A-VT 0 Posted May 25, 2020 Posted May 25, 2020 Hello! I've seen several topics regarding this error in Windows Event System Log but none of them provided definite solution what has to be done to eliminate these errors. So I thought about starting new one. This message about ehdrv.sys appears in the logs every time I run ESET Online Scanner. Similarily, if I don't run ESET Online Scanner, I never observe these records in the System log. Seems like this error doesn't directly affect ability to scan local disk and the tool even finds some undesired software. Still the fact that it's been reported for quite a while and I'm not the only person who noticed that raises additional uncertainty. In my case it is observed on fresh recently installed Windows 10 Pro 1909 18363.836 with all the lastest updates and available patches. Other antivirus is not installed except for native Windows Defender. But I have to mention that logs of Windows Defender do not contain any records related to ehdrv.sys or ESET in general. The file ehdrv.sys itself is present in that location and looks valid. It can be read with ordinary user account. So I have a couple of questions. 1. Is this a critical issue that this file cannot be loaded? Does it affect quality or speed of scanning? 2. Is there a well-known way to eliminated this error for ESET Online Scanner? 3. How can I help collecting information needed to address this issue?
A-VT 0 Posted May 26, 2020 Author Posted May 26, 2020 More details. I have disabled everything in Windows Defender: Real-time protection Tamper Protection Memory integrity And still the same errors are reported to Windows Event System Log. The file ehdrv.sys exists indeed in the mentioned folder and is readable as normal user. SHA1: 8C244899A2082C28B24E7B0DA41904B8663B5A8B Logs in AppData\Local\Temp\log.txt don't show problems either.
Administrators Marcos 5,453 Posted May 26, 2020 Administrators Posted May 26, 2020 The driver is necessary for detection of active rootkits. We do not know the cause of the error, something is preventing the driver from being loaded. Since the Online Scanner cannot actively protect you from malware and provides only an on-demand scan, it may be already too late when you run it since there's a lot of malware which removes itself after the damage has been done and any subsequent scan cannot detect the malware any more. beachtime 1
itman 1,801 Posted May 26, 2020 Posted May 26, 2020 21 hours ago, A-VT said: This message about ehdrv.sys appears in the logs every time I run ESET Online Scanner. Similarily, if I don't run ESET Online Scanner, I never observe these records in the System log. I assume you are referring to Win Event Logs? If so, there are multiple Log files. Post a screen shot with as much detail as possible from the respective Event log entry.
A-VT 0 Posted May 27, 2020 Author Posted May 27, 2020 Yes indeed! Mind if I start with their XML representation? They should contain all the details. <Event xmlns="hxxp://schemas.microsoft.com/win/2004/08/events/event"> <System> <Provider Name="Service Control Manager" Guid="{555908d1-a6d7-4695-8e1e-26931d2012f4}" EventSourceName="Service Control Manager" /> <EventID Qualifiers="16384">7045</EventID> <Version>0</Version> <Level>4</Level> <Task>0</Task> <Opcode>0</Opcode> <Keywords>0x8080000000000000</Keywords> <TimeCreated SystemTime="2020-05-26T16:56:46.965534500Z" /> <EventRecordID>2049</EventRecordID> <Correlation /> <Execution ProcessID="724" ThreadID="4424" /> <Channel>System</Channel> <Computer>T-DESK</Computer> <Security UserID="S-1-5-21-1604541895-5678912345-4567891234-1001" /> </System> <EventData> <Data Name="ServiceName">eapihdrv</Data> <Data Name="ImagePath">C:\Users\t-user\AppData\Local\Temp\ehdrv.sys</Data> <Data Name="ServiceType">kernel mode driver</Data> <Data Name="StartType">demand start</Data> <Data Name="AccountName"> </Data> </EventData> </Event> <Event xmlns="hxxp://schemas.microsoft.com/win/2004/08/events/event"> <System> <Provider Name="Application Popup" Guid="{47bfa2b7-bd54-4fac-b70b-29021084ca8f}" EventSourceName="Application Popup" /> <EventID Qualifiers="16384">26</EventID> <Version>0</Version> <Level>4</Level> <Task>0</Task> <Opcode>0</Opcode> <Keywords>0x80000000000000</Keywords> <TimeCreated SystemTime="2020-05-26T16:56:46.965534500Z" /> <EventRecordID>2050</EventRecordID> <Correlation /> <Execution ProcessID="4" ThreadID="6812" /> <Channel>System</Channel> <Computer>T-DESK</Computer> <Security /> </System> <EventData> <Data /> <Data>\??\C:\Users\t-user\AppData\Local\Temp\ehdrv.sys failed to load</Data> <Binary>0000000002003000000000001A000040300100C06C0200C000000000000000000000000000000000</Binary> </EventData> </Event> <Event xmlns="hxxp://schemas.microsoft.com/win/2004/08/events/event"> <System> <Provider Name="Application Popup" Guid="{47bfa2b7-bd54-4fac-b70b-29021084ca8f}" EventSourceName="Application Popup" /> <EventID Qualifiers="49152">1060</EventID> <Version>0</Version> <Level>2</Level> <Task>0</Task> <Opcode>0</Opcode> <Keywords>0x80000000000000</Keywords> <TimeCreated SystemTime="2020-05-26T16:56:46.965534500Z" /> <EventRecordID>2051</EventRecordID> <Correlation /> <Execution ProcessID="4" ThreadID="6812" /> <Channel>System</Channel> <Computer>T-DESK</Computer> <Security /> </System> <EventData> <Data /> <Data>\??