Marcos (Administrators), posted July 13, 2020

> I haven't managed to get a dump via the tool described before, but will try again tomorrow.

We would appreciate it if you could get the dumps as soon as possible:

1. Create the registry path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps\ekrn.exe
2. Under this path create the value DumpFolder of type REG_EXPAND_SZ.
3. Set this value to the path on the disk where the dumps will be created, for example C:\dump.
4. Create the value DumpType of type REG_DWORD and set this value to 2.
5. Reboot Windows to normal mode.
6. Run "procdump.exe -ma -e 1 -n 10 ekrn.exe" as an administrator.
7. Reproduce the issue and wait until a dump is generated at the path you have specified before.

After we pinpoint the issue, please uninstall Endpoint v5 and install Endpoint 7.3, which will be a minimum requirement for Windows 10 21H1.
junyuanma, posted July 13, 2020

> 21 minutes ago, Marcos said: Let's run "procdump.exe -ma -e 1 -n 10 ekrn.exe" after Windows starts and wait until a couple of dumps are generated when the issue occurs. Then you can disable AppVerifier in safe mode and provide us with the dumps.

The issue does not occur unless I turn on startup scan. My startup scan is currently turned off. Do I need to disable AppVerifier in safe mode, enable startup scan in normal mode, enable AppVerifier in safe mode and generate dumps in normal mode?
MRutkowski, posted July 13, 2020

> 12 minutes ago, Marcos said: We would appreciate it if you could get the dumps as soon as possible:
> 1. Create the registry path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps\ekrn.exe
> 2. Under this path create the value DumpFolder of type REG_EXPAND_SZ.
> 3. Set this value to the path on the disk where the dumps will be created, for example C:\dump.
> 4. Create the value DumpType of type REG_DWORD and set this value to 2.
> 5. Reboot Windows to normal mode.
> 6. Run "procdump.exe -ma -e 1 -n 10 ekrn.exe" as an administrator.
> 7. Reproduce the issue and wait until a dump is generated at the path you have specified before.

I'm getting an "Access Denied (5)" for ekrn.exe.
Marcos (Administrators), posted July 13, 2020

> 2 minutes ago, MRutkowski said: I'm getting an "Access Denied (5)" for ekrn.exe.

Please make the registry changes in safe mode.
Marcos (Administrators), posted July 13, 2020

> 15 minutes ago, junyuanma said: The issue does not occur unless I turn on startup scan. My startup scan is currently turned off. Do I need to disable AppVerifier in safe mode, enable startup scan in normal mode, enable AppVerifier in safe mode and generate dumps in normal mode?

Yes, please turn on the startup scan tasks first. Please create more dumps, some with AppVerifier enabled and some with AppVerifier disabled and page heap enabled.

To enable page heap for ekrn, save the following as ekrn_pageheap_on.reg and run it in safe mode:

```
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ekrn.exe]
"GlobalFlag"=dword:02000000
"PageHeapFlags"=dword:00000003
```

After booting to normal mode and running procdump.exe -ma -e 1 -n 10 ekrn.exe, wait until the issue occurs and dumps are generated. Afterwards disable page heap in safe mode by running a reg file (e.g. ekrn_pageheap_off.reg) with the following content:

```
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ekrn.exe]
"GlobalFlag"=-
"PageHeapFlags"=-
```
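The dump-collection setup from Marcos's two posts above (WER LocalDumps for ekrn.exe, optional page heap via Image File Execution Options, and the matching clean-up), as an added PowerShell example that is not from the thread or from ESET. It assumes it is run as an administrator in safe mode, since self-defense blocks the registry write in normal mode as reported above; the script name, the parameter names and the $DumpFolder default are the author's choices, and the registry values are the ones given in the posts.

```powershell
# Added example (not from the thread): configure WER LocalDumps and
# optional page heap for ekrn.exe, read the settings back, or remove them.
# Assumptions: run as administrator in safe mode; C:\dump and DumpType=2
# (full dump) are the values given in the thread.
param(
    [string]$DumpFolder = 'C:\dump',
    [switch]$EnablePageHeap,
    [switch]$Remove
)

$proc    = 'ekrn.exe'
$werKey  = "HKLM:\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps\$proc"
$ifeoKey = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\$proc"

if ($Remove) {
    # Undo everything once dumps are collected, mirroring ekrn_pageheap_off.reg:
    # only the two page-heap values are removed, not the whole IFEO key.
    Remove-Item -Path $werKey -Recurse -ErrorAction SilentlyContinue
    if (Test-Path $ifeoKey) {
        Remove-ItemProperty -Path $ifeoKey -Name 'GlobalFlag','PageHeapFlags' -ErrorAction SilentlyContinue
    }
    Write-Host "Dump and page-heap settings for $proc removed."
    return
}

# WER LocalDumps: DumpFolder as REG_EXPAND_SZ, DumpType 2 = full dump.
New-Item -Path $werKey -Force | Out-Null
New-Item -Path $DumpFolder -ItemType Directory -Force | Out-Null
Set-ItemProperty -Path $werKey -Name 'DumpFolder' -Value $DumpFolder -Type ExpandString
Set-ItemProperty -Path $werKey -Name 'DumpType'   -Value 2           -Type DWord

if ($EnablePageHeap) {
    # Same values as ekrn_pageheap_on.reg in the thread:
    # GlobalFlag 0x02000000 (FLG_HEAP_PAGE_ALLOCS), PageHeapFlags 3.
    New-Item -Path $ifeoKey -Force | Out-Null
    Set-ItemProperty -Path $ifeoKey -Name 'GlobalFlag'    -Value 0x02000000 -Type DWord
    Set-ItemProperty -Path $ifeoKey -Name 'PageHeapFlags' -Value 0x3        -Type DWord
}

# Read back what was written so the operator can confirm before rebooting.
Get-ItemProperty -Path $werKey | Select-Object DumpFolder, DumpType
if (Test-Path $ifeoKey) {
    Get-ItemProperty -Path $ifeoKey | Select-Object GlobalFlag, PageHeapFlags
}
Write-Host "Reboot to normal mode, then run: procdump.exe -ma -e 1 -n 10 $proc"
```

Run it once without switches for the plain WER dumps, with -EnablePageHeap for the page-heap round, and with -Remove in safe mode when the dumps have been collected.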
RCK, posted July 13, 2020

Hello guys,

Okay, I removed (from safe mode) EEA with esetuninstaller.exe, then reinstalled my usual 5.0.2272.7 x64 on my Win7. Then I went to advanced configuration > computer > HIPS > [uncheck] Selfdefense, performed a virus database update, then rebooted.

With Selfdefense OFF, I tried to perform a procdump and it froze Windows; no dump file was written to disk, and I just totally lost control over the operating system. I tried multiple times to generate a dump with Selfdefense OFF, but it just totally freezes Win7 (with / without "-e 1", "-ma", 32/64-bit procdump.exe, etc.).

So I decided to re-enable Selfdefense and start the command "procdump.exe -ma -s 10 -n 720 ekrn.exe" to have one dump every 10 seconds (because with Selfdefense ON, I can't use "-e 1", unfortunately). I also ran Process Monitor and waited for the issue to reproduce.

I feel that when the exception occurs, EEA is performing one of the startup scans, because I can see the ESET icon spinning in the taskbar, and the overlay text talks about the startup scan, not the virus database update. Could it be related to memory? This startup task is eating a lot of RAM (1.7 GB!); maybe there is some kind of infinite loop here. About dumps: the more memory EEA was using, the fewer dump files I could generate (see screenshot, "Error writing dump file: 0x8007000D").

Another piece of information: once the ekrn.exe engine is broken, disabling AV from the GUI is useless, but I can have internet access again with the following settings modifications:

USELESS = advanced configuration > internet & mail > protection of web access > HTTP & HTTPS > [Uncheck] Activate control
USELESS = advanced configuration > internet & mail > protocol filtering > [Uncheck] Activate content filtering
FIXED = advanced configuration > internet & mail > protocol filtering > [Uncheck] System integration

So finally, I was able to trigger the bug and have a 1.3 GB dump before and a 1.9 GB dump after the freeze; let's hope it will help. I also have one whole 4 GB logfile from Process Monitor. Please find my complete debug session files (14 GB) at the following URL (it's one ultra 1 GB 7z file with 512 MB dictionary RAM compression): hxxp://tmp.zool.fr/tmp/eset/20200713_NoOutgoingPacket.7z

Thanks!
junyuanma, posted July 13, 2020

> 18 minutes ago, Marcos said: Yes, please turn on the startup scan tasks first. Please create more dumps, some with AppVerifier enabled and some with AppVerifier disabled and page heap enabled. To enable page heap for ekrn, save the following as ekrn_pageheap_on.reg and run it in safe mode. After booting to normal mode and running procdump.exe -ma -e 1 -n 10 ekrn.exe, wait until the issue occurs and dumps are generated. Afterwards disable page heap in safe mode by running a reg file (e.g. ekrn_pageheap_off.reg) with the following content:

I turned on startup scan in normal mode and enabled AppVerifier in safe mode. When I returned to normal mode, ESET did not load into the system, and the issue cannot be triggered. I tried to manually open ESET Security through the Start Menu, but nothing happened after I clicked the icon.
Marcos (Administrators), posted July 13, 2020

> 4 minutes ago, junyuanma said: I turned on startup scan in normal mode and enabled AppVerifier in safe mode. When I returned to normal mode, ESET did not load into the system, and the issue cannot be triggered. I tried to manually open ESET Security through the Start Menu, but nothing happened after I clicked the icon.

Is it possible to generate dumps after disabling AppVerifier in safe mode and importing the reg file to enable page heap for ekrn as per the instructions above?
MRutkowski, posted July 13, 2020

> 1 hour ago, RCK said: With Selfdefense OFF, I tried to perform a procdump and it froze Windows; no dump file was written to disk, and I just totally lost control over the operating system.

I haven't been able to create the procdump one for exactly the same reason (Win10 2004). I got a Windows one, however: https://cloud.maxlxl.de/index.php/s/it2ZqYa5M6S8nz8
MMx (ESET Staff), posted July 14, 2020

Thanks everyone for providing the dumps. Using them we now have a theory about what is happening and a potential fix. It would be helpful if you could test it. To do that, first disable all workarounds (like AppVerifier) and enable startup scan, then download the appropriate zip file attached to this post.

- If you have a directory called "c:\Program Files\ESET\[product name]\Modules\em005_64", then cleaner_test_dll_64bit is for you. Unpack the file into "c:\Program Files\ESET\[product name]\Modules" (not into the em005_64 subdirectory) with self-defense disabled and reboot.
- If you have a directory called "c:\Program Files\ESET\[product name]\Modules\em005_32", then cleaner_test_dll_32bit is for you. Unpack the file into "c:\Program Files\ESET\[product name]\Modules" (not into the em005_32 subdirectory) with self-defense disabled and reboot.
- If you have a file called "c:\Program Files\ESET\[product name]\em005_32.dat", then you need to use cleaner_test_dat_32bit.zip. Unpack it into "c:\Program Files\ESET\[product name]\", replacing the existing file, with self-defense disabled and reboot.

Then report back if the problem is fixed.

Attachments: cleaner_test_dat_32bit.zip, cleaner_test_dll_64bit.zip, cleaner_test_dll_32bit.zip

Edited July 14, 2020 by MMx
MRutkowski, posted July 14, 2020

> 42 minutes ago, MMx said:
> cleaner_test_dat_32bit.zip (Unavailable)
> cleaner_test_dll_64bit.zip (Unavailable)
> cleaner_test_dll_32bit.zip (Unavailable)

I cannot download the files. They show as unavailable to me.
Marcos (Administrators), posted July 14, 2020

We're gonna share the files via the Downloads section momentarily. Please keep in mind that it will be necessary to remove the new cleaner module after we release it on update servers; otherwise the module would stop updating, which would account for future issues, e.g. with cleaning malware.
Marcos (Administrators), posted July 14, 2020

You can download a fixed Cleaner module from:
https://forum.eset.com/files/file/26-em005_32dll/ (32-bit)
https://forum.eset.com/files/file/27-em005_64dll/ (64-bit)

Installation:
- start Windows in safe mode
- copy the dll to "C:\Program Files\ESET\ESET Security\Modules" (not to subfolders)
- reboot Windows to normal mode

Notice: After the cleaner module has been released (probably as version 1213), it is important to delete this dll in safe mode to ensure that the cleaner module will be updated in the future.
MRutkowski, posted July 14, 2020

> 5 minutes ago, Marcos said: You can download a fixed Cleaner module from:
> https://forum.eset.com/files/file/26-em005_32dll/ (32-bit)
> https://forum.eset.com/files/file/27-em005_64dll/ (64-bit)

I need the cleaner_test_dat32bit.zip tho. Thank you in advance.
r1man, posted July 14, 2020

> 12 minutes ago, MRutkowski said: I need the cleaner_test_dat32bit.zip tho. Thank you in advance.

These aren't for ESET Internet Security, right?
Marcos (Administrators), posted July 14, 2020

> 19 minutes ago, MRutkowski said: I need the cleaner_test_dat32bit.zip tho. Thank you in advance.

Please find the dat file for Endpoint 6.5 and older here: https://forum.eset.com/files/file/28-em005_32dat-for-endpoint-up-to-v65/
MRutkowski, posted July 14, 2020

The patch solves the issue for Windows 10 2004 with ESET Endpoint Antivirus 5.0.2271.1. Also, RAM allocation and scan time are looking way better (attached image).
Marcos (Administrators), posted July 14, 2020

Please don't forget to uninstall Endpoint v5 and install the latest Endpoint 7.3 on Windows 10. Most likely Endpoint 7.3 will be the minimum version that will run on Windows 10 21H1.
MRutkowski, posted July 14, 2020

> Just now, Marcos said: Please don't forget to uninstall Endpoint v5 and install the latest Endpoint 7.3 on Windows 10. Endpoint 7.3 will most likely be the minimum version that will run on Windows 10 21H1.

We are already prepared for that and will update in the near future after our tests have completed. Thanks for the reminder tho.
Marcos (Administrators), posted July 14, 2020

> 13 minutes ago, MRutkowski said: We are already prepared for that and will update in the near future after our tests have completed. Thanks for the reminder tho.

Thank you for your patience and cooperation in this matter.
junyuanma, posted July 14, 2020

It solved my problem. When will I know that I can delete the files?
Marcos (Administrators), posted July 14, 2020

> 20 minutes ago, junyuanma said: It solved my problem. When will I know that I can delete the files?

It will take a few days until the new cleaner module is distributed to all users. You can keep it for, let's say, 2 weeks, then remove it, and the program should then download the latest version from the update servers.
n8123, posted July 14, 2020

Marcos,

Thanks for your help on this! A few things though...

1) You say that it will take a few days for the new cleaner module to distribute. So you're saying that it will be publicly available to all and systems will automatically get that update with their signature updates?
2) How do we tell if a system has this update already and is no longer affected by this issue?
3) Could you enlighten us about what actually caused this problem?

Thanks again!
Marcos (Administrators), posted July 14, 2020

1. Correct, the module will be downloaded automatically with engine and other module updates.
2. Under Update -> Show all modules you can check the version of the installed module. The version of the fixed Cleaner module will most likely be 1213.