epson w-4630 with document capture pro

[lungo 0]

I'm trying to run a scanning software "document capture pro" on my epson w-4630

with the older versions of eset it worked fine as I gave the scanning software all the rights to run in HIPS

Now with the newer version it does not work anymore.

The software cannot communicate with the printer anymore. It's blocked like a malware.

I tried the eset learning set up with no success. Interesting it works from the printer side, one can save the document on the pc, which does not make sense at all.

Anyone any idea how to approach this problem. For me the scanning is quite important as I scan many times documents as pdf's.

thank for a hint

 

[Marcos 5,074]

If the application is detected, could you post the appropriate record from your Detected threats log or a screen shot of the alert at least?

[lungo 0]

Detected threats log shows nothing (empty)

Enclosed a screenshot which displays when eset is working.

It blocks the scanning completely.

Scanning software cannot communicate with printer.

With Eset not installed everything work without a problem.

[itman 1,659]

Suspect a network/firewall conflict.

I assume you are using Eset ver.10? Open Network Protection, then Troubleshooting Wizard. Look for any refs. related to the Epson.

Ref.: hxxp://mamclain.com/?page=Blog_Personal_Projects_EPSON_Scan_Fix

[lungo 0]

First of all thank you for trying to help  me in solving an issue which really should not happen at all.

 

Like I said before, without eset the scanning software as well as the printer work flawlessly.

I took a look at the documentation link and find that the set up works perfectly, also proven that the set up

work no issues at all when eset is not present

.

Sorry when I go on a rant about eset in this particular issue. Even when trying to use the learning feature

in eset it blocks the scanning - just should not happen. What's the purpose of the learning feature?

 

Irritating that error logs are all empty. At least it should list an error somewhere.

The Hips feature in giving the scanning software completely freedom, does not work any more either.

Its bad for my issue, probably good for other items. 

 

Note: I use eset 10  

[itman 1,659]

Go into Windows Contol Panel -> System and Security -> Security and Maintenance -> Maintenance -> View Reliability History. Look for entries related to the printer. When you find one, right mouse click on it. A "View technical details" option will be shown. Left mouse click on it. Then take a screen shot of what is shown and post in your reply.

 

The only thing I can think of off the top of my head is a conflict with the driver the scanner is using and Eset. BTW - is the printer portion of the device working correctly with Eset installed?

 

Also here's a link to an older posting for the same device where Eset's HIPS was the issue: https://forum.eset.com/topic/5445-epson-scanner-software-blocked/ . In this case, the individual had the HIPS set to "Policy" mode versus the default "Automatic" setting. So check your HIPS settings in Eset. If HIPS is set to "Automatic," then temporarily disable the HIPS in Eset to determine if that is the feature causing the issue.  

Edited November 20, 2016 by itman

[lungo 0]

I used that Idea from the link with Hips and used a logfile which has a lot of following entries

<RECORD>
      <COLUMN NAME="Time">11/19/2016 10:16:02 PM</COLUMN>
      <COLUMN NAME="Application">C:\Program Files (x86)\EPSON Software\Document Capture\DeviceRunner.exe</COLUMN>
      <COLUMN NAME="Operation">Get access to file</COLUMN>
      <COLUMN NAME="Target">C:\Users\EIEIOX~1\AppData\Local\Temp\Twunk001.MTX</COLUMN>
      <COLUMN NAME="Action">some access allowed</COLUMN>
      <COLUMN NAME="Rule">scanner</COLUMN>
      <COLUMN NAME="Additional information">Write to file</COLUMN>
    </RECORD>

 

the entry: "some access allowed" bothers me.

Maybe one of you knows how to solve it. The DeviceRunner.*** has all rights in HIPS, but something is still missing.

For Info: the Printing part with eset works flawless. I even can print from my Android device with no issues.

 

Edited November 20, 2016 by lungo

[Marcos 5,074]

Does temporarily disabling HIPS and restarting the computer make a difference?

[itman 1,659]

For a test, set the Eset firewall to "Interactive" mode. Then try to scan something. If the firewall displays an alert, select the create rule option and then click on the "Allow" button. Do the same for any subsequent alerts. The scanner should work at this point.

Edited November 20, 2016 by itman

[peteyt 393]

Maybe disable a few settings and see if anything works e.g. as suggested with hips off does it work. This may help to identify which part of eset is causing the issue

Edited November 20, 2016 by peteyt

[itman 1,659]

Also in regard to this:

 

with the older versions of eset it worked fine as I gave the scanning software all the rights to run in HIPS

Manually create HIPS rules to allow all activity for any .exe associated with the Epson scanner; that includes also the driver which I believe is epson16367.exe? Test to determine if the scanner now works.

