kavass.exe consumes 100% cpu & causes file download to a

Forum for support for the Kaspersky AntiVirus for WinGate plugin

Moderator: Qbik Staff

Postby saubrey » May 16 04 6:46 pm

While downloading a 48 MB file thru http/ENS/www proxy, at various random times during the download Kavass.exe starts consuming 100% of the cpu for 5 - 10 minutes. During this time very little of the file is downloaded...just a few 1000 bytes per minute and then the download aborts. Five times I tried downloading the 48 MB file and five times it aborted at different spots. Once at about 4 MB, once at 10 MB, once at 17 MB. In all cases Kavass.exe was consuming 50 - 100 % of the cpu for long periods of time and the download was just trickling thru. Once I disabled AV for the www proxy, then the 48 MB file downloaded correctly on the first try. The download is an http download, thru ENS, with TR to the www proxy. I have slow DSL, approx 250 Mbits/sec, so a 48 MB download takes over 20 minutes. I have Wingate 5.2.3 and the latest version of Kaspersky AV. Wingate runs on Win2k sp4. What can I do to help Qbik fix this issue? Thanks, Steve
saubrey
WinGate Master
 
Posts: 207
Joined: Sep 15 03 12:55 pm

Re: kavass.exe consumes 100% cpu & causes file download

Postby Nev » May 21 04 5:00 pm

saubrey wrote: While downloading a 48 MB file thru http/ENS/www proxy, at various random times during the download Kavass.exe starts consuming 100% of the cpu for 5 - 10 minutes. During this time very little of the file is downloaded...just a few 1000 bytes per minute and then the download aborts. Five times I tried downloading the 48 MB file and five times it aborted at different spots. Once at about 4 MB, once at 10 MB, once at 17 MB. In all cases Kavass.exe was consuming 50 - 100 % of the cpu for long periods of time and the download was just trickling thru. Once I disabled AV for the www proxy, then the 48 MB file downloaded correctly on the first try. The download is an http download, thru ENS, with TR to the www proxy. I have slow DSL, approx 250 Mbits/sec, so a 48 MB download takes over 20 minutes. I have Wingate 5.2.3 and the latest version of Kaspersky AV. Wingate runs on Win2k sp4. What can I do to help Qbik fix this issue? Thanks, Steve


Hi Steve,

Can you point me at the URL? I'd like to try the d/l just to see if it affects my installation in a similar way. Have G/b's of surplus d/l headroom!

Connection here is 400Kbits / sec, on a good server that will take 15 minutes for my latent PanAmSat 8 service.

Largest d/l I have [with t/r] is a Linux ISO, no problems, WG 5.2.3.

Cheers,
Nev.
Nev
WinGate Guru
 
Posts: 861
Joined: Sep 22 03 11:35 pm
Location: Mudgee ~ NSW ~ Australia

Postby saubrey » May 22 04 5:01 pm

I don't think you can easily download the same file that I used. I was downloading Quicken 2004 Deluxe, but I had to purchase it to obtain the URL for downloading.

Postby Nev » May 22 04 5:19 pm

saubrey wrote: I don't think you can easily download the same file that I used. I was downloading Quicken 2004 Deluxe, but I had to purchase it to obtain the URL for downloading.


OK, have downloaded several Intuit upgrades & demos myself, AOK, last was QB2003 demo, was 114mb / Aug 2003.

Good luck,
Nev.

Postby saubrey » May 24 04 3:46 pm

My original problem still remains. Can someone from Qbik help?

Thanks,

Steve

Postby adrien » May 25 04 2:24 am

Hi Steve

The way scanning works for web is that WinGate will spool the entire download to a temp file, then when the whole thing is received, it sends it to the AV for scanning.

During this time, it will send 75% of everything it received (if the file is over a certain size) to the client.

When it starts scanning, if enabled, WinGate also spawns a thread (for files over a certain size) which drip feeds chunks to the browser to stop it timing out connections if the scan operation takes a long time. It sends 10% of the remainder every 20 seconds.

So, the thing to check would be drip-feeding, on the WWW Proxy plugins tab.

We tested this with very large files (like over 100M) and it seemed to work ok last time I checked.

Adrien
adrien
Qbik Staff
 
Posts: 5441
Joined: Sep 03 03 2:54 pm
Location: Auckland
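
The hold-back and drip-feed behaviour Adrien describes, modelled as an added example (not WinGate code and not part of the original post). All names are hypothetical, the size threshold he mentions is not modelled, and "10% of the remainder" is assumed to mean 10% of what is still withheld at each tick, so the tail of the file is never fully released while the scan is running.

```python
from dataclasses import dataclass

# Figures taken from the post above; the names are hypothetical.
RELEASE_PCT = 75       # % of received data passed to the client while spooling
DRIP_PCT = 10          # % of the withheld remainder sent on each tick
DRIP_INTERVAL_S = 20   # seconds between ticks while the scan runs


@dataclass
class DripState:
    elapsed_s: int   # seconds since the scan started
    sent: int        # total bytes the client has received so far
    withheld: int    # bytes still held back pending the scan verdict


def drip_schedule(file_size: int, scan_seconds: int) -> list[DripState]:
    """Client-visible byte counts for a scan lasting scan_seconds.

    Assumption: each tick releases DRIP_PCT of the bytes still withheld
    (geometric decay), using integer arithmetic.
    """
    sent = file_size * RELEASE_PCT // 100
    withheld = file_size - sent
    states = [DripState(0, sent, withheld)]
    for t in range(DRIP_INTERVAL_S, scan_seconds + 1, DRIP_INTERVAL_S):
        chunk = withheld * DRIP_PCT // 100
        sent += chunk
        withheld -= chunk
        states.append(DripState(t, sent, withheld))
    return states


def last_minute_rate(states: list[DripState]) -> int:
    """Bytes delivered to the client during the final 60 s of the schedule."""
    end = states[-1]
    start = next(s for s in states if s.elapsed_s >= end.elapsed_s - 60)
    return end.sent - start.sent


if __name__ == "__main__":
    size = 48 * 1024 * 1024            # constructed input: a 48 MB download
    schedule = drip_schedule(size, 600)  # scanner busy for 10 minutes
    for s in schedule[::6]:            # one row every 2 minutes
        print(f"{s.elapsed_s:4d}s  sent={s.sent:>11,}  withheld={s.withheld:>11,}")
    print("bytes delivered in final minute:", last_minute_rate(schedule))
```

Under these assumptions the client's throughput falls with every tick while a non-zero tail stays withheld, so a stalled scan looks to the browser like a download that slows to a trickle and never finishes.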

Postby saubrey » May 25 04 5:17 pm

I had drip feed set to 50K, then increased it to 100K, but download still failed either way.

> the way scanning works for web, is that WinGate will spool the entire download to a temp file, then when the whole thing is received, it sends it to the AV for scanning

This doesn't seem quite right, so I must be misunderstanding. If WinGate waits for the entire file to download before starting to scan, then my browser will certainly timeout as it takes over 20 minutes to download the 48 meg file. There must be some drip feeding to the browser during long downloads. I'm just guessing that Wingate drip feeds to the browser during the download *and* spools to a temp file for scanning at the same time, and then during the scanning phase Wingate also drip feeds to the browser.

OK, so when Kavass.exe started consuming 100% of the CPU and I noticed that the browser was receiving only a few 1000 bytes per minute, then this must have been the drip feed during scanning. So by this time the entire 48 meg file was already received by Wingate? (I did not think to check my DSL lights to see if bits were still being transferred or not.) I have lots of disk space on my server so running out of disk space was not the problem. My server is slow (366 MHz) with only 128 MB RAM. I checked Win2k's Virtual Memory and even though all physical memory was consumed at the time Kavass was consuming 100% cpu, I had approx 100 MB of virtual memory available. I did not notice excessive swapping to disk, but I wasn't looking for that either so it may have been occurring, but I guess not as there was 100% cpu utilization, and if there were excessive swapping, then cpu would not be 100% busy. I really did let Kavass run at 100% utilization for approx. 10 minutes. Then I clicked my browser's Cancel button which aborted the download. I should probably just buy more RAM.

Postby saubrey » Jun 06 04 7:54 am

I got more memory. Now have 256 MB. (Task Manager shows only 190 MB consumed by Win2k, so have plenty of RAM available.) Still have same problem with KAVASS.EXE consuming 100% of CPU for extended period of time (5 minutes or longer) which causes download of large file to timeout. During the time when KAVASS is consuming 100% cpu, Wingate server stops downloading data (GateKeeper's traffic monitor shows 0 bytes/sec). KAVASS is consuming only 8 MB RAM as shown by Task Manager. There is no swapping by Win2k to swap file occurring. GateKeeper Activity Pane still shows the HTTP connection to the download site. After about 13 minutes (800 seconds), Gatekeeper shows that Wingate has dropped the HTTP connection, probably due to my 800 second inactivity setting. After 13 minutes of inactivity, my browser shows download complete, but only 32 of 48 MB has been downloaded and self-extracting zip shows file is corrupted. I don't know what more I can do. As I said previously, if I disable AV for www proxy, then download succeeds every time. BTW: Task Manager shows two kavass.exe processes...only one of them shows 100% cpu, the other is idle.

Postby yadie099 » Jun 06 04 9:27 am

I have also seen this problem. I did not check the CPU usage. However, when Kaspersky plugin is enabled, downloads are unable to complete. The size of the file doesn't really matter. When the plugin is disabled, the download completes without problem.
Also, when the plugin is enabled, downloading with Getright indicates that site does not support resuming.
This makes the plugin somewhat useless, since you have to turn it off to download, and one would really like their downloads to be scanned for viruses.
Would be nice to see a solution where downloads work fine while AV plugin is enabled.
yadie099
 
Posts: 32
Joined: Sep 27 03 1:01 pm

Postby yadie099 » Jun 08 04 1:17 pm

I am not sure if this is significant. However, when the AV Plugin is turned on, nothing is added to the cache. Monitoring the cache folder will show files being written to it, then being deleted shortly afterwards. So, not only is the AV plugin affecting downloading, but it is also affecting the web cache in wingate.

Postby saubrey » Jun 11 04 2:57 pm

Would someone from Qbik please try and help solve this? Adrien's response was helpful regarding how it is supposed to work, but nonetheless it doesn't work for me.

Postby Pascal » Aug 12 04 7:17 pm

The main reason for that is - some files cannot be scanned. They return an error code like:

KAV_S_R_CORRUPTED
KAV_S_R_NONSCANNED
KAV_S_R_FAILURE
KAV_S_R_ACCESSDENIED

Those error codes do not generally indicate that there is an infection - it simply means the AV subsystem returned a result to WinGate which left it unclear about how to proceed. WinGate's default reaction at that time is to block it to minimise the risk involved in downloading something.

There are two alternatives to work around this. The best way is probably to turn on the quarantine. You can do this in the plugin configuration itself. This will show you the result code that is returned in the quarantine log. You can then modify the response codes (Customise responses) to allow, quarantine or discard various options. So - if a download is regarded as 'CORRUPTED' you can theoretically just quarantine it - which will allow you to retrieve the download out of the quarantine, verify with another scanner and potentially deliver to the person who requested the file originally.

The second alternative is to add files / sites which cause problems like that to the list of overrides inside the plugin. This might be the best way to handle things like software updates, where you trust the supplier of the download link. However - don't do this if you don't trust the person who makes the download available.
Pascal

Qbik New Zealand
pascalv@qbik.com
http://www.qbik.com
Pascal
Qbik Staff
 
Posts: 2623
Joined: Sep 08 03 8:19 pm
Location: Auckland, New Zealand
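
The handling Pascal describes for inconclusive scan results, sketched as an added example (not the plugin's code and not part of the original post). The function and variable names, the `.example`/`.test` hosts and the sample configuration are constructed; only the four result codes and the allow / quarantine / discard / block-by-default behaviour come from the post, and treating an override as "allow" is an assumption.

```python
from enum import Enum
from urllib.parse import urlsplit


class Action(Enum):
    ALLOW = "allow"
    QUARANTINE = "quarantine"
    DISCARD = "discard"
    BLOCK = "block"          # default when no response has been customised


# The four inconclusive result codes quoted in the post.
INCONCLUSIVE = {
    "KAV_S_R_CORRUPTED", "KAV_S_R_NONSCANNED",
    "KAV_S_R_FAILURE", "KAV_S_R_ACCESSDENIED",
}

# Constructed sample configuration (hypothetical hosts).
SAMPLE_RESPONSES = {"KAV_S_R_CORRUPTED": Action.QUARANTINE}
SAMPLE_TRUSTED = {"updates.vendor.example"}


def host_is_trusted(url: str, trusted_sites: set[str]) -> bool:
    """True if the URL's host is a trusted site or a subdomain of one.

    The host is parsed out of the URL and compared on label boundaries,
    so a trusted name appearing elsewhere in the URL does not match.
    """
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in trusted_sites)


def decide(code: str, url: str, responses: dict[str, Action],
           trusted_sites: set[str]) -> Action:
    """Action for a download whose scan did not return a clear verdict."""
    if code not in INCONCLUSIVE:
        return Action.BLOCK          # unrecognised code: fail closed
    if host_is_trusted(url, trusted_sites):
        return Action.ALLOW          # override: the admin vouches for the source
    return responses.get(code, Action.BLOCK)


if __name__ == "__main__":
    for code, url in [
        ("KAV_S_R_CORRUPTED", "http://dl.shop.example/setup.exe"),
        ("KAV_S_R_FAILURE", "http://dl.shop.example/setup.exe"),
        ("KAV_S_R_NONSCANNED", "http://cdn.updates.vendor.example/patch.zip"),
        ("KAV_S_R_NONSCANNED", "http://updates.vendor.example.mirror.test/patch.zip"),
    ]:
        print(code, url, "->", decide(code, url, SAMPLE_RESPONSES, SAMPLE_TRUSTED).value)
```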

