n8123 0 Posted July 14, 2020 Share Posted July 14, 2020 Thanks for the quick response. Do you know what actually caused this issue? What was the root cause? Thank you! Link to comment Share on other sites More sharing options...
Administrators Marcos 5,074 Posted July 15, 2020 Administrators Share Posted July 15, 2020 4 hours ago, n8123 said: Do you know what actually caused this issue? What was the root cause? It was related to the wmi & reg scan and the errors that were reported. Link to comment Share on other sites More sharing options...
RCK 1 Posted July 15, 2020 Share Posted July 15, 2020 (edited) Thanks for the quick fix guys, I'm actually running em005_32.dat (CRC = EAB553CC) on EEA 5.0.2272.7 and it seems fine . Q1: Can I enable again "autodefense" or will it kick this file ? Q2: Will the regular database update that is coming from Server Admin 5.x will also distribute the fixed dll ? Q3: How can I check if the fixed dll have been auto installed in EEA 5.x, I don't know where is "show all modules" page, should I check the CRC with EAB553CC ? Edited July 15, 2020 by RCK Link to comment Share on other sites More sharing options...
ESET Moderators Peter Randziak 1,130 Posted July 15, 2020 ESET Moderators Share Posted July 15, 2020 Hello guys, first I would like to thank all of you, who provided us with dumps and logs needed to analyze this issue and also to those, who helped us to verify the fix. The fix will be distributed via standard module updates, in few moments we will start with pre-release users, followed by batch for general public users and full release should happen tomorrow. All times are CEST and in case of any issues reported with the module, we may delay / cancel the release. We apologize for the inconvenience caused by this issue. Peter Link to comment Share on other sites More sharing options...
Administrators Marcos 5,074 Posted July 15, 2020 Administrators Share Posted July 15, 2020 46 minutes ago, RCK said: Q1: Can I enable again "autodefense" or will it kick this file ? Self-defense has nothing to do with this since the dat file is to be replaced in safe mode. I'd recommend upgrading to the latest version first and then enable SD (followed by a reboot). Quote Q2: Will the regular database update that is coming from Server Admin 5.x will also distribute the fixed dll ? Endpoint 6.5 and older use a dat file, not dll. The dat file will be downloaded automatically unless you manually installed the fixed version of it that we provided yesterday for download. Quote Q3: How can I check if the fixed dll have been auto installed in EEA 5.x, I don't know where is "show all modules" page, should I check the CRC with EAB553CC ? In the Update section there was an About button in Endpoint v5 if I remember correctly. It will show information about installed modules. Generally with regard to Endpoint v5, this is a legacy product currently in limited support with EOL to reach by the end of this year. V5 pales in comparison with v6 and especially v7 in terms of protection and also suffers from issues that were addressed in newer versions. Moreover, Microsoft is supposed to block any version of Endpoint older than 7.3 on Windows 10 as of the update planned for H1 2021. We strongly recommend upgrading to the latest version 7.3 or at least 6.5 on systems with Windows XP where upgrade to a fully supported OS is not possible for whatever reason. https://support.eset.com/en/kb3592-is-my-eset-product-supported-eset-end-of-life-policy-business-products Link to comment Share on other sites More sharing options...
RCK 1 Posted July 15, 2020 Share Posted July 15, 2020 Thanks for the awesome support to all ESET guys 👍 Marco, I find the about box ! In normal version, I have a 1211 (20200622) module date, and on the manual patched version I have one strange 10001 (20200714) version ! I suppos e the upcoming official .dat will have a number between them Cheers Link to comment Share on other sites More sharing options...
Administrators Marcos 5,074 Posted July 15, 2020 Administrators Share Posted July 15, 2020 2 minutes ago, RCK said: In normal version, I have a 1211 (20200622) module date, and on the manual patched version I have one strange 10001 (20200714) version ! I suppos e the upcoming official .dat will have a number between them Yes, the fixed version of the Cleaner module will be numbered 1211.1. It's currently available on the pre-release update channel. Link to comment Share on other sites More sharing options...
