kbfs icon indicating copy to clipboard operation
kbfs copied to clipboard

Published 20 hours ago verified publisher icon keybase

kbfsdokan uses up to 40% of CPU and triggers Kaspersky to do the same

Open big-bad-wolfe opened this issue 7 years ago • 6 comments

I'm not sure what is happening, but on reboot, everything loads really slow, and when I check the task manager I see kbfsdokan using between 25% and 40% along with that, Kaspersky Endpoint Security 10 jumps up to another 30%, making my computer hard to use.

When I end kbfsdokan CPU usage of Kaspersky drops to normal values, and my computer is usable until next reboot.

I am making an assumption that because Kaspersky is configured to scan drives when they are connected it is getting hung up on something with the mapping.

Last point of info before someone tries troubleshooting this with me, this is a corporate device, and I cannot disable Kaspersky in any way.

big-bad-wolfe avatar May 26 '17 18:05 big-bad-wolfe

This is the log entry that is repeated in keybase.kbfs.log until I manually end the process:

2017-05-29T08:18:09.852458-06:00 - [ERRO kbfs fs.go:266] 322f7 Refusing access: SID match error

It then seems to continue loading, and after a little while this message shows up and repeats (approx.) 4 times:

2017-05-29T08:25:05.742647-06:00 - [ERRO kbfs mounter.go:57] 053 Failed to mount dokan filesystem (i=16): Dokan failed: code=-5 "Mount error"

big-bad-wolfe avatar May 29 '17 14:05 big-bad-wolfe

@big-bad-wolfe I assume this was closed by mistake?

Is it possible you're running Keybase and your anti-virus as different Windows users? Seems like the AV might not have access to it. Ideally you could whitelist the k: drive so the AV doesn't try to scan it.

strib avatar May 29 '17 15:05 strib

cc @taruti @zanderz

strib avatar May 29 '17 15:05 strib

Seems like the following:

  1. Kaspersky tries to access KBFS as an another user than the one running KBFS
  2. Kaspersky is denied access
  3. goto 1.

In a busy loop between KBFS and Kaspersky. Perhaps we could return an empty drive with a single file explaining things instead of a permission denied for other users.

taruti avatar May 29 '17 20:05 taruti

AV is definitely running as a different user, Kaspersky tends to make a new user KAV_????? to give it self local admin, nothing I can do to change that, corporate laptop.

The drive reads as a removable flash drive, and gets scanned, again corporate laptop. If the drive was 64GB or better my drive wouldn't be scanned, but that sounds a little excessive.

Is there a way to disable this drive from loading?

(Sorry about closing it, clicked the wrong button)

big-bad-wolfe avatar Jun 08 '17 03:06 big-bad-wolfe

This should be fixed by https://github.com/keybase/kbfs/pull/1016 but that is not yet in a release.

You can remove Dokan via control panel, then the drive dissapears. We could fake a larger size, but given that there is a quota then it would be confusing for other users.

taruti avatar Jun 09 '17 08:06 taruti