heol

Very High Memory Usage

Recommended Posts

I'm using the title of the thread to write about my first-time problem with emsisoft protection service (a2service.exe) halting my system for prolonged periods during the day by steadily occupying 4GB of RAM!

I've been using emsisoft for years and I never saw such a high number of memory usage before.

when it happens the PC is either idle or used for standard tasks, internet is on, protection is active.

any ideas?

thank you

 

 

Share this post


Link to post
Share on other sites

@heol - which version of Windows are you using and where precisely did you get the 4GB RAM occupation figure from?

Here, using Win8.1 64bit,  a2service has a current virtual storage use of 1.13 GB, though it's peaked a little higher... but current use (ie working set) is around 260 MB.

 

I did report a problem (in EIS in 2016) where on my system (and it seemed almost no-one else's) real storage use climbed and climbed.  That was a problem in one of the firewall drivers which kept asking the OS for 'virtual' storage of a special kind - the non-paged pool - which in practice has to be backed by real memory and the pages never paged-out... so it might as well have been real memory that was requested.   Eventually the problem went away.

Share this post


Link to post
Share on other sites

@JeremyNicoll, I'm using Win7-64bit / 8GB RAM and I got the 4GB figure from two different Task Managers.

10 minutes before writing this the windows task manager showed 4.8GB - The regular workload is 150-300Mb.

Share this post


Link to post
Share on other sites

Do you have a scheduled scan configured to run some time before you saw the high memory usage?

Share this post


Link to post
Share on other sites
11 hours ago, GT500 said:

Do you have a scheduled scan configured to run some time before you saw the high memory usage?

No, I don't have scheduled scans configured in my system.

the problem has come a couple of times these last days, and in more than one case the high RAM warning appeared together with Firefox browser being totally unresponsive.

at that point the task manager clearly blamed Emsisoft  for high memory usage while Firefox appeared innocent...

anyway,thank you for answering :) 

Share this post


Link to post
Share on other sites

How often are your EAM signatures updated? I'm asking because my Firefox browser is also totally unresponsive whenever EAM updates its signatures. As soon as the update process is over, things are back to normal.

Share this post


Link to post
Share on other sites
3 minutes ago, Buddel said:

How often are your EAM signatures updated? I'm asking because my Firefox browser is also totally unresponsive whenever EAM updates its signatures. As soon as the update process is over, things are back to normal.

I've been using EAM together with Firefox for a long time - it's the first time I noticed some possible interference.

Share this post


Link to post
Share on other sites

Nowadays I use 'Process Hacker' rather than Task Manager... and in any case have no idea what columns the TM in Win7 can display.  Microsoft's earlier versions of TM don't go into enough detail to help solve problems with excess memory use.    In Process Hacker, for example, I currently have columns in the detail display that show: Private bytes, Private WS (working set), Virtual size, Working Set, Maximum working set, Minimum working set, Non-paged pool, Peak non-paged pool, Paged pool, Peak virtual size... and there are others I could've turned on.

If your TM doesn't offer this level of detail I suggest you install Process Hacker for a while and try to find out where most of that storage is going.   You might also find it useful to read through an older thread... http://support.emsisoft.com/topic/20057-possible-virtual-memory-problem-with-a2serviceexe/    as it contains URLs for articles that explain more about the way that Windows manages virtual storage, and also mentions some of the tools I used while trying to find out what was causing my problem.

 

Share this post


Link to post
Share on other sites

thank you Jeremy!

I've used ProcessHacker before and I'm aware of its functionality. I re-installed it in case EAM misbehaves again. 

:) 

Share this post


Link to post
Share on other sites
10 hours ago, heol said:

I've used ProcessHacker before and I'm aware of its functionality. I re-installed it in case EAM misbehaves again.

Do you know how to save a memory dump with Process Hacker? If so, then turn off the Self Protection in Emsisoft Anti-Malware's settings, and the next time you see the high memory usage try saving a memory dump of the process. You'll probably need to use 7-Zip so that you can compress it using LZMA2 compression to get the smallest file size (RAR may work as well, however I would believe that in most applications LZMA2 does compress better than RAR). You may also need to use a file sharing service such as WeTransferMega, etc. to send us the file. If the file sharing service requires that you send the file via e-mail, then just enter support@emsisoft.com and be sure to include a link to this forum topic in your message.

 

13 hours ago, heol said:

at that point the task manager clearly blamed Emsisoft  for high memory usage while Firefox appeared innocent...

While I can't say that it is Firefox's fault, note that memory usage of a2service.exe _does_ increase based on running programs as it needs to load more and more of its database into memory. Although, that only applies if the memory usage optimization is turned on, since it offloads unused parts of the database into the pagefile to reduce memory usage.

