Oct 11, 2012 8:11 AM
1) Memory leak (The Nonpaged-pool fills up):
More than two weeks ago, after the update of all our (64-bit) Windows 7 machines, to version 11.6(SecurityCenter) and 15.6(VirusScan), excessive memory leaks occur and the scans are very slow.
After 5 to 8 days uptime (depending on the IO use), the machines crash with a BSOD(Blue Screen of Death), because the non-paged memory reaches the physical memory limit.
On the XP machines, 9 in total, (Version 11.0/15.0/..) these problems are not seen at all! (The *.6 seems to be a Win7 only version.)
The newer versions v11.6.434(SC) and v15.6.231(VS) seemed to improve the memory issue a bit, the machines build up their Nonpaged-pool slower, but did not fix the leak.
The leak occurs from the kernel-driver FWPKCLNT.SYS, in c:\Windows\Sysnative\drivers\. (On my systems it has date 2012-08-22 20:12 (UTC+1), is version: 6.1.7601.17939, and is installed on 12-September-2012, the time from the MS-Updates batch.)
This was found out using 'poolmon.exe' from the Windows Driver Kit. (The driver with Tag 'Fwpx', never Frees any! of its allocated memory and when the nonpaged-memory reaches a total of about 3GB it crashes our 4GB PCs. (Max nonpaged memory is 75% from the Physical Memory size on a Win7 64-bit machine.)
See attachement A.)
I have about 5 almost 100% identical BSODs. (All report a crash in the driver NETIO.SYS (BugCheckCode=1d, String=DRIVER_IRQL_NOT_LESS_OR_EQUAL).
See attachment B).
If the machines are rebooted, before the Non-paged memory reaches its border (the Nonpaged Limit), the machine does not crash.
Filling up almost all the Physical memory with nonpage-able pages, of cause really hurts the performance of a PC.
This is surely (one of the) reasons the next problem also occurs.
2) Slow Scanning (either Scheduled, Full or Manual):
From the Windows 7 PCs, all with the latest patches (so including the patches of yesterday 2012-Oct-11), 6 machines were tested.
The worst behaviour is shown on 3 (of those 6) PCs. They have a dual core processor (and only 4 GB of memory).
Also their scanning, which normally lasted maximally up to 4 hours (before this was even 2 hours!), now sometimes takes over a day or longer!
(This is even with the "Scan using minimal resources" setting turned off.)
The Resource Monitor (Disk-tab) shows the scan has problems with big (ASCII) files. The INBOX and Sent files from Thunderbird take a very long time to scan. During this the non-page memory size raises even more quickly.
The files are in plain ASCII text (not compressed or anything), and its size reaches up to 3.5GB for some INBOX-es. As said before, they are scanned a lot faster on the slow XP machines!
The slow scanning is occurring since it was first notices on 26-September. (We run weekly scans).
The described problem, the memory leak, is also very extensively reported in at least 2 other threads in the forum.
It seems to be the EXACT same problem for which McAfee (until now) has not found a solution.
- One link which mentiones the exact same problem is the one from user Fragged, posted on 19-September:
- It is not related only to machines with lots of IO, as the Blue Iris Camera-PCs from user Lotty.
He already reported this problem as early as 7-Augustus!, yet there is no fix!
- It is not limited to Total Protection, as we are using VirusScan Plus only!
It seems to be in the core-software of the newer *.6 version for Windows 7 PCs.
- There must be a lot of unaware users from McAfee out there, who probably reboot their machines regularly, and therefore may not even notice the problem.
(Or it is simply too much hassle to write here...?)
McAfee should give this issue some very, very serious attention, because they are loosing customers this way!
A) Nonpaged Memory-pool usage shown by Task Manager, RamMap(sysinternals) and poolmon.
Poolmon also shows that 0 Frees were done in the 4-days the 'Fwpx' driver build up its nonpaged pool to 2.5GB ! (NP-total=~2.9GB)
B) BSOD from this morning 2012-Oct-11, shown with BlueScreenView (It also shows one from 2 weeks ago!)
Message was edited by: beheer on 10/11/12 8:11:49 AM CDT