Edevmon integration logs

[katbert 3]

In the production, after apply policy with integration of device control and some device blocking rules, Windows XP SP3 can't boot. Registry rollback restore them.

Used Eset Smart Security 5.0.2254 and 5.0.2265

On one of recovered computers, I reinstall ESS, enable checkbox of device control integration, and monitor with "sc query edevmon" driver installation status. I wait some time - but driver wasn't installed. After reboot eset GUI freeze 2-3 minutes, and after that driver was successfully installed. I think, previosly failed computers have a problem with edevmon driver installation.

On test virtual machine with clean Windows XP SP3 I collect Process Monitor log and see, what edevmon installed quickly before required reboot.

How can I collect edevmon.sys installation logs?

[Gonzalo Alvarez 66]

Hi,

ESET Installation logs can be gather using this KB mention below.

How do I generate an installation error log for Windows ESET products?
hxxp://support.eset.com/kb406/?locale=en_US&viewlocale=en_US 

I believe you perhaps want to say "ESET Endpoint Security v5" instead
of "ESET Smart Security" (a Home product).

Do you check the Windows logs?

 

[Marcos 4,705]

Maybe you've created a blocking rule for the system disk. I would recommend removing all blocking rules, clicking Populate in the Device control rule editor, creating an allowing rule for the system disk, if detected, and keeping the rule on the top.

[katbert 3]

12 hours ago, Gonzalo Alvarez said:

Hi,

ESET Installation logs can be gather using this KB mention below.

How do I generate an installation error log for Windows ESET products?
hxxp://support.eset.com/kb406/?locale=en_US&viewlocale=en_US 

 

Thanks, "Configure the verbosity of setupapi.app.log and setupapi.dev.log" is what I need. Now I have detailed log of edevmon integration process.

Default Windows event logs don't show any errors.

[Gonzalo Alvarez 66]

Let us know if you need more assistance!

[katbert 3]

Today we have analyzed one of the failed computers.

It have a problem with some drivers installation. Eset drivers installed by ees_nt32_rus.msi - installed normally.

But edevmon.sys - want manually confiramtion to install, like non-WHQL-signed driver. Without manual confirirmation driver not installed correctly, but registres as device filter (UpperFilters in many device classes). If computer rebooted remotely without install confirmation- Windows can't load UpperFilter for system drive, and show BSOD 0x0000007B.

Rebuilding of corrupted catroot database (C:\Windows\System32\catroot2) solve driver installation issue, and edevmon driver installed successfully: https://support.microsoft.com/en-us/kb/822798

I think, ESET must more carefully verify driver intergation process it next versions.

Edited January 18, 2017 by katbert

[Marcos 4,705]

Have you tried installing EPv6? It should call flushing a file after installation of a driver to prevent this.

[katbert 3]

1 minute ago, Marcos said:

Have you tried installing EPv6? It should call flushing a file after installation of a driver to prevent this.

We use Endpoint Security 5.0.2254 and 5.0.2265. How "flushing a file" in v6 works?

[Marcos 4,705]

After installing a driver the file is flushed from disk cache to ensure that it's saved properly before the computer is restarted or turned off. I'd recommend upgrading to EPv6 as it not only provides better protection than EPv5 but also has many bugs from EPv5 fixed and contains further enhancements under the hood as well. We're about to release ERA v6.5 together with Endpoint 6.5 soon so you might want to give it a try then.