
Arch83

AV is blocking loading webpages

For two days I have had a serious problem with ESET antivirus on two different computers. One is a stationary DELL Precision Workstation with an old version of ESET AV on Windows 7 and the second is a DELL Precision laptop with ESET Endpoint Antivirus 6.3.2016 on Windows 10. After restarting each device everything is OK for about 10 – 20 minutes. During this period ESET software CPU usage is quite high (about 15 – 20%). And then suddenly I cannot open almost any webpage (sometimes Google is working) – ESET CPU usage drops to 0%. The Internet connection is fine and ping is working, but Firefox, MS Edge, and Chrome cannot load pages (with different errors). So I have to kill the ESET service process, refresh tabs and then everything is OK for a few minutes. After this everything starts from the beginning (cannot surf the internet, need to kill the ESET service process, and so on). Is there any other way to solve it, instead of uninstalling ESET AV?

Having an old Endpoint 6.3 installed on Windows 10 is not good. For instance, Windows 10 21H1 will require Endpoint 7.3 or newer to be installed and older versions will not run there.

Please uninstall Endpoint 6.3, reboot the machine and install the latest version 7.3.2036 from scratch. Let us know if it resolves the issue.

We are on AV 7.1.2045.5 and this week, we've had 7 staff unable to make external TCP connections.

The only thing that's changed on their windows PCs is ESET (i.e. no windows updates, dell updates, software installs, etc.).

On all PCs, networking is fine, but stops working some time later.  Users cannot browse websites, etc., under any browser, and we cannot make http/https connections from commandline.  A reboot solves it.  If we disable ESET via its GUI, we still encounter the same issue for these 7 users.  We are currently trying to uninstall ESET to see if that stops the issues.

Can you let us know if you have a known fault, or ESET could be intercepting connections like this?  Thanks!!

Update: we have uninstalled ESET on a couple of machines, and fault has not reoccurred, so we are now reasonably confident that this problem is originating from ESET AV.

What OS do you have? Especially if you use Windows 10, make sure to use the latest version 7.3.2036. Does the problem persist if you install the latest version from scratch with default settings? Does temporarily disabling protocol filtering in the advanced setup make a difference?

Hello guys,

we are in contact with the dev team regarding this issue.

To investigate it we need:

1. Output from ESET Log Collector
2. Process Monitor log with advanced output enabled, recording for at least tens of seconds
3. Procdump of ekrn in such a state
4. Info on whether ESET updates are working or not

If possible please pack the logs, upload them to a safe location and send me, @TomasP and @Marcos the download details so we can check them.

Peter

Hello guys,

I have had the exact same problem for two days!
- Windows 7 SP1 x64
- ESET Endpoint Antivirus - 5.0.2272.7 - Fr - x64

No problem having internet at computer start, but all outgoing HTTP packets freeze after 20~30 min.
When EEA starts to block packets, I can still connect with telnet to port 80, but I can NOT send any packet to the server.

No packet is leaving the computer for HTTP 80 / 443, so no websites are loading anymore :)
The ESET service seems frozen; if I disable "ESET service" from Win7 safe mode, no more problem.

If I can test something or send more logs, tell me.

Please create:
- an ekrn dump created with procdump (https://docs.microsoft.com/en-us/sysinternals/downloads/procdump), i.e. run "procdump -ma ekrn"
- a Process Monitor log logging operations for 1-2 minutes when the issue is manifesting
- logs collected with ESET Log Collector.

After the issue is resolved, we strongly recommend uninstalling Endpoint v5 and installing the latest Endpoint 7.3.

Do ESET updates work when the issue is manifesting?

Also do the following:
1. Run as administrator:
netsh wfp capture start
2. Replicate the problem
3. Run as administrator:
netsh wfp capture stop
4. Send us the file wfpdiag.cab that will be created

Hello Marcos,

Unfortunately I can't update to v7 because our company is still using Server Admin 5.x.
So we have the latest EEA 5.0.2272.7 on multiple computers, and a recent certfix says it's ok:

Quote

Certfix for eea, ees v5.0
Version of this tool: 1.0.0.9
-------------------------------------------------------------------------------
Ekrn version: 5.0.2272.0, LanguageId: 1036, ProductVersion: '5.0.2272.7'
Installation time: Fri Jul 10 12:00:55 2020
-------------------------------------------------------------------------------
Current time on machine: 2020.07.10 10:05:00
Machine uptime: 0 days 00:37:48.379
OS version: 6.1.7601 (1.0) "Service Pack 1", PlatformId: 2, ProductType: 0x00000001, SuiteMask: 0x00000100
OS processor architecture: x64 (0009),
BuildLab: 7601.win7sp1_ldr_escrow.200102-1707,
BuildLabEx: 7601.24545.amd64fre.win7sp1_ldr_escrow.200102-1707,
ProductName: Windows 7 Professional
-------------------------------------------------------------------------------
Version does not need fix


The ESET updates work correctly when the computers boot; I don't know if updates can still perform correctly when outgoing packets are blocked, I will check.
Okay about the dump, I will perform them and give you link to download them.

Thanks !

Hello guys,

to what Marcos already requested please add a recording of WFP events; to get it:

1. Run in admin CMD: netsh wfp capture start
2. Reproduce the issue
3. netsh wfp capture stop
4. Collect C:\Windows\system32\wfpdiag.cab

Thank you, Peter
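The collection procedure Marcos and Peter lay out above (WFP trace around the reproduction, an ekrn dump while it hangs, everything packed for upload), as an added PowerShell script. This is example code, not ESET's or any poster's own tooling; the procdump location, the output folder and the use of Read-Host as the "reproduce" step are assumptions.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the forum thread or ESET): wraps the "netsh wfp capture"
# trace described above around the reproduction window, takes a full ekrn.exe
# dump while the hang is in progress, then copies wfpdiag.cab next to it and zips
# the folder. Run from an elevated PowerShell prompt.

$procdump = 'C:\Tools\procdump.exe'   # assumption: Sysinternals procdump extracted here
$outDir   = Join-Path $env:USERPROFILE ('eset-diag-' + (Get-Date -Format 'yyyyMMdd-HHmmss'))
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

# 1. Start the Windows Filtering Platform trace. It keeps running across
#    invocations until 'capture stop', which writes wfpdiag.cab.
netsh wfp capture start
if ($LASTEXITCODE -ne 0) {
    throw "netsh wfp capture start failed (exit $LASTEXITCODE); is this prompt elevated?"
}

# 2. Reproduce: wait until pages stop loading, then continue.
Read-Host 'Reproduce the problem, then press Enter once outbound HTTP stops working'

# 3. Full memory dump of ekrn.exe while the issue is manifesting. As noted later
#    in the thread, Self-defense must be disabled and the machine rebooted first,
#    otherwise procdump cannot open the process.
if (Test-Path $procdump) {
    Push-Location $outDir            # procdump writes the .dmp into the current directory
    try   { & $procdump -accepteula -ma ekrn.exe }
    finally { Pop-Location }
} else {
    Write-Warning "procdump not found at $procdump; skipping the ekrn dump"
}

# 4. Stop the trace and collect wfpdiag.cab. netsh writes it to the working
#    directory, which for an admin prompt is usually System32 (the path Peter gives).
netsh wfp capture stop
$cabCandidates = @(
    (Join-Path $env:SystemRoot 'System32\wfpdiag.cab'),
    (Join-Path (Get-Location) 'wfpdiag.cab')
)
$cab = $cabCandidates | Where-Object { Test-Path $_ } | Select-Object -First 1
if ($cab) { Copy-Item $cab -Destination $outDir } else { Write-Warning 'wfpdiag.cab was not produced' }

# 5. Pack everything for upload and list what was captured.
Compress-Archive -Path (Join-Path $outDir '*') -DestinationPath "$outDir.zip" -Force
"Artifacts packed in $outDir.zip"
Get-ChildItem -Path $outDir | Select-Object Name, Length
```

Process Monitor and ESET Log Collector output can be dropped into the same folder before the Compress-Archive step so the upload is a single archive, as Peter asks.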

Hello guys,

Ok I was able to make 3 full dumps for you :)
In each folder I made the 4 dumps you asked for, and I issued the following command to test HTTP:

Quote

telnet free.fr 80 (TCP connected = black screen OK)

coucoufree

When all is ok I get the normal response: "BAD HTTP REQUEST"
When all output packets are blocked I have no response to my "coucoufree" TCP query

In the following 7z file you will find:
hxxp://tmp.zool.fr/tmp/eset/20200710_NoOutgoingPacket.7z

  • 1_NoOutgoingPacket folder (Logs + dmp + pml + cab):
    ESET was blocking all outgoing HTTP packets; I made one telnet to show you the problem (no response to coucoufree)
  • 2_AfterRebootAllOk:
    Same dumps after a fresh Win7 restart, no problem with telnet or ESET (bad request response OK)
  • 3_NoOutgoingPacket2:
    Usual blocking problem again, telnet freezes with no response.

When output packets are frozen, I can't get ANY new outgoing packet from the computer, but established connections are still OK.
For example if I had one RDP connection established, I still have access to the computer, but I can't reconnect to RDP if I lose the link.

Tell me if those dumps are enough, or if you want some more traces with Wireshark or something else.
Thanks for support!
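RCK's telnet check above, as an added PowerShell probe (example code, not from the post or from ESET) that separates the three states the thread describes: the TCP handshake failing, the handshake succeeding but no bytes ever coming back (the symptom RCK sees, and why ping and already-open RDP sessions still work), and a normal reply. The target host, the junk request line and the timeouts are assumptions; any HTTP server answers an invalid request line with an error status, which is what makes silence diagnostic.

```powershell
# Added example, not from the forum post: scripted version of the
# "telnet host 80, type junk, expect 'Bad Request'" test.
function Test-OutboundHttp {
    param(
        [string]$HostName = 'example.com',   # assumption: any reachable HTTP host works
        [int]$Port = 80,
        [int]$TimeoutMs = 5000
    )
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        # Stage 1: the three-way handshake. In the hang described above this
        # still completes, which is why a plain port test looks healthy.
        $connect = $client.BeginConnect($HostName, $Port, $null, $null)
        if (-not $connect.AsyncWaitHandle.WaitOne($TimeoutMs)) {
            return [pscustomobject]@{ Host = $HostName; State = 'ConnectTimeout'; Reply = '' }
        }
        $client.EndConnect($connect)

        # Stage 2: send a deliberately invalid request line, like "coucoufree" in telnet.
        $stream = $client.GetStream()
        $stream.ReadTimeout = $TimeoutMs
        $bytes = [System.Text.Encoding]::ASCII.GetBytes("coucoufree`r`n`r`n")
        $stream.Write($bytes, 0, $bytes.Length)

        # Stage 3: a server answers junk with an error line immediately; a read
        # timeout means the payload never reached it (blocked on this machine).
        $buf = New-Object byte[] 4096
        try {
            $n = $stream.Read($buf, 0, $buf.Length)
        } catch [System.IO.IOException] {
            return [pscustomobject]@{ Host = $HostName; State = 'ConnectedNoReply'; Reply = '' }
        }
        if ($n -eq 0) {
            return [pscustomobject]@{ Host = $HostName; State = 'ClosedByPeer'; Reply = '' }
        }
        $reply = [System.Text.Encoding]::ASCII.GetString($buf, 0, $n).Split("`n")[0].Trim()
        [pscustomobject]@{ Host = $HostName; State = 'Reply'; Reply = $reply }
    } catch [System.Net.Sockets.SocketException] {
        [pscustomobject]@{ Host = $HostName; State = 'ConnectFailed'; Reply = $_.Exception.Message }
    } finally {
        $client.Close()
    }
}

# Poll every 30 s and print only state transitions, so the timestamp of the
# switch from 'Reply' to 'ConnectedNoReply' can be matched against the
# startup-scan start time or a procdump. Ctrl+C to stop.
$last = $null
while ($true) {
    $r = Test-OutboundHttp
    if ($r.State -ne $last) {
        '{0:u}  {1,-18} {2}' -f (Get-Date), $r.State, $r.Reply
        $last = $r.State
    }
    Start-Sleep -Seconds 30
}
```

Run it in a second window before reproducing; the first 'ConnectedNoReply' line is the moment to trigger the ekrn dump the ESET staff ask for.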

25 minutes ago, RCK said:

Ok I was able to make 3 full dump for you :)

Please create one more dump via "procdump -ma -e 1 ekrn.exe".
Procdump can be downloaded from https://docs.microsoft.com/en-us/sysinternals/downloads/procdump.

Last but not least, after determining the root cause of the issue please uninstall Endpoint v5 and install the latest v7.3.2036.

If you could test, please try temporarily disabling startup scan tasks in scheduler and let us know if it makes the issue go away.

Thank you very much RCK for the dumps, they have been helpful. Unfortunately, by the time they were created too many things had gone wrong to figure out what was the primary cause and what was just a result. It would be helpful if you (or anybody else) could run the following command as admin as soon as possible after boot:

procdump -ma -e 1 -n 10 ekrn.exe

Then replicate the problem, and send us all the dumps that will be created. Procdump can be downloaded from https://docs.microsoft.com/en-us/sysinternals/downloads/procdump.

Edit: Please disable selfdefense and reboot before using the procdump command, otherwise it would fail.

Hi guys, thanks for the comments, I will make some new dumps tomorrow with procdump64 :-)

Question for MMX: how can I disable Self-defense?

You can temporarily disable Self-defense in the HIPS setup. A computer restart will be needed for the change to take effect.

If somebody could provide dumps instantly, please do so; we are eagerly waiting for them to figure out the root cause of the issue.

Hey guys, I was redirected here by Marcos. I was able to generate some dumps. Here is the link. https://1drv.ms/u/s!AtllRsHB199anE3TFwL520vyVsLG?e=lyxvWk

The package only contains 5 of the dumps. The command you provided only generates 10 dumps, which makes it hard to catch the time I started to lose access to webpages. Therefore I changed the count to 100. I noticed that when I lost access, the small icon on the bottom right starts circling for a scan, so I picked the dumps generated around the time it started. The scan starts several minutes after ESET is loaded.

[attachment: ESET.png]

BTW, is this forum blocking connections from China? I have to use a VPN to browse this site.

[attachment: 403.png]

I tried to connect my VPN during the time I could not open webpages and it succeeded. The information my VPN software returned shows that it tested TCP and UDP, and then started the TAP service. I am not a computer professional, but I think the scan may be blocking certain communications such as HTTP. Hope this information is useful.

@junyuanma, does temporarily disabling the startup scan tasks in Scheduler and rebooting the machine make a difference?

9 hours ago, Marcos said:

@junyuanma, does temporarily disabling the startup scan tasks in Scheduler and rebooting the machine make a difference?

Yes. So long as the scan does not start, pages can be loaded.

We are having the exact same issue too, with ESET blocking Internet access and access to internal servers in the same manner as others have described.

This needs to be resolved. Any solution yet?

Thank you!

10 hours ago, junyuanma said:

Yes. So long as the scan does not start, pages can be loaded.

Thanks for the confirmation. Do you think it would be possible to arrange a remote session as soon as possible? Or if you can do it yourself, we'd need to ask you to install AppVerifier, in safe mode run appverif.exe, press CTRL + A (find the ekrn.exe file in c:\ProgramFiles\ESET ...) and leave the Basic checks at their defaults.

Next configure Windows to generate complete user dumps as per https://docs.microsoft.com/en-us/windows/win32/wer/collecting-user-mode-dumps. In particular:

  • Create the registry path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps\ekrn.exe
  • Under this path create the value DumpFolder of type REG_EXPAND_SZ
  • Set this value to the path on the disk where the dumps will be created. For example C:\dump
  • Create the value DumpType of type REG_DWORD and set this value to 2.
  • Reboot Windows to normal mode
  • Run "procdump.exe -ma -e 1 -n 10 ekrn.exe" as an administrator
  • Reproduce the issue and wait until a dump is generated at the path you have specified before.
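The registry and procdump steps just listed, as an added PowerShell script (example code, not ESET's own tooling or anything attached to the thread). It creates the WER LocalDumps key for ekrn.exe with the exact value types Marcos specifies (DumpFolder as REG_EXPAND_SZ, DumpType=2 for a full user-mode dump), reads the key back so a typo is caught before the reproduction, and then attaches procdump with the same switches. C:\dump and the procdump path are assumptions; the AppVerifier configuration stays a manual GUI step as described above, and Self-defense must already be disabled with a reboot done.

```powershell
#Requires -RunAsAdministrator
# Added example (not from ESET or the forum): configure WER LocalDumps for
# ekrn.exe as listed in the post above, verify it, then run procdump.

$dumpDir  = 'C:\dump'                 # the example path from the post
$procdump = 'C:\Tools\procdump.exe'   # assumption: Sysinternals procdump extracted here
$key      = 'HKLM:\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps\ekrn.exe'

New-Item -ItemType Directory -Path $dumpDir -Force | Out-Null

# Per-application LocalDumps key; -Force also creates the missing parent keys.
New-Item -Path $key -Force | Out-Null
New-ItemProperty -Path $key -Name 'DumpFolder' -PropertyType ExpandString -Value $dumpDir -Force | Out-Null
New-ItemProperty -Path $key -Name 'DumpType'   -PropertyType DWord        -Value 2        -Force | Out-Null
# DumpCount is left at the WER default of 10, matching the -n 10 below.

# Read the settings back: a wrong value type (REG_SZ instead of REG_EXPAND_SZ)
# or a mistyped path silently yields no dumps, so fail loudly here instead.
$cfg = Get-ItemProperty -Path $key
if ($cfg.DumpType -ne 2 -or $cfg.DumpFolder -ne $dumpDir) {
    throw "LocalDumps configuration for ekrn.exe did not apply: $($cfg | Out-String)"
}
"LocalDumps for ekrn.exe -> $($cfg.DumpFolder) (DumpType=$($cfg.DumpType))"

# Attach procdump as instructed: -ma full memory dump, -e 1 dump on
# first-chance exceptions, -n 10 stop after ten dumps. The .dmp files land in
# the current directory, so switch to $dumpDir first to keep them together.
if (-not (Test-Path $procdump)) {
    throw "procdump not found at $procdump; download it from the Sysinternals page linked above"
}
if (-not (Get-Process -Name ekrn -ErrorAction SilentlyContinue)) {
    throw 'ekrn.exe is not running; boot to normal mode with Self-defense disabled first'
}
Push-Location $dumpDir
try {
    & $procdump -accepteula -ma -e 1 -n 10 ekrn.exe
} finally {
    Pop-Location
}

# List what was produced (WER dumps and procdump dumps both end in .dmp).
Get-ChildItem -Path $dumpDir -Filter '*.dmp' | Select-Object Name, Length, LastWriteTime
```

Leave the window open while reproducing; procdump returns once ten dumps have been written or ekrn.exe exits, and the final listing is what to pack for upload.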

I'd like to clarify Marcos' post. You can find the app verifier installer here

32bit: https://drive.google.com/file/d/1c4wQGJteGQb5EurEmhYaYLcmAqUbAIY-/view?usp=sharing

64bit: https://drive.google.com/file/d/1Sh_Yyp7Ie69dbGqBaitN_Nv5iAzuRdwb/view?usp=sharing

Before you are able to use it, you'll have to disable self-defense and reboot. The changes you make will be applied after you click Save in the verifier and restart ekrn by rebooting Windows.

You can skip the manual registry import he's describing by extracting and importing the file attached to this post. Dumps will then be created in c:\dumps.

Edit: There's one more option that needs to be changed in the app verifier. After you've added ekrn.exe you'll need to expand Basics, right-click Heaps, Properties, and enable UseLFHGuardPages (see attached screenshots).

local_dumps_registry.zip

avrf1.png

avrf2.png

I installed AppVerifier and did the registry import in safe mode, but when I reboot to normal mode, there is no ESET interface. No icon in the tray. Can't open ESET window from start menu. Task manager shows some ESET items.

[attachment: screenshot of Task Manager]

Let's run "procdump.exe -ma -e 1 -n 10 ekrn.exe" after Windows starts and wait until a couple of dumps is generated when the issue occurs. Then you can disable AppVerifier in safe mode and provide us with the dumps.

Hello,

we noticed that a few of our Windows computers have network issues similar to the ones already described here too.
One Windows 7 and two dozen Windows 10 machines, primarily on update 1909 but also 2004. ESET versions 5.0.2237 to 5.0.2272.

We can reproduce the network issues by (either automatically or manually) running the "automatic startup file check" under schedule manager on the clients. This explains the different times after a reboot, when the problem occurs. ESET seems to not run the scan instantly and runs it a little bit delayed after system boot or latest on update of the virus signature database.

The scan then starts and continues to run seemingly without any problems. At some point the memory usage of ekrn.exe drops and at that point outgoing TCP connections are blocked. The scan also doesn't complete and the ESET client is showing the loading symbol in the taskbar.

A possible workaround I found is to disable the system integration for HTTPS and POP3 scans (via advanced settings on the client). [This obviously disables scanning of network traffic, which degrades the overall security. Be warned!]

I haven't managed to get a dump via the tool described before, but will try again tomorrow.

I have a screenshot of the running threads attached right after the memory usage drop where ekrn.exe seems to hang. Also a screenshot of the memory usage during the scan.

threads_after_memdrop.png

memory_usage_scan.png
