Multiple KAVMM's using massive RAM
SKinner
Hello All,

This is a first - I've never seen five instances of KAVMM.exe running in all our installations. Here's the skinny:

Windows 2003 - SP1
Dual Xeon 2.4 Prestonia (HT)
2 GB of RAM
Kaspersky Anti-Virus 5.0 for Windows File Servers - Version 5.0.40

Just installed it last night, and after configuring it, running a full scan and letting it go - I noticed I have FIVE processes running using a whopping 147980KB of RAM. That actually accounts for 43.2 percent of used RAM in the computer right now. It's fairly even in distribution:

Process ID Memory
200 28916
244 29228
1488 28924
3220 21692
3840 39220


Someone please tell me what I'm missing here - there's no way I can have a single program chewing up half the RAM used in five processes (two maybe, but not five)?

Thanks,
Skinner
Peskind
QUOTE(SKinner @ Apr 26 2005, 03:54 PM)
Hello All,

This is a first - I've never seen five instances of KAVMM.exe running in all our installations.  Here's the skinny:

Windows 2003 - SP1
Dual Xeon 2.4 Prestonia (HT)
2 GB of RAM
Kaspersky Anti-Virus 5.0 for Windows File Servers - Version 5.0.40

Just installed it last night, and after configuring it, running a full scan and letting it go - I noticed I have FIVE processes running using a whopping 147980KB of RAM.  That actually accounts for 43.2 percent of used RAM in the computer right now. It's fairly even in distribution:

*

I think you have an old version of AdminKit.
Oleg Bykov
SKinner, this is how KAV for FS works - it creates a scanner process for each processor (2 processors + HT in your case) plus there's one managing process. Hence five kavmm's.

You can change the number of processes by going to this registry key: HKEY_LOCAL_MACHINE\SOFTWARE\KasperskyLab\Components\2A\FileServer\5.0.0.0

There should be several subkeys there: BL, P0, P1, P2, P3 and P4. You can delete (or better, rename to something like "_P3") subkeys P2, P3 and P4 and restart the antivirus service.
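
The check and the registry change described in the post above, as an added PowerShell example that is not part of the original thread and not Kaspersky's tooling. Only the key path and the P0..P4 subkey names come from the post; the function names, parameters and backup location are assumptions.

```powershell
# Added example; not Kaspersky code. Key path and P-subkey names are from the thread;
# function names, parameters and the backup location are assumptions.
$KavKey = 'HKLM:\SOFTWARE\KasperskyLab\Components\2A\FileServer\5.0.0.0'

function Get-KavmmFootprint {
    # Compare running kavmm.exe instances with the "one scanner per logical
    # processor plus one manager" rule and total their working sets.
    $procs = @(Get-Process -Name kavmm -ErrorAction SilentlyContinue)
    $totalKB = 0
    foreach ($p in $procs) { $totalKB += [math]::Round($p.WorkingSet64 / 1KB) }
    New-Object PSObject -Property @{
        Running           = $procs.Count
        Expected          = [Environment]::ProcessorCount + 1
        TotalWorkingSetKB = $totalKB
    }
}

function Disable-KavScannerSubkey {
    param(
        [string[]]$Name = @('P2', 'P3', 'P4'),   # subkeys named in the post
        [switch]$Apply                           # without it, only report
    )
    if (-not (Test-Path $KavKey)) { throw "Key not found: $KavKey" }
    foreach ($n in $Name) {
        # Only P1 and higher are accepted, so BL and P0 are never renamed by mistake.
        if ($n -notmatch '^P[1-9]\d*$') { throw "Refusing to touch subkey '$n'" }
    }
    if ($Apply) {
        # Export the whole key first; importing the .reg file rolls the change back.
        $backup = Join-Path $env:TEMP ("kav-fs-{0:yyyyMMdd-HHmmss}.reg" -f (Get-Date))
        & reg.exe export ($KavKey -replace '^HKLM:', 'HKLM') $backup | Out-Null
        if ($LASTEXITCODE -ne 0) { throw 'Registry backup failed; nothing changed' }
    }
    foreach ($n in $Name) {
        $sub = Join-Path $KavKey $n
        if (-not (Test-Path $sub)) { Write-Warning "$n not present, skipping"; continue }
        if ($Apply) { Rename-Item -Path $sub -NewName "_$n" }   # rename, not delete
        else        { Write-Output "Would rename $n to _$n" }
    }
}

Get-KavmmFootprint          # read-only check
Disable-KavScannerSubkey    # dry run; add -Apply to rename the subkeys
```

The post also calls for restarting the antivirus service afterwards; the service name is not given in the thread, so that step is left manual.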
mountschool1
QUOTE(Oleg Bykov @ Apr 26 2005, 02:43 PM)
SKinner, this is how KAV for FS works - it creates a scanner process for each processor (2 processors + HT in your case) plus there's one managing process. Hence five kavmm's.

You can change the number of processes by going to this registry key: HKEY_LOCAL_MACHINE\SOFTWARE\KasperskyLab\Components\2A\FileServer\5.0.0.0

There should be several subkeys there: BL, P0, P1, P2, P3 and P4. You can delete (or better, rename to something like "_P3") subkeys P2, P3 and P4 and restart the antivirus service.
*

This is all well and good BUT if the product requires a monitor for each processor, does this mean that real time checking is only available for processes running on 1 processor? If not, what is the benefit of having so many instances of the monitor running?
mountschool1
QUOTE(mountschool1 @ Mar 9 2006, 09:52 AM)
This is all well and good BUT if the product requires a monitor for each processor, does this mean that real time checking is only available for processes running on 1 processor? If not, what is the benefit of having so many instances of the monitor running?
*

Still waiting for an answer to this one!

Mike
mountschool1
I'm not going to give up on this. Someone must know the answer.

Mike
Support_Mike
My strong suspicion is that the product does not require multiple processes per cpu - but that for performance KAV will create a scanner process for each available CPU. I imagine that if you scale down the # of processors you will see less RAM used during full scans and that the scans will be a little slower. Real-Time protection will not be affected by the # of processes as it is not as intense of an operation as a full scan. Real-time monitoring should easily be accomplished with a single process -

Also while you wait for an answer from KL remember they are several time zones away from the States and will reply when they see this...

Mike
mountschool1
QUOTE(Support_Mike @ Mar 29 2006, 03:43 PM)
My strong suspicion is that the product does not require multiple processes per cpu - but that for performance KAV will create a scanner process for each available CPU. I imagine that if you scale down the # of processors you will see less RAM used during full scans and that the scans will be a little slower. Real-Time protection will not be affected by the # of processes as it is not as intense of an operation as a full scan. Real-time monitoring should easily be accomplished with a single process -

Also while you wait for an answer from KL remember they are several time zones away from the States and will reply when they see this...

Mike
*


The problem is not that the product has multiple instances of the monitor running per CPU but that it has multiple instances period. My servers have 8 CPUs each (that's 9 KAV monitor processes per server using anything up to 50Mb of RAM each). As an example, I have a server that right now is showing 612Mb of physical RAM committed of which KAV is using 428Mb!

If I'm reading your post correctly you are saying that KAV creates a monitor process per CPU, JUST IN CASE I want to run an on-demand scan?! This can't be right. Surely it's not beyond the Kaspersky programmers to have the additional monitors fire up as needed if they really are needed.

At the risk of upsetting everyone and being branded a heretic, I have to say that Sophos doesn't seem to be blighted with this or any of the other problems that seem to beset KAV, AND the Enterprise Management Console's pretty good too!

Mike
Steve Burkett
Completely agree with Mountschool1/Mike, it does seem a little barmy that it fires up a process for each (virtual) processor. What is the point?
Support_Mike
Mike -

You are running an older version of the KAV File Server, first off - sorry I missed that earlier. Go download and install 5.0.72 and see if the problem persists.

If you see multiple KAV pids hogging memory POST full scan - I agree that this is a problem. If you see multiple KAV pids hogging memory DURING a full scan I think it is expected behavior. Agreed?

MM
mountschool1
QUOTE(Support_Mike @ Mar 30 2006, 09:18 PM)
Mike -

You are running an older version of the KAV File Server, first off - sorry I missed that earlier. Go download and install 5.0.72 and see if the problem persists.

If you see multiple KAV pids hogging memory POST full scan - I agree that this is a problem. If you see multiple KAV pids hogging memory DURING a full scan I think it is expected behavior. Agreed?

MM
*

The server I quoted in my previous quote is running version 5.0.74.

I still fail to see why it needs to start multiple instances at all! If multiple instances must be started then they should start as required and stop when no longer needed.

Mike
Oleg Bykov
QUOTE(mountschool1 @ Mar 31 2006, 10:50 AM)
I still fail to see why it needs to start multiple instances at all! If multiple instances must be started then they should start as required and stop when no longer needed.
*

Yes, but what about the OnAccess task? By having multiple processes we're trying to speed up scanning of the files on-the-fly so that you actually get a boost out of having multiple processors. We're considering the option to let the user configure the number of the working processes.
defekt
This soundz brilliant Oleg - will this be a feature of a new version 6.x of the FS ?
mountschool1
QUOTE(Oleg Bykov @ Apr 4 2006, 01:40 PM)
Yes, but what about the OnAccess task? By having multiple processes we're trying to speed up scanning of the files on-the-fly so that you actually get a boost out of having multiple processors. We're considering the option to let the user configure the number of the working processes.
*

Well, that was an idea that worked really well didn't it!?!? (Yes, I am being sarcastic).

We seem to be going round in circles here. Support_Mike (KL Partner US) says that the multiple processes are to give a bit of umph to the on-demand scans and do NOT have any effect on the on-access part. Now we're told that they are really there to give more welly to the on-access scans.

To be honest I don't care which is true and which is fantasy because IT DON'T WORK EITHER WAY!!! Amongst others, I have 2 servers with multiple processors running DFS. I have had to disable the on-access scans on them because the performance hit is so hard that the staging areas max out and the FRS dies.
Oleg Bykov
QUOTE(defekt @ Apr 4 2006, 05:54 PM)
This soundz brilliant Oleg - will this be a feature of a new version 6.x of the FS ?
*

All I can say is "most probably".
Oleg Bykov
QUOTE(mountschool1 @ Apr 4 2006, 06:11 PM)
Well, that was an idea that worked really well didn't it!?!? (Yes, I am being sarcastic).

We seem to be going round in circles here. Support_Mike (KL Partner US) says that the multiple processes are to give a bit of umph to the on-demand scans and do NOT have any effect on the on-access part. Now we're told that they are really there to give more welly to the on-access scans.
*

Multiple processes are needed to speed up both the OnDemand scanning and the OnAccess scanning. OAS is the reason why it is difficult to determine the number of processes needed at any moment (so that we can keep the number of processes and the amount of memory used at the minimum). Our primary goal is the speed of anti-virus on-the-fly scan which is crucial for the File Servers. We're working on optimizing the algorithm though, just give us some time.

QUOTE(mountschool1 @ Apr 4 2006, 06:11 PM)
To be honest I don't care which is true and which is fantasy because IT DON'T WORK EITHER WAY!!! Amongst others, I have 2 servers with multiple processors running DFS. I have had to disable the on-access scans on them because the performance hit is so hard that the staging areas max out and the FRS dies.
*

Can you please explain what DFS and FRS are and what "the staging areas max out" means? We shall reproduce this scenario in our test-lab and use it to avoid the performance issues for our future releases. Thanks in advance.
mountschool1
QUOTE(Oleg Bykov @ Apr 5 2006, 08:45 AM)
Multiple processes are needed to speed up both the OnDemand scanning and the OnAccess scanning. OAS is the reason why it is difficult to determine the number of processes needed at any moment (so that we can keep the number of processes and the amount of memory used at the minimum). Our primary goal is the speed of anti-virus on-the-fly scan which is crucial for the File Servers. We're working on optimizing the algorithm though, just give us some time.
Can you please explain what DFS and FRS are and what "the staging areas max out" means? We shall reproduce this scenario in our test-lab and use it to avoid the performance issues for our future releases. Thanks in advance.
*

I don't want to be funny but, bearing in mind that this thread has been running for nearly a year, just how much time do you need?

I have checked every server I have. The number of processes running is ALWAYS equal to the number of processors present in the system + 1. This NEVER varies! The amount of memory used by each process does vary - between 25 and 50+ Mb.

DFS = Distributed File System. FRS = File Replication Service. Staging area is a fixed amount of disc space (controlled by a registry key setting) allocated to DFS to hold changes made to files prior to writing to replication partners. As the replication between DFS partners is a background process this area can, if there is a problem, become full. When this happens the service stops. This in turn leads to a mismatch of data between the DFS partners.

Mike
saso
QUOTE(Oleg Bykov @ Apr 4 2006, 03:40 PM)
Yes, but what about the OnAccess task? By having multiple processes we're trying to speed up scanning of the files on-the-fly so that you actually get a boost out of having multiple processors. We're considering the option to let the user configure the number of the working processes.
*


actually AFAIK this was already possible to set up in earlier betas via reg keys. i am not sure however if it is still possible in the latest builds
Oleg Bykov
QUOTE(mountschool1 @ Apr 5 2006, 04:08 PM)
As the replication between DFS partners is a background process this area can, if there is a problem, become full. When this happens the service stops. This in turn leads to a mismatch of data between the DFS partners.
*

The reason for this behaviour could be our usage of NTFS-streams for keeping the extra info about the scanned file. You can turn off the streams usage in OAS/ODS task settings, and you can contact our technical support for the StreamRemover tool to completely get rid of the unwanted streams.
Oleg Bykov
QUOTE(saso @ Apr 5 2006, 05:09 PM)
actually AFAIK this was already possible to set up in earlier betas via reg keys. i am not sure however if it is still possible in the latest builds
*

Yes, it is still possible to use the registry as I've described earlier in this thread. In the upcoming FS MP4 this option will be configurable via the ADK-plugin.
reznorhotdog
QUOTE(Oleg Bykov @ 6.04.2006 01:37)
Yes, it is still possible to use the registry as I've described earlier in this thread. In the upcoming FS MP4 this option will be configurable via the ADK-plugin.
*

1) Does this truly work in the 5.x version by deleting the reg keys?
2) Has it been cured in the 6.x version?
3) What about the NDIS driver that was added in 6.x?