I’ve been a (mostly) satisfied user of avast for more than a decade. Over the last several weeks (maybe as far back as early March) I’ve been putting up with my computer needing to be rebooted more often than before because it gradually became unbearable to use after a few days, with the CPU fan constantly spinning fast and having to wait multiple seconds for every network request. Task manager and other process monitors did not reveal any obvious single process consuming CPU. The network itself (both local and internet) is fine; other non-Windows systems have been using it.
At some point I started to suspect one of the recent avast updates. Repairing avast did not solve the problem, nor did disabling shield components, and other forum threads weren’t conclusively describing the same symptoms (it’s possible other people simply haven’t noticed because it manifests gradually over several days). Since it took so long to become annoying after each reboot I resigned myself to wait for an update, but today I stumbled upon a tool that allowed me to confirm my suspicion and immediately pinpoint the culprit as an avast subsystem.
I used PerfView to “Collect data machine wide” of “Cpu Samples” for 30 seconds. When it was done, I opened the “CPU Stacks” view for “All Procs” and the top entry was “module aswarpot.sys <<aswarpot.sys!?>>” with 54.0% of the time (“Exc % - The exclusive cost expressed as a percentage of the total cost of all samples.”) and a “When” of “19965899998879998999997899A99977” (which I interpret to mean in 24 of the 32 sample buckets it was consuming between 80% and 100% of a single CPU core). Investigating the properties of this file in Explorer and confirming with a quick web search, this turned out to be avast’s anti-rootkit protection.
Unchecking “Enable anti-rootkit monitor” (which automatically unchecks “Enable anti-exploit monitor” too) under “Troubleshooting” and OK-ing immediately restored both the CPU usage and network latency to normal levels. As expected, running PerfView shows no sign of aswarpot.sys and nothing else is using a similarly high amount of CPU. Re-enabling the anti-rootkit monitor immediately brings CPU usage and network latency back up to unbearable levels (i.e. it does not take several days to ramp up again). I assume this is not the expected behaviour of the anti-rootkit monitor, even if I had a rootkit.
If it makes a difference, I’m running avast Free on Win 8.1. I’m fairly certain this started some time in the last 2 months, so the regression first appeared some time after 18.1.2326 in either 18.2.2328 or 18.3.2333. Has anyone else encountered these symptoms? Is this a known bug?