 

A bit strange Epson would refer to their driver as an .exe since drivers universally use the .sys suffix.

 

-EDIT-

 

Also another way to approach this problem is to ask "What changed in ver. 10?" One thing that was added is script protection. Although unconventional, it is possible that that scanner is being initiated using a script; most likely a Powershell script. My experience with the HIPS's supplemental protection features such as exploit protection, advanced memory protection, etc. is that you will not always receive an alert when one is employed.

 

What you can do is one by one, temporarily disable those and test the scanner each time to rule out another of those protections are interfering with the scanner. Start with script protection.

Edited November 20, 2016 by itman

[lungo 0]

again thanks for all of your advise, I think that epson scan is a hard nut to crack.

The epson scan does track a lot of activities of user, there may also lay the problem

that eset is complaining and blocking the software.

 

here some answers to previous suggestions:

 

Does temporarily disabling HIPS and restarting the computer make a difference?

no it does not make any difference at all. It used to work with the older eset versions but not anymore.

 

For a test, set the Eset firewall to "Interactive" mode. Then try to scan something. If the firewall displays an alert, select the create rule option and then click on the "Allow" button. Do the same for any subsequent alerts. The scanner should work at this point.

Yes, a couple of alerts are showing. Created the rule option of allow but to no avail it still blocks the scanning.

 

Maybe disable a few settings and see if anything works e.g. has suggested with hips off does it work. This may help to identify which part of eset is causing the issue

have tried many variation, no success

 

A bit strange Epson would refer to their driver as an .exe since drivers universally use the .sys suffix.

You could be onto something, epson does create some special rules in the windows firewall for printer and as well for the scanner.

there is a epson scanner driver which starts with c??? exe, it came up one time of beeing blocked, Have to try to hunt this one down.

 

Interestingly epson has a network tool to check if printer or scanner work, both give me the green light and test without issues under eset.

but then when actually using the scanning software it bombs out.

 

 

[itman 1,659]

A bit strange Epson would refer to their driver as an .exe since drivers universally use the .sys suffix.

You could be onto something, epson does create some special rules in the windows firewall for printer and as well for the scanner.

there is a epson scanner driver which starts with c??? exe, it came up one time of beeing blocked, Have to try to hunt this one down.

Since you mentioned that there are Epson rules in the Win Firewall, try this.

 

Set Eset firewall to "Automatic." Also ensure the setting "Evaluate also rules from Windows Firewall" is enabled. Test to see if the scanner now works.

 

In the above mode, the Eset firewall also uses the Win firewall inbound rules and allows all outbound traffic. If the scanner works, you can run the Eset firewall in this mode.

 

If you want the Eset firewall to monitor outbound traffic, you will have to set the firewall to "Interactive" mode. You will also have to duplicate all the existing Win inbound firewall rules for the scanner in the Eset firewall. 

[lungo 0]

got eset to work with scanner with personal firewall off, a custom setup in hips.

Interesting when personal firewall is paused (off) it still would not work.

It has to be turned off not paused.

Frustrating experience is the interactive user mode, it does not work all the time.

Further more detailed info about error messages oder logs are missing.

 

Some of the settings had to be made in admin mode, cumbersome too.

Eset has me served well in the past but issues like this are very frusttrating and one

really wonders if a change to annother product would be justified.

 

The help in the forum from other Eset users is great, it is a perfect tool

to brainstorm in getting a problem solved.

 

Will dig into the personal firewall settings in the next days and see what I can come up with.

[peteyt 393]

got eset to work with scanner with personal firewall off, a custom setup in hips.

Interesting when personal firewall is paused (off) it still would not work.

It has to be turned off not paused.

Frustrating experience is the interactive user mode, it does not work all the time.

Further more detailed info about error messages oder logs are missing.

 

Some of the settings had to be made in admin mode, cumbersome too.

Eset has me served well in the past but issues like this are very frusttrating and one

really wonders if a change to annother product would be justified.

 

The help in the forum from other Eset users is great, it is a perfect tool

to brainstorm in getting a problem solved.

 

Will dig into the personal firewall settings in the next days and see what I can come up with.

Glad you've found at least a temporary fix. I'm not sure if anyone mentioned but did you ever look in the troubleshooting wizard? I always have my firewall in interactive mode and basically tell Eset to remember to allow all my main stuff. However I've had stuff that's blocked automatically in the past without a allow/deny window appearing. Luckily in most cases now the troubleshooting wizard tells me what's blocked and allows me to sort it. Often I've allowed the main .exe of something to be allowed but it's actually blocked another needed file without notifying me.

