KIS 2017 Bug in TAM (opens programs slow)?

Status
Not open for further replies.

motox781

Level 10
Thread author
Verified
Well-known
Apr 1, 2015
483
@harlan4096

Installed KIS 2017 17.0.0.611(b) twice on my Windows 10 x64 Pro OS and can reproduce the issue.

When I enable TAM, opening programs is very slow at first (15 secs or so). Disable TAM, everything opens fast.
Any ideas?

What I've tried:

1. Run full scan
2. Opened programs and hoped they would be cached in KIS (speed increased a little on second open, but still noticeable)
3. Restarted PC
4. Uninstalled via Programs and Features and re-installed
 

XhenEd

Level 28
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Mar 1, 2014
1,708
I noticed that, too, when I was still using KIS 2016/2017. :)

Do you have a fast internet connection? My guess is that TAM wants to get the file information from KSN. And so, it delays the file execution, until it gets the information from KSN. But I know that it shouldn't take that long, as KSN is used even when TAM is disabled.

What really prompted me to disable TAM was blocking a trusted file when internet connection is off or flaky. For instance, Pale Moon is trusted, but when there's no internet connection, its components (e.g. .dll) are blocked by TAM, making Pale Moon not to work properly. I guess this just occurs to my laptop, as no one reports similar, so far.

@harlan4096 can help you with that.
 

motox781

Level 10
Thread author
Verified
Well-known
Apr 1, 2015
483
> I noticed that, too, when I was still using KIS 2016/2017. :)
>
> Do you have a fast internet connection? My guess is that TAM wants to get the file information from KSN. And so, it delays the file execution, until it gets the information from KSN. But I know that it shouldn't take that long, as KSN is used even when TAM is disabled.
>
> What really prompted me to disable TAM was blocking a trusted file when internet connection is off or flaky. For instance, Pale Moon is trusted, but when there's no internet connection, its components (e.g. .dll) are blocked by TAM, making Pale Moon not to work properly. I guess this just occurs to my laptop, as no one reports similar, so far.
>
> @harlan4096 can help you with that.

Yes. I figured the same about the connection.

I have a 200MB download connection. I also tried to disable my VPN. Nothing worked.
 

harlan4096

Moderator
Verified
Staff Member
Malware Hunter
Well-known
Apr 28, 2015
8,635
Yes, I've gotten sometimes that issue also (slowdown when opening applications), for example with VLC video player, and only with some specific applications, not with all... also the strange thing was that not always, but many times... I reported to Kaspersky the issue many months ago...

You can try to mitigate the issue by editing the application rules of the affected applications in "Application Control", activating this Exclusion:
[Image: 1.png]
 

Wave

I am going to explain the situation from an educational development perspective, and will try to make it as easy to understand as possible for non-software developers, just let me know if you need a simpler explanation and I'll post it here afterwards!

Kaspersky most likely monitors process creation via a kernel-mode callback registered by one of their device drivers, called PsSetCreateProcessNotifyRoutineEx. The way this callback works is when you attempt to run a new program (regardless of how the program is starting execution - e.g. start menu, folder, etc... Which may trigger CreateProcessA/ShellExecuteA (used by explorer.exe) -> Leads back to NtCreateUserProcess in the end) the callback in kernel-mode will receive the Pre notification, which basically means it becomes notified before the process has actually finished setting itself up and has finished loading (thus the process is unable to execute any code from within its threads yet).

Therefore, when you go to run a program, Kaspersky will successfully intercept. Chances are it sends the details of the program attempting to load back to user-mode where the user-mode process will submit the queries to the cloud and then decide the action based on this information. However, you cannot wait in kernel-mode like this as it'd hang up the system, so Kaspersky probably auto-blocks all non-white-listed objects and re-executes if the execution is allowed based on the cloud results (just a theory).

Of course, without me actually reversing the product I cannot claim the above is 100% accurate; however, there is a 99.9% chance they do something like what is suggested above, and probably many other vendors too. No doubt about the kernel-mode callback, though.

Simpler explanation:
> My guess is that TAM wants to get the file information from KSN. And so, it delays the file execution, until it gets the information from KSN. But I know that it shouldn't take that long, as KSN is used even when TAM is disabled.
Had to quote the above because it's the easiest to understand IMO, but I just wanted an excuse to post something developer-perspective. Haha. :p

> What really prompted me to disable TAM was blocking a trusted file when internet connection is off or flaky.

Yeah, that's a downside of features like these, since it will be unable to do its queries to decide to allow/block based on TAM. So it will have to rely on its signatures/heuristics/dynamic protection only without the cloud check-ups... They should switch to Anti-Executable alerts once the internet becomes disabled, and also notify the user that the internet has been disconnected once it has been (just as a precaution say in case malware attempts to exploit this idea by automation of disabling the internet connection as a bypass method). Just an idea. :)
 

XhenEd

Level 28
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Mar 1, 2014
1,708
> Yeah, that's a downside of features like these, since it will be unable to do its queries to decide to allow/block based on TAM. So it will have to rely on its signatures/heuristics/dynamic protection only without the cloud check-ups... They should switch to Anti-Executable alerts once the internet becomes disabled, and also notify the user that the internet has been disconnected once it has been (just as a precaution say in case malware attempts to exploit this idea by automation of disabling the internet connection as a bypass method). Just an idea. :)

But I think this isn't intended because even Kaspersky Support told me that when there's no internet connection, a trusted file in the Application Control shouldn't be blocked by TAM. Only those that are not on the list of Application Control or are configured to be blocked, when internet connection is off, will be automatically blocked by TAM. Even harlan doesn't experience this problem. That's why I think this might be due to my ISP, network default configuration, or software incompatibility. :)
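
The decision order discussed in the posts above (a pre-creation callback, a local trust list, then a cloud lookup) can be modelled in user-mode C. This is an added example, not part of any post and not Kaspersky's code: the `create_info` struct is a hypothetical stand-in for the kernel's `PS_CREATE_NOTIFY_INFO`, and the rule list, paths and cloud verdicts are constructed.

```c
#include <stdio.h>
#include <string.h>

#define STATUS_SUCCESS       0x00000000u
#define STATUS_ACCESS_DENIED 0xC0000022u   /* real NTSTATUS value */
typedef enum { REP_TRUSTED, REP_UNTRUSTED, REP_UNKNOWN } reputation;
typedef enum { CLOUD_ONLINE, CLOUD_OFFLINE } cloud_state;
/* Hypothetical stand-in for PS_CREATE_NOTIFY_INFO: a failure status vetoes the launch. */
typedef struct { const char *image_path; unsigned int creation_status; } create_info;
typedef struct { const char *path; reputation rep; } rule;

/* Constructed local rules, playing the role of the Application Control list. */
static const rule local_rules[] = {
    { "C:\\Program Files\\Pale Moon\\palemoon.exe", REP_TRUSTED },
    { "C:\\Users\\demo\\Downloads\\blocked.exe",    REP_UNTRUSTED },
};

static reputation local_lookup(const char *path) {
    for (size_t i = 0; i < sizeof local_rules / sizeof local_rules[0]; i++)
        if (strcmp(local_rules[i].path, path) == 0) return local_rules[i].rep;
    return REP_UNKNOWN;
}

/* Constructed cloud verdicts; an unreachable service yields REP_UNKNOWN. */
static reputation cloud_lookup(const char *path, cloud_state net, int *queries) {
    if (net == CLOUD_OFFLINE) return REP_UNKNOWN;
    (*queries)++;              /* each query is a round trip that delays the launch */
    return strstr(path, "vlc.exe") ? REP_TRUSTED : REP_UNKNOWN;
}

/* Pre-creation callback: local list first, cloud only for unknowns, default deny. */
static void on_process_create(create_info *ci, cloud_state net, int *queries) {
    reputation rep = local_lookup(ci->image_path);
    if (rep == REP_UNKNOWN) rep = cloud_lookup(ci->image_path, net, queries);
    ci->creation_status = (rep == REP_TRUSTED) ? STATUS_SUCCESS : STATUS_ACCESS_DENIED;
}

/* Returns 1 if the launch would proceed, 0 if it would be vetoed. */
static int launch_allowed(const char *path, cloud_state net, int *queries) {
    create_info ci = { path, STATUS_SUCCESS };
    on_process_create(&ci, net, queries);
    return ci.creation_status == STATUS_SUCCESS;
}

int main(void) {
    int q = 0, ok = launch_allowed("C:\\Program Files\\VideoLAN\\VLC\\vlc.exe", CLOUD_ONLINE, &q);
    printf("VLC online: allowed=%d after %d cloud query\n", ok, q);
    return 0;
}
```

With this ordering a locally trusted image launches offline without any cloud query, while an image known only to the cloud is denied until connectivity returns.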
 

Wave

> But I think this isn't intended because even Kaspersky Support told me that when there's no internet connection, a trusted file in the Application Control shouldn't be blocked by TAM. Only those that are not on the list of Application Control or are configured to be blocked, when internet connection is off, will be automatically blocked by TAM. Even harlan doesn't experience this problem. That's why I think this might be due to my ISP, network default configuration, or software incompatibility. :)

I doubt it has anything to do with your ISP provider or software compatibility otherwise it should show problematic symptoms when your internet is connected... Hmm, strange.
 

Venustus

Level 59
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Dec 30, 2012
4,809
I have TAM enabled with no slowdowns at all. Even when my connection is slow or dropping packets I still do not see a slowdown opening "Trusted" apps.
Maybe it is system specific, I do not know!!
 

motox781

Level 10
Thread author
Verified
Well-known
Apr 1, 2015
483
I like Kaspersky. I think their UI is clean, complexity and display of settings is phenomenal and they even have the coolest CEO.

BUT, why do I feel Kaspersky sometimes is traveling down the same road as Bitdefender with bugs and lack of clear solutions. I downloaded KTS 2017 last night to check it out again. Problems:

1. Slow database updating as usual (must download from Russia). Not a huge deal though.
2. 2017 TAM causing files to open slow on my Windows 10 x64 systems (not sure if this is a common issue ATM).
3. KSN wasn't working. Updated database, rebooted 3 times, still offline. Rebooted once more, started working. Very flaky.
4. Support. I read their forums every so often. The majority of the times, common problems are downplayed or not directly answered (problems that are widespread). Forum members usually recommend the user to contact support. Good luck with getting an accurate answer.
5. Software seems to include way too many features. Some are nice (TAM... when it works, encryption, local backup), some are unnecessary. I know you can disable some, but most of the features offered in many suites can be gotten for free that perform much better (LastPass, uBlock Origin, etc).
6. Unclear update path (when they plan to release updates, how to install betas, etc). Everything is more confusing when you try to find out when a feature will really be fixed (like Bitdefender).
7. Default settings. Noticeable decrease in Chrome page load speed. Installed Norton after KTS, page load speeds are fine now.

Maybe I'm wrong on #4, but the only person I've seen for years that actually tries to solve issues on this forum and on Kaspersky's forum is Harlan. I know there are other helpful guys, but I remember him because of his avatar pic...the windows in windows in windows pic (which seems he changed :p).

I didn't mean to make this sound like I'm ragging on Kaspersky. They have a great product. I just see more potential in their product.
 

MalwareBlockerYT

> I like Kaspersky. I think their UI is clean, complexity and display of settings is phenomenal and they even have the coolest CEO.
>
> BUT, why do I feel Kaspersky sometimes is traveling down the same road as Bitdefender with bugs and lack of clear solutions. I downloaded KTS 2017 last night to check it out again. Problems:
>
> 1. Slow database updating as usual (must download from Russia). Not a huge deal though.
> 2. 2017 TAM causing files to open slow on my Windows 10 x64 systems (not sure if this is a common issue ATM).
> 3. KSN wasn't working. Updated database, rebooted 3 times, still offline. Rebooted once more, started working. Very flaky.
> 4. Support. I read their forums every so often. The majority of the times, common problems are downplayed or not directly answered (problems that are widespread). Forum members usually recommend the user to contact support. Good luck with getting an accurate answer.
> 5. Software seems to include way too many features. Some are nice (TAM... when it works, encryption, local backup), some are unnecessary. I know you can disable some, but most of the features offered in many suites can be gotten for free that perform much better (LastPass, uBlock Origin, etc).
> 6. Unclear update path (when they plan to release updates, how to install betas, etc). Everything is more confusing when you try to find out when a feature will really be fixed (like Bitdefender).
> 7. Default settings. Noticeable decrease in Chrome page load speed. Installed Norton after KTS, page load speeds are fine now.
>
> Maybe I'm wrong on #4, but the only person I've seen for years that actually tries to solve issues on this forum and on Kaspersky's forum is Harlan. I know there are other helpful guys, but I remember him because of his avatar pic...the windows in windows in windows pic (which seems he changed :p).
>
> I didn't mean to make this sound like I'm ragging on Kaspersky. They have a great product. I just see more potential in their product.

I think Kaspersky & Emsisoft are the top two AV products to beat with Bitdefender coming in with a close third. I have not noticed any bugs in my Kaspersky product other than every time I boot Kaspersky thinks I updated 2 months ago...when if I check the updates it shows that I updated the night before - this is very strange.
 

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,150
I had a slowdown problem with TAM even on KIS 2016.
 