Jump to content

ESET Internet Security V12.0.27 possible bug


Recommended Posts

  • Most Valued Members

Hello ,

When ESET shows me that my OS is missing updates , I do click on Run Update from ESET Gui after looking at what updates my PC is missing , I click Run System Update or Run Update can't remember exactly , all that happens is that I get an admin CMD window opened (from system32).

EDIT : Yes I do know that I can run the Windows Update from Windows itself , but ESET instead of opening the Windows Update window for me , it's opening me the CMD Admin windows , it's like the script that is intended for this job is not doing it's job right.

Edited by Rami
Link to comment
Share on other sites

  • Most Valued Members
2 hours ago, Marcos said:

Please post a screen shot for clarification.

I have updated my Windows , I can't re-produce the bug again , but it happened before this time

It just opens an admin CMD window and do nothing.

EDIT : I have to wait until there is an update for my system so ESET can show me and I can reproduce the error , but it happened 2 times , each time for different updates clicking the Run Update just opens a CMD admin window.

On my laptop it opens the CMD admin window , on my desktop it works , I'm trying to know what is the difference between the 2 systems , but both of them using the same Windows 10 and the same ESET version , I just don't know what is different in the laptop setup.

Edited by Rami
Link to comment
Share on other sites

Posting OS ver. used really is necessary to properly diagnosis this.

On Win 10 Home x(64), I never have had an issue with it opening the Win 10 system win update check screen.

My main complaint about the feature is it appears to be triggered by the Win 10 system update checking and is not sophisticated enough, or is not programmed, to wait to see if the update was actually done automatically. In other words, the Eset notification should only appear if the Win update was not installed.

Edited by itman
Link to comment
Share on other sites

  • Most Valued Members
5 minutes ago, itman said:

Posting OS ver. used really is necessary to properly diagnosis this.

On Win 10 Home x(64), I never have had an issue with it opening the Win 10 system win update check screen.

My main complaint about the feature is it appears to be triggered by the Win 10 system update checking and is not sophisticated enough, or is not programmed, to wait to see if the update was actually done automatically. In other words, the Eset notification should only appear if the Win update was not installed. 

Laptop is running Windows 10 Pro 1803 x64 , Desktop is running Windows 10 Enterprise 1803 x64

Link to comment
Share on other sites

5 minutes ago, Rami said:

Laptop is running Windows 10 Pro 1803 x64

Strange. Same version I am using but on a desktop. Well, not exactly since I am using the home version.

Since you are using the Pro version, have you configured any SRP's or other Windows security mechanisms; e.g. ASR rules, to block cmd.exe execution?

Or, are you using third party security software like NVT's OSArmor?

Edited by itman
Link to comment
Share on other sites

  • Most Valued Members
1 minute ago, itman said:

Strange. Same version I am using but on a desktop. Well, no exactly since I am using the home version.

Since you are using the Pro version, have you configured any SRP's or other Windows security mechanisms; e.g. ASR rules, to block cmd.exe execution?

I never changed any of the Windows Security settings or any of the Local Policy.

I have to wait for the next update so I can get a notification from ESET , uninstalling and re-installing could fix it I will see.

Link to comment
Share on other sites

@Rami, I checked this out. I opened Process Explorer prior to accessing Win Update checking via Eset GUI  check for Win Updates button in Win 10 Home x(64) 1803. I did not observe any startup of cmd.exe origination from ekrn.exe, equi.exe, or anything else for that matter. My best guess is Eset is executing "ms-settings:windowsupdate" via run command window equivalent.

Edited by itman
Link to comment
Share on other sites

  • Most Valued Members
4 hours ago, itman said:

@Rami, I checked this out. I opened Process Explorer prior to accessing Win Update checking via Eset GUI  check for Win Updates button in Win 10 Home x(64) 1803. I did not observe any startup of cmd.exe origination from ekrn.exe, equi.exe, or anything else for that matter. My best guess is Eset is executing "ms-settings:windowsupdate" via run command window equivalent.

And that probably why I get an empty CMD admin window when I click it , it seems that there is something that prevented it from triggering.

Link to comment
Share on other sites

9 minutes ago, Rami said:

And that probably why I get an empty CMD admin window when I click it

No - I don't believe Eset is using cmd.exe for this. Programs can interact with the desktop. What I believe equi.exe is doing is internally running this: ms-settings:windowsupdate.

Link to comment
Share on other sites

Also, I monitor all cmd.exe startup using a HIPS rule. If egui.exe was doing so, I would have received an alert from it which I never have received.

Eset programs are written in assembler; at least ekrn.exe is and I assume egui.exe is also. You can start a program directly from assembler code using the following I found on the web:

Quote

You can start a program with CreateProcessA and wait for its end with WaitForSingleObject. The GCC-linker (LD) needs also a suffix with the number of the pushed bytes (e.g. "@4", one dword = four bytes). That is one reason to use another linker.

