MMx

ESET Staff
MMx last won the day on February 6 2018

  1. Thanks everyone for providing the dumps; using them we now have a theory about what is happening and a potential fix. It would be helpful if you could test it. To do that, first disable all workarounds (like app verifier, enable startup scan), then download the appropriate zip file attached to this post. If you have a directory called "c:\Program Files\ESET\[product name]\Modules\em005_64", then cleaner_test_dll_64bit is for you. Unpack the file into "c:\Program Files\ESET\[product name]\Modules" (not into the em005_64 subdirectory) with self-defense disabled and reboot. If you have a di
  2. I'd like to clarify Marcos' post. You can find the app verifier installer here 32bit: https://drive.google.com/file/d/1c4wQGJteGQb5EurEmhYaYLcmAqUbAIY-/view?usp=sharing 64bit: https://drive.google.com/file/d/1Sh_Yyp7Ie69dbGqBaitN_Nv5iAzuRdwb/view?usp=sharing Before you are able to use it, you'll have to disable self-defense and reboot. The changes you make will be applied after you click Save in the verifier and restart ekrn by rebooting Windows. You can skip the manual registry import he's describing by extracting and importing the file attached to this post. Dumps will th
  3. Thank you very much RCK for the dumps, they have been helpful. Unfortunately, by the time they were created too many things had gone wrong to figure out what was the primary cause and what was just a result. It would be helpful if you (or anybody else) could run the following command as admin as soon as possible after boot: procdump -ma -e 1 -n 10 ekrn.exe Then replicate the problem, and send us all the dumps that will be created. Procdump can be downloaded from https://docs.microsoft.com/en-us/sysinternals/downloads/procdump. Edit: Please disable self-defense and reboot before using t
  4. Also please note that supporting HTTP/2 means implementing full client and server functionality as specified by standards. This isn't directly related to certificates, and changing the TLS handshake to advertise HTTP/2 support is one of the easiest things to implement.
  5. That might work in your case, but we try to tune our solutions to work for the majority of our around 100 million users. In particular, we detect streams and avoid writing them to disk altogether. It's possible that the server in your case is using some less common way to present the stream to you which our detection doesn't recognize. To investigate further, it would help if you could let protocol filtering logging run for a couple of minutes while the temp files are being created: Enable F5 -> Tools -> Diagnostics -> Enable Protocol filtering advanced logging Make sure
  6. It's user dependent. Any constant I might give you is bound not to be enough for someone. Not really, every htt???.tmp file is a separate download, but not every download creates such a file. Not really, because "The service control manager does not support passing custom environment variables to a service at startup." (from https://msdn.microsoft.com/en-us/library/windows/desktop/ms685990(v=vs.85).aspx). The closest you can get is by redefining the system-wide environment variables TMP and TEMP (in Control Panel -> System -> Advanced system settings -> Advanced -> En
  7. I'm not sure I follow. Are you saying that you only have the SSD drive? No one's ever tested that as far as I know, but it should work. Just make sure c:\windows\temp points to a valid place before ekrn.exe starts. Guessing the size is tricky. For protocol filtering you'll want it to fit all of your simultaneous downloads (plus files extracted if there are any archives). That's fairly easy to do yourself. Filter the procmon log to the System process (make sure to disable the predefined filter "Process name is System then Exclude"), find some big writes and open the event in the
  8. The actual limits are 1MB per file (this is what Marcos mentioned) and 100MB globally.
  9. Have you considered moving the temp directory away from the SSD? That would solve the problem for all software that might be using it. Assuming D: is your HDD, do the following: 1. Download the Junction utility: https://technet.microsoft.com/en-us/sysinternals/bb896768.aspx 2. Delete the directory c:\windows\temp (go to safe mode if there are locked files) 3. Create the directory d:\temp 4. Run junction c:\windows\temp d:\temp
  10. SCR: Is there a chance you need to use an HTTP proxy to connect to the internet?
  11. itman: That shouldn't be happening regardless of version. Can you try to replicate it using a utility that accesses only a single page (e.g. wget or curl) and make sure you connect to the same IP each time? It is possible that each time you reload a page a new server is connected due to load balancing.
  12. There are two reasons ekrn.exe might make connections to servers that are not operated by ESET if you have TLS filtering enabled. First, when a browser tries to establish a TLS connection, ESET Security needs to decide if it will filter, block or leave the connection untouched. This decision is in part based on the certificate the server would present if the connection were to proceed, which is not available yet. To solve this problem, ekrn.exe opens a separate connection and requests the certificate, which allows it to make the right decision in the main connection. This certificate is then cac
  13. It would help us a great deal if you could do the following: 1. Download procdump from https://technet.microsoft.com/en-us/sysinternals/dd996900.aspx and Process Monitor from https://technet.microsoft.com/en-us/sysinternals/processmonitor.aspx 2. Update from prerelease update servers; this should reintroduce the problems, possibly after a reboot 3. When that happens, run procdump -ma ekrn.exe 4. Start Process Monitor, start monitoring, open some pages that end with an error, stop monitoring 5. Send me the ekrn dump and the Process Monitor log Thanks a lot.
  14. Thank you for reporting this problem. Eve launcher was unable to communicate because ESS9 has a default configuration that blocks the obsolete SSLv2 protocol. However, it was not our intention to filter the communication of anything other than browsers or email clients in automatic SSL filtering mode, so I've made a change that fixes that. It should be available on prerelease update servers next week, and on release servers possibly a week later.
  15. Please start the machine that has the Protocol filtering problem and open this link: hxxp://www.eicar.org/download/eicar.com A red notification informing about an infection should appear; please post a screenshot of it. Also please note that the link in question is not infected, it is perfectly safe and it is only used to test whether antivirus software is working properly.