MRutkowski 1 Posted July 15, 2020 Share Posted July 15, 2020 (edited) After further testing of the patch we have a computer where it resolves the network connectivity issues, however the startup scan doesn't finish. Spoken computer is running Windows 10 1809 with ESET Endpoint Antivirus 5.0.2272.7 and the patch provided yesterday (Cleaner 10001). Memory usage about normal compared to the other computers I have seen. The known workarounds with disabling the systemintegration or disabling http scanning doesn't resolve the network issues (without the patch). With the patch the scan doesn't complete. Disabling the startup scan/not running it doesn't trigger the network problem as expected. The patch has been installed following the intructions (safe mode, etc.). A dump of the ekrn.exe can be found here:https://nextcloud.gfz-potsdam.de/s/RKmyta2fQQnMMQN Edited July 15, 2020 by MRutkowski typos Link to comment Share on other sites More sharing options...
junyuanma 2 Posted July 15, 2020 Share Posted July 15, 2020 I had another try today and found the connection not stable. At the beginning of the startup scan, there are maybe 20~30 seconds that pages can be opened smoothly. Then there are minutes when pages cannot be opened. CPU remains at about 10%, but when it rise to 20%, I can open pages normally. (see picture) Then CPU may have another drop and pages can't be opened until at the end of the scan things return to normal. I also noticed that my phone, which is under the same Wifi, also has difficulty openning pages when the issue happens. Pages can be loaded, but much slower than normal. Link to comment Share on other sites More sharing options...
Administrators Marcos 5,074 Posted July 15, 2020 Administrators Share Posted July 15, 2020 Please uninstall Endpoint v5 and install the latest v7.3.2036. Endpoint v5 is in the limited support phase which means that we basically only guarantee module updates for it. It will reach end of life by the end of this year. Also I'd like to mention that disabling protocol filtering must prevent network communication issues. If not, the issue must be unrelated to the issue discussed in this topic. Link to comment Share on other sites More sharing options...
BABUEE 0 Posted July 16, 2020 Share Posted July 16, 2020 Hello Marcos, Please could you tell me when this update will be availabe on release update ? Thanks Link to comment Share on other sites More sharing options...
Administrators Marcos 5,074 Posted July 16, 2020 Administrators Share Posted July 16, 2020 1 hour ago, BABUEE said: Please could you tell me when this update will be availabe on release update ? It's a staggered update. We started to provide it to users on the regular update channel yesterday. It make take some time until you receive it if you haven't already got it. Link to comment Share on other sites More sharing options...
MRutkowski 1 Posted July 16, 2020 Share Posted July 16, 2020 17 hours ago, Marcos said: Also I'd like to mention that disabling protocol filtering must prevent network communication issues. If not, the issue must be unrelated to the issue discussed in this topic. It does indeed. The network problems are gone. However the scan itself doesn't complete now on this one machine. So it's not necessarily related to the network problems, however the problem is only partly solved by the patch. It was just an attempt to warn you that the patch might not work on every machine as you probably at least want to recheck that. Link to comment Share on other sites More sharing options...
ESET Moderators Peter Randziak 1,130 Posted July 17, 2020 ESET Moderators Share Posted July 17, 2020 @MRutkowski, On 7/15/2020 at 4:21 PM, MRutkowski said: After further testing of the patch we have a computer where it resolves the network connectivity issues, however the startup scan doesn't finish. Spoken computer is running Windows 10 1809 with ESET Endpoint Antivirus 5.0.2272.7 and the patch provided yesterday (Cleaner 10001). On 7/16/2020 at 10:25 AM, MRutkowski said: It does indeed. The network problems are gone. However the scan itself doesn't complete now on this one machine. So it's not necessarily related to the network problems, however the problem is only partly solved by the patch. It was just an attempt to warn you that the patch might not work on every machine as you probably at least want to recheck that. thank you for the info. please remove the Cleaner 10001 from the modules folder (either just delete it or in case you have a backup of the original cleaner, restore it), it should not be used except of the issue verification. Let the product update, enable Self-defense back and reboot the system. Official fixing version 1211.1 is already available on the update servers. If the startup scan stucks again, provide us with a dump from ekrn.exe and let us know how long the scan had been running. Peter Link to comment Share on other sites More sharing options...
