keybase / kbfs

Keybase Filesystem (KBFS)
https://keybase.io/docs/kbfs
BSD 3-Clause "New" or "Revised" License

kbfsdokan uses up to 40% of CPU and triggers Kaspersky to do the same #1003

Open big-bad-wolfe opened 7 years ago

big-bad-wolfe commented 7 years ago

I'm not sure what is happening, but on reboot, everything loads really slowly, and when I check the task manager I see kbfsdokan using between 25% and 40%. Along with that, Kaspersky Endpoint Security 10 jumps up to another 30%, making my computer hard to use.

When I end kbfsdokan, CPU usage of Kaspersky drops to normal values, and my computer is usable until next reboot.

I am making an assumption that because Kaspersky is configured to scan drives when they are connected it is getting hung up on something with the mapping.

Last point of info before someone tries troubleshooting this with me, this is a corporate device, and I cannot disable Kaspersky in any way.

big-bad-wolfe commented 7 years ago

This is the log entry that is repeated in keybase.kbfs.log until I manually end the process:

2017-05-29T08:18:09.852458-06:00 - [ERRO kbfs fs.go:266] 322f7 Refusing access: SID match error

It then seems to continue loading, and after a little while this message shows up and repeats (approx.) 4 times:

2017-05-29T08:25:05.742647-06:00 - [ERRO kbfs mounter.go:57] 053 Failed to mount dokan filesystem (i=16): Dokan failed: code=-5 "Mount error"

strib commented 7 years ago

@big-bad-wolfe I assume this was closed by mistake?

Is it possible you're running Keybase and your anti-virus as different Windows users? Seems like the AV might not have access to it. Ideally you could whitelist the k: drive so the AV doesn't try to scan it.

strib commented 7 years ago

cc @taruti @zanderz

taruti commented 7 years ago

Seems like the following: 1) Kaspersky tries to access KBFS as another user than the one running KBFS 2) Kaspersky is denied access 3) goto 1.

In a busy loop between KBFS and Kaspersky. Perhaps we could return an empty drive with a single file explaining things instead of a permission denied for other users.
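To confirm from the log that this denial loop is what is happening, the per-minute rate of the "Refusing access: SID match error" entry can be counted. The following is an added example, not part of the thread or of KBFS; the line layout is inferred from the two log lines quoted above, the sample lines are constructed, and the threshold of 30 per minute is an assumption.

```python
import re
from collections import Counter
from datetime import datetime

# Layout inferred from the two log lines quoted in this thread:
# <RFC 3339 time> - [<LEVEL> <module> <file>:<line>] <tag> <message>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) - \[(?P<level>\w+) (?P<module>\S+) "
    r"(?P<src>[\w.]+:\d+)\] (?P<tag>\S+) (?P<msg>.*)$"
)
DENIAL = "Refusing access: SID match error"


def parse(line):
    """Return a dict for one log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    try:
        rec["ts"] = datetime.fromisoformat(rec["ts"])
    except ValueError:
        return None  # malformed timestamp
    return rec


def denial_bursts(lines, per_minute_threshold=30):
    """Map minute -> denial count for minutes at or above the threshold."""
    per_minute = Counter()
    for line in lines:
        rec = parse(line)
        if rec and rec["level"] == "ERRO" and rec["msg"] == DENIAL:
            per_minute[rec["ts"].replace(second=0, microsecond=0)] += 1
    return {m: n for m, n in per_minute.items() if n >= per_minute_threshold}


def constructed_sample():
    """Constructed input: 40 denials in one minute, then unrelated lines."""
    lines = [f"2017-05-29T08:18:{s:02d}.000000-06:00 - [ERRO kbfs fs.go:266] "
             f"322f7 {DENIAL}" for s in range(40)]
    lines.append("2017-05-29T08:19:01.000000-06:00 - [ERRO kbfs fs.go:266] "
                 f"322f7 {DENIAL}")
    lines.append("2017-05-29T08:25:05.742647-06:00 - [ERRO kbfs mounter.go:57] "
                 '053 Failed to mount dokan filesystem (i=16): Dokan failed: '
                 'code=-5 "Mount error"')
    lines.append("not a log line")
    return lines


if __name__ == "__main__":
    for minute, n in denial_bursts(constructed_sample()).items():
        print(f"{minute.isoformat()}  {n} denials/minute")
```
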

big-bad-wolfe commented 7 years ago

AV is definitely running as a different user. Kaspersky tends to make a new user KAV_????? to give itself local admin; nothing I can do to change that, corporate laptop.

The drive reads as a removable flash drive, and gets scanned, again corporate laptop. If the drive was 64GB or better my drive wouldn't be scanned, but that sounds a little excessive.

Is there a way to disable this drive from loading?

(Sorry about closing it, clicked the wrong button)

taruti commented 7 years ago

This should be fixed by https://github.com/keybase/kbfs/pull/1016 but that is not yet in a release.

You can remove Dokan via control panel, then the drive disappears. We could fake a larger size, but given that there is a quota then it would be confusing for other users.