tommy456 - Posted December 15, 2013 (edited December 15, 2013)

I have been having issues with SSL scanning, where ESET would appear to lose details of both trusted and excluded certs, as it would ask a short time later about certs that had previously been added to the trusted/excluded lists. I came to the conclusion that ESET isn't losing all these, but overwriting them for no apparent reason.

What has this got to do with the title of my topic, I hear you ask? That by itself, nothing, but since following the suggestions of creating a rule in the HIPS module, if I enable SSL scanning several it appears to work OK. Some 10 hrs ago I enabled SSL, had ESET prompt for SSL certs (again for already trusted/excluded certs) using Firefox and IE7.

My PC is left running through the night. Just before I started to use my PC again, I noticed an SSL cert prompt on screen for Windows service host, "Microsoft windows update". I selected to trust it; it disappeared.

I then ran my e-mail client, which struggled to connect, and then took a long time to scan 2 e-mails with no attachments before the program would close. Odd, I thought. Then I opened IE7, which took ages to decide that it could not display my home page or any web site. So I ran Firefox and waited, but it wouldn't open/run, or so I thought; a check of Task Manager revealed that the firefox.exe was running. I then tried to change the SSL settings in ESET's GUI, but this was locking the machine up, so I killed the Firefox process, and then was able to disable SSL, which made no difference: FF would still not run. Only after I disabled advanced memory scanning and exploit blocker would it run. HIPS was set to learning mode; I changed this to auto.

IMO, as I set the rule in HIPS to ask (re ESET SSL cert) as per instructions, it's possible that ESET fails to, or is unable to, generate/display a prompt from the HIPS module for me to allow or deny whichever process wants to make changes to that rule. This failure to display the prompt (a known issue for some ESET users) is the reason for the PC freezing and FF failing to open.

Eventually I was able to re-enable the AM scanning and the exploit blocker options, and although Firefox now works, as do other web apps, the page loading time is slightly reduced when this is on. So there seems to be an issue/possible conflict going on with the HIPS module and whichever module controls SSL. IMO this version of ESET has some serious problems. And before someone does, don't give me that "well, Windows XP support is ending next year". So what? ESET currently supports Win XP, therefore it should work without these issues. Microsoft stopping releasing patches won't make any real difference to how XP works, or how secure it is, as long as it is protected by a reputable AV/firewall.

If I revert back to version 6, is there any way to stop the "update to newer version" nag icon appearing?

Arakasi - Posted December 15, 2013 (edited December 15, 2013)

[quote]Microsoft stopping releasing patches won't make any real difference to how XP works, or how secure it is, as long as it is protected by a reputable AV/firewall,[/quote]

I was enjoying your post and reporting to ESET, up until this comment. It is absolutely incorrect information. The security patches that Microsoft releases are hard core problems with code and loopholes found with the entire operating system. Having an antivirus or security suite will not help you in this XP endeavor to continue using. I would prefer not to go on about this topic, but to keep it short and sweet, the type of security risk we are talking about are the ones that allow an attacker access into the machine to send remote code execution, initiate elevation of privilege which would allow you to just turn off the antivirus or disable it, and more compromising activities. There are exploits coming out all the time that allow Windows kernel security feature bypass. Have a look at these last few patches from Tuesday: hxxp://technet.microsoft.com/en-US/security/dn481339

Regarding ESET, of course Windows XP is supported, and will be from ESET far into the future. I am sure we can help you out with your issues. I have SSL scanning issues as well, and they are currently analyzing and reviewing my own case as to why memory climbs using SSL. It sounds to me like you have a plethora of things going wrong, and I assure you this version is not that bad, but a major improvement of features from the previous versions. Have you tried doing a complete uninstall and reinstall of the software first? There are certain registry keys that hold on to your SSL exclusions and permissions; I have heard of them resetting on a user before and there may already be a fix.

tommy456 - Posted December 15, 2013 (edited December 15, 2013)

Is there a way to stop being logged out of this forum whilst composing a post?

Yes, I reinstalled v7 shortly after performing the in-situ upgrade from v6: lots of issues with prompts from ESET modules failing to display, causing lock-ups etc., similar to what I have recently been re-experiencing.

The memory accumulation is still present; lsass.exe may be in some way connected to this, as that will keep accumulating using virtual memory until the EKRN.EXE is terminated; it then releases what it no longer requires. I have tested the above using Process Hacker 2.

But sometimes I get network throughput issues on my LAN a short time later, which may have been coincidence, as it may be more likely it's in some way down to SSL scanning if it's enabled. This SSL problem also seems to affect the protocol filtering side of things, such as responsiveness when it comes to loading web pages.

