Cody
-
Posts
10 -
Joined
-
Last visited
Posts posted by Cody
-
-
Good afternoon,
We're having a problem here at our office where ESET is preventing a folder from being deleted or otherwise modified, with no logging or alerting that we're aware of. We're deploying alpha versions of some internal software to certain users in our office for testing, but the folder which contains the alpha executables is being locked from modification by ekrn.exe.
This folder which we automatically delete and re-create is C:\Program Files (x86)\CompanyName\SoftwareAlpha. We have Real-Time File System Protection enabled, with the following paths excluded from our ESET Security Management Center's settings in Detection Engine > Performance Exclusions: C:\Program Files (x86)\CompanyName\SoftwareAlpha\*.*, C:\Program Files (x86)\CompanyName\SoftwareAlpha\*, C:\Program Files (x86)\CompanyName\*.*, and C:\Program Files (x86)\CompanyName*
When I completely disable HIPs for these users, this automated alpha software deployment works fine. Is it HIPS that is locking this folder from being modified? How do I make sure that HIPS is not locking this folder?
I've attached a screenshot from the program Process Explorer. When I search for "SoftwareAlpha" (the name of the folder which we want to delete), it shows that the process ekrn.exe is currently using this folder and keeping it from being modified.
-
Just checking to see if you ever received my response to this post. When I leave HIPS re-enabled, the audio problem occurs again. Any suggestions?
-
After re-enabling HIPS and leaving AMS and self-defense turned off, the problem appears to have started occurring within a day.
-
Marcos,
Sorry for the delay. After making each of these changes, I have to wait a few days just to verify whether the problem occurs again or not.
I've tried everything, and the problem has stopped. On the machine that I have been testing on, this is the current state:
- HIPS is disabled, and machine has been rebooted
- In Safe Mode, C:\Program Files\ESET\ESET Security\Drivers has been renamed to C:\Program Files\ESET\ESET Security\Drivers_bak
- In Safe Mode, C:\Windows\System32\drivers\ehdrv.sys has been renamed to C:\Windows\System32\drivers\ehdrv.sys.old
- Machine has been rebooted and problem does not seem to be occurring
-
When a computer is run for more than about 48 hours, and any audio is played using any software, ESET will frequently spike from it's normal 0% of CPU usage to about 1%. This would ordinarily be fine, but every time the CPU usage spikes, at least once every two minutes, the audio on the computer becomes "glitchy" or "artifacted." This lasts for about 1-3 seconds, and the audio is totally unintelligible during this time. This is unacceptable for employees whose work duties include working with digital music files and listening to customer voicemails.
This is happening on several Windows 10 devices in our office with Intel Core i5-7500 CPU @ 3.40GHz, and 8+ GB of RAM. When ESET is uninstalled, this does not happen. We have observed and reported this bug since version 6, about a year ago. We have been using version 5 for the last year while I was waiting for this bug to be fixed, but apparently that hasn't happened. Any advice?
Thanks. -
Marcos,
The memory usage doesn't seem to climb quite so high, even after several days of running the newer versions.
However, we are still experiencing audio "artifacting" or "glitching" when ESET is installed and a computer is run for several days, and audio is playing in any program. When ESET is uninstalled, this does not happen. When there is audio artifacting, I do notice that ESET's memory usage goes from about 0% up to 0.4% or 0.6% of about 16GB of available RAM. Is this a situation where we want to try and catch a memory dump while this error is occurring?
-
Thanks for the reply. We've been having some trouble getting a decent memory dump while this problem is occurring, but I am looking forward to seeing whether this fix mitigates the problem or not. Is there any way that you could reply here with the version number when that fix is released so that we can test it out as soon as possible?
Thanks.
-
Marcos,
Thanks for the reply. When you say "temporarily disable self-defense," which ESET features are you referring to?
-
Over the course of several days, if ESET Endpoint Security 7.1.2045.5 is left running, it will gradually use up more and more memory, and ESET's ekrn process will climb to the top of the process usage chart in Task Manager, sometimes consuming up to 70% of the machine's memory by itself, even surpassing the memory usage of Chrome with 20+ tabs open. After just a few days of running, the computer becomes almost unusable, showing audio and video skipping and other symptoms of low RAM availability for other applications. This is all happening on computers running Windows 10 1803, with 8 or 16 GB of RAM installed, which is well within the hardware requirements.
When I uninstall Endpoint Security, the problem goes away.
I tested out version 6.5 something like a year ago, and reported identical problems to support, but the problem was never resolved. Hoping that it had been fixed a whole year later, I downloaded version 7.1, and it still seems to be having similar memory usage problem.
ESET Endpoint Security 7.1 locking folder and preventing changes
in ESET Endpoint Products
Posted
When I enable HIPS but have Deep Behavioral Inspection disabled, this issue still occurs.
Additionally, I've already added those exceptions there, in the same format as above (C:\Program Files (x86)\CompanyName\SoftwareAlpha\*.*, C:\Program Files (x86)\CompanyName\SoftwareAlpha\*, C:\Program Files (x86)\CompanyName\*.*, and C:\Program Files (x86)\CompanyName*)