RCK

Posts posted by RCK

  1. Thanks for the awesome support to all ESET guys 👍

    Marco, I found the about box!
    In the normal version, I have a 1211 (20200622) module date, and on the manually patched version I have one strange 10001 (20200714) version! I suppose the upcoming official .dat will have a number between them ;)

    Cheers

    eset_apropos_before.png

    eset_apropos_after.png

  2. Thanks for the quick fix guys, I'm actually running em005_32.dat (CRC = EAB553CC) on EEA 5.0.2272.7 and it seems fine.

    • Q1: Can I enable "autodefense" again, or will it kick this file?
    • Q2: Will the regular database update that is coming from Server Admin 5.x also distribute the fixed dll?
    • Q3: How can I check if the fixed dll has been auto-installed in EEA 5.x? I don't know where the "show all modules" page is; should I check the CRC against EAB553CC?
  3. Hello guys,

    Okay, I removed (from safe mode) EEA with esetuninstaller.exe, then reinstalled my usual 5.0.2272.7 x64 on my Win7.
    Then I went to > advanced configuration > computer > HIPS > [uncheck] Selfdefense, and I performed a virus database update, then I rebooted.
    With Selfdefense OFF, I tried to perform a procdump and it froze Windows, no dump file was written to disk, and I just totally lost control over the operating system.
    I tried multiple times to generate a dump with Selfdefense OFF, but it just totally freezes Win7 (with / without "-e 1", "-ma", "32/64 procdump.exe", etc.)

    So I decided to enable Selfdefense again and start the command "procdump.exe -ma -s 10 -n 720 ekrn.exe" to have one dump every 10 seconds (because with Selfdefense ON, I can't use "-e 1" unfortunately).
    I also ran "process monitor", and waited for the issue to reproduce.
    I feel that when the exception occurs, EEA is performing one of the startup scans because I can see the ESET icon turning in the taskbar, and overlib speaks about startup scan, not virus database update.

    Could it be related to memory?
    This startup task is eating a lot of RAM (1.7 GB!), maybe there is some kind of infinite loop here.
    About the dumps, the more memory EEA was using, the fewer dump files I could generate (see screenshot, "Error writing dump file: 0x8007000D").

    Another piece of information: once the ekrn.exe engine is broken, disabling AV from the GUI is useless, but I can have internet access again with the following settings modifications:
    USELESS = advanced configuration > internet & mail > protection of web access > HTTP & HTTPS > [Uncheck] Activate control
    USELESS = advanced configuration > internet & mail > protocol filtering > [Uncheck] Activate content filtering
    FIXED = advanced configuration > internet & mail > protocol filtering > [Uncheck] System integration

    So finally, I was able to trigger the bug and have a 1.3 GB dump before and a 1.9 GB one after the freeze, let's hope it will help :)
    I also have one whole 4GB logfile from ProcessMonitor.
    Please find my complete debug session files (14GB) at the following URL (it's one ultra 1GB 7z file with 512MB dictionary RAM compression):
    hxxp://tmp.zool.fr/tmp/eset/20200713_NoOutgoingPacket.7z

    Thanks!

    memory.png

    procdump.png

    process.png

  4. Hello guys,

    Ok, I was able to make 3 full dumps for you :)
    In each folder I made the 4 dumps you asked for, and I issued the following command to test http:

    Quote

    telnet free.fr 80 (TCP connected = black screen OK)

    coucoufree

    When all is ok I get the normal response: "BAD HTTP REQUEST"
    When all output packets are blocked I get no response to my "coucoufree" TCP query

    In the following 7z file you will find:
    hxxp://tmp.zool.fr/tmp/eset/20200710_NoOutgoingPacket.7z

    • 1_NoOutgoingPacket folder (Logs + dmp + pml + cab):
      ESET was blocking all output http packets, I made one telnet to show you the problem (no response to coucoufree)
    • 2_AfterRebootAllOk:
      Same dumps after a fresh Win7 restart, no problem with telnet or ESET (bad request response OK)
    • 3_NoOutgoingPacket2:
      Usual blocking problem again, telnet freezes with no response.

    When output packets are frozen, I can't have ANY new output packet from the computer, but established connections are still OK.
    For example, if I had one RDP connection established, I still have access to the computer, but I can't reconnect to RDP if I lose the link.

    Tell me if those dumps are enough, or if you want some more traces with Wireshark or something else.
    Thanks for the support!

  5. Hello Marcos,

    Unfortunately I can't update to v7 because our company is still using Server Admin 5.x
    So we have the latest EEA 5.0.2272.7 on multiple computers, and the recent certfix says it's ok:


    Quote

    Certfix for eea, ees v5.0
    Version of this tool: 1.0.0.9
    -------------------------------------------------------------------------------
    Ekrn version: 5.0.2272.0, LanguageId: 1036, ProductVersion: '5.0.2272.7'
    Installation time: Fri Jul 10 12:00:55 2020
    -------------------------------------------------------------------------------
    Current time on machine: 2020.07.10 10:05:00
    Machine uptime: 0 days 00:37:48.379
    OS version: 6.1.7601 (1.0) "Service Pack 1", PlatformId: 2, ProductType: 0x00000001, SuiteMask: 0x00000100
    OS processor architecture: x64 (0009),
    BuildLab: 7601.win7sp1_ldr_escrow.200102-1707,
    BuildLabEx: 7601.24545.amd64fre.win7sp1_ldr_escrow.200102-1707,
    ProductName: Windows 7 Professional
    -------------------------------------------------------------------------------
    Version does not need fix


    The ESET updates work correctly when computers boot, I don't know if updates can still perform correctly when outgoing packets are blocked, I will check.
    Okay about the dumps, I will perform them and give you a link to download them.

    Thanks!

  6. Hello guys,

    I have had the exact same problem for two days!
    - Windows 7 SP1 x64
    - ESET Endpoint Antivirus - 5.0.2272.7 - Fr - x64

    No problem having internet at computer start, but all outgoing HTTP packets freeze after 20~30 min.
    When EEA starts to block packets, I can still connect a telnet to port 80, but I can NOT send any packet to the server.

    No packet is leaving the computer for HTTP 80 / 443, so no websites are loading anymore :)
    The ESET service seems frozen; if I disable "ESET service" from Win7 safe mode, no more problem.

    If I can test something or send more logs, tell me.
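
The symptom reported in these posts (a TCP connection to port 80 opens, but a request sent over it never gets an answer) can be checked with a small probe instead of an interactive telnet session. This is an added example, not part of RCK's posts or of any ESET tool; the function names, the local stub server and the 127.0.0.1 targets are constructed for the demonstration.

```python
import socket
import threading

def start_stub_server(reply):
    """Constructed local stand-in for a web server: replies, or stays silent if reply is None."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        with conn:
            conn.recv(4096)
            if reply is not None:
                conn.sendall(reply)
            else:
                threading.Event().wait(3)  # hold the socket open without answering
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]

def probe_egress(host, port=80, payload=b"coucoufree\r\n\r\n", timeout=5.0):
    """Return (state, data): connect_failed, no_response, closed, or response."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return "connect_failed", b""      # handshake itself did not complete
    with sock:
        try:
            sock.sendall(payload)
            data = sock.recv(4096)
        except socket.timeout:
            return "no_response", b""     # connected, request sent, nothing came back
        except OSError:
            return "closed", b""          # reset by the peer or by a local filter
    # Any bytes back, even an HTTP 400, mean outgoing traffic is flowing.
    return ("response", data) if data else ("closed", b"")

if __name__ == "__main__":
    healthy = start_stub_server(b"HTTP/1.0 400 Bad Request\r\n\r\n")
    silent = start_stub_server(None)
    print(probe_egress("127.0.0.1", healthy, timeout=1.0))
    print(probe_egress("127.0.0.1", silent, timeout=1.0))
```

Pointed at a real host on port 80 from an affected machine, a `no_response` result after a completed connect matches the behaviour reported above, and logging the result on a schedule gives a timestamp for when the blocking starts.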
