katbert 3 · Posted January 16, 2017

In production, after applying a policy with device control integration and some device blocking rules, Windows XP SP3 can't boot. A registry rollback restores them. Used Eset Smart Security 5.0.2254 and 5.0.2265.

On one of the recovered computers, I reinstalled ESS, enabled the device control integration checkbox, and monitored the driver installation status with "sc query edevmon". I waited some time, but the driver wasn't installed. After a reboot the ESET GUI froze for 2-3 minutes, and after that the driver was successfully installed. I think the previously failed computers have a problem with edevmon driver installation. On a test virtual machine with a clean Windows XP SP3, I collected a Process Monitor log and saw that edevmon was installed quickly, before the required reboot.

How can I collect edevmon.sys installation logs?
ESET Staff Gonzalo Alvarez 66 · Posted January 16, 2017

Hi, ESET installation logs can be gathered using the KB mentioned below.

How do I generate an installation error log for Windows ESET products? hxxp://support.eset.com/kb406/?locale=en_US&viewlocale=en_US

I believe you perhaps want to say "ESET Endpoint Security v5" instead of "ESET Smart Security" (a Home product). Did you check the Windows logs?
Administrators Marcos 4,931 · Posted January 17, 2017

Maybe you've created a blocking rule for the system disk. I would recommend removing all blocking rules, clicking Populate in the Device control rule editor, creating an allowing rule for the system disk, if detected, and keeping the rule on the top.
katbert 3 (Author) · Posted January 17, 2017

> 12 hours ago, Gonzalo Alvarez said: Hi, ESET installation logs can be gathered using the KB mentioned below. How do I generate an installation error log for Windows ESET products? hxxp://support.eset.com/kb406/?locale=en_US&viewlocale=en_US

Thanks, "Configure the verbosity of setupapi.app.log and setupapi.dev.log" is what I need. Now I have a detailed log of the edevmon integration process. The default Windows event logs don't show any errors.
ESET Staff Gonzalo Alvarez 66 · Posted January 17, 2017

Let us know if you need more assistance!
katbert 3 (Author) · Posted January 18, 2017 (edited)

Today we have analyzed one of the failed computers. It has a problem with the installation of some drivers. The ESET drivers installed by ees_nt32_rus.msi are installed normally. But edevmon.sys wants manual confirmation to install, like a non-WHQL-signed driver. Without manual confirmation the driver is not installed correctly, but it is registered as a device filter (UpperFilters in many device classes). If the computer is rebooted remotely without the install confirmation, Windows can't load the UpperFilter for the system drive and shows BSOD 0x0000007B.

Rebuilding the corrupted catroot database (C:\Windows\System32\catroot2) solves the driver installation issue, and the edevmon driver is installed successfully: https://support.microsoft.com/en-us/kb/822798

I think ESET must verify the driver integration process more carefully in its next versions.

Edited January 18, 2017 by katbert
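The failure mode described in the post above (a filter name registered in a device class's UpperFilters/LowerFilters while the driver service or its .sys file is absent) can be detected before anyone reboots the machine. The script below is an added example written for this thread; it is not code from the thread's author or from ESET. It assumes the standard registry layout HKLM\SYSTEM\CurrentControlSet\Control\Class\{GUID} for class filter values and HKLM\SYSTEM\CurrentControlSet\Services\<name>\ImagePath for the driver binary, and it assumes that a service with no ImagePath resolves to System32\drivers\<name>.sys. The DiskDrive class GUID is a well-known value; the "sc query" call at the end is the same check used in the first post.

```powershell
# Added example (not from the thread or ESET): find filter drivers that are
# registered in a device class but whose service key or .sys file is missing.
# Such a "dangling" filter on the disk class is what turns into a 0x7B stop
# error at the next boot, so run this before rebooting.
param(
    [string]$FilterName = 'edevmon'   # service name of interest; edevmon is from the thread
)

$classRoot   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Class'
$serviceRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$driverDir   = Join-Path $env:SystemRoot 'System32\drivers'
# Well-known setup class GUID for DiskDrive; a dangling filter here blocks boot.
$diskClassGuid = '{4D36E967-E325-11CE-BFC1-08002BE10318}'

function Get-FilterBinaryPath {
    # Resolve the on-disk path of a filter driver's binary, or $null if the
    # service key does not exist at all (assumption: default path is drivers\<name>.sys).
    param([string]$Name)
    $svcKey = Join-Path $serviceRoot $Name
    if (-not (Test-Path $svcKey)) { return $null }
    $imagePath = (Get-ItemProperty -Path $svcKey -ErrorAction SilentlyContinue).ImagePath
    if (-not $imagePath) { return (Join-Path $driverDir "$Name.sys") }
    # Normalise the three forms ImagePath commonly takes:
    #   \SystemRoot\system32\drivers\x.sys, \??\C:\...\x.sys, system32\drivers\x.sys
    $imagePath = $imagePath -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    $imagePath = $imagePath -replace '^\\\?\?\\', ''
    if ($imagePath -notmatch '^[A-Za-z]:\\') { $imagePath = Join-Path $env:SystemRoot $imagePath }
    return $imagePath
}

function Find-DanglingFilters {
    # Walk every device class and report filters that cannot be loaded,
    # plus every occurrence of $FilterName so its registration is visible.
    $results = @()
    foreach ($classKey in Get-ChildItem -Path $classRoot -ErrorAction SilentlyContinue) {
        $props = Get-ItemProperty -Path $classKey.PSPath -ErrorAction SilentlyContinue
        foreach ($valueName in 'UpperFilters', 'LowerFilters') {
            $filters = $props.$valueName
            if (-not $filters) { continue }
            foreach ($f in @($filters)) {
                $bin = Get-FilterBinaryPath -Name $f
                $status = if ($bin -eq $null) { 'NO SERVICE KEY' }
                          elseif (-not (Test-Path $bin)) { "MISSING FILE $bin" }
                          else { 'ok' }
                if ($status -ne 'ok' -or $f -ieq $FilterName) {
                    $results += New-Object PSObject -Property @{
                        ClassGuid = $classKey.PSChildName
                        ClassName = $props.Class
                        Value     = $valueName
                        Filter    = $f
                        Status    = $status
                        BootRisk  = ($status -ne 'ok' -and $classKey.PSChildName -ieq $diskClassGuid)
                    }
                }
            }
        }
    }
    return $results
}

$found = Find-DanglingFilters
if ($found) {
    $found | Sort-Object BootRisk -Descending |
        Format-Table ClassName, Value, Filter, Status, BootRisk -AutoSize
} else {
    Write-Host "No dangling class filters found; $FilterName is not registered in any class."
}

# Same check the thread used to watch the driver come up; STOPPED or a
# missing service while the filter is registered means do not reboot yet.
Write-Host "`nService state:"
sc.exe query $FilterName
```

Run it from an elevated prompt on the affected host. Any row with BootRisk = True is exactly the state the post describes: the disk class will try to load a filter that is not there, so the fix (confirming the driver install or rebuilding catroot2 per the linked KB) should be completed before the machine is restarted.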
Administrators Marcos 4,931 · Posted January 18, 2017

Have you tried installing EPv6? It should call flushing a file after installation of a driver to prevent this.
katbert 3 (Author) · Posted January 18, 2017

> 1 minute ago, Marcos said: Have you tried installing EPv6? It should call flushing a file after installation of a driver to prevent this.

We use Endpoint Security 5.0.2254 and 5.0.2265. How does "flushing a file" work in v6?
Administrators Marcos 4,931 · Posted January 18, 2017

After installing a driver the file is flushed from disk cache to ensure that it's saved properly before the computer is restarted or turned off. I'd recommend upgrading to EPv6 as it not only provides better protection than EPv5 but also has many bugs from EPv5 fixed and contains further enhancements under the hood as well. We're about to release ERA v6.5 together with Endpoint 6.5 soon so you might want to give it a try then.