Everything posted by sdnian

  1. @Marcos Why are the contents of these two files different? hxxp://repository.eset.com/v1/com/eset/apps/business/ees/windows/v6/6.5.2132.5/ees_nt32_enu.msi hxxp://download.eset.com/com/eset/apps/business/ees/windows/v6/6.5.2132.5/ees_nt32_enu.msi
  2. About 7 hours ago, a new version of the fixing tool was released. It works with these versions now: 6.5.2094.0 6.5.2094.1 6.5.2107.0 6.5.2107.1 6.5.2118.0 6.5.2118.1 6.5.2118.2 6.5.2118.3 6.5.2118.4 6.5.2123.5 6.5.2123.7 6.5.2123.8 6.5.2128.0 6.5.2132.1 6.5.2132.2 Read this: https://support.eset.com/en/alert7396-legacy-products-startup-issue
  3. If I have ESET Endpoint product 6.5.2132 running on Windows XP, after using the fixing tool, do I need to upgrade to 6.5.2132.5?
  4. I've a few EEA 6.5.2132.2 (XP SP3) machines where running this tool failed. The message is "Can't rename ekrn.exe!" How do I resolve it? The others work well.
  5. This issue only occurs with 6.6.0.0-6.6.2063.x. 6.6.2089 can be updated normally.
  6. Thanks for your reply, I know how to manage the new exclusions.
  7. I've two questions about policy settings. 1. Why do the EXCLUSIONS settings of policies on the same ESMC server have different setting items? 2. The 'Detection exclusions' setting: if the client is EEA/EES < 7.2, can this setting be applied?
  8. @Marcos @pps The first time you try to disable the firewall, don't close the popup window asking for a password; disable the firewall again directly. If you still can't reproduce it, I could record a video to demo it tomorrow.
  9. The EES version is 7.1.2053. I've set password protection in EES. When I right-click the EES icon in the systray and click 'Pause firewall (allow all traffic)', a popup window appears on the screen asking for a password. Just ignore it and right-click the EES icon to pause the firewall again. Then the firewall is disabled. It seems to be a bug, please check it.
  10. @Peter Randziak Hello Peter, there are two servers (um11.eset.com and um13.eset.com) that still get error code 4100 so far; could you check it?
  11. I don't think any files are blocked, and I have made sure there is enough disk space. I used Procmon to record the process. I hope it helps identify this issue. Logfile.zip
  12. Since yesterday, the MirrorTool (Windows version) could not get updated, with error code 4100. I checked several ESMC servers and all showed the same error. Is something wrong? How do I fix this situation? PS: The Linux version of MirrorTool still works.
      Mirror Tool, Copyright (c) ESET, spol. s r.o. 1992-2018. All rights reserved.
      Creating mirror for product: ep7.
      Mirror type changed to regular
      Initialization
      Initialization finished
      Perform full mirror started
      Update status for product 'ep7' changed to: Preparing structures and analyzing
      Update status for product 'ep7' changed to: Finished
      Perform full mirror finished
      Uninitialization
      Uninitialization finished
      Error: Perform full mirror failed with error: Error extracting file. Error code is: 4100
      Error occured.
  13. You are right. It can be updated successfully after a reboot. I will consider how to avoid memory problems. Thank you for your help.
  14. I have a server where the EFSW modules update failed. I've tried clearing the cache, but it doesn't help. The log shows: Compiler error (1b5a). How do I fix this problem? I've tried uninstalling and reinstalling EFSW. It works well, but a few days later this issue happened again. Windows Server 2008 SP2, EFSW 7.1.12006
  15. Thanks to @MartinK and @Peter Randziak for the help. I have found a solution to resolve this issue. The Sophos Firewall has a function, Web Proxy, which works in transparent proxy mode by default. After I added a rule to bypass the transparent proxy for the ESMC host, product activation works well.
  16. I think it might be related to the firewall, a Sophos XG115w, but I can't confirm whether there is SSL inspection so far.
  17. Product activation failed. Two days ago, I installed a new server, ESMC 7.0.577; the client is EEA 7.1.2045. I tried to activate the product many times, but it never works. I entered the license key directly in the client and got the error code ECP.20006. On the ESMC, I used Wireshark and found the red line below; it always gets a 404 Not Found error. The full content can be found in the attachment. Please help me resolve this problem, thanks! activation.zip
  18. Hello, I've a Windows Server 2012 R2 that had a BSOD. Could someone help take a look at whether it is caused by EFSW? Thanks!
  19. Here is another example where ESET can't stop ransomware. There are three key points: 1. These two ransomware viruses are already detectable by ESET. 2. ESET does not block it when it starts up. 3. After startup, ESET can detect it, but it cannot terminate it. Finally, all files were encrypted.
  20. ESET has not been destroyed. Its functions work normally.
  21. I agree with you. The user has things he should do, but the user pays ESET; shouldn't ESET help stop bad things in some unexpected situations? And my problem is: in this example, ESET has not been destroyed, the malware is already detectable, and ESET detected it after execution. Why does it keep working? Why can't ESET terminate it? This is not the only one. I also reported another example: ransomware executed by PowerShell, which ESET still only detected and could not stop from encrypting files.