Eset Endpoint Antivirus 7 issue with ethernet


Stefano

Hi, I'm using a software called EtherCAT Conformance Test that sends and receives EtherCAT packets on the Ethernet port for testing an EtherCAT device. With ESET Endpoint Antivirus 6 there's no problem, but using version 7 I am unable to communicate with the board. The test is simple: I open the software and "check for slave device"; with ESET 6 I find the device, with ESET 7 I don't find any device. If I uninstall the ESET 7 product and "check for the slave device" I finally find the device. So, the problem is ESET version 7. I tried disabling everything from the ESET 7 menu, but the real solution is to uninstall the product or use the old version (6).
I attach a Wireshark log, to check the OK and the KO configuration. Looking at Wireshark, it seems that without ESET the messages are ordered: 1) request 2) reply 3) request 4) reply. Using version 7 the messages are 1) request 2) request 3) reply 4) reply. Maybe ESET 7 wants to inspect the Ethernet packets and this introduces a delay that causes this behaviour?

Thanks for the help.

log eset.zip


  • Administrators

I was unable to download the tool since authentication is required. Please narrow it down by disabling protocol filtering, real-time protection and HIPS (requires a computer restart). Then open a ticket for your local customer care and provide them with:
- step-by-step instructions to reproduce the issue
- ELC logs
- information about the protection module or setting you had to disable for the issue to go away.


I just tried disabling protocol filtering, real-time, HIPS, network, everything... but only uninstalling works. I'm in contact with my local customer care, but after 6 months I will try the forum.


  • Administrators

23 hours ago, Stefano said:

I just tried disabling protocol filtering, real-time, HIPS, network, everything... but only uninstalling works.

Then the customer care should have asked you to rename drivers, one by one (except edevmon.sys) in safe mode. There are two instances of each driver, one in C:\Windows\System32\drivers and the other one in "C:\Program Files\ESET\ESET Security\Drivers" and both need to be renamed.

Customer care should then reach out to ESET HQ for further assistance. Forums do not work as CRM systems where we could track the development of cases and ensure timely response.


14 minutes ago, Marcos said:

Then the customer care should have asked you to rename drivers, one by one (except ehdrv.sys) in safe mode. There are two instances of each driver, one in C:\Windows\System32\drivers and the other one in "C:\Program Files\ESET\ESET Security\Drivers" and both need to be renamed.

Customer care should then reach out to ESET HQ for further assistance. Forums do not work as CRM systems where we could track the development of cases and ensure timely response.

Sure, but eelam.sys and ehdrv.sys can't be renamed, otherwise Windows crashes.
 


  • Administrators
1 minute ago, Stefano said:

Sure, but eelam.sys and ehdrv.sys can't be renamed, otherwise Windows crashes.

Yes, as I mentioned, ehdrv.sys must not be renamed since it would result in BSOD if not unregistered properly from the registry.
Since eelam.sys cannot have any effect on issues, it's actually another driver which doesn't need to be renamed. However, renaming it shouldn't cause BSOD I'd say.


14 hours ago, Marcos said:

Yes, as I mentioned, ehdrv.sys must not be renamed since it would result in BSOD if not unregistered properly from the registry.
Since eelam.sys cannot have any effect on issues, it's actually another driver which doesn't need to be renamed. However, renaming it shouldn't cause BSOD I'd say.

No, if I rename eelam I get the BSOD; maybe it has the same problem as ehdrv.sys. Anyway, is there a way to disable the protocol sniffer?


  • Administrators
3 minutes ago, Stefano said:

Looking at the Wireshark log, it seems that ESET 7 blocks the 'NOP' and 'APRD' EtherCAT datagrams. This is the problem.

Such files are not scanned by ESET. Should that be the issue, renaming both instances of eamonm.sys in safe mode would make the problem go away.
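
An added example, not part of the original thread and not code from ESET or the EtherCAT test tool: a Python check for the two symptoms reported above, requests piling up before their replies arrive and NOP/APRD datagrams that never come back. It assumes a master-side capture in which every frame appears twice (once sent, once returned) and pairs the two copies by command and index; the frames below are constructed samples, and `build` and `analyse` are hypothetical helper names.

```python
import struct
from collections import namedtuple

ETHERTYPE_ECAT = 0x88A4
CMD_NAMES = {0: "NOP", 1: "APRD", 2: "APWR", 4: "FPRD", 5: "FPWR", 7: "BRD", 8: "BWR"}
Datagram = namedtuple("Datagram", "cmd idx wkc")

def parse_first_datagram(frame: bytes):
    """Return the first EtherCAT datagram of a raw Ethernet frame, or None."""
    if len(frame) < 28 or struct.unpack_from("!H", frame, 12)[0] != ETHERTYPE_ECAT:
        return None
    (ecat_hdr,) = struct.unpack_from("<H", frame, 14)   # 11-bit length, 4-bit type
    if ecat_hdr >> 12 != 1:                             # type 1 = EtherCAT datagrams
        return None
    cmd, idx, _addr, len_flags, _irq = struct.unpack_from("<BBIHH", frame, 16)
    wkc_off = 26 + (len_flags & 0x07FF)                 # working counter follows data
    if len(frame) < wkc_off + 2:
        return None
    (wkc,) = struct.unpack_from("<H", frame, wkc_off)
    return Datagram(CMD_NAMES.get(cmd, f"cmd{cmd}"), idx, wkc)

def analyse(frames):
    """Return (max requests in flight, commands that never got a returned copy)."""
    pending, max_in_flight = [], 0
    for dg in filter(None, map(parse_first_datagram, frames)):
        key = (dg.cmd, dg.idx)
        if key in pending:
            pending.remove(key)          # second sighting: the returned copy
        else:
            pending.append(key)          # first sighting: the outgoing request
            max_in_flight = max(max_in_flight, len(pending))
    return max_in_flight, [cmd for cmd, _ in pending]

def build(cmd, idx, wkc=0, data=b"\x00\x00"):
    """Construct a sample frame (test data only, not taken from the attached logs)."""
    dg = struct.pack("<BBIHH", cmd, idx, 0, len(data), 0) + data + struct.pack("<H", wkc)
    eth = b"\xff" * 6 + b"\x02\x00\x00\x00\x00\x01" + struct.pack("!H", ETHERTYPE_ECAT)
    return eth + struct.pack("<H", (1 << 12) | len(dg)) + dg

# Constructed captures mirroring the orderings described in the thread.
OK = [build(0, 1), build(0, 1), build(1, 2), build(1, 2, wkc=1)]
KO = [build(0, 1), build(1, 2), build(0, 1), build(1, 2, wkc=1)]
BLOCKED = [build(0, 1), build(1, 2)]

if __name__ == "__main__":
    for name, capture in (("ok", OK), ("ko", KO), ("blocked", BLOCKED)):
        print(name, analyse(capture))
```

A result of 1 in flight with nothing unanswered matches the request/reply ordering of the working capture; 2 in flight matches the request/request/reply/reply ordering, and a non-empty second value names the commands whose returned copy is missing.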


58 minutes ago, Marcos said:

Such files are not scanned by ESET. Should that be the issue, renaming both instances of eamonm.sys in safe mode would make the problem go away.

Same result; for me ESET 7 blocks something... the only solution is to uninstall ESET. Having 30 licenses of ESET, that would mean changing the antivirus software for the next years. Thanks for the support.


  • Administrators

Please do the following in safe mode:
- rename "C:\Program Files\ESET\ESET Security\Drivers" to Drivers_bak
- rename:
C:\Windows\System32\drivers\eamonm.sys
C:\Windows\System32\drivers\ehdrv.sys
C:\Windows\System32\drivers\epfw.sys
C:\Windows\System32\drivers\epfwwfp.sys

Afterwards reboot Windows to normal mode and check if the issue still occurs. If so, please provide me with fresh ELC logs so that I can check if none of the above drivers is running.

At the end of testing, C:\Program Files\ESET\ESET Security\Drivers_bak will have to be renamed back to Drivers.


51 minutes ago, Marcos said:

Please do the following in safe mode:
- rename "C:\Program Files\ESET\ESET Security\Drivers" to Drivers_bak
- rename:
C:\Windows\System32\drivers\eamonm.sys
C:\Windows\System32\drivers\ehdrv.sys
C:\Windows\System32\drivers\epfw.sys
C:\Windows\System32\drivers\epfwwfp.sys

Afterwards reboot Windows to normal mode and check if the issue still occurs. If so, please provide me with fresh ESET Log Collector logs so that I can check if none of the above drivers is running.

At the end of testing, C:\Program Files\ESET\ESET Security\Drivers_bak will have to be renamed back to Drivers.

Same problem, I attach the log.

eea_logs.zip


  • Administrators

What happens if you rename "C:\Program Files\ESET\ESET Security\ekrn.exe" in safe mode? ESET will not start after a reboot but I wonder if the issue will also go away.


This topic is now closed to further replies.