NOD32 antivirus won't shut down

Despite quitting the application, the NOD32 process and service continue chugging along.

Michael Horowitz

Michael Horowitz wrote his first computer program in 1973 and has been a computer nerd ever since. He spent more than 20 years working in an IBM mainframe (MVS) environment. He has worked in the research and development group of a large Wall Street financial company, and has been a technical writer for a mainframe software company.

He teaches a large range of self-developed classes, the underlying theme being Defensive Computing. Michael is an independent computer consultant, working with small businesses and the self-employed. He can be heard weekly on The Personal Computer Show on WBAI.

Disclosure.

See full bio

Michael Horowitz

July 17, 2007 10:53 p.m. PT

4 min read

The NOD32 antivirus program from ESET has its share of enthusiasts. After a long, detailed review of the field, Scot Finnie in February called it the best antivirus product of 2007.

Based on Mr. Finnie's reviews and recommendation, I've been installing NOD32 on the computers of some of my clients. I've also lived with it a bit on one of my computers and had no major gripes.

Until yesterday.

NOD32 using 88% of the CPU — NOD32 is using 88% of the CPU after having been shut down. Click for full-size image.

I was about to run Microsoft Update on a Windows XP machine for the third or fourth time, and was getting tired of waiting for it complete. So this time, I turned off ("Quit") NOD32 beforehand.

It didn't seem to make much of a difference, as Microsoft Update still maxed out the CPU while checking for new patches and seemed to take forever to complete.

But while I was waiting, I took a look at the system using Process Explorer, a great free program, now from Microsoft but formerly from Sysinternals. Surprise, surprise. NOD32 was using 88 percent of the CPU cycles. Despite the disappearance of the system tray icon, it never really shut down.

In the screen shot above (click for a full-size image), the highlighted line is nod32krn.exe, and you can see from the CPU History that it has been using a good portion of the processor horsepower.

NOD32 version details. Click for full size image.

I've been down this road before. This isn't the first time the user interface of an application says that it is not running but the underlying Windows service is still running (in Windows XP: Control Panel -> Administrative Tools -> Services). Windows Update is like this. So, too, is the Windows Security Center.

But NOD32 won't let you shut down its Windows service. The Stop option is disabled. I've seen enough episodes of ''Star Trek'' to know how important a manual override is. NOD32 doesn't have a manual override.

The version of NOD32 in question is the current version, 2.70. Click on the screen shot at the right to see the full details on the version of NOD32 being used at the time.

UPDATE (July 17, 2007)

Randy Abrams, the Director of Technical Education for ESET, the company behind NOD32, explained why NOD32 only partially shuts down.

"As for the inability to completely shut down NOD32, that is necessitated by the nature of security software and the threats we face. NOD32 implements technologies designed to prevent malicious software from disabling it. While NOD32 offers the user the ability to partially turn off NOD32 services, in order to allow the user to completely do so we would have to allow malware to easily disable NOD32. Additionally, the low level at which anti-virus software runs means that system stability may be compromised if it is completely removed - making it potentially dangerous to completely remove the software without a reboot. The anti-stealth technology in NOD32 that is designed to be able to detect active rootkits must operate at a system level at least as low as the rootkits it is detecting."

And he goes on to explain that NOD32 can be totally shutdown after a reboot:

"To temporarily disable NOD32 without uninstalling it on a Windows XP System, I would recommend using MSConfig and temporarily disabling the startup item NOD32KUI and the service NOD32 Kernel Service.

Although you can't stop the NOD32 Kernel Service, you can change it from the normal startup mode of Automatic to Manual or Disabled. Addressing the CPU usage observed with NOD32 half shut-down Mr. Abrams says:

"Typically when NOD32 is disabled the resource consumption will go down to about zero. There can be very strange cases where the exact combination of hardware and software create conflicts. These conflicts can be a real bear to track down."

Being a programmer, I feel his pain. And NOD32 in normal usage is not a resource hog at all.

I asked Mr. Abrams about other defensive software (antivirus, antispyware, firewalls and the like) that asks for confirmation from a human being when it gets a request to shut down. On this point he said:

"There are definitely a variety of approaches that can be taken. Each will have trade-offs in terms of security implications. Malware that can shut down a security program can also intercept messages. It is a calculated risk. "

And, on a lighter note, Mr. Abrams adds:

"Remember, in Star Trek the ultimate manual override still required a senior officer's verbal confirmation and was not valid for all starships (we hope). Ultimately, NOD32 can be uninstalled without difficulty, but we wouldn't want any random Trible (hey, they are great at replication) to be able to come along and disable every copy of NOD32."

You've got to love a company with a sense of humor. :-)

Finally, let me put this in perspective. NOD32 has been a well reviewed product, which motivated me to try it in the first place. At my computergripes.com site I often gripe about software that I continue to use and recommend. Nothing's perfect. But you'll never see me griping about, for example, Microsoft's antivirus product because it has been so poorly reviewed, I won't bother with it.