Eset Antivirus on Windows 7 using excessive memory
I came across an unusual problem about a week ago which has probably been an issue on this particular computer for a long time without me realising it as I have one other application on there which uses a large amount of memory if left open for a long time, so I have a routine to restart that application once every couple of weeks.
Unfortunately such a thing isn’t really possible with an antivirus program without restarting the computer, and this particular system needs to stay running as much as possible. Restarting it is something which I can only really schedule in a couple brief windows each week without causing other issues.
This particular system is running Windows 7 so it is well and truly out of date in terms of Windows support, and Eset doesn’t release new software versions for it but does continue to provide antivirus definitions for it. Updating it to Windows 10 or Windows 11 isn’t really an option due to some of the software running on it being antiquated. One piece of software in particular has been discontinued and replaced by a different product which doesn’t quite work the same way and isn’t suitable for my purposes any more. I don’t know if installing and activating the old software on a new system would even be workable and the last time I had an interaction with support for that software, it left me less than certain that they knew much about how it worked at all. So I’m left needing to continue to run a Windows 7 system. While this does present some security risks, if properly managed these can be largely mitigated.
So, back to the problem I started to encounter with Eset Antivirus.
The other week I was investigating some performance issues with the machine and noticed one component of Eset was using over 900MB of RAM. This was unusual as it has never really left double digits before in my observations. The process in question was eguiProxy.exe. This process acts as a bridge between the Eset program window and the backend processes, allowing the Eset window to get and display information about the Eset Antivirus status and allow the user to start scans etc without needing administrative privileges. The eguiProxy.exe process is supposed to close shortly after the Eset window is closed, but a bug in some version 16 installations causes eguiProxy.exe to not close (and in some cases to run even if the Eset window was never opened) and to instead just sit there and eat up RAM indefinitely. Sometimes it will close after a few days, while on other occasions it just sits there until it is using up as much memory as the system will allow and starting to cause issues for other processes.
Memory usage after a few days of uptime
I had to restart this machine at a not-at-all optimal time to clear the excess memory usage and allow the rest of the system’s software to function normally, and due to the timing of this also had to manually fix a handful of processes which were interrupted or failed.
I was running Eset Antivirus 16.0.26.0
Eset released an update to version 16.0.28.0 to solve this issue, however in most cases the Eset application does not automatically update to this version and instead requires a manual update. As you can see in the above screenshot, Eset thinks it is up to date despite being on version 16.0.26.0 and not 16.0.28.0.
The Eset forum has a lengthy thread on the issue at https://forum.eset.com/topic/34941-suspected-memory-leak-eguiproxyexe-why-does-this-process-continually-run/ however the link to the download is broken. The download was moved to https://forum.eset.com/files/file/134-16028/ which annoyingly requires a registration on the Eset forums.
Hopefully the file remains in that location, however Eset’s websites have a habit of pages moving around quite a lot, so I have decided to mirror the file myself. It can be downloaded here. As it is a signed file, you can verify its authenticity by whether Windows accepts the signing to be valid. Regardless, if you can find the file on Eset’s websites, it is better to get it from there than from a random website on the internet such as mine, but I provide the download just in case you can’t find it elsewhere.
What isn’t clearly explained on the Eset website and doesn’t become apparent until you try to install it is that to install it, the system must be running at least Windows 7 SP1 with two specific updates installed, KB4474419 and KB4490628. If you try to install the Eset update without those Windows updates, it will refuse to install and send you to a series of Eset pages which provide a mishmash of information about whether or not you can install the Eset update.
KB4474419, which adds SHA-2 code signing support to Windows, can be downloaded from Microsoft at https://support.microsoft.com/en-us/topic/sha-2-code-signing-support-update-for-windows-server-2008-r2-windows-7-and-windows-server-2008-september-23-2019-84a8aad5-d8d9-2d5c-6d78-34f9aa5f8339 and I have mirrored the Windows 7 x64 version here.
Likewise, KB4490628 which makes improvements to Windows Updates’ support of SHA-2 code signing, can be downloaded from Microsoft at https://support.microsoft.com/en-us/topic/servicing-stack-update-for-windows-7-sp1-and-windows-server-2008-r2-sp1-march-12-2019-b4dc0cff-d4f2-a408-0cb1-cb8e918feeba and I have mirrored the Windows 7 x64 version here.
As Microsoft stopped providing updates for Windows 7 some time ago, I disabled the Windows Update service (you can do that in Windows 7 – it’s a pain in Windows 10 and later, but I documented a method for doing so a few months ago) as I found it was often using excessive CPU to check for updates which were never coming. In order to install those updates, the Windows Update service must be enabled, so I had to re-enable it temporarily.
It turned out I already had SP1 and KB4474419 installed, and just had to install KB4490628. Once I did that, Eset version 16.0.28.0 was happy to install. The installer requests a login to Eset Home but this is not necessary. If Eset Antivirus is already activated, once installed the new version will recognise that, but if it isn’t activated you can always active or login after installation.
So now I have version 16.0.28.0 installed
And pleasingly the eguiProxy.exe process now only opens if the Eset window is opened, and closes shortly after the window is closed, no longer draining memory until Windows is left exasperated at the diminished resource.
Samuel
Add comment October 14th, 2024 at 04:49am