5.1.889 Exhausts Kernel Paged Pool under Windows XP 32-bit?

[bapriebe]

I'm glad to announce the general availability of a new avast program update, version number 5.1.889.

I'm going to be the odd man out here and register a concern.  

Approximately one week ago, my lone remaining Windows XP SP3 (32-bit) workstation starting locking up most of the UI roughly every 2nd day.  The cause is complete exhaustion of the kernel paged pool.  Judging from the results from POOLMON, the largest consumer of that pool has pool tag "SnxN" which appears likely to be related to ASWSNX.SYS judging from an ASCII string search of the driver.  I've been watching POOLMON religously today and these "SnxN" allocations are growing at a rate of about 7MB per hour.  At time of this writing, after about 4 hours run time, there were 27,179 allocations attempted but only 17 of these allocated items were ever freed.

Coincidentally, this latest AVAST release came out at about the time this machine started crashing.  ASWSNX.SYS has a version on it of 5.1.889 and was last modified on January 13, 2011 03:41.

For now, this problem appears to be isolated to the Windows XP box.  Windows 7 (64-bit) shows no unexpected growth in kernel pool usage.

[pk]

SnxN tag stands for "filenames" and i'd need kernel-mode dump of your XP system to see when they were allocated and what are their names...

1) go to control panel, system, advanced system settings, startup and recovery -> settings, switch to kernel dumps
2) reboot
3) wait when you get significant SnxN pool using
4) download http://public.avast.com/~kurtin/osrbang.exe and click on the button
5) after reboot, don't click OK on the shown dialog, compress C:\Windows\Memory.dmp and upload it on our ftp

Thanks!

[bapriebe]

i'd need kernel-mode dump of your XP system to see when they were allocated and what are their names...

Will do.  Incidentally, I have edited the post and title to remove an error.  It's the PAGED pool that is being eaten up.

[bapriebe]

don't click OK on the shown dialog, compress C:\Windows\Memory.dmp and upload it on our ftp

Needed instructions on uploading large file to FTP site.   Found by hunt and peck after Ticket system twice rejected attached file .

See the BAPRIEBE.ZIP file.  This shows state after 5 hours of WIN/XP up time (machine idle except for running BOINC simulations) where 28.4MB of kernel paged pool was allocated to "SnxN" items.

[pk]

Thanks a lot for the dump file. I found the leak, all records contain: "\DosDevices\C:\Documents and Settings\All Users\Application Data\Alwil Software\Avast5\report". This leak only happen when you mount or dismount new volume (i.e. when you volume letter appears or disappears) or when an application opens volume in RAW mode (it can access the disk via sectors). It will be fixed, thanks for info!

You can uninstall Process Virtualization to fix this issue or I can send you a patched version if you use this component.

[pk]

btw, this can be fixed without patched version...
real-time shields -> process virutalization -> expert settings -> report file
- set "Generate report file" on
- set "Delete logs..." on, and set "0" days
this is ideal only if you don't use sandbox on your XP SP3, otherwise I'd send you a patched version

[bapriebe]

I've tried the virtualization fix you suggested.  But paged pool is still being eaten like candy.  Do I have to reboot to change that setting?

If not, having a patched version would be a good idea...

[bapriebe]

Please disregard earlier post.  "SnxN" entries are down to 9MB now.