Arakasi - Posted December 15, 2013

Yes Tommy, you are correct in your findings. We have a case actively open and investigation is underway. Peter started it and I think mmx may be a researcher/analyst assigned to the case. https://forum.eset.com/topic/1474-local-security-authority-process/

Keep checking back for a possible fix, and I also informed of your issue as well in my thread. Sorry for your troubles.

tommy456 - Posted December 16, 2013 (edited December 16, 2013)

Just seen the answer. I'm sorry but I don't buy it; I have watched with my own 2 eyes LSASS.exe release its virtual memory, as well as occasionally its physical memory too, that it no longer needs after the EKRN.EXE process is restarted, and this is easily reproduced. On a machine without ESET installed this doesn't happen, so how can it be down to Windows and not something ESET related?

But if I don't kill EKRN.EXE, its accumulated physical memory keeps growing, as does LSASS.EXE's virtual memory. Would they like to watch this in a video?

This answer is typical of the stonewall that ESET throw up. This memory issue wasn't apparent for me in v4 and v5 up until a certain build module update. Then there are these other issues of ESET failing to display pop-up messages regarding permissions if you happen to use the interactive option?

tommy456 - Posted December 17, 2013

Are they going to look into my case? Because what I am seeing is not down to LSASS.EXE or Microsoft. EKRN.EXE has had a memory leak for years; version 6 it started. ESET is preventing LSASS.EXE unloading unneeded virtual memory whilst EKRN.EXE hogs my RAM, possibly driven in part by using SSL.

Why is a company like ESET passing the buck, and doing nothing to fix this long-standing issue that could potentially affect a large portion of the customer base? Just because they aren't on here reporting issues means very little: they may be using telephone support, they may be unaware of this issue, or use their machines in a different way (short periods of use only), or they may not prefer to use forums as a way of getting support.

Arakasi - Posted December 17, 2013 (edited December 17, 2013)

tommy456, I don't think you are aware that the employees and developers come here daily to assist with questions, or if it's one of their cases. Some may be passing answers on to the moderators, and some may just be reading for answers. You may have different issues than me, and it's encouraged that you contact support through email or phone for assistance. The moderators here can start a new case for you, or they may provide different instructions... I will reach back out to support myself at a later date to check for updates. Thanks.

I am OK without SSL scanning for the moment, but I may not understand you have your own reasons for requiring it, and that's OK; your incident may be of higher importance.

tommy456 - Posted December 17, 2013 (edited December 17, 2013)

For me it's the memory leak issue that is of more importance, and the losing of some but not all of the SSL certs that were saved in ESET's trusted/excluded lists seems to be linked to this EKRN.EXE memory consumption, as I am now getting asked once again to trust or exclude SSL certs that were previously stored.

I have already tried support, who have checked my PC remotely and taken related info such as Proc Mon logs; they have had full memory dmps, and the message I got back was that there was nothing conclusive, or something similar.

Basically the impression that I get is they probably do know what the underlying cause is, but because they consider it to be low priority, or it would mean a lot of work for them, which in turn boils down to costs = less profits, they fob us off instead. Which is a shame, as I have had other issues that support were able to collect enough data about that a replacement ESET driver was released. So I thought that ESET was a vendor who really did give a damn about its customers; maybe I was wrong.

Arakasi - Posted December 17, 2013

Oh they care, trust me. They do phenomenal work outside of security by extending their hand as well as with getting rid of malware. Not sure your situation, but for now the memory leak can be suppressed by disabling SSL temporarily for the moment and can see what they say here. I'll just be patient and see what they say... Thanks tommy for reporting the issue and holding out...

tommy456 - Posted December 17, 2013

Well, the reply that you got doesn't instil a great deal of hope, as they are blaming LSASS.EXE when the main ESET process clearly has a memory leak. IMO perhaps if they bothered to fix this long overdue issue, maybe LSA wouldn't be any longer affected by EKRN.EXE. But there would appear to be no chance of that ever happening when they just would rather blame something else.

Marcos (Administrators) - Posted December 17, 2013

If you are a programmer, we could probably provide you with steps how to reproduce the lsass issue on your own if you don't trust us and think that we blame others instead of fixing our bugs.

tommy456 - Posted December 18, 2013 (edited December 18, 2013)

No, I am not a programmer, but I am able to demonstrate visually how EKRN.EXE is preventing LSASS.EXE from releasing unneeded virtual memory that it has accumulated, by simply killing the main ESET process EKRN.EXE and restarting it again; this then allows LSASS.EXE to unload this unneeded memory.

In my case it is not as per https://forum.eset.com/topic/1474-local-security-authority-process/

The LSASS.EXE will not release accumulated virtual memory until the EKRN.EXE process is stopped. There is a very short delay of say 20-40 seconds before LSASS will release unneeded physical (RAM) memory, which is not what I'm talking about here.

And in my case EKRN.EXE also accumulates physical (RAM) (as per memory leak issues); I have seen in excess of 300mb. With SSL disabled this does not occur, always under 100mb, and LSASS.EXE isn't hoarding virtual memory; the two are linked. IMO it's down to the way ESET processes SSL certs that causes the issue with lsass.

