link to comment

17 hours ago, Yilee said:

After looking at the list of issues that were addressed I did not see any evidence that addressed problems that can occur when trying to run other windows maintenance tasks at the same time a manual scan is initiated.

The issue, as I understand it, was caused by too many file handles being opened (and not being closed). That issue has been resolved in the beta.

 

17 hours ago, Yilee said:

However, I still would like some input about these Registry Handle Leaks (Build 6859) when they occur on a locked down LAN system where users never use Remote connections ETC....??? Do they still present a risk when browsing the internet??

I don't think they posed a threat per se, however the full extent of the issue was never explained to me.

 

17 hours ago, Yilee said:

I ask because I do not know how long I will have to stay on build 6859.

The registry leak was already fixed. If you switch to the current stable build (12.1.1.7014) then you should no longer have the problem, and that will be the case with the beta as well.

Link to comment
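
A handle leak of the kind described in the reply above shows up as a per-process handle count that keeps climbing and never falls back. As an added example (not Emsisoft's code and not part of the original posts), this PowerShell samples that count with Get-Process and flags sustained growth; the process name a2service, the function names, the thresholds and the sample numbers are assumptions.

```powershell
# Added example: sample a process's open-handle count and flag steady growth.
# Assumptions: process name 'a2service' (from a2service.exe in the thread),
# sample count, interval and growth thresholds are illustrative choices.
function Get-HandleSamples {
    param(
        [Parameter(Mandatory)][string]$ProcessName,
        [int]$Samples = 12,
        [int]$IntervalSeconds = 10
    )
    for ($i = 0; $i -lt $Samples; $i++) {
        $procs = Get-Process -Name $ProcessName -ErrorAction SilentlyContinue
        if (-not $procs) { throw "Process '$ProcessName' is not running." }
        # Sum across instances in case several processes share the name.
        $total = ($procs | Measure-Object -Property HandleCount -Sum).Sum
        [pscustomobject]@{ Time = Get-Date; Handles = [int]$total }
        if ($i -lt $Samples - 1) { Start-Sleep -Seconds $IntervalSeconds }
    }
}

function Test-HandleGrowth {
    param(
        [Parameter(Mandatory)][int[]]$Counts,
        [int]$MinGrowth = 500,          # net handles gained before we care
        [double]$MinRisingShare = 0.8   # share of intervals that must not drop
    )
    if ($Counts.Count -lt 3) { throw 'Need at least three samples.' }
    $rising = 0
    for ($i = 1; $i -lt $Counts.Count; $i++) {
        if ($Counts[$i] -ge $Counts[$i - 1]) { $rising++ }
    }
    $net = $Counts[-1] - $Counts[0]
    $risingShare = $rising / ($Counts.Count - 1)
    [pscustomobject]@{
        First         = $Counts[0]
        Last          = $Counts[-1]
        NetGrowth     = $net
        RisingShare   = [math]::Round($risingShare, 2)
        # Healthy processes open and close handles, so counts wander up and
        # down; a leak gains handles in nearly every interval.
        SuspectedLeak = ($net -ge $MinGrowth -and $risingShare -ge $MinRisingShare)
    }
}

# Constructed samples (not measurements from the thread): one leaking, one steady.
$leaking = 1200, 1850, 2600, 3400, 4100, 4900
$steady  = 1200, 1350, 1180, 1290, 1210, 1260
Test-HandleGrowth -Counts $leaking
Test-HandleGrowth -Counts $steady

# Live use on a machine where the service is running:
# Test-HandleGrowth -Counts (Get-HandleSamples -ProcessName a2service).Handles
```

Sampling across the start of a manual scan and comparing builds gives a before/after figure to attach to a support report.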

On 12/23/2016 at 8:51 PM, GT500 said:

The issue, as I understand it, was caused by too many file handles being opened (and not being closed). That issue has been resolved in the beta.

 

I don't think they posed a threat per se, however the full extent of the issue was never explained to me.

 

The registry leak was already fixed. If you switch to the current stable build (12.1.1.7014) then you should no longer have the problem, and that will be the case with the beta as well.

Thanks GT and the Rest of the Team, my computers are doing well on the new Beta 7035. This ordeal was tough on me because I had just patched both of my computers with 5 months of Windows update patches just a few days before Build 7014 was released. So, between the previous registry leaks and then the problems with Build 7014 I have vowed never to wait so long in between Windows updates. In my case the issues had so many possibilities which caused me extra effort. I have learned my lesson. Thanks again for the feedback.

Link to comment

11 hours ago, GT500 said:

Thanks for letting me know. If you have any other feedback about the beta, then please be sure to post it here so that I can forward it to our QA team. ;)

Just to let you know, the lsass.exe registry handle leak warnings that I was getting at the same time that I was getting some a2service.exe leaks on the Builds prior to 7014 were not related. I'm sure you knew that. Many people on the internet have searched and failed for an answer concerning lsass.exe. I spoke too soon after updating to EAM 7035 and was getting them again after tweaking and rebooting both of my machines. I had to get serious about how to frame my search criteria on google and finally hit pay-dirt. In my case both computers were using SSD's and the laptop's USB 3.0 backup drive was also a SSD. The answer that I found on Expert's Exchange was to uncheck the "Enable Write Caching on this device" for any SSD drives, even the usb backup ssd. The solution worked immediately upon reboot. I don't perceive any reduction in performance and my Acronis backups to the USB SSD are possibly faster. I have read other articles that disagree about whether there is actually any performance degradation concerning SSD drives. On mechanical drives it's best to leave the option checked. My opinion is that there is no noticeable difference on SSD drives. I am also quite sure that these separate lsass.exe leak alerts were caused by a windows update patch between July and Nov 2016. I know this is off topic but I like to help when I can.

 

Link to comment

19 hours ago, Yilee said:

The answer that I found on Expert's Exchange...

Interesting, the last time I checked Expert's Exchange was just a click-bait website mimicking Stack Exchange, and trying to get people to pay money to see hidden "answers" to questions.

As I understand it, disabling write caching shouldn't be a big deal with an SSD, although it may increase the amount of writes to the SSD in the long term. Although most SSD's can handle this, so as long as it resolves your problem then there should be absolutely nothing wrong with it. ;)

Link to comment
