Jump to content

AV is blocking loading webpages


Recommended Posts

  • Administrators
Quote

I haven't managed to get a dump via the tool described before, but will try again tomorrow.

We will appreciate if you could get the dumps as soon as possible:

  • Create the registry path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps\ekrn.exe
  • Under this path create the value DumpFolder of type REG_EXPAND_SZ
  • Set this value to the path on the disk where the dumps will be created. For example C:\dump
  • Create the value DumpType of type REG_DWORD and set this value to 2.
  • Reboot Windows to normal mode
  • Run "procdump.exe -ma -e 1 -n 10 ekrn.exe" as an administrator
  • Reproduce the issue and wait until a dump is generated at the path you have specified before.

 

After we pinpoint the issue, please uninstall Endpoint v5 and install Endpoint 7.3 which will be a minimum requirement for Windows 10 21H1.

Link to post
Share on other sites
  • Replies 70
  • Created
  • Last Reply
21 minutes ago, Marcos said:

Let's run "procdump.exe -ma -e 1 -n 10 ekrn.exe" after Windows starts and wait until a couple of dumps is generated when the issue occurs. Then you can disable AppVerifier in safe mode and provide us with the dumps.

The issue does not occur unless I turn on startup scan. My startup scan is currently turned off. Do I need to disable AppVerifier in safe mode, enable startup scan in normal mode, enable AppVerifier in safe mode and generate dumps in normal mode?

Link to post
Share on other sites
12 minutes ago, Marcos said:

We will appreciate if you could get the dumps as soon as possible:

  • Create the registry path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps\ekrn.exe
  • Under this path create the value DumpFolder of type REG_EXPAND_SZ
  • Set this value to the path on the disk where the dumps will be created. For example C:\dump
  • Create the value DumpType of type REG_DWORD and set this value to 2.
  • Reboot Windows to normal mode
  • Run "procdump.exe -ma -e 1 -n 10 ekrn.exe" as an administrator
  • Reproduce the issue and wait until a dump is generated at the path you have specified before.

I'm getting an "Access Denied (5)" for ekrn.exe

Link to post
Share on other sites
  • Administrators
2 minutes ago, MRutkowski said:

I'm getting an "Access Denied (5)" for ekrn.exe

Please make registry changes in safe mode.

Link to post
Share on other sites
  • Administrators
15 minutes ago, junyuanma said:

The issue does not occur unless I turn on startup scan. My startup scan is currently turned off. Do I need to disable AppVerifier in safe mode, enable startup scan in normal mode, enable AppVerifier in safe mode and generate dumps in normal mode?

Yes, please turn on startup scan tasks first. You create more dumps, some with AppVerifier enabled and some with AppVerifier disabled and page heap enabled.

To enable page heap for ekrn, save the following as ekrn_pageheap_on.reg and run it in safe mode.

Quote

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ekrn.exe]
"GlobalFlag"=dword:02000000
"PageHeapFlags"=dword:00000003

After booting to normal mode and running procdump.exe -ma -e 1 -n 10 ekrn.exe, wait until the issue occurs and dumps are generated. Afterwards disable page heap in safe mode by running a reg file (e.g. ekrn_pageheap_off.reg) with the following content:
 

Quote

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ekrn.exe]
"GlobalFlag"=-
"PageHeapFlags"=-

 

Link to post
Share on other sites

Hello guys,

Okay, I removed (from safe mode) EEA with esetuninstaller.exe, then reinstalled my usual 5.0.2272.7 x64 on my Win7.
Then I go to > advanced configuration > computer > HIPS > [uncheck] Selfdefense, and I performed a virus database update, then I rebooted.
With Selfdefense OFF, I tried to perform a procdump and it freezed Windows, no dump file was writen to disk, and I just totally lost control over operating system.
I tried multiple times to generate a dump with selfdefense OFF, but it just totally freeze win7 (with / without "-e 1", "-ma", "32/64 procdump.exe", etc.)

So I decided to enable again Selfdefense and start the command "procdump.exe -ma -s 10 -n 720 ekrn.exe" to have one dump every 10 seconds (because with selfdefense ON, I can't use "-e 1" unfortunatly).
I also runned "process monitor", and wait the issue to reproduce.
I feel that when the exception occurs, EEA is performing one of the startup scan because I can see the eset icon turning into taskbar, and overlib speak about startup scan, not virus database update.

Could it be related to memory ?
This startup task is eating a lot or ram (1.7 GB!), maybe there is one kind of infinite loop here.
About dump, the bigger eea was using memory, the less dump file I could generate (See screenshot, "Error writing dump file: 0x8007000D").

Another information, once the ekrn.exe engine is broken, disabling AV from GUI is useless, but I can have internet access again with the following settings modifications:
USELESS = advanced configuration > internet & mail > protection of web access > HTTP & HTTPS > [Uncheck] Activate control
USELESS = advanced configuration > internet & mail > protocol filtering > [Uncheck] Activate content filtering
FIXED = advanced configuration > internet & mail > protocol filtering > [Uncheck] System integration

So finally, I was able to trigger the bug and have a 1.3 GB dump before and a 1.9 GB after freeze, let's hope it will help :)
I also have one whole 4GB logfile from ProcessMonitor.
Please find my complete debug session files (14GB) at the following URL (it's one ultra 1GB 7z file with 512MB dictionnary RAM compression):
hxxp://tmp.zool.fr/tmp/eset/20200713_NoOutgoingPacket.7z

Thanks !

memory.png

procdump.png

process.png

Link to post
Share on other sites
18 minutes ago, Marcos said:

Yes, please turn on startup scan tasks first. You create more dumps, some with AppVerifier enabled and some with AppVerifier disabled and page heap enabled.

To enable page heap for ekrn, save the following as ekrn_pageheap_on.reg and run it in safe mode.