Arakasi - Posted December 18, 2013

When I force close ekrn on my system, lsass does not release the memory. So my problem differs from yours, and from my system, lsass seems to be the issue.

Alikhan - Posted December 18, 2013

I have SSL enabled and am using Google chrome and don't have the issue. I've never seen lsass.exe exceed 25mb for me. hxxp://oi41.tinypic.com/j6ne4o.jpg Can't use here...

Arakasi - Posted December 18, 2013

[quote]I have SSL enabled and am using Google chrome and don't have the issue. I've never seen lsass.exe exceed 25mb for me. hxxp://oi41.tinypic.com/j6ne4o.jpg Can't use here...[/quote]

This issue does not affect all users, Alikhan. Thanks for sharing.

tommy456 - Posted December 18, 2013 (edited December 18, 2013)

It never has affected everyone (EKRN.EXE memory leak, which could be linked to SSL scanning). When I had a dual boot with Win7 I never had the issue on that O/S, but have with XP. But IMO there's little doubt about it that EKRN is the driver that causes LSA to hog virtual/kernel memory; well, in my case it does. If no ESET on my PC, no lsass issue; in such a case how can lsass be the problem?

Arakasi - Posted December 18, 2013

[quote]It never has affected everyone (EKRN.EXE memory leak, which could be linked to SSL scanning). When I had a dual boot with Win7 I never had the issue on that O/S, but have with XP. But IMO there's little doubt about it that EKRN is the driver that causes LSA to hog virtual/kernel memory; well, in my case it does. If no ESET on my PC, no lsass issue[/quote]

Sure, no lsass issue, because you're not scanning SSL and monitoring traffic and using authentication on whether to proceed with the protocol or not. Install and find another security suite that will scan SSL protocol, use authentication against it, and then post your results.

tommy456 - Posted December 19, 2013 (edited December 19, 2013)

That I shall do. But the thing that you seem to be overlooking here is that when SSL is disabled both EKRN & LSASS do not accumulate physical memory. But when SSL is enabled every time you browse a web page, regardless of it being HTTPS or just plain old HTTP. So if this is purely an SSL problem & LSASS, why is EKRN accumulating physical memory at all, and in particular when browsing non-secure web pages?

Arakasi - Posted December 19, 2013 (edited December 19, 2013)

It's not an SSL problem. It's an authentication issue WITH SSL. You don't sound like you have IT background. Please think outside the box and try to put a little faith in others, especially the company providing you with security.

When you turn on scanning with SSL WITH ESET Nod32 or Smart Security, does it not create a rule set? When you visit a new SSL page for the first time, does it not produce a pop-up window with authentication, YES or NO to proceed to site and proceed with scanning the SSL traffic? Just visiting an SSL site has no authentication behind it. Your connection is secure through encryption, yes, but you're not providing credentials and elevation of privileges to software packages to initiate the connection.

I am overlooking absolutely nothing. I understand the issue completely. Local security authority process is used for authentication. Please read up on it so you understand a little of what's going on and why. hxxp://en.wikipedia.org/wiki/Local_Security_Authority_Subsystem_Service

Thanks. Let us know if you find another product that scans and watches SSL traffic, and what your results were, including product used. I, on the other hand, will never pick up a different antivirus product. I have 17 years experience and I have used them ALL ALREADY!! None compares to ESET's quality and hard work.

Arakasi - Posted December 19, 2013 (edited December 19, 2013)

I wasn't going to say it, but I changed my mind. I, on the other hand, am a programmer. Albeit only an associates (2 years). I have built applications for very large corporations already. Citibank / United Health. However, I no longer write or develop except for personal use. If I could join even just the interface dev team at ESET I would. I'll make an Open or Close button for them. Or maybe a restart computer script.

Marcos (Administrators) - Posted December 20, 2013

I'd compare this issue to a bug with Windows filtering platform that rendered downloaded files processed by ESET's HTTP scanner corrupted. The issue didn't occur with other security solutions so one might have thought that it's a bug in ESET's scanner. However, it wasn't and eventually MS released a hotfix that addressed the issue. The reason why the problem didn't manifest with other security products was that they had http scanning implemented differently (e.g. didn't utilize the modern Windows Filtering Platform or didn't make any changes to the data stream upon download).

Arakasi - Posted December 20, 2013 (edited December 21, 2013)

[quote]However, it wasn't and eventually MS released a hotfix that addressed the issue.[/quote]

Do you remember what KB it was?

SweX - Posted December 20, 2013

[quote]However, it wasn't and eventually MS released a hotfix that addressed the issue.[/quote] Do you remember what KB it was?

FWIW, I think this thread is about that with links to the MS KB's too so maybe it can help a bit. https://www.wilderssecurity.com/showthread.php?t=332920