[Marcos 5,074]

Interesting when personal firewall is paused (off) it still would not work.

It has to be turned off not paused.

 

That means it's an issue at the driver level and not just a simple blocking of communication by rules. I would suggest contacting your local customer care so that the case is properly tracked in a ticket and communicated with developers. A Wireshark log from the situation when firewall is integrated and the issue occurs and another one from the situation when firewall is disabled in the advanced setup and printing works well will be needed.

Also collect logs with ESET Log Collector that may contain valuable information for developers too.

When you have the logs ready and uploaded to a safe location, pm me the download links so that I briefly check them before you create a support ticket.

[lungo 0]

I used to belong to the users who install a security software and then forget about it.

Never paid much attention to it. 

Now when working with this issue I discovered that the scanning software from epson does much more than just scanning. It keeps a log about your scanning with a lot of details.

Does it have to that way. I don't think so.

It writes to the registry, changes/overwrites files and looks up the user id, printer id, etc. This are probably the reasons that eset does complain.

In the logs from eset it does give the scanning software in some instances only partial access see

 

 <RECORD>

      <COLUMN NAME="Time">11/19/2016 10:16:02 PM</COLUMN>
      <COLUMN NAME="Application">C:\Program Files (x86)\EPSON Software\Document Capture\DeviceRunner.exe</COLUMN>
      <COLUMN NAME="Operation">Get access to file</COLUMN>
      <COLUMN NAME="Target">C:\Users\EIEIOX~1\AppData\Local\Temp\Twunk001.MTX</COLUMN>
      <COLUMN NAME="Action">some access allowed</COLUMN>
      <COLUMN NAME="Rule">scanner</COLUMN>
      <COLUMN NAME="Additional information">Write to file</COLUMN>
    </RECORD>

the Rule was created in HIPS, don't know why it was only "SOME ACCESS ALLOWED"

 

I did run the eset log collector once, but had too much info in it.

But will run it again to check for some details as I now know more what to look for.

thanks for the idea about the troubleshooting wizzard.

[itman 1,659]

 <RECORD>

      <COLUMN NAME="Time">11/19/2016 10:16:02 PM</COLUMN>

      <COLUMN NAME="Application">C:\Program Files (x86)\EPSON Software\Document Capture\DeviceRunner.exe</COLUMN>

      <COLUMN NAME="Operation">Get access to file</COLUMN>

      <COLUMN NAME="Target">C:\Users\EIEIOX~1\AppData\Local\Temp\Twunk001.MTX</COLUMN>

      <COLUMN NAME="Action">some access allowed</COLUMN>

      <COLUMN NAME="Rule">scanner</COLUMN>

      <COLUMN NAME="Additional information">Write to file</COLUMN>

    </RECORD>

the Rule was created in HIPS, don't know why it was only "SOME ACCESS ALLOWED"I

"Some access allowed" is the normal message received from the HIPS when advanced logging is enabled, a user HIPS rule is present, and the process actions are allowed. Interpreted, it means the user created HIPS rule activities have been allowed with the following exception - user HIPS rules are not allowed to override Eset hidden default HIPS rules. As to Eset's hidden default HIPS rules? Eset will not publically disclose those - LOL.

[itman 1,659]

thanks for the idea about the troubleshooting wizard.

FYI - I mentioned the Network troubleshooting wizard to you in my first reply to this posting? Guess you miss that.

[lungo 0]

 

thanks for the idea about the troubleshooting wizard.

FYI - I mentioned the Network troubleshooting wizard to you in my first reply to this posting? Guess you miss that.

 

 

 

thanks for the idea about the troubleshooting wizard.

FYI - I mentioned the Network troubleshooting wizard to you in my first reply to this posting? Guess you miss that.

 

My bad, forgot to mention that i tried to use troubleshooting wizard, but it never came up without anything concerning firewall, that particular page is always empty. Even if the firewall blocks the communication to scanner it does not show anything. There is way of logging which does show much more in xml format.

 

"Some access allowed" is the normal message received from the HIPS when advanced logging is enabled, a user HIPS rule is present, and the process actions are allowed. Interpreted, it means the user created HIPS rule activities have been allowed with the following exception - user HIPS rules are not allowed to override Eset hidden default HIPS rules. As to Eset's hidden default HIPS rules? Eset will not publically disclose those - LOL.

 

So I guess I have to create a Ticket for this issue, instead of playing doctor from my site.

Let's see what happen - will report back.