The following code example is for cmd.exe but it could also be deployed for systemsettings.exe and accessing the Windows Update feature within:

Quote

Here's a simple example to start a shell (cmd.exe) with a "dir"-command:

exec_dir.asm:

STRUC _STARTUPINFO                      ; https://msdn.microsoft.com/library/windows/desktop/ms686331.aspx
    .cb:                resd 1
    .lpReserved:        resd 1
    .lpDesktop:         resd 1
    .lpTitle:           resd 1
    .dwX:               resd 1
    .dwY:               resd 1
    .dwXSize:           resd 1
    .dwYSize:           resd 1
    .dwXCountChars:     resd 1
    .dwYCountChars:     resd 1
    .dwFillAttribute:   resd 1
    .dwFlags:           resd 1
    .wShowWindow:       resw 1
    .cbReserved2:       resw 1
    .lpReserved2:       resd 1
    .hStdInput:         resd 1
    .hStdOutput:        resd 1
    .hStdError:         resd 1
ENDSTRUC

STRUC _PROCESS_INFORMATION              ; https://msdn.microsoft.com/library/windows/desktop/ms684873.aspx
    .hProcess:      resd 1
    .hThread:       resd 1
    .dwProcessId:   resd 1
    .dwThreadId:    resd 1
ENDSTRUC

ENDSTRUC

section .data
    startupinfo:
        istruc _STARTUPINFO
        iend
    procinfo:
        istruc _PROCESS_INFORMATION
        iend
    app_fullpath: db "C:\Windows\System32\cmd.exe",0
    params: db "/c dir", 0
    msg: db `\n\nok.\n`,0

global _main
EXTERN _ExitProcess@4, _CreateProcessA@40,_WaitForSingleObject@8
EXTERN _puts, _fflush

section .text
_main:

    ; CreateProcess(app_fullpath,params,0,0,false,0,0,0,&startupinfo,&procinfo)
    push procinfo
    push startupinfo
    push 0
    push 0
    push 0
    push 0
    push 0
    push 0
    push params
    push app_fullpath
    call _CreateProcessA@40         ; https://msdn.microsoft.com/library/windows/desktop/ms682425.aspx

    ; WaitForSingleObject( procinfo.hProcess, INFINITE );
    push -1         ; INFINITE
    push dword [procinfo + _PROCESS_INFORMATION.hProcess]
    call _WaitForSingleObject@8

    ; puts ("ok."), fflush to flush the stdout-buffer
    push msg
    call _puts
    mov dword [esp], 0
    call _fflush
    add esp, 4

    ; return 0
    push 0
    call _ExitProcess@4

 

Edited by itman
Link to comment
Share on other sites

  • Most Valued Members
On 11/24/2018 at 6:40 PM, itman said:

Also, I monitor all cmd.exe startup using a HIPS rule. If egui.exe was doing so, I would have received an alert from it which I never have received.

Eset programs are written in assembler; at least ekrn.exe is and I assume egui.exe is also. You can start a program directly from assembler code using the following I found on the web:

The following code example is for cmd.exe but it could also be deployed for systemsettings.exe and accessing the Windows Update feature within:

 

It seems that the bug is caused by Windows itself , even though I am trying to open Display Settings , I only get a CMD window, I just don't know what is the cause of this.

Link to comment
Share on other sites

8 minutes ago, Rami said:

even though I am trying to open Display Settings , I only get a CMD window,

Do you mean Windows Update settings via the Eset GUI or "Display Settings?" If the later, you will have to elaborate more on what you are doing.

Link to comment
Share on other sites

  • Most Valued Members
46 minutes ago, itman said:

Do you mean Windows Update settings via the Eset GUI or "Display Settings?" If the later, you will have to elaborate more on what you are doing.

When I right click on the desktop and then click Personalize or Display Settings , all I get is an empty system32 cmd window, that might explain why when I click Run Update in ESET , the same thing happens.

Link to comment
Share on other sites

1 hour ago, Rami said:

When I right click on the desktop and then click Personalize

On my Win 10 x(64) 1803 build when I do the same, the following processes are started:

  • SystemSettings.exe
  • backgroundTaskHost.exe
  • SpeechRuntime.exe

No evidence of any attempt to run cmd.exe.

You possibly have a corrupted user account/settings or a number of other issues. Here's something to review: https://www.maketecheasier.com/fix-settings-app-not-working-in-windows-10/ . Of note:

Quote

Conclusion

It’s not simple, but creating a new Windows account is sadly the best workaround to this problem that’s managed to persist for some despite patches that have been released to tackle it. It’s worth stressing again that you should try the two simpler solutions at the start of this article before going through the hassle of creating a new account.

 

 

Edited by itman
Link to comment
Share on other sites

  • Most Valued Members
12 hours ago, itman said:

On my Win 10 x(64) 1803 build when I do the same, the following processes are started:

  • SystemSettings.exe
  • backgroundTaskHost.exe
  • SpeechRuntime.exe

No evidence of any attempt to run cmd.exe.

You possibly have a corrupted user account/settings or a number of other issues. Here's something to review: https://www.maketecheasier.com/fix-settings-app-not-working-in-windows-10/ . Of note:

 

 

I will take a look , or just format the laptop so I won't have to deal with Microsoft problems.

Link to comment
Share on other sites

Guest
This topic is now closed to further replies.
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...