AV scan uses all available file handles on XP, and too many on Win 7 [V6][M236]

A. THE BUG/ISSUE (Varies from issue to issue)
  • Summary - Give a clear summary in the topic title, NOT here.
  • Can U reproduce the problem & if so how reliably?: most likely yes
  • If U can, exact steps to reproduce. If not, exactly what U did & what happened:
  1. I’ve opened a DVD iso image with an installer for some application with WinCDEmu as a virtual drive.
  2. I decided to AV scan this virtual drive (not the iso, as AV could not look inside of it).
  3. While scanning I used Total Commander, however this does not really matter.
  4. At some point TC showed an error message saying there were no free resources. Then its icons started to disappear, the system became slow, alt-tab had no app icons etc. (normal situation when the OS does not have enough free handles)
  5. I started closing my opened apps to make a reboot or prepare for an imminent crash. I canceled the AV scan, but then its window went white (normal situation when the window process is very busy).
  6. Then something came to my mind. I used Process Hacker and inspected cavscan.exe. It showed that cavscan used at the same time almost… 30000 handles!
  7. I noticed that this number goes down after stopping a scan, so I decided to wait. When after a few minutes it dropped to a reasonable value, the AV window regained its controls and the whole OS was cured (a reboot wasn’t needed).
  • If not obvious, what U expected to happen: not using all file handles
  • If a software compatibility problem have U tried the conflict FAQ?:
  • Any software except CIS/OS involved? If so - name, & exact version: Total Commander 8.01, Process Hacker 2.30, WinCDEmu 3.6
  • Any other information, eg your guess at the cause, how U tried to fix it etc:

The iso image consisted of many big (not in size, but in number of files inside) cab archives. So I suspect that scanning archives with enough files inside can cause a similar event. I’ve tested scanning on a folder with some 7z & rar archives and observed that when the scanner is inside an archive the used handles counter increases, and when it exits they are immediately freed. However, so far even scanning a whole drive never caused a situation such as the one described above.

  • Always attach - Diagnostics file, Killswitch processes list, dump (if freeze/crash). If complex - CIS logs & config, screenshots, video, zipped program (not m’ware) - unfortunately there are none

B. YOUR SETUP (Likely the same for each issue, so you can copy forward)
  • CIS version & configuration: 5.12.256249.2599, own config
  • Modules enabled & level. D+/HIPS, Autosandbox/BBlocker, Firewall, & AV: AV: stateful, D+: paranoid, FW: custom
  • Have U made any other changes to the default config? (egs here.): many (I use private custom config)
  • Have U updated (without uninstall) from a previous version of CIS: yes (I reinstall only for major versions)
    - if so, have U tried a clean reinstall - if not please do?: no
  • Have U imported a config from a previous version of CIS: yes
    - if so, have U tried a standard config - if not please do: no
  • OS version, SP, 32/64 bit, UAC setting, account type, & VM used: XP Pro, SP3, 32b, admin
  • Other security/sandbox software a) currently installed b) installed since OS: none

BTW, I see now that CIS 6.0 has been released, however the integrated upgrade check says I’m up to date. (but this feature has often lied to me)

Files attached inc diagnostics, config, processes - PM for pwd.

Many thanks for a bug report in standard format, which is much appreciated.

Would you be kind enough to try to see if this is solved in CIS 6.0, and if so update your issue report? It’s unlikely that this will be fixed in 5.x, so we are no longer accepting this sort of issue for 5.x.

Many thanks in anticipation.

Best wishes

Mouse

I’ve upgraded to 6.0 and I totally regret this. Maybe it has better functions, but in usability it’s a huge step backwards. I will try to test it again in a few days, however I no longer have this iso.

Your testing efforts are much appreciated

Thanks I’ll hold this here for 2 days to give you a chance to re-run this test on CIS 6.0

Best wishes

Mouse

Unfortunately I have to confirm that this is an issue for 6.0 as well.

http://i47.tinypic.com/2cfy64n.jpg
http://i47.tinypic.com/ke6wt2.jpg

After several minutes of scanning, as you can see, used handles went up to 26520. If I waited until about 32k, the system would most likely crash. I had to stop scanning and wait about 5 minutes for the handles to be freed, because the scanner window was unresponsive after confirming to stop scanning.

The scanned package is an installer for Visual Studio 2010.

However keep in mind this is a rare situation.

Thanks Wilk, much appreciated.

I think that Win7 has a much higher handle numbers limit, so, probably things will not lock up.

I experienced similar problems with another App (MS Outlook leaks handles) and worked round it by raising the max number of handles XP allows (within MS recommended limits)

I can look out the KB link if you wish

Best wishes

Mouse

At 99% of scans it never happened. The limit is one problem, the other one is waiting until CIS frees those thousands of handles.

Thank you very much for your report in standard format, with all information supplied. The care you have taken is much appreciated by Comodo, and will increase the likelihood that this bug can be fixed.

Developers may or may not communicate with you in the forum or by PM/IM, depending on time availability and need. Because you have supplied complete information they may be able to replicate and fix the bug without doing so.

Many thanks again

Mouse

Can you please check and see if this is fixed with the newest version? Please let us know whether it is fixed or you are still experiencing the problem.

Thank you.

PM sent.

OK, so with 2813 I was unable to reproduce the same issue, neither with mounted .iso with plenty of .cab files (unfortunately not the same as the first one) nor in Full Scan. However at some point used handles increased up to 14k: http://i42.tinypic.com/2uo6yxz.jpg but then they were released.

Is your latest result on XP? If not could you please repeat with XP preferably using the original CABS?

Note this:
http://support.microsoft.com/kb/327699

If you are interested in further investigation, Mark R’s blog is one of the best sources for the theory and testing approaches, though the figures it gives are for the whole OS I think not for one process:

Best wishes

Mike

Yes, it’s still XP SP3.

The link http://support.microsoft.com/kb/327699 is related to the GDI/USER handles’ limit. The issue I report is with file handles (opened files / files in use). (note that the screen I’ve attached shows 14095 as a sum of all used handles’ types for this process, but 95% of that are file handles indeed, like in one of my previous posts)

From my observations it looks like the AV scanner, while scanning archives, uses a new handle for each unpacked file, but releases all of them only after it has finished scanning the whole archive.
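The behaviour described in the post above, modelled as an added example (not part of the original thread and not Comodo's code): unpacking each archive member to a temporary file and comparing the peak number of open handles when they are released per member versus only at the end of the archive. The names `build_archive`, `scan_archive` and `handle_budget` are hypothetical, and the zip archive is constructed in memory.

```python
import io
import tempfile
import zipfile


def build_archive(n_members):
    """Constructed sample input: an in-memory zip with n small members."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for i in range(n_members):
            zf.writestr(f"file{i:04d}.bin", b"constructed sample %d" % i)
    return buf


def scan_archive(archive, release_per_member, handle_budget=None):
    """Unpack every member to a temp file and 'scan' (read back) it.

    Returns (members_scanned, peak_open_handles). handle_budget is a
    hypothetical cap: abort the archive instead of starving the OS.
    """
    open_handles = []
    peak = scanned = 0
    try:
        with zipfile.ZipFile(archive) as zf:
            for info in zf.infolist():
                if handle_budget is not None and len(open_handles) >= handle_budget:
                    raise RuntimeError("handle budget exceeded in archive")
                tmp = tempfile.TemporaryFile()
                open_handles.append(tmp)
                peak = max(peak, len(open_handles))
                tmp.write(zf.read(info))
                tmp.seek(0)
                tmp.read()  # stand-in for the signature check
                scanned += 1
                if release_per_member:
                    open_handles.pop().close()  # free the handle right away
    finally:
        for fh in open_handles:  # deferred release: everything at once
            fh.close()
    return scanned, peak


if __name__ == "__main__":
    print("deferred  :", scan_archive(build_archive(100), False))
    print("per-member:", scan_archive(build_archive(100), True))
```

With deferred release the peak grows with the number of files in the archive, which is why only archives with very many members reach the OS limit; with per-member release it stays constant.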

Fair enough - should have checked sorry. I think the thing to do is to test on the previous CABs if you still have them and look for signs of instability. If none I think we can provisionally assume this is fixed.

Best wishes

Mouse

Can you please check and see if this is fixed with the newest version (6.2.282872.2847)? Please let us know whether it is fixed or you are still experiencing the problem.

Thank you.

PM sent.

Can you please check and see if this is fixed with the newest version (6.3.294583.2937)? Please let us know whether it is fixed or you are still experiencing the problem.

Thank you.

PM sent.

The devs have informed me that they believe that this is fixed for CIS version 7.0.313494.4115. I will therefore move this to Resolved.

If this is still not fixed for you please both respond to this topic and send me a PM (including a link to this bug report).

Thank you.