  • Upvote 1

Share this post


Link to post
Share on other sites

thank you Arthur  :)

nothing has happened since my last post but if it does I will follow your guide.

have a nice day!

Share this post


Link to post
Share on other sites

We've received the file, and I'll pass it on to QA as soon as I have managed to finish downloading it. ;)

Share this post


Link to post
Share on other sites

Do you have real-time protection turned on in Malwarebytes Anti-Malware?

Also, I'm seeing running drivers from Zemana Anti-Malware in the logs, however I don't see the service from Zemana Anti-Malware. Do you have software from Zemana installed, or are these just leftovers from a previous install?

Share this post


Link to post
Share on other sites

yes I have real-time protection ON in MBAM.

Zemana - I don't remember using anything from them recently, except for some short trial maybe, in the past.

thank you ;)

Share this post


Link to post
Share on other sites

Analysis of the memory dump shows that there are two very large (roughly 2GB) files in your Quarantine, and when the memory dump was saved EAM was loading them into memory in order to scan them. In theory this is due to the Quarantine rescan that happens after updates are installed, however we are only assuming that since we don't have debug logs (the memory dump doesn't actually say why the Quarantined files were being scanned).

If you delete those large files from your Quarantine, then that should resolve the issue.

  • Upvote 1

Share this post


Link to post
Share on other sites

Does that mean that EAM should only load one such file (for re-scanning) at a time?    And maybe also that automatic rescan should be skipped for files greater in size than some threshold amount?

Share this post


Link to post
Share on other sites

my EAM Quarantine is clean now.

I hope that will solve the issue so I won't have to bother you again.

thank you very much mr.Wilkinson! 

 :):)

Share this post


Link to post
Share on other sites
10 hours ago, JeremyNicoll said:

And maybe also that automatic rescan should be skipped for files greater in size than some threshold amount?

There's already a file size limit for the scanner. It doesn't apply to Quarantine rescans. This is partially due to the need to rescan things in the Quarantine to determine if they are safe to restore (in case of false positives), and partially due to the fact that the only way for a file that large to get into the Quarantine is for someone to manually place it there (which means it's something that doesn't normally happen).

 

10 hours ago, heol said:

thank you very much mr.Wilkinson! 

You're welcome. ;)

Share this post


Link to post
Share on other sites

> There's already a file size limit for the scanner. It doesn't apply to Quarantine rescans. ...

Maybe it should then.  The OP wouldn't have had the problem if their two huge files had been skipped.   I'm not saying that they shouldn't be scanned at all, but since on anyone's system scanning a huge file is likely to tie up the machine and its resources for ages, maybe a user should be asked if the huge file should be auto-scanned 'now' (with slowdown etc a likely consequence) or skipped. 

Also... why did memory use climb to well over 4 GB?  Was the excess due to /both/ large files being in memory at the same time?   If so, that seems stupid.  

Also... the file-size limit that applies to other scans... is this an absolute size (set to what, where?) or is it a percentage of the installed RAM plus page file sizes on a particular machine? 

Share this post


Link to post
Share on other sites
On 2/10/2018 at 7:27 AM, JeremyNicoll said:

Maybe it should then.  The OP wouldn't have had the problem if their two huge files had been skipped.

He is, as far as I can recall, the first person to report such a problem. As I said earlier, the only way for large files like that to end up in the Quarantine is for someone to place them there manually, so it's not something that's going to happen on its own.

 

On 2/10/2018 at 7:27 AM, JeremyNicoll said:

Also... why did memory use climb to well over 4 GB?  Was the excess due to /both/ large files being in memory at the same time?   If so, that seems stupid.

Yes, that's how our scanner works. It loads a file for each thread that is processing scanned files, which means if your CPU can process 8 simultaneous threads, then the scanner will load 8 files into RAM at the same time for scanning. This is done to improve scanning performance, but it does cause scans to be rather resource intensive.

Note that we don't recommend leaving files in the Quarantine for a long period of time. It's just intended as a temporary backup for deleted files, in case they need restored. If things are OK for a week or two after a file has been removed, then it's best to delete it from the Quarantine.

 

On 2/10/2018 at 7:27 AM, JeremyNicoll said:

Also... the file-size limit that applies to other scans... is this an absolute size (set to what, where?) or is it a percentage of the installed RAM plus page file sizes on a particular machine?

It's an absolute size. I would believe it's hardcoded. The actual size limit has changed several times over the years (I'd have to ask what the current limit is), however I would believe it's more than 50 MB at this point.

The size limit is set based on what our malware analysts see in-the-wild. Files over a certain size generally aren't malicious, simply because it isn't efficient to deliver payloads in large files, so we set the maximum file size for the scanner based on what size files we can expect real-world malware to be delivered in.

  • Like 1

Share this post


Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.


  • Recently Browsing   0 members

    No registered users viewing this page.