
2011wrx

Eset Endpoint Security-Device Control Not Functioning


Hi Everyone,

We have recently installed Eset Endpoint Security on about 50 workstations (a mix of Windows XP and Windows 7).  So far, everything seems to be working well with one exception. We have noticed that the device control module will occasionally display as "not-functioning" on a few of the clients.  The issue can be resolved by a simple reboot.  Once the reboot is complete, the device control will display as "active".  Eset will then begin blocking external USB drives as expected.  Although I am rather new to this, I am fairly certain I have the device control feature set up correctly on the client machines (most of the time the device control feature is working as expected).  I am hoping our issue is a result of a simple misconfiguration on the client side.  We have not yet tried re-installing EES on the clients but can always do that if needed.  Does anyone have any suggestions concerning a possible fix for this issue? 

Here is some additional information:


-We are running Eset Remote Administrator on a central server (running Windows 2008 Server). 

-All client settings are being enforced through policies created in ERA.

-All EES installations are protected by a password.  Users are not able to modify any settings or disable the application.

-All client machines are connected to a domain.  All users on the domain are members of the "domain users" group.

-The ERA server is also a member of the same domain.

-We have the device control module enabled in all of the Eset policies.

-All policies have a "USB Block" rule present under the device control configuration.

-This "USB Block" rule is set to block any removable storage devices.  We have applied this rule to all users who are a member of the "domain users" group. 

-We have confirmed that the "USB Block" rule functions normally most of the time.  It's only when the client shows device control as not functional that the rule stops working.  Rebooting the client machine solves the issue temporarily.

-The ERA does not report any issues with the clients (it shows full protection present) even though the client machine is showing a problem with the device control when viewing the EES status window locally on the client.

-So far, we have only seen this issue on Windows XP machines. We have not run into a Windows 7 machine with this issue yet.  That being said, only about 10% of the client machines are running Windows 7.  The majority are XP. EDIT:  We have now confirmed that the issue is affecting both Windows XP and Windows 7.  The difference is that the Windows 7 machines show the Device Control module as being active. However, it is not successfully blocking USB drives as requested.  A reboot does fix this problem.  It


Thank you for your help!


Could you please run "sc query edevmon" as an administrator at the moment when the issue occurs and post the output here?


Could you please run "sc query edevmon" as an administrator at the moment when the issue occurs and post the output here?

Hi Marcos,

Thank you very much for the reply.  We actually ran for about a day without any of our machines reporting the Device control as not functioning.  Unfortunately it looks like it may be starting again.  I ran the query as you requested and here is what I found:

[SC] EnumQueryServiceStatus:OpenService FAILED 1060: The specified service does not exist as an installed service

At that point, we immediately rebooted the client but ran into a blue screen.  The BSOD mentioned a Bad Pool Caller as the issue.  Unfortunately I was not able to find the memory dump data as none of the machines are configured to do so (I just started working at this company a few months ago so I do not yet have all of their machines configured as I like them).  I will definitely make sure to set up the memory dump in the event we run into this BSOD again.  We were able to get the machine to boot normally and as of now the device control seems to be working again.  We also re-ran the query and received this output:


Service Name edevmon
     Type: 1 kernel_driver
     State: 4 running (stoppable, not_pausable, ignores_shutdown)
     Win32_Exit_code: 0 (0x0)
     Service_Exit_code: 0 (0x0)
     checkpoint: 0x0
     wait_hint:  0x0


It appears the edevmon service stops running at some point during the day but can be re-enabled by a simple reboot.  I am not sure if the blue screen has anything to do with our issue as this is the first time we have come across it.  Normally when we notice the device control is off we can just do a simple reboot.  

Here is a little more info which may be of some help:

-We installed Eset Endpoint Security locally on each machine (as opposed to using ERA to push the install).  We then set up Eset to connect to the ERA server.

-We installed EES under a local account with Administrator rights (as opposed to using a domain account with admin rights).  I performed the install this way because I have run into installation issues in the past when using non-local accounts to perform installs.  Please note that the actual end users will be logging in under a domain account (they are a member of the domain users group only).

-Prior to the installation of EES, all of their machines were running MS security essentials.  I uninstalled MSE prior to attempting the eset install.


Thanks again for your help! 


According to the output you've mentioned, edevmon.sys was not loaded. BSOD would occur if the Device Control driver edevmon.sys was removed from the Windows\system32\drivers folder but wasn't unregistered properly from the filter chain in the registry.

Were these computers restarted or shut down properly, or did the users make a hard reset / shutdown using the reset / power button?


According to the output you've mentioned, edevmon.sys was not loaded. BSOD would occur if the Device Control driver edevmon.sys was removed from the Windows\system32\drivers folder but wasn't unregistered properly from the filter chain in the registry.

Were these computers restarted or shut down properly, or did the users make a hard reset / shutdown using the reset / power button?

They were reset properly (I actually did the reset myself after noticing the device control was not functioning according to Eset).  Once I rebooted, device control was installed and functioning normally again.  It appears that device control stops functioning randomly and then comes back up after a reboot.


Hi, I am having the same issue. The same install and setup method is used and the same issue is experienced. This is running the latest Endpoint Antivirus client version 5.


Hi, I am having the same issue. The same install and setup method is used and the same issue is experienced. This is running the latest Endpoint Antivirus client version 5.


Was the computer restarted after installing Endpoint or enabling Device control? If you run "sc query edevmon" with elevated administrator rights, is the driver loaded and in the "running" state?

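As an added example (not part of the thread and not ESET's own tooling), the following elevated PowerShell check combines the two diagnostics raised in the replies above: whether the edevmon driver service exists and is in the running state, and whether edevmon.sys is still referenced in a device-class filter chain while the file itself is missing, which is the condition the ESET reply links to the Bad Pool Caller blue screen. The service name and driver file name are taken from the thread; the class-key location and the UpperFilters/LowerFilters value names are standard Windows driver registration, assumed here rather than quoted from ESET documentation.

```powershell
# Added example, not from the thread or from ESET. Run from an elevated
# PowerShell prompt on an affected client (Get-WmiObject is used so the
# script also works on the PowerShell 2.0 found on Windows XP / 7).
# Assumptions: service name "edevmon" and file "edevmon.sys" (from the
# thread); filter-chain registration lives in the UpperFilters/LowerFilters
# values of the device class keys under Control\Class (standard Windows).
$serviceName = 'edevmon'
$driverPath  = Join-Path $env:SystemRoot 'System32\drivers\edevmon.sys'
$classRoot   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Class'

# 1. Driver service state, the same information "sc query edevmon" shows.
#    A missing service corresponds to the FAILED 1060 output in the thread.
$svc = Get-WmiObject Win32_SystemDriver -Filter "Name='$serviceName'" `
       -ErrorAction SilentlyContinue
$state = if ($null -eq $svc) { 'NOT INSTALLED' } else { $svc.State }

# 2. Is the driver binary still on disk?
$fileOk = Test-Path $driverPath

# 3. Is the driver still listed in any class filter chain?
$filterRefs = @(Get-ChildItem $classRoot -ErrorAction SilentlyContinue |
    ForEach-Object {
        $props = Get-ItemProperty $_.PSPath -ErrorAction SilentlyContinue
        foreach ($valueName in 'UpperFilters', 'LowerFilters') {
            if ($props.$valueName -contains $serviceName) {
                "$($_.PSChildName)\$valueName"
            }
        }
    })

"Service state : $state"
"Driver file   : $(if ($fileOk) { 'present' } else { 'MISSING' }) ($driverPath)"
"Filter refs   : $(if ($filterRefs.Count) { $filterRefs -join ', ' } else { 'none' })"

# Interpretation matching the thread: not running means the USB Block rule
# is not being enforced even if ERA still reports full protection; a filter
# reference with no file on disk is the state to repair before rebooting.
if ($state -ne 'Running') {
    Write-Warning 'Device Control driver is not running; USB rules are not enforced.'
}
if ($filterRefs.Count -and -not $fileOk) {
    Write-Warning 'edevmon is still in a filter chain but edevmon.sys is missing; a reboot may blue-screen.'
}
```

Running this at the moment a client shows Device Control as not functioning, and again after the reboot, gives the before/after comparison the ESET reply asks for without relying on the client's own status window.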