EIS 10 Consuming CPU Power Due to PL

Started by XhenEd, August 16, 2015, 10:42:39 PM


BenYeeHua

#50
Yes, and the bad thing is that the false sense/alarm is always reporting files with a heuristic analysis definition/name on them, so you never know if they are right or not... :P

Windows Defender also has a weak spot: it doesn't detect low-risk malware, and it also hangs the system while scanning exe files. It does cache the scan result, but the cache is cleaned up after reboot, so it will hang again after reboot. :P
---
And also one thing: the new types of pen drive virus are smart now. They know the anti-virus only scans special file types, so they just rename themselves to random names with a random file type (like awenoinisadw), then create a shortcut to run it with rundll32.exe. ;)

Unless they scan unknown files loaded by rundll32.exe, the anti-virus is useless against this type of virus, even if they can detect this type of virus. :P

And anti-virus also doesn't unhide the files that have been hidden by the virus, so they might wonder why their folder can't be opened after killing the virus...
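A detection-side sketch of the rundll32.exe behaviour described in the post above, added here as an example and not part of the original thread: it flags process-creation command lines where rundll32.exe is pointed at a module without a usual library extension. The sample command lines, the extension allow-list and all function names are constructed for illustration.

```python
import re
from pathlib import PureWindowsPath

# Module extensions that rundll32.exe is normally pointed at (assumed allow-list).
EXPECTED_EXT = {".dll", ".cpl", ".ocx"}

# Constructed process-creation command lines (not taken from the thread).
SAMPLE_EVENTS = [
    r'C:\Windows\System32\rundll32.exe shell32.dll,Control_RunDLL desk.cpl',
    r'C:\Windows\System32\rundll32.exe "E:\awenoinisadw",Start',
    r'rundll32.exe E:\photos.qwz,Run',
    r'C:\Windows\System32\notepad.exe E:\readme.txt',
]

# rundll32 syntax: rundll32.exe <module>,<entry point> [arguments]
_CMD = re.compile(
    r'^"?(?:[^"]*[\\/])?rundll32(?:\.exe)?"?\s+'
    r'(?:"(?P<quoted>[^"]+)"|(?P<bare>[^\s,]+))\s*,',
    re.IGNORECASE,
)


def rundll32_module(cmdline):
    """Return the module rundll32.exe was asked to load, or None."""
    match = _CMD.match(cmdline.strip())
    if match is None:
        return None  # not rundll32, or no "<module>,<entry point>" pair
    return match.group("quoted") or match.group("bare")


def is_suspicious(cmdline):
    """True when rundll32.exe loads a file with an unexpected extension."""
    module = rundll32_module(cmdline)
    if module is None:
        return False
    return PureWindowsPath(module).suffix.lower() not in EXPECTED_EXT


def flag(events):
    """Return the command lines that deserve an analyst's attention."""
    return [line for line in events if is_suspicious(line)]


if __name__ == "__main__":
    for line in flag(SAMPLE_EVENTS):
        print("ALERT", line)
```
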

4EverMaAT

Quote from: Jeremy Collake on September 27, 2015, 06:31:28 PM
Oh, I didn't realize that some security suites literally were user-mode scanning only, or deferred scanning until post-boot. It makes sense, as none of them want to be held responsible for slow boot times. I haven't fully audited all security suites by any means, because I don't use any. I often have Windows Defender turned off even. I never have problems, because I don't rely on the false sense of security that security suites bring.
I used to only use the firewall portion of security suites, as the default Windows Firewall does not come with any ability to be alerted when a program is attempting to access the internet and say yes or no. Then I came across Windows Firewall Control, or WFC, which does exactly this: it takes the native Windows Firewall and adds alerts and easy allow/deny permissions for exe files attempting to access the internet. Not sure why Microsoft does not do this natively. This would encourage people to take responsibility for each and every program they allow through the firewall. I want to know every program trying to access the internet on my personal computers.

BenYeeHua

Because average people don't care about it. Windows is designed for newbies who don't know anything about computers, and to just be easy to use. ;)

XhenEd

Just to report that this is fixed. I don't know what changed, or in which of the programs. I'm just happy that this is fixed. :D No exclusions in EIS made. :D

BenYeeHua

Ya, you may check "Programs and Features"; the "Installed On" will show when they were updated. ;)

XhenEd


Jeremy Collake

LOL, well that's certainly an obscure insult.

What 'wasteful resource use' would he possibly be talking about?

If we look at resource use of CPU, I/O, and memory, Process Lasso is as lean as it gets in all categories.

I am going to try to open a dialog with him so I can better understand what the issue is, so we can hopefully not toss around insults. I don't believe (I'll have to look back), that I ever threw such insults at EIS.
Software Engineer. Bitsum LLC.

XhenEd

Quote from: Jeremy Collake on February 05, 2016, 07:21:13 AM
LOL, well that's certainly an obscure insult.

What 'wasteful resource use' would he possibly be talking about?

If we look at resource use of CPU, I/O, and memory, Process Lasso is as lean as it gets in all categories.

I am going to try to open a dialog with him so I can better understand what the issue is, so we can hopefully not toss around insults. I don't believe (I'll have to look back), that I ever threw such insults at EIS.
Thanks, Jeremy!
I don't believe him either about PL being wasteful.  ;)

Jeremy Collake

I have posted there, requesting a private dialog with him, so hopefully we'll get that going. I'll post updates as I have them.
Software Engineer. Bitsum LLC.

Jeremy Collake

#59
EIS has been very responsive and I believe we will have a - blameless - amicable resolution to the interoperability issue in Process Lasso v9, though EIS has already adjusted their code to resolve the problem for now.

Until then, I recommend users set the refresh interval for the GUI and/or Governor to a higher rate. This is in 'Options / General / Refresh interval (*)' ... The more you increase the re-enumeration interval time, the less of an impact this issue will have. Decreasing the GUI to 2 seconds, from 1 second default, for instance, would reduce the problem 50%. Setting the GUI to run only when manually launched would further substantially decrease the problem.
Software Engineer. Bitsum LLC.

BenYeeHua

I would say that the driver/device is wasting CPU power, not the software. :P

If you don't believe it, then monitor your CPU package power (HWiNFO, AIDA64, Power Gadget or whatever), and don't open any software that uses a lot of resources like the network or other PCI-E and USB devices (to make sure they will be idle).

Disable your PCI-E and USB devices one by one (like Bluetooth, network card, WiFi network card, gaming mouse too if you have one, and remember to leave a keyboard for enabling them back...). After you disable most of them, you will find that the CPU package power has dropped a lot.

So yes, a driver or device that doesn't put the PCI-E link into idle states (PCI-E has 2 idle states as far as I know) will consume a lot of power, more than Process Lasso.
Believe me, you would rather drop these devices than uninstall Process Lasso, which consumes very little power compared to these badly designed guys...

Of course there are faster ways to find which guys are causing it, but you need to sign an NDA with Intel's guys; I don't think it's worth it...
---
And yes, there is worse: the BIOS will also disable the PCI-E power saving, or manage it themselves, and not hand it to the OS (Windows)...
Unless you add a Linux and change it before booting into Windows, you really can't do anything about it.
It can be power save, balance or performance (means disable idle), but by handing it to the OS, they can tweak based on which power plan you are using.

Jeremy Collake

I have made the change to reduce process re-opens. While I wholly reject the claim by Emisoft (which I think he realized was wrong) that these opens were anything other than read-only, I think their hook system just wasn't efficient enough to handle this frequency of process open requests, and so they got a little defensive at what they perceived as 'unnatural'.

I actually had originally written Process Lasso to do very few process re-opens, but then changed the code to simplify at some point in the past since it didn't seem to make any real difference, as open requests are *normally* very rapid, unless you have security software evaluating each one, and that doesn't have good caching mechanisms and thus keeps re-certifying them, as opposed to passing previously approved requests right on through.

So far it is testing well. We'll see how it goes. It 'feels' good to me, as an engineer.

Although this is in v9, only a single low-level module was modified, so this is an easy backport to v8. However, first we have to run the change through its paces.

Later, in v9, we can maybe do away with the tamper resistant process list - or at least we'll make an attempt to.
Software Engineer. Bitsum LLC.

Jeremy Collake

I have released an alpha version that makes a change that should fix all Emisoft issues. However, it's still in early testing, as part of v9 ALPHA. If the change tests well, I can back-port it to v8. It shows ~50% reduction in CPU use by the governor. Of course, CPU use was already negligible.

https://products.bitsum.com/forum/index.php/topic,5518.msg20820.html
Software Engineer. Bitsum LLC.

XhenEd

I just saw the latest beta. Sadly, I won't install it because PL and EIS, as they are now in my laptop's system, are behaving nicely. That's why I'm not so sure what happened. I just don't want to disrupt this. haha...

As always, Jeremy rocks!  :D

Also, Jeremy, the name is EMSISOFT, not EMISOFT.  ;)

Jeremy Collake

EMSISOFT, yuck, no wonder I couldn't remember it ;). I'll go with EIS ;p.

Since at present they 'fixed' it on their end, it doesn't matter that much, but I would recommend updating to the next final release for sure, once this adjustment is well-tested. It's a pretty simple and safe adjustment, which is why I went ahead and back-ported it to v8 beta, given the importance of it.

To be clear, there was nothing wrong with my original approach, but I did underestimate the overhead involved in process opens given security software hooking these open requests. Now a container holds all these process handles and doles them out as requested, so they only need opened once, instead of as-needed.
Software Engineer. Bitsum LLC.
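A small model of the handle container described in the post above, added here as an example and not Process Lasso's own code: it counts how many process opens (each one a request a security product's hook would have to evaluate) happen over several refresh cycles, with and without a cache. The class, the constructed snapshots and the choice to key on (PID, start time), so that a reused PID never gets a stale handle, are assumptions of this sketch.

```python
class HandleCache:
    """Open each process once and hand the same handle out on later requests."""

    def __init__(self, opener, closer):
        self._opener = opener      # callable(pid) -> handle
        self._closer = closer      # callable(handle)
        self._handles = {}         # (pid, start_time) -> handle

    def get(self, pid, start_time):
        key = (pid, start_time)    # start time guards against PID reuse
        if key not in self._handles:
            self._handles[key] = self._opener(pid)
        return self._handles[key]

    def prune(self, live):
        """Close handles of processes missing from the latest snapshot."""
        for key in set(self._handles) - set(live):
            self._closer(self._handles.pop(key))


# Constructed refresh cycles: lists of (pid, start_time) per enumeration.
# In the third cycle PID 2040 has exited and been reused by a new process.
SNAPSHOTS = [
    [(4, 0), (812, 10), (2040, 55)],
    [(4, 0), (812, 10), (2040, 55)],
    [(4, 0), (812, 10), (2040, 90)],
]


def simulate(snapshots, cached):
    """Return how many process opens the given refresh cycles cause."""
    opens, closed = [], []
    handle_ids = iter(range(100, 10_000))   # stand-ins for real OS handles

    def opener(pid):
        opens.append(pid)
        return next(handle_ids)

    cache = HandleCache(opener, closed.append)
    for snapshot in snapshots:
        for pid, start_time in snapshot:
            if cached:
                cache.get(pid, start_time)
            else:
                closed.append(opener(pid))  # open, use, close every cycle
        if cached:
            cache.prune(snapshot)
    return len(opens)


if __name__ == "__main__":
    print("uncached opens:", simulate(SNAPSHOTS, cached=False))
    print("cached opens:  ", simulate(SNAPSHOTS, cached=True))
```
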

BenYeeHua

Never underestimate the POWER of security software. ;D