ESET Moderators Peter Randziak 1,130 Posted July 17, 2020 ESET Moderators Share Posted July 17, 2020 @junyuanma On 7/15/2020 at 4:30 PM, junyuanma said: I had another try today and found the connection not stable. At the beginning of the startup scan, there are maybe 20~30 seconds that pages can be opened smoothly. Then there are minutes when pages cannot be opened. CPU remains at about 10%, but when it rise to 20%, I can open pages normally. (see picture) Then CPU may have another drop and pages can't be opened until at the end of the scan things return to normal. I also noticed that my phone, which is under the same Wifi, also has difficulty openning pages when the issue happens. Pages can be loaded, but much slower than normal. the issue seems to be really strange to me. I would probably start with a reboot of the PC and wifi to see if the issue manifests after it... especially this part "I also noticed that my phone, which is under the same Wifi, also has difficulty openning pages when the issue happens. Pages can be loaded, but much slower than normal." does not make much sense to me... Peter Link to comment Share on other sites More sharing options...
MRutkowski 1 Posted July 17, 2020 Share Posted July 17, 2020 @Peter Randziak We have installed 7.3 on the machine and are testing if the problem re-appears. If we find another computer where the publicly released patch reproduces the same issue, I will let you know and provide a memory dump of ekrn.exe. Link to comment Share on other sites More sharing options...
ESET Moderators Peter Randziak 1,130 Posted July 17, 2020 ESET Moderators Share Posted July 17, 2020 Hello @MRutkowski, good, thank you for keeping us posted. Hopefully 7.3 will behave as expected. P.S. we plan to release an hotfix for 7.3 during the next week, I would probably wait with a larger deployment for it, but of testing on a limited set of computers is O.K. Peter Link to comment Share on other sites More sharing options...
AlexTMI 0 Posted July 21, 2020 Share Posted July 21, 2020 Will ESET release new 5.x version for fix it ? Link to comment Share on other sites More sharing options...
ESET Moderators Peter Randziak 1,130 Posted July 21, 2020 ESET Moderators Share Posted July 21, 2020 Hello @AlexTMI, 31 minutes ago, AlexTMI said: Will ESET release new 5.x version for fix it ? The issue is resolved by a module update so there is no need for new installation package for any version. When it comes to version 5 it is quite old and is not able to provide the level of protection as the modern versions, please see our EoL policy at https://support.eset.com/en/kb3592-is-my-eset-product-supported-eset-end-of-life-policy-business-products I would recommend to schedule an upgrade to a modern and fully supported version according to it. Peter Link to comment Share on other sites More sharing options...
AlexTMI 0 Posted July 21, 2020 Share Posted July 21, 2020 5 version come with ERA app based GUI. 6 and above come with web based ERA GUI, its critical issue and isnt accpetable for our servers. I think we will migrate to another AV when our license expires this december. Link to comment Share on other sites More sharing options...
Administrators Marcos 5,074 Posted July 21, 2020 Administrators Share Posted July 21, 2020 10 minutes ago, AlexTMI said: 6 and above come with web based ERA GUI, its critical issue and isnt accpetable for our servers. Could you please elaborate more on this? Why a web-based console is not acceptable for your servers? Nowadays everything moves to web/cloud due to many benefits that it provides. 10 minutes ago, AlexTMI said: I think we will migrate to another AV when our license expires this december. I've tried searching for a non-web remote admin console offered by competitors to no avail. ERAv5 is most likely one of the remaining gui consoles for AV remote administration. Link to comment Share on other sites More sharing options...
Recommended Posts