Stefano, posted June 25, 2019:

Hi, I'm using a software called EtherCAT Conformance Test that sends and receives EtherCAT packets on the Ethernet port for testing an EtherCAT device. With ESET Endpoint Antivirus 6 there's no problem, but using version 7 I am unable to communicate with the board. The test is simple: I open the software and "check for slave device"; with ESET 6 I find the device, with ESET 7 I don't find any device. If I uninstall the ESET 7 product and "check for the slave device", I finally find the device. So, the problem is ESET version 7. I tried disabling everything from the ESET 7 menu, but the real solution is to uninstall the product or use the old version (6). I attach a Wireshark log to check the OK and the KO configurations. Looking at Wireshark, it seems that without ESET the messages are ordered: 1) request 2) reply 3) request 4) reply. Using version 7 the messages are 1) request 2) request 3) reply 4) reply. Maybe ESET 7 wants to inspect the Ethernet packets and this introduces a delay that causes this behaviour? Thanks for the help.

log eset.zip

Marcos (Administrators), posted June 25, 2019:

I was unable to download the tool since authentication is required. Please narrow it down by disabling protocol filtering, real-time protection and HIPS (requires a computer restart). Then open a ticket for your local customer care and provide them with:
- step-by-step instructions to reproduce the issue
- ELC logs
- information about the protection module or setting you had to disable for the issue to go away.

Stefano, posted June 25, 2019:

I just tried disabling protocol filtering, real-time, HIPS, network, everything... but only uninstalling works. I'm in contact with my local customer care, but after 6 months I will try the forum.

Marcos (Administrators), posted June 25, 2019:

> 23 hours ago, Stefano said:
> I just tried disabling protocol filtering, real-time, HIPS, network, everything... but only uninstalling works.

Then the customer care should have asked you to rename drivers, one by one (except edevmon.sys) in safe mode. There are two instances of each driver, one in C:\Windows\System32\drivers and the other one in "C:\Program Files\ESET\ESET Security\Drivers" and both need to be renamed. Customer care should then reach out to ESET HQ for further assistance. Forums do not work as CRM systems where we could track the development of cases and ensure timely response.

Stefano, posted June 25, 2019:

> 14 minutes ago, Marcos said:
> Then the customer care should have asked you to rename drivers, one by one (except ehdrv.sys) in safe mode. There are two instances of each driver, one in C:\Windows\System32\drivers and the other one in "C:\Program Files\ESET\ESET Security\Drivers" and both need to be renamed. Customer care should then reach out to ESET HQ for further assistance. Forums do not work as CRM systems where we could track the development of cases and ensure timely response.

Sure, but eelam.sys and ehdrv.sys can't be renamed, otherwise Windows crashes.

Marcos (Administrators), posted June 25, 2019:

> 1 minute ago, Stefano said:
> Sure, but eelam.sys and ehdrv.sys can't be renamed, otherwise Windows crashes.

Yes, as I mentioned, ehdrv.sys must not be renamed since it would result in BSOD if not unregistered properly from the registry. Since eelam.sys cannot have any effect on issues, it's actually another driver which doesn't need to be renamed. However, renaming it shouldn't cause BSOD I'd say.

Stefano, posted June 26, 2019:

> 14 hours ago, Marcos said:
> Yes, as I mentioned, ehdrv.sys must not be renamed since it would result in BSOD if not unregistered properly from the registry. Since eelam.sys cannot have any effect on issues, it's actually another driver which doesn't need to be renamed. However, renaming it shouldn't cause BSOD I'd say.

No, if I rename eelam I get the BSOD; maybe it has the same problem as ehdrv.sys. Anyway, is there a way to disable the protocol sniffer?

Stefano, posted June 26, 2019:

Looking at the Wireshark log, it seems that ESET 7 blocks the 'NOP' and 'APRD' EtherCAT datagrams. This is the problem.

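Editorial example, added here and not written by anyone in this thread: one way to check the two observations above (the request/reply ordering from the first post and the NOP/APRD datagrams) on raw frame bytes exported from a capture. It assumes untagged Ethernet frames and a master that uses a distinct datagram index for each frame in flight; `build_frame` and the sample sequences are constructed, not taken from the attached logs.

```python
import struct

ETHERCAT = 0x88A4  # EtherType carried by EtherCAT frames
CMDS = ["NOP", "APRD", "APWR", "APRW", "FPRD", "FPWR", "FPRW", "BRD",
        "BWR", "BRW", "LRD", "LWR", "LRW", "ARMW", "FRMW"]

def parse_datagrams(frame):
    """Return [(command, index, working_counter)] for one raw Ethernet frame."""
    if len(frame) < 16 or struct.unpack_from("!H", frame, 12)[0] != ETHERCAT:
        return []
    (hdr,) = struct.unpack_from("<H", frame, 14)   # 11-bit length, 4-bit type
    if hdr >> 12 != 1:                             # type 1 = datagram list
        return []
    end, off, out = min(len(frame), 16 + (hdr & 0x7FF)), 16, []
    while off + 12 <= end:
        cmd, idx, _addr, len_flags, _irq = struct.unpack_from("<BBIHH", frame, off)
        dlen = len_flags & 0x7FF
        if off + 12 + dlen > end:
            break                                  # truncated datagram
        (wkc,) = struct.unpack_from("<H", frame, off + 10 + dlen)
        out.append((CMDS[cmd] if cmd < len(CMDS) else hex(cmd), idx, wkc))
        if not len_flags & 0x8000:                 # "more" bit clear: last one
            break
        off += 12 + dlen
    return out

def classify_order(frames):
    """Label frames request/reply and return (labels, max frames in flight)."""
    pending, labels, peak = set(), [], 0
    for frame in frames:
        dgs = parse_datagrams(frame)
        if not dgs:
            continue                               # not EtherCAT, skip
        key = tuple((cmd, idx) for cmd, idx, _ in dgs)
        labels.append("reply" if key in pending else "request")
        pending ^= {key}                           # first sighting adds, second removes
        peak = max(peak, len(pending))
    return labels, peak

def build_frame(cmd, idx, wkc, data=b"\x00\x00"):
    """Constructed sample frame (not taken from the attached capture)."""
    dg = struct.pack("<BBIHH", cmd, idx, 0, len(data), 0) + data + struct.pack("<H", wkc)
    eth = b"\xff" * 6 + b"\x02\x00\x00\x00\x00\x01" + struct.pack("!H", ETHERCAT)
    return eth + struct.pack("<H", 0x1000 | len(dg)) + dg

A, a = build_frame(1, 1, 0), build_frame(1, 1, 1)  # APRD sent / returned (WKC 1)
N, n = build_frame(0, 2, 0), build_frame(0, 2, 0)  # NOP sent / returned
OK_ORDER, KO_ORDER = classify_order([A, a, N, n]), classify_order([A, N, a, n])
```

A peak of 1 matches the alternating request/reply pattern; a peak above 1 means a second frame was captured before the first one came back. A frame whose key never shows up a second time stays in `pending`, which is how a datagram that never returned would appear.
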
Marcos (Administrators), posted June 26, 2019:

> 3 minutes ago, Stefano said:
> Looking at the Wireshark log, it seems that ESET 7 blocks the 'NOP' and 'APRD' EtherCAT datagrams. This is the problem.

Such files are not scanned by ESET. Should that be the issue, renaming both instances of eamonm.sys in safe mode would make the problem go away.

Stefano, posted June 26, 2019:

> 58 minutes ago, Marcos said:
> Such files are not scanned by ESET. Should that be the issue, renaming both instances of eamonm.sys in safe mode would make the problem go away.

Same result; for me ESET 7 blocks something... the only solution is to uninstall ESET. Having 30 licenses of ESET would mean changing the antivirus software for the next years. Thanks for the support.

Marcos (Administrators), posted June 26, 2019:

Please do the following in safe mode:
- rename "C:\Program Files\ESET\ESET Security\Drivers" to Drivers_bak
- rename:
  C:\Windows\System32\drivers\eamonm.sys
  C:\Windows\System32\drivers\ehdrv.sys
  C:\Windows\System32\drivers\epfw.sys
  C:\Windows\System32\drivers\epfwwfp.sys

Afterwards reboot Windows to normal mode and check if the issue still occurs. If so, please provide me with fresh ELC logs so that I can check if none of the above drivers is running. At the end of testing, C:\Program Files\ESET\ESET Security\Drivers_bak will have to be renamed back to Drivers.

Stefano, posted June 26, 2019:

> 51 minutes ago, Marcos said:
> Please do the following in safe mode:
> - rename "C:\Program Files\ESET\ESET Security\Drivers" to Drivers_bak
> - rename:
>   C:\Windows\System32\drivers\eamonm.sys
>   C:\Windows\System32\drivers\ehdrv.sys
>   C:\Windows\System32\drivers\epfw.sys
>   C:\Windows\System32\drivers\epfwwfp.sys
>
> Afterwards reboot Windows to normal mode and check if the issue still occurs. If so, please provide me with fresh ESET Log Collector logs so that I can check if none of the above drivers is running. At the end of testing, C:\Program Files\ESET\ESET Security\Drivers_bak will have to be renamed back to Drivers.

Same problem; I attach the log.

eea_logs.zip

Marcos (Administrators), posted June 26, 2019:

What happens if you rename "C:\Program Files\ESET\ESET Security\ekrn.exe" in safe mode? ESET will not start after a reboot but I wonder if the issue will also go away.

Stefano, posted June 27, 2019:

The same result; the problem remains the same.