
Wednesday, September 3rd 2014, 1:44am


NiteHawk


Wednesday, December 10th 2008, 4:25pm

Complete system check hangs at C:\System Volume Information\tracking.log

AntiVir users have repeatedly reported a problem where the complete system check does not pass through and 'stalls' at \System Volume Information\tracking.log. Only the elapsed time increases afterwards, and the scan window can no longer be closed normally.

What is that file?

The file \System Volume Information\tracking.log can be found on NTFS volumes. It is created and managed by the Windows service "Distributed Link Tracking Client" (DLT Client, "TrkWks"): http://technet.microsoft.com/en-us/library/cc736811.aspx.

Diagnostics

To check if the problem described here applies to your case, please do the following:
Open a command prompt ("Start" - "Execute" - cmd.exe) and type in fltmc and fltmc instances respectively (fLtmc with "L"). Check if the output contains the string "KLIF".

Other symptoms

- The DLT client service cannot be stopped as usual within the Windows service control panel ("Start" - "Execute" - services.msc). Normally that's no problem at all.
- The directory System Volume Information is subject to a special protection by Windows. When enforcing the necessary access rights (http://support.microsoft.com/kb/309531, this is explicitly not recommended!), you will notice other applications 'freezing' upon access to tracking.log, too (e.g. Windows Explorer when right-clicking and selecting "Properties", or the editor / notepad.exe upon trying to open the file).
- (These problems persist even when AntiVir is uninstalled.)

So why does the scan hang?

"KLIF" within the list of file system filters (see above) points towards the driver klif.sys. This "Klif Mini-Filter" is part of Kaspersky Anti-Virus. Now you'll probably say: "Hey, wait a minute, I never installed Kaspersky! My antivirus program is AntiVir". Well, this driver is also used by ZoneAlarm Security Suite, and even the ZoneAlarm Free firewall installs it to your system. (The output of fltmc proves the driver to be active.)

It seems there are certain conditions where this driver causes the problems with tracking.log. In case this issue arises, each and every access to this file will cause the corresponding process to no longer react: http://www.osronline.com/showThread.CFM?link=135469. [Note: this error does not affect every (ZoneAlarm related) installation of klif.sys, and may also not become relevant until much later. Some users reported this effect was triggered by a change in their hard disk configuration (adding new drives or changing the existing partitioning scheme).]

Most applications are never affected by the problem, since they normally have no access to the System Volume Information folder. AntiVir's "Complete system check" however is run with "SYSTEM" privileges, thus has the necessary (access) rights, and tries to analyze tracking.log - resulting in a hang of the process. This is not limited to AntiVir, other antivirus programs experience the same problem, including KAV and ZoneAlarm themselves: http://forums.zonelabs.com/zonelabs/boar…essage.id=79530, http://forum.kaspersky.com/index.php?showtopic=18090, http://forums.zonelabs.com/zonelabs/boar…essage.id=27909.

How do I get the scan to pass through?

The most simple and straightforward solution is to simply avoid the problem: defining a scan exception for \System Volume Information\tracking.log will allow the system check to complete normally again. (Tick "Expert mode" in AntiVir's configuration - "Scanner" - "Scan" - "Exceptions", enter or copy the filename into the input box, "Add" - Further details are given via the help function / F1.)

Alternatively, if you insist on solving the problem without exceptions / modifications in AntiVir, please do the following:
- Start the registry editor ("Start" - "Execute" - regedit.exe) and search for the key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\KLIF.
- Change the value for "Start" from 1 to 4 ("deactivated").
- Close the registry editor and reboot your PC. (After that KLIF should no longer show up in the output of fltmc.)
- If appropriate, remove the exception(s) for tracking.log from AntiVir, and check whether the complete system check passes through.


Regards, NiteHawk

This post has been edited 2 times, last edit by "NiteHawk" (Dec 10th 2008, 8:01pm)
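
The diagnostic steps from the post above can be combined into one read-only check. This is an added example, not part of the original post or any vendor tool; it assumes an elevated PowerShell 3.0+ prompt, and the helper name `Get-FilterVolumes` is hypothetical.

```powershell
# Added example: read-only check for the KLIF mini-filter described in the post.
# Run elevated; fltmc refuses to list filters without administrator rights.
$filterName = 'KLIF'
$serviceKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\KLIF'

# Standard meanings of a driver service's "Start" value.
$startTypes = @{ 0 = 'boot'; 1 = 'system'; 2 = 'automatic'; 3 = 'manual'; 4 = 'disabled' }

function Get-FilterVolumes {
    # Hypothetical helper: returns the volumes a filter is attached to,
    # parsed from "fltmc instances" output (filter name is column 1, volume column 2).
    param([string[]]$Lines, [string]$Name)
    foreach ($line in $Lines) {
        $cols = $line.Trim() -split '\s+'
        if ($cols.Count -ge 2 -and $cols[0] -ieq $Name) { $cols[1] }
    }
}

$filters = & fltmc.exe 2>&1
if ($LASTEXITCODE -ne 0) {
    Write-Error "fltmc failed (prompt not elevated?): $filters"
    return
}
$instances = & fltmc.exe instances 2>&1

# Match on the first column only, so a substring elsewhere cannot cause a false hit.
$loaded  = [bool]($filters | Where-Object { ($_.ToString().Trim() -split '\s+')[0] -ieq $filterName })
$volumes = @(Get-FilterVolumes -Lines ($instances | ForEach-Object { $_.ToString() }) -Name $filterName)

# Read the configured start type without modifying anything.
$start = $null
if (Test-Path $serviceKey) {
    $start = (Get-ItemProperty -Path $serviceKey -Name Start -ErrorAction SilentlyContinue).Start
}
$startText = if ($null -ne $start -and $startTypes.ContainsKey([int]$start)) { $startTypes[[int]$start] } else { 'not present' }

[pscustomobject]@{
    FilterLoaded    = $loaded                 # KLIF appears in "fltmc"
    AttachedVolumes = $volumes -join ', '     # volumes listed in "fltmc instances"
    ServiceKeyFound = (Test-Path $serviceKey)
    StartValue      = $start
    StartMeaning    = $startText
}
```

If `FilterLoaded` is true, the situation described in the post may apply; after setting "Start" to 4 and rebooting, the same check should report `FilterLoaded` as false and `StartMeaning` as disabled.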