JME - Posted September 11, 2019

Hi,

We upgraded our XenApp Servers (version 7.9) from ESET File Security 6.5.12014.1 to 7.1.12006.0.

Since this upgrade, the ESET Service doesn't start, even if we try to start it manually. We tried uninstalling and reinstalling: no change. We tried repairing and it gives us an error: the .dll files cannot be removed because of rights.

Can you help us resolve this issue?

Regards,

Marcos (Administrators) - Posted September 11, 2019

Does the problem persist if you uninstall EFSW and install v7.1 from scratch? I'd recommend raising a support ticket with your local customer care and providing them with logs collected with ESET Log Collector for a start.

JME (Author) - Posted September 11, 2019

Yes, the problem persists. I already raised a ticket with my local customer.

Regards,

JME (Author) - Posted September 12, 2019 (edited)

Hi,

I found something.

1/ ESET 7.x registry key

The ESET Service doesn't start at boot up => it needs to be started manually.
The registry value "LaunchedProtected" is used to protect the ESET Service. This value doesn't exist in ESET 6.x versions.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ekrn
LaunchedProtected = 3

Deleting this value or changing it to "0" doesn't do the trick because it is recreated at every server restart.

2/ .NET Framework updates on XenApp servers only

After some new Windows updates, the ESET Service doesn't start at all.
KB4514604 // KB4514599 // KB4498963

The solution is to revert to ESET File Security 6.x, but it's a mess because we have lots of XenApp servers.

I found a workaround. This workaround creates a security hole, so use it with caution.

1/ Start Windows in Safe Mode
2/ Change the value LaunchedProtected to 0
3/ Change Owner on HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ekrn to Server\Administrator instead of System
4/ Change Group / Users permissions to "Read" instead of "Full Control"
5/ Reboot in Normal mode

*Do not revert Owner because ESET is using System and will change LaunchedProtected to 3 after a second server reboot.

Hope ESET / Microsoft / Citrix will publish a definitive solution.

Edited September 12, 2019 by JME

Marcos (Administrators) - Posted September 12, 2019

Protected service was first supported by EFSW v7, hence the value doesn't exist with older versions. We strongly recommend keeping Protected service enabled for maximum protection, i.e. LaunchedProtected should always be set to 3.

Please provide 2 sets of ELC logs, one with Protected service enabled and the other with Protected service disabled (a reboot is needed after enabling/disabling it).

Do you mean that the issue doesn't occur with Protected service disabled?

JME (Author) - Posted September 12, 2019

Hi Marcos,

I know that Protected Service should be enabled, as I mentioned in my previous post. I have no choice: all our servers were working without antivirus and that's a bigger issue.

Downgrading to 6.x will break Protected Service too. And if I need to upgrade afterwards, it takes time again. When we did the upgrade, sometimes the automatic upgrade (via ESMC) failed and we needed to install EFS manually, and before that uninstall everything in Safe Mode.

"Do you mean that the issue doesn't occur with Protected service disabled?"

Yes, right.

What do you mean by ESET Log Collector logs?

Regards,

Marcos (Administrators) - Posted September 12, 2019

Please follow the link in FAQ: How do I use ESET Log Collector?

It sounds like XenApp or some other app was attempting to inject its dlls into ESET's processes which is not possible for protected services for security reasons.

JME (Author) - Posted September 12, 2019

Hi Marcos,

Thanks, I will provide them as soon as I can.

Problem is related to Citrix, but also to Microsoft (some of their new patches break ESET Service).

Does ESET use .NET Framework?

Marcos (Administrators) - Posted September 12, 2019

1 minute ago, JME said: "Does ESET use .NET Framework ?"

No, it doesn't.

JME (Author) - Posted September 12, 2019

9 hours ago, Marcos said:

Hi,

I just sent the 2 ESET Log Collector log files.

Regards,

JME (Author) - Posted September 16, 2019

Answer from ESET support, workaround works:

Exclude ekrn.exe process from Citrix hooking: https://support.citrix.com/article/CTX107825
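
Added example (not part of any post above, and not ESET's or Citrix's own tooling): a PowerShell check for servers where the Safe Mode workaround from this thread was applied, reporting whether LaunchedProtected is at 3, whether the ekrn key is still owned by SYSTEM, and whether the service runs. The function name Get-EkrnProtectionState is hypothetical; the key path and the expected value come from the thread.

```powershell
# Added example: audit the ekrn protected-service state discussed in this thread.
# Key path and expected value (3) come from the thread; the function name is hypothetical.
$EkrnKey   = 'HKLM:\SYSTEM\CurrentControlSet\Services\ekrn'
$SystemSid = 'S-1-5-18'   # well-known SID of LocalSystem, independent of OS language

function Get-EkrnProtectionState {
    param([string]$Path = $EkrnKey)

    $findings = New-Object System.Collections.Generic.List[string]
    if (-not (Test-Path -LiteralPath $Path)) {
        $findings.Add('ekrn service key not found')
    } else {
        # The value is absent on 6.x; on 7.x the thread gives 3 as the enabled state.
        $value = (Get-ItemProperty -LiteralPath $Path).LaunchedProtected
        if ($null -eq $value) { $findings.Add('LaunchedProtected value is absent') }
        elseif ($value -ne 3) { $findings.Add("LaunchedProtected = $value (expected 3)") }

        # Compare the owner by SID so localized account names do not cause false alarms.
        $acl = Get-Acl -LiteralPath $Path
        $ownerSid = $acl.GetOwner([System.Security.Principal.SecurityIdentifier]).Value
        if ($ownerSid -ne $SystemSid) {
            $findings.Add("key owner is $($acl.Owner), not SYSTEM")
        }
    }

    # A protected service that fails to start is the symptom reported in the first post.
    $svc = Get-Service -Name 'ekrn' -ErrorAction SilentlyContinue
    if ($null -eq $svc) { $findings.Add('ekrn service is not registered') }
    elseif ($svc.Status -ne 'Running') { $findings.Add("ekrn service status: $($svc.Status)") }

    [pscustomobject]@{
        Computer  = $env:COMPUTERNAME
        Compliant = ($findings.Count -eq 0)
        Findings  = ($findings -join '; ')
    }
}

Get-EkrnProtectionState | Format-List
```

Run it from an elevated prompt on each server; a non-compliant result after the Citrix hook exclusion is in place points to a host where the ownership or value change still needs to be reverted.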