\C:\Users\t-user\AppData\Local\Temp\ehdrv.sys</Data> <Binary>000000000200300000000000240400C0000000006B0300C000000000000000000000000000000000</Binary> </EventData> </Event> <Event xmlns="hxxp://schemas.microsoft.com/win/2004/08/events/event"> <System> <Provider Name="Service Control Manager" Guid="{555908d1-a6d7-4695-8e1e-26931d2012f4}" EventSourceName="Service Control Manager" /> <EventID Qualifiers="16384">7045</EventID> <Version>0</Version> <Level>4</Level> <Task>0</Task> <Opcode>0</Opcode> <Keywords>0x8080000000000000</Keywords> <TimeCreated SystemTime="2020-05-26T16:56:46.981173700Z" /> <EventRecordID>2053</EventRecordID> <Correlation /> <Execution ProcessID="724" ThreadID="4424" /> <Channel>System</Channel> <Computer>T-DESK</Computer> <Security UserID="S-1-5-21-1604541895-5678912345-4567891234-1001" /> </System> <EventData> <Data Name="ServiceName">eapihdrv</Data> <Data Name="ImagePath">C:\Users\t-user\AppData\Local\Temp\ehdrv.sys</Data> <Data Name="ServiceType">kernel mode driver</Data> <Data Name="StartType">demand start</Data> <Data Name="AccountName" /> </EventData> </Event> <Event xmlns="hxxp://schemas.microsoft.com/win/2004/08/events/event"> <System> <Provider Name="Application Popup" Guid="{47bfa2b7-bd54-4fac-b70b-29021084ca8f}" EventSourceName="Application Popup" /> <EventID Qualifiers="16384">26</EventID> <Version>0</Version> <Level>4</Level> <Task>0</Task> <Opcode>0</Opcode> <Keywords>0x80000000000000</Keywords> <TimeCreated SystemTime="2020-05-26T16:56:46.996807000Z" /> <EventRecordID>2054</EventRecordID> <Correlation /> <Execution ProcessID="4" ThreadID="6460" /> <Channel>System</Channel> <Computer>T-DESK</Computer> <Security /> </System> <EventData> <Data /> <Data>\??\C:\Users\t-user\AppData\Local\Temp\ehdrv.sys failed to load</Data> <Binary>0000000002003000000000001A000040300100C06C0200C000000000000000000000000000000000</Binary> </EventData> </Event>
itman 1,801 Posted May 27, 2020 Posted May 27, 2020 1 hour ago, A-VT said: Yes indeed! Mind if I start with their XML representation? They should contain all the details. Eset ehdrv.sys is Eset's Helper driver. The Event log entry is being generated due to Win driver protection which will prevent a kernel mode driver from loading from any directory other than C:\Windows\System32\Drivers directory. I assume this is just some residual code from Eset installed product that was inadvertently left in the Online Scanner version. I would just ignore the Win Event log entries related to it.
A-VT 0 Posted May 28, 2020 Author Posted May 28, 2020 Thanks! Does it make sense to copy file ehdrv.sys to C:\Windows\System32\Drivers and keep it there? Will this work?
itman 1,801 Posted May 28, 2020 Posted May 28, 2020 (edited) 13 hours ago, A-VT said: Thanks! Does it make sense to copy file ehdrv.sys to C:\Windows\System32\Drivers and keep it there? Will this work? No. Edited May 28, 2020 by itman
A-VT 0 Posted May 29, 2020 Author Posted May 29, 2020 Thanks for such succinct response. Can you maybe share any insights on how this driver is used? Does this error mean that none of rootkit are detected by ESET Online Scanner&
Administrators Marcos 5,453 Posted May 29, 2020 Administrators Posted May 29, 2020 To my best knowledge the driver is required to detect active rootkits.
itman 1,801 Posted May 29, 2020 Posted May 29, 2020 (edited) 2 hours ago, A-VT said: Thanks for such succinct response. Can you maybe share any insights on how this driver is used? Does this error mean that none of rootkit are detected by ESET Online Scanner& Eset is very "tight lipped" about what its drivers are used for; just like about almost all of their internal protection mechanisms. My prior testing with Eset yielded that the Eset helper driver is a component of their real-time scanning protection. It's primary purpose is to inject an Eset .dll into select processes when suspect malware activity is detected. This processing is also infrequently invoked and requires continuous monitoring by Eset real-time protection compnent. Since Eset Online Scanner is off-line scanning for malware primarily via signature means, real-time components that would deploy this driver are never invoked. Finally, Eset newer real-time deep behavior inspection and advanced machine learning components have superseded by need for .dll injection monitoring. As far as rootkit detection goes, they are somewhat of a moot point on Win x(64) based systems due to its built-in kernel patch protection. Additionally, most rootkits manifest at system startup time. Therefore, Eset Online Scanner won't detect this activity unless the malware creator was careless enough to place the rootkit in a disk or memory area readily accessed by both the OS and Eset, and Eset has an existing signature for the rootkit. My advice is purchase a paid license for either NOD32 or Internet Security which will fullt deploy all Eset protection mechanisms. Edited May 29, 2020 by itman
itman 1,801 Posted May 31, 2020 Posted May 31, 2020 (edited) I guess I should add that if rootkit is suspected, the best way of "rooting" them out is to perform a scan with one of the AV's boot-able media scanners such as Eset SysRescue scanner. This is because most use a Linux release which allow scanning of directories and files locked from scanning by the Win OS. Edited May 31, 2020 by itman CEO888 1
Recommended Posts