After booting to normal mode and running procdump.exe -ma -e 1 -n 10 ekrn.exe, wait until the issue occurs and dumps are generated. Afterwards disable page heap in safe mode by running a reg file (e.g. ekrn_pageheap_off.reg) with the following content:
 

 

I turned on startup scan in normal mode and enabled AppVerifier in safe mode. When I returned to normal mode, ESET did not load into the system, and the issue cannot be triggered. I tried manually open ESET Security through Start Menu, but nothing happened after I clicked the icon.

Link to post
Share on other sites
  • Administrators
4 minutes ago, junyuanma said:

I turned on startup scan in normal mode and enabled AppVerifier in safe mode. When I returned to normal mode, ESET did not load into the system, and the issue cannot be triggered. I tried manually open ESET Security through Start Menu, but nothing happened after I clicked the icon.

Is it possible to generate dumps after disabling AppVerifier in safe mode and importing the reg file to enable page heap for ekrn as per the instructions above?

Link to post
Share on other sites
1 hour ago, RCK said:

With Selfdefense OFF, I tried to perform a procdump and it freezed Windows, no dump file was writen to disk, and I just totally lost control over operating system.

I haven't been able to create the procdump one for exactly the same reason (Win10 2004), I got a Windows one however:

https://cloud.maxlxl.de/index.php/s/it2ZqYa5M6S8nz8

 

Link to post
Share on other sites
  • ESET Staff

Thanks everyone for providing the dumps, using them we now have a theory about what is hapenning and a potential fix. It would be helpful if you could test it. To do that first disable all workarounds (like app verifier, enable startup scan) then download the appropriate zip file attached to this post.

If you have a directory called "c:\Program Files\ESET\[product name]\Modules\em005_64" then cleaner_test_dll_64bit is for you. Unpack the file into "c:\Program Files\ESET\[product name]\Modules" (not into the em005_64 subdirectory) with selfdefense disabled and reboot.

If you have a directory called "c:\Program Files\ESET\[product name]\Modules\em005_32" then cleaner_test_dll_32bit is for you. Unpack the file into "c:\Program Files\ESET\[product name]\Modules" (not into the em005_32 subdirectory) with selfdefense disabled and reboot.

If you have a file called "c:\Program Files\ESET\[product name]\em005_32.dat" then you need to use cleaner_test_dat_32bit.zip. Unpack it into "c:\Program Files\ESET\[product name]\" replacing the existing file with selfdefense disabled and reboot.

Then report back if the problem is fixed.

cleaner_test_dat_32bit.zip cleaner_test_dll_64bit.zip

cleaner_test_dll_32bit.zip

Link to post
Share on other sites
  • Administrators

We're gonna share the files via the Downloads section momentarily.  Please keep in mind that it will be necessary to remove the new cleaner module after we release it on update servers, otherwise the module would stop updating which would account for future issues, e.g. with cleaning malware.

Link to post
Share on other sites
  • Administrators

You can download a fixed Cleaner module from:
https://forum.eset.com/files/file/26-em005_32dll/ (32-bit)

https://forum.eset.com/files/file/27-em005_64dll/ (64-bit)

Installation:
- start Windows in safe mode
- copy the dll to "C:\Program Files\ESET\ESET Security\Modules" (not to subfolders)
- reboot Windows to normal mode

Notice: After the cleaner module has been released (probably as version 1213), it is important to delete this dll in safe mode to ensure that the cleaner module will be updated in the future.

Link to post
Share on other sites
12 minutes ago, MRutkowski said:

I need the cleaner_test_dat32bit.zip tho. Thank you in advance.

These aren't for ESET Internet Security, right? 

Link to post
Share on other sites

The patch solves the issue for Windows10 2004 with ESET Endpoint Antivirus 5.0.2271.1.

Also RAM allocation and scan time looking way better (attached image).

memory_usage_patched_scan_marked.png

Link to post
Share on other sites
  • Administrators

Please don't forget to uninstall Endpoint v5 and install the latest Endpoint 7.3 on Windows 10. Most likely Endpoint 7.3 will be the minimum version that will run on Windows 10 21H1.

Link to post
Share on other sites
Just now, Marcos said:

Please don't forget to uninstall Endpoint v5 and install the latest Endpoint 7.3 on Windows 10. Endpoint 7.3 will be most likely the minimum version that will run on Windows 10 21H1.

We are already prepared for that and will update in the near future after our tests have completed. Thanks for the reminder tho.

Link to post
Share on other sites
  • Administrators
13 minutes ago, MRutkowski said:

We are already prepared for that and will update in the near future after our tests have completed. Thanks for the reminder tho.

Thank you for patience and cooperation in this matter :)

Link to post
Share on other sites
  • Administrators
20 minutes ago, junyuanma said:

It solved my problem. When will I know that I can delete the files?

It will take a few days until the new cleaner module is distributed to all users. You can keep it for let's say 2 weeks, then remove it and the program should download the latest version from update servers then.

Link to post
Share on other sites

Marcos,

Thanks for your help on this!

A few things though...

1)  You say that it will take a few days for the new cleaner module to distribute.  So you're saying that will be publicly available to all and systems will automatically get that update with their signature updates?

 

2)  How do we tell if a system has this update already and are no longer affected by this issue?

 

3)  Could you enlighten us about what actually caused this problem.

 

Thank again you!

Link to post
Share on other sites
  • Administrators

1, Correct, the module will be downloaded automatically with engine and other module updates.

2, Under Update -> Show all modules you can check the version of installed module. The version of the fixed Cleaner module will most be 1213.

Link to post
Share on other sites

Archived

This topic is now archived and is closed to further replies.

  • Recently Browsing   0 members

    No registered users viewing this page.

×
×
  • Create New...