I'm not really an Average Joe, but I have no issues with any of the CHKDSK stages after the KIS uninstall. Maybe that has to do with the fact that I put the KIS/KAV Removal Tool in the root of each disc on my computer and repeated the removal procedure for each disc separately?

 

Paul

 

There is some evidence that the CHKDSK issue may only be apparent with large partitions with lots of files and folders. However, some people with large drives and large partitions claim no symptoms. It is unclear whether those people have enabled iSwift, but my recollection is that at least some have.

 

However, I have seen no real data on how this problem affects average users. Many users may have the symptom but never notice it or connect it to KAV. We have seen it reported with KAV6 and with AVS. Symptoms vary from delays during Stage2 to an inability to run CHKDSK to completion.

 

EDIT: Removed questions about the removal tool answered by Lucian Bara while I was posting.

 

Lucian, Is there any chance of getting a removal tool for the left-over NTFS-identifiers?

Edited by jmorlan

There is some evidence that the CHKDSK issue may only be apparent with large partitions with lots of files and folders. However, some people with large drives and large partitions claim no symptoms. It is unclear whether those people have enabled iSwift, but my recollection is that at least some have.

 

However, I have seen no real data on how this problem affects average users. Many users may have the symptom but never notice it or connect it to KAV. We have seen it reported with KAV6 and with AVS. Symptoms vary from delays during Stage2 to an inability to run CHKDSK to completion.

Here one disc with two partitions:

C: 62 GB (one third is occupied by files) - system partition

D: 18 GB (one half is occupied by files) - back up partition

iSwift was activated while KIS was on my computer. I'm ready to help you with any logs, system info or anything if necessary...

 

Did a scan with Rootkit revealer. I remember that with KAV 5 there were additions spotted to lots of files. Rootkit revealer doesn't mention anything after my recent KIS uninstall...

 

Paul

Edited by p2u

Here one disc with two partitions:

C: 62 GB (one third is occupied by files) - system partition

D: 18 GB (one half is occupied by files) - back up partition

iSwift was activated while KIS was on my computer. I'm ready to help you with any logs, system info or anything if necessary...

 

Did a scan with Rootkit revealer. I remember that with KAV 5 there were additions spotted to lots of files. Rootkit revealer doesn't mention anything after my recent KIS uninstall...

 

Paul

Paul, 5.0 used ADS which was attached to every file; 6.0 does not use this kind of technology, that's why you don't see them with 6.0. :)

Something you could try is Paragon Partition Manager; it has some defragment metadata thing, it might help.

Thanks for the suggestion. I downloaded the free Paragon Hard Disk Manager 8 Special Edition and ran both the MFT and partition defrag. It did not help. There is still a 10 minute delay at stage 2 of CHKDSK.

 

I think we really need some way to get rid of the NTFS-identifiers left by iSwift.


My issues are not related to having Kaspersky build a datastore, I should have been a touch more clear with my setup. This box has had Kaspersky installed for roughly 2 weeks now, I am still trying to find a way to defrag it.

I noticed that I had long startup times and that the auto diskeeper reports were looking a touch funny stating that pretty much every file on my HDD that was fragmented couldn't be defragged, this is indicative of disk errors. When I ran a chkdisk util from WinPE it started yelling it couldn't fix the errors.

So my journey began trying to narrow down the culprit. I reverted back to a fresh image and re-installed everything slowly. The corrupt/fragmented files didn't show back up until a scheduled KIS scan had happened during the night. Also, I only have KIS scan the C drive and oddly enough it is the only partition on the drive that has these issues

 

;)


I just completed another test, with pretty good results. Here's an abbreviated version of what I did:

 

1) I took a fresh image of Drive C. (By the way, if you plan to try this yourself you MUST make an image first. You would be crazy not to!)

 

2) I used Robocopy to copy every file on Drive C onto a freshly-formatted NTFS partition on my second internal drive. (This took about 30 minutes or so).

 

3) I did a quick format of C.

 

4) I used Robocopy to restore the files back onto C (another 30+ minutes).

 

Results: Windows XP booted up normally and almost everything seemed to be fine, but Windows needed to be activated again, so I re-activated online (it took just a few seconds) and began testing my installation.

 

The first time I opened Word and Excel they did a quick re-registration, but after that they appeared to be normal. They opened very rapidly.

 

I ran XP defrag (analyze only) just to see the defragmentation report for C, and I've never seen a less fragmented drive in my life. The graphic display shows one big blue bar (files) and one green bar (pagefile). Obviously this is the result of using robocopy, which copies the entire operating system file-by-file.

 

The user interface is very snappy, quicker than it's been in a long time. I guess getting all those checksums out of there, plus reorganizing the files, made a big difference!

 

Next, I ran chkdsk (readonly) on C, and it took just 16 seconds to go through the entire process (Phases 1, 2 and 3). What a surprise that was! As you can imagine, there was no lag at the start of Phase 2.

 

Next, I scheduled chkdsk /f and rebooted. The chkdsk took about 19 seconds from start to finish, including Stage 4, with no errors. (I didn't do the surface scan). In case you're wondering, my Drive C contains just under 50,000 files and uses 9GB of an 11GB partition.

 

I'll continue testing my OS and will post back here if anything goes wrong. Also, if anyone is interested I will post my robocopy switches and the details of how I set the whole thing up, but I have to warn you that I'm not a robocopy expert and I might have overlooked something. But here's a hint: I did each copy in two parts. For the first part of each copy I used the /CREATE switch to copy over just the directory tree and file placeholders. Part two copied the files themselves. I'm not sure if this was the best way to do it, but from what I'm seeing up to now, it seems to have worked pretty well.

 

I've been thinking that I might have been able to achieve the same results with XXClone, and probably with a lot less fuss. Would somebody else like to try it and find out?

 

Well, that's all for now. I'm going to run this OS for awhile to see if anything develops and will post back later.

Edited by Dantz


i was originally going to just clone my hdd to the new one, but looking at this, i'll instead only copy the files and recreate the bootsector with the fixmbr tool

 

this way it won't copy the existing mft and will no longer have these issues.

<snip>Kaspersky formerly used Alternate Data Streams (ADS) in earlier versions of KAV but abandoned it in more recent versions.  Also Kaspersky provided a removal tool when this came to light and I believe that tool is still available.

 

Interestingly the ADS did not have any noticeable effect on CHKDSK or much else performance-wise, other than fragmentation problems.<snip>

 

<snip>This ISwift issue (if that's what it is) is something quite different and does not involve ADS.<snip>

 

<snip>Nevertheless, KAV is selling a product with this technology and I think they need to do the responsible thing and provide a tool to remove it, just as they did in the past with the unwanted ADS.<snip>

Thank you jmorlan, that's interesting - I hadn't realised that Kaspersky used another method of tagging previously-scanned files in earlier versions of KIS/KAV, nor that it had also introduced defrag problems.

 

I'm with you all the way on the need for Kaspersky to offer an iSwift data removal tool. I understand that the iSwift tagged file data is linked to the fidbox.dat and fidbox.idx files in C:\WINDOWS\system32\drivers, but I guess just deleting those files alone will achieve nothing.

 

With the impending public launch of KIS/KAV 7, can any beta tester comment on whether use is still made of the current iCheck/iSwift technology, or is there something new?

I admire your intuition concerning Russian phraseology, Ron. You are absolutely right... ;) The only other possible interpretation of the original Russian word would be 'intelligent', but this still does not refer to any company other than Kaspersky itself...

Thanks, Paul. I should have added the phrase Intellectual Property. This is a catch-all phrase used to describe software, music, video, etc., the rights of which are owned, legally, by some party or other interest (business).

 

http://en.wikipedia.org/wiki/Intellectual_property

 

Basically, at least in the US, this means more jobs for more lawyers. ;)

 

Ron :)

With the impending public launch of KIS/KAV 7, can any beta tester comment on whether use is still made of the current iCheck/iSwift technology, or is there something new?

The TR of KAV 7 still has iChecker and iSwift as Advanced Scan options.

The TR of KAV 7 still has iChecker and iSwift as Advanced Scan options.

And I note that you've prudently deactivated iSwift!

 

Your last post was removed as it was already posted by Dantz.

Edited by Don Pelotas

<snip>Your last post was removed as it was already posted by Dantz.<snip>

Sorry Don Pelotas, reading back I see you're absolutely right - I had a 'senior moment' and overlooked the fact that Dantz is a user of the ZoneAlarm Security Suite, not 'pure' KIS/KAV.


I came across my first real glitch since using robocopy to restore my OS. It seems that Ghost 2003 will no longer run. My guess is that during installation, Symantec puts a small, immovable "magic marker" on the hard drive for copy protection purposes, and when I formatted the drive the marker got moved or was lost. It's possible that if I hadn't formatted the drive but had merely deleted all the files before restoring them with robocopy, this wouldn't have happened. I'm just going to reinstall Ghost, as I don't feel like restoring from my previous image and doing the whole robocopy process again, while replacing the format step with a "delete all", just to see if it might work.

 

The XXClone website is a useful resource, since their file-copying technique is very similar to what I did with robocopy. Here are a couple of snips from their FAQ that discuss situations like this:

 

"There are a number of software products that are sensitive to minute differences in the environment. Typically, it is a result of deliberate design by the software vendor."

 

"It is best that you re-install the application as required."

 

Link to their site:

http://www.xxclone.com

 

Incidentally, anyone who wants to try out my file-copying technique who is also planning to upgrade to a new hard drive should consider giving XXClone a try, as it sounds perfect for that purpose. No doubt the developers have had time to tweak and improve the process through repeated testing, unlike my one-time experimentation with Robocopy. (XXClone is based on XXCopy, an excellent file copying utility that is comparable to Robocopy.) They also provide a freeware version that appears to have the right features to do the job.

The TR of KAV 7 still has iChecker and iSwift as Advanced Scan options.

2 Blackcat:

Keep in mind that in the File Antivirus, iSwift cannot be disabled; it's always active, even in version 7!

 

2 All:

Guys,

Does anyone of you use CorelDraw (for example version 12)? I found out that if you have this program installed on Windows 2000 or XP, and have worked with this program under an admin account for 30 days, the 31st day, you will have this chkdsk problem no matter what antivirus program you have installed. ANDYBOND told me this.

 

Paul

Edited by p2u

2 Blackcat:

Keep in mind that in the File Antivirus, iSwift cannot be disabled; it's always active, even in version 7!

 

 

I know that the File Scanner can use both iSwift and iChecker but I thought that if the iSwift technology was not selected for in the scan settings then the RTM would not be able to use this feature!

Edited by Blackcat

hi paul

haven't checked it completely yet, but won't setting the

HKEY_LOCAL_MACHINE\SOFTWARE\KasperskyLab\protected\AVP7\profiles\File_Monitoring\settings useistreams & useichecker values to 0 work?

Lucian, any idea whether this slows down the RTM by much?

hi paul

haven't checked it completely yet, but won't setting the

HKEY_LOCAL_MACHINE\SOFTWARE\KasperskyLab\protected\AVP7\profiles\File_Monitoring\settings useistreams & useichecker values to 0 work?

I'm not sure how Kaspersky's self-protection mode will react to this...

 

Paul


Well, seems to me, I have a partial solution for the problem, described here - chkdsk errors in indexes.

My configuration:

Notebook HP Compaq nx6125 (AMD Turion 64 ML28 1.6/512Mb/60Gb/Card-reader/DVD+/-RW/15" XGA/Radeon X200 UMA 128M/Li-Ion/WiFi/XP HE/LAN)

OS: Windows XP Home SP2 Rus, all updates till today.

Filesystem: NTFS, approx. ~5Gb of free space.

How it began: I scheduled a chkdsk operation and found something unusual in its behaviour - it stalled at 12% for several minutes in the second phase and then it started:

deleting an index entry from index $О of file 29196

I waited for three hours the first time.

I found some info on the web concerning KAV+NTFS streams (I had KAV 6.0.2.621). I uninstalled KAV, but that problem occurred again in another way:

deleting an index entry from index $О of file 29196
inserting an index entry to index $О of file 29196
correcting an index entry to index $O of file 29196

and that lasted for half an hour. Chkdsk reported that all errors were fixed. I forced chkdsk to run again and these errors were still there.

I've downloaded streams utility for NTFS streams management, scanned the entire HDD

streams.exe -s c:\ > streams.txt

and found a lot of files with KAV streams - something like :KAVICHS:$DATA in every file (previously I had something like KAV 5.x.x with iStreams). I killed all these entries

streams.exe -s -d c:\

forced chkdsk after reboot - and, voila - it found these index errors but fixed them.

I checked my HDD 5 or 6 times after that, but there were no errors again.

I still have a problem when chkdsk stalls at 12% of second stage for 2-3 mins, but at least, I don't have index errors.

Hope, my solution will help you, guys.

PS: backup your system, before you'll do anything!

The solution is written up in Russian here: http://forum.ixbt.com/topic.cgi?id=22:67854#4

 

If you'll use this solution, feedback will be highly appreciated.

Edited by VjFill

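A check worth running between the two streams.exe commands in the post above, as an added example that is not part of the original post: `streams.exe -s -d c:\` deletes every alternate data stream it finds, not only the Kaspersky ones, so this Python script reads the saved `streams.txt` and separates the `KAVICHS` streams from any others that would be lost. The report layout it parses (a path line ending in `:` followed by indented `:name:$DATA size` lines) and the sample paths are assumptions; the stream name is the one quoted in the post.

```python
import re
import sys
from collections import defaultdict

# Constructed sample, in the layout streams.exe is assumed to print.
SAMPLE_REPORT = r"""
C:\Documents\report.doc:
   :KAVICHS:$DATA    36
C:\Downloads\setup.exe:
   :KAVICHS:$DATA    36
   :Zone.Identifier:$DATA    26
C:\Downloads\tool.zip:
   :Zone.Identifier:$DATA    26
"""

# A file header: drive-letter or UNC path followed by a trailing colon.
PATH_RE = re.compile(r"^(?P<path>(?:[A-Za-z]:\\|\\\\).*):\s*$")
# A stream entry: indented ':name:$TYPE' followed by the size in bytes.
STREAM_RE = re.compile(r"^\s+:(?P<name>[^:]+):\$(?P<type>[A-Z_]+)\s+(?P<size>\d+)\s*$")


def parse_streams_report(text):
    """Return {file_path: [(stream_name, size_in_bytes), ...]}."""
    report, current = {}, None
    for line in text.splitlines():
        stream = STREAM_RE.match(line)
        if stream and current is not None:
            report.setdefault(current, []).append(
                (stream["name"], int(stream["size"])))
            continue
        header = PATH_RE.match(line)
        if header:
            current = header["path"]
    return report


def triage(report, vendor_stream="KAVICHS"):
    """Split the report into files carrying the vendor stream and a map of
    every other stream name to the files that would lose it on a bulk delete."""
    vendor, other = [], defaultdict(list)
    for path, streams in report.items():
        for name, _size in streams:
            if name.upper() == vendor_stream.upper():
                vendor.append(path)
            else:
                other[name].append(path)
    return vendor, dict(other)


if __name__ == "__main__":
    # Usage: python triage_streams.py streams.txt  (falls back to the sample)
    if len(sys.argv) > 1:
        with open(sys.argv[1], errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_REPORT
    vendor, other = triage(parse_streams_report(text))
    print(f"{len(vendor)} files carry the KAVICHS stream")
    for name, paths in sorted(other.items()):
        print(f"{len(paths)} files carry '{name}', also removed by -d")
```

If the second list is not empty, deleting only the named stream per file is the narrower option than a recursive `-d` over the whole drive.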
Well, seems to me, I have a partial solution for the problem, described here - chkdsk errors in indexes.....


 

Thanks for that information. In your case some of the extra data was placed there by IStreams technology which used ADS. Those Alternate Data Streams can be removed using a number of utilities including one supplied directly by Kaspersky as well as the one you used.

 

IStreams has been abandoned by Kaspersky in favor of a new technology called ISwift. Nevertheless, many systems which had older versions of KAV may still have the old ADS attached to all their files, even though current versions of KAV no longer use them. It's certainly useful to get rid of them because it's possible that their presence may be aggravating other issues, such as the current CHKDSK problems.

 

The current problem is believed to be caused by extra data added to the indexes by ISwift. This extra data cannot be removed except by extreme measures such as described by Dantz above in this thread. Like ADS, this extra data is not removed by KAV (or AVS) after it is installed. Thus the stall before or during stage two persists after removal of the program.

 

Unfortunately the exact nature and/or format of this extra data (called NTFS-identifiers by KAV) are proprietary. No information or other documentation for these identifiers has ever been published as far as I know.

 

For a description of ISwift technology see:

 

http://www.kaspersky.com/faq?qid=186010624

 

It appears that it is possible to remove these undocumented NTFS-identifiers using heroic measures like copying an entire drive and copying it back using a utility such as RoboCopy, as demonstrated by Dantz.

 

What needs to be done is for KAV to step up and provide a removal tool for the undocumented NTFS-identifiers placed there by ISwift. I have full confidence that such a removal tool would put our systems back to normal and that the long pauses before or during CHKDSK stage 2 would disappear.

 

Unfortunately KAV continues to stonewall on this issue which is really too bad. It's a great company, but I can no longer recommend it to my clients until they step out in front of this issue and offer a removal tool for the undocumented NTFS identifiers.

 

 

 


jmorlan

I know everything you wrote, I've read this thread. My point is that iSwift from the new release conflicts with iStreams from a previous installation, and removing all remaining parts of iStreams helps to fix several problems with iSwift - at least you can remove errors in the filesystem check.


Here is a link that explains about NTFS "object identifiers" and how they work. Essentially an attribute is added to each file which uniquely identifies it.

 

http://msdn2.microsoft.com/en-us/library/aa363997.aspx

 

The description explains why copying the files removes the identifiers, but moving them does not. This is exactly the experience described by Dantz above.

 

Here is code which will delete object identifiers:

 

http://msdn2.microsoft.com/en-us/library/aa364559.aspx

 

Will this code also delete the index of all object IDs stored on the volume? If so, then could somebody please write an implementation that we could use to get our file systems back to normal?

 

Please.

 

 

 

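Before deleting anything, the hypothesis in the post above can be measured. This added example (not code from the thread or from Kaspersky) is a read-only Python script that walks a folder and counts how many entries carry an NTFS object identifier, using the documented `FSCTL_GET_OBJECT_ID` control code through `ctypes`; it changes nothing on disk and runs on Windows/NTFS only. The function names and the injectable `query` parameter are this example's own.

```python
import ctypes
import os
import sys

# CTL_CODE(FILE_DEVICE_FILE_SYSTEM=9, function 39, METHOD_BUFFERED, FILE_ANY_ACCESS)
FSCTL_GET_OBJECT_ID = (9 << 16) | (39 << 2)   # 0x0009009C
OPEN_EXISTING = 3
FILE_SHARE_ALL = 0x7                          # read | write | delete
FILE_FLAG_BACKUP_SEMANTICS = 0x02000000       # needed to open directories
# FILE_OBJECTID_BUFFER: four consecutive 16-byte fields (64 bytes in total).
FIELDS = ("ObjectId", "BirthVolumeId", "BirthObjectId", "DomainId")


def parse_objectid_buffer(raw):
    """Split a 64-byte FILE_OBJECTID_BUFFER into hex strings per field."""
    if len(raw) != 64:
        raise ValueError("FILE_OBJECTID_BUFFER must be exactly 64 bytes")
    return {name: raw[i * 16:(i + 1) * 16].hex() for i, name in enumerate(FIELDS)}


def get_object_id(path):
    """Return the parsed object ID of `path`, or None if it has none or
    cannot be opened. Read-only; Windows/NTFS only."""
    vp, u32 = ctypes.c_void_p, ctypes.c_uint32
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.CreateFileW.restype = vp
    k32.CreateFileW.argtypes = [ctypes.c_wchar_p, u32, u32, vp, u32, u32, vp]
    k32.DeviceIoControl.argtypes = [vp, u32, vp, u32, vp, u32,
                                    ctypes.POINTER(u32), vp]
    k32.CloseHandle.argtypes = [vp]
    # Desired access 0: enough to query metadata, cannot modify the file.
    handle = k32.CreateFileW(path, 0, FILE_SHARE_ALL, None, OPEN_EXISTING,
                             FILE_FLAG_BACKUP_SEMANTICS, None)
    if handle in (None, vp(-1).value):        # NULL or INVALID_HANDLE_VALUE
        return None
    try:
        buf = ctypes.create_string_buffer(64)
        returned = u32(0)
        ok = k32.DeviceIoControl(handle, FSCTL_GET_OBJECT_ID, None, 0,
                                 buf, 64, ctypes.byref(returned), None)
        if ok and returned.value == 64:
            return parse_objectid_buffer(buf.raw)
        return None                           # the call fails when no ID is set
    finally:
        k32.CloseHandle(handle)


def count_object_ids(root, query=get_object_id):
    """Walk `root`; return (entries_seen, entries_with_object_id)."""
    total = tagged = 0
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            total += 1
            if query(os.path.join(dirpath, name)) is not None:
                tagged += 1
    return total, tagged


if __name__ == "__main__":
    # Usage (Windows): python count_objectids.py C:\SomeFolder
    seen, with_id = count_object_ids(sys.argv[1])
    print(f"{with_id} of {seen} entries carry an NTFS object identifier")
```

Comparing the count on an affected volume with the count on a freshly copied one would show whether the copy-and-restore procedure described earlier in the thread really strips these identifiers.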

A user has started a topic at DSLR now, in hope to get some feedback

 

http://www.dslreports.com/forum/r18608452-...st-me-at-ISwift

 

I am no programmer, so what I say is just thoughts, maybe the team can look more into what actually is causing the freeze. As I have not seen the issue, I am unable to even ponder. Is it in the way it is logged ?

 

http://book.itzero.com/read/microsoft/0507...12lev1sec4.html

 

Even this link at the bottom of the page has a mention on performance issues related to the NTFS filesystem

 

http://webtools.live2support.com/windows/fsutil.php

 

 

A user has started a topic at DSLR now, in hope to get some feedback

 

http://www.dslreports.com/forum/r18608452-...st-me-at-ISwift

 

I am no programmer, so what I say is just thoughts, maybe the team can look more into what actually is causing the freeze. As I have not seen the issue, I am unable to even ponder. Is it in the way it is logged ?

 

http://book.itzero.com/read/microsoft/0507...12lev1sec4.html

 

Even this link at the bottom of the page has a mention on performance issues related to the NTFS filesystem

 

http://webtools.live2support.com/windows/fsutil.php


 

omg omg and i just installed aol active virus shield last week omg is my hard drive seriously destroyed now tell me they fixed this issue before i used it omg i'm seriously freaked out now.

omg omg and i just installed aol active virus shield last week omg is my hard drive seriously destroyed now tell me they fixed this issue before i used it omg i'm seriously freaked out now.


 

seems this is all a myth as there is no proof so i'm gonna roll with it lol.

This topic is now closed to further replies.