tomha, posted August 29, 2017:

We're running Eset FileSecurity for Windows Server 6.5.12010.0 on an SBS 2011 (technically Server2008R2). Our customer is using a software called Remote Administrator 3 to gain remote access to the server. This software is reported as a potentially unsafe application by Eset products, which we were aware of, and we set up the necessary exclusions. The executable "rserver3.exe" is installed under "C:\Windows\Syswow64\rserver30\" and the path and the executable are excluded.

These exclusions were working without problems for a long time, but suddenly we got messages about rserver3.exe as a potentially unsafe application again. FS 6.5 shows a strange path for the rserver3.exe like "\D:\AdoMed\Util\n7\..\..\..\..\..\..\Windows\SysWOW64\rserver30\rserver3.exe". The count of "\..\" varies from 5 to 6 and each entry is logged twice. The messages are logged at the startup file scan.

The folder "D:\AdoMed\Util\n7\" exists on the server, but it does not contain any subfolders, symlinks or the rserver3.exe. Does anyone know why Eset FileSecurity mixes up folders in the server's filesystem and reports nonexistent files?
Peter Randziak (ESET Moderators), posted August 30, 2017:

Hello,

I would suggest running the Process Monitor tool with advanced logging enabled to capture ESET's startup scan, and opening a ticket with your local ESET support to check. Also, please attach the output from ESET Log Collector to the request.

Regards, P.R.
tomha, posted August 31, 2017 (edited):

@Peter

Thanks for your reply. I ran Procmon while doing a startup scan and it seems ekrn.exe tries to access all entries of the system's path variable with some "\..\" added and then the "C:\Windows\syswow64\reserver30\" added. Screenshot attached. No clue why ekrn.exe does this, where it gets the path from and why it seems to find a file under this strange path.

As you suggested, I opened a ticket at the local Eset support and provided the logs.

Regards, Thomas
Peter Randziak (ESET Moderators), posted September 14, 2017:

Hello Thomas,

may I ask how it went with your support case? Are there any findings from it?

Regards, P.R.
tomha, posted September 20, 2017:

The Eset Support Team seems to have found a glitch with the parsing of lnk files. I was told this problem will be solved by a module update.
Peter Randziak (ESET Moderators), posted September 21, 2017:

Hello Thomas,

great, thank you for keeping us posted.

Regards, P.R.