

ESET Staff

Everything posted by MMx

  1. Thanks everyone for providing the dumps, using them we now have a theory about what is happening and a potential fix. It would be helpful if you could test it. To do that first disable all workarounds (like app verifier, enable startup scan) then download the appropriate zip file attached to this post. If you have a directory called "c:\Program Files\ESET\[product name]\Modules\em005_64" then cleaner_test_dll_64bit is for you. Unpack the file into "c:\Program Files\ESET\[product name]\Modules" (not into the em005_64 subdirectory) with selfdefense disabled and reboot. If you have a di
  2. I'd like to clarify Marcos' post. You can find the app verifier installer here 32bit: https://drive.google.com/file/d/1c4wQGJteGQb5EurEmhYaYLcmAqUbAIY-/view?usp=sharing 64bit: https://drive.google.com/file/d/1Sh_Yyp7Ie69dbGqBaitN_Nv5iAzuRdwb/view?usp=sharing Before you are able to use it, you'll have to disable self-defense and reboot. The changes you make will be applied after you click Save in the verifier and restart ekrn by rebooting Windows. You can skip the manual registry import he's describing by extracting and importing the file attached to this post. Dumps will th
  3. Thank you very much RCK for the dumps, they have been helpful. Unfortunately by the time they were created too many things have gone wrong to figure out what was the primary cause and what was just a result. It would be helpful if you (or anybody else) could run the following command as admin as soon as possible after boot:
       procdump -ma -e 1 -n 10 ekrn.exe
     Then replicate the problem, and send us all the dumps that will be created. Procdump can be downloaded from https://docs.microsoft.com/en-us/sysinternals/downloads/procdump. Edit: Please disable selfdefense and reboot before using t
  4. Also please note that supporting HTTP/2 means implementing full client and server functionality as specified by standards. This isn't directly related to certificates, and changing the TLS handshake to advertise HTTP/2 support is one of the easiest things to implement.
  5. That might work in your case, but we try to tune our solutions to work for the majority of around 100 million of our users. In particular we detect streams and avoid writing them to disk altogether. It's possible that the server in your case is using some less common ways to present the stream to you which our detection doesn't recognize. To investigate further it would help if you could let protocol filtering logging run for a couple of minutes while the temp files are being created: Enable F5 -> Tools -> Diagnostics -> Enable Protocol filtering advanced logging Make sure
  6. It's user dependent. Any constant I might give you is bound not to be enough for someone. Not really, every htt???.tmp file is a separate download, but not every download creates such file. Not really, because "The service control manager does not support passing custom environment variables to a service at startup." (from https://msdn.microsoft.com/en-us/library/windows/desktop/ms685990(v=vs.85).aspx). The closest you can get is by redefining the system-wide environment variables TMP and TEMP (in Control Panel -> System -> Advanced system settings -> Advanced -> En
  7. I'm not sure I follow. Are you saying that you only have the SSD drive? No one's ever tested that as far as I know, but it should work. Just make sure c:\windows\temp points to a valid place before ekrn.exe starts. Guessing the size is tricky. For protocol filtering you'll want it to fit all of your simultaneous downloads (plus files extracted if there are any archives). That's fairly easy to do yourself. Filter the procmon log to the System process (make sure to disable the predefined filter "Process name is System then Exclude"), find some big writes and open the event in the
  8. The actual limits are 1MB per file (this is what Marcos mentioned) and 100MB globally.
  9. Have you considered moving the temp directory away from SSD? That would solve the problem for all software that might be using it. Assuming D: is your HDD, do the following:
       • Download the Junction utility: https://technet.microsoft.com/en-us/sysinternals/bb896768.aspx
       • Delete the directory c:\windows\temp (go to safe mode if there are locked files)
       • Create the directory d:\temp
       • Run junction c:\windows\temp d:\temp
  10. SCR: Is there a chance you need to use an HTTP proxy to connect to the internet?
  11. itman: That shouldn't be happening regardless of version. Can you try if you can replicate it using a utility that accesses only a single page (e.g. wget or curl) and make sure you connect to the same IP each time? It is possible that each time you reload a page a new server is connected due to load balancing.
  12. There are two reasons ekrn.exe might make connections to servers that are not operated by ESET if you have TLS filtering enabled. First when a browser tries to establish a TLS connection, ESET Security needs to decide if it will filter, block or leave the connection untouched. This decision is in part based on the certificate the server would present if the connection was to proceed, which is not available yet. To solve this problem, ekrn.exe opens a separate connection and requests the certificate, which allows it to make the right decision in the main connection. This certificate is then cac
  13. It would help us a great deal if you could do the following: 1. Download procdump from https://technet.microsoft.com/en-us/sysinternals/dd996900.aspx and Process Monitor from https://technet.microsoft.com/en-us/sysinternals/processmonitor.aspx 2. Update from prerelease update servers, this should reintroduce the problems, possibly after a reboot 3. When that happens, run procdump -ma ekrn.exe 4. Start Process Monitor, start monitoring, open some pages that end with error, stop monitoring 5. Send me the ekrn dump and process monitor log Thanks a lot.
  14. Thank you for reporting this problem. Eve launcher was unable to communicate because ESS9 has a default configuration that blocks the obsolete SSLv2 protocol. However it was not our intention to filter the communication of anything else than browsers or email clients in automatic SSL filtering mode, so I've made a change that fixes that. It should be available on prerelease update servers next week, and on release servers possibly a week later.
  15. Please start the machine that has the Protocol filtering problem and open this link: hxxp://www.eicar.org/download/eicar.com A red notification informing about an infection should appear, please post a screenshot of it. Also please note that the link in question is not infected, it is perfectly safe and it is only used to test if an antivirus software is working properly.
  16. It is fixed in versions >= 9.0.130 and >= 9.0.206 (there are two versioning lines, one has 1xy as the third version number, the other has 2xy). Though I can't tell you what will be released when.
  17. Looks like prerelease servers serve exactly the same modules as release until the product is released, sorry for that. The module should be available on release now.
  18. Thank you for reporting this problem. It should be fixed now on prerelease servers (make sure you receive Internet protection module version 1206B).
  19. There is a bug in the beta that causes website rules to temporarily not be applied after reboot. If you make any change to them, they will be applied again until the next reboot. Can you confirm that this is the problem that you're seeing? This should be fixed in the next release.
  20. Try going to Advanced setup, Web and email -> Protocol filtering -> SSL -> Certificates and look for End certificate validity. Switch both options to Ask. Does that make any difference?
  21. Slithereen Guard: Can you please post a screenshot of the error you see on windows 8.1 64 bit?
  22. @Ellie: What settings have you changed in ESS or Sandboxie? I'd like to ask you to start Firefox from Sandboxie, start Task Manager, click More details at the bottom left, then switch to Details tab on the top of the window and see what User name is next to the firefox process.
  23. Doing an upgrade of an older product leaves the old drivers in place until the next reboot, which is what I guessed might have worked around the issue somehow.
  24. Krond: I'd like to ask you to do the following: With ESS8 already installed open regedit, go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Tcpip\Parameters\Interfaces and expand it. Open each name in curly braces you see there, and if there's a DWORD value called TcpAckFrequency there, change it to 2. Then right click Interfaces, Export and PM the file to me. Then reboot and see if it makes any difference regarding speed. Thanks.
  25. waledakmal: You wrote that upgrading v6 -> v7 -> v8 solves your issue. Is it still solved after reboot?