Posted

Thanks for the quick response.

Do you know what actually caused this issue? What was the root cause?

Thank you!

  • Administrators
Posted
4 hours ago, n8123 said:

Do you know what actually caused this issue?  What was the root cause?

It was related to the wmi & reg scan and the errors that were reported.

Posted (edited)

Thanks for the quick fix guys, I'm actually running em005_32.dat (CRC = EAB553CC) on EEA 5.0.2272.7 and it seems fine.

  • Q1: Can I enable "autodefense" again, or will it kick this file?
  • Q2: Will the regular database update that is coming from Server Admin 5.x also distribute the fixed dll?
  • Q3: How can I check if the fixed dll has been auto installed in EEA 5.x? I don't know where the "show all modules" page is; should I check the CRC with EAB553CC?
Edited by RCK
  • ESET Moderators
Posted

Hello guys,

First, I would like to thank all of you who provided us with the dumps and logs needed to analyze this issue, and also those who helped us to verify the fix.

The fix will be distributed via standard module updates; in a few moments we will start with pre-release users, followed by a batch for general public users, and the full release should happen tomorrow. All times are CEST and in case of any issues reported with the module, we may delay / cancel the release.

We apologize for the inconvenience caused by this issue.

Peter

  • Administrators
Posted
46 minutes ago, RCK said:
  • Q1: Can I enable "autodefense" again, or will it kick this file?

Self-defense has nothing to do with this since the dat file is to be replaced in safe mode. I'd recommend upgrading to the latest version first and then enable SD (followed by a reboot).

Quote
  • Q2: Will the regular database update that is coming from Server Admin 5.x also distribute the fixed dll?

Endpoint 6.5 and older use a dat file, not dll. The dat file will be downloaded automatically unless you manually installed the fixed version of it that we provided yesterday for download.

Quote
  • Q3: How can I check if the fixed dll has been auto installed in EEA 5.x? I don't know where the "show all modules" page is; should I check the CRC with EAB553CC?

In the Update section there was an About button in Endpoint v5 if I remember correctly. It will show information about installed modules.

Generally with regard to Endpoint v5, this is a legacy product currently in limited support with EOL to reach by the end of this year.
V5 pales in comparison with v6 and especially v7 in terms of protection and also suffers from issues that were addressed in newer versions. Moreover, Microsoft is supposed to block any version of Endpoint older than 7.3 on Windows 10 as of the update planned for H1 2021. We strongly recommend upgrading to the latest version 7.3 or at least 6.5 on systems with Windows XP where upgrade to a fully supported OS is not possible for whatever reason.

https://support.eset.com/en/kb3592-is-my-eset-product-supported-eset-end-of-life-policy-business-products

Posted

Thanks for the awesome support to all ESET guys 👍

Marcos, I found the about box!
In the normal version, I have a 1211 (20200622) module date, and on the manual patched version I have one strange 10001 (20200714) version! I suppose the upcoming official .dat will have a number between them ;)

Cheers

  • Administrators
Posted
2 minutes ago, RCK said:

In the normal version, I have a 1211 (20200622) module date, and on the manual patched version I have one strange 10001 (20200714) version! I suppose the upcoming official .dat will have a number between them ;)

Yes, the fixed version of the Cleaner module will be numbered 1211.1. It's currently available on the pre-release update channel.

Posted (edited)

After further testing of the patch we have a computer where it resolves the network connectivity issues, however the startup scan doesn't finish. Spoken computer is running Windows 10 1809 with ESET Endpoint Antivirus 5.0.2272.7 and the patch provided yesterday (Cleaner 10001). Memory usage about normal compared to the other computers I have seen.

The known workarounds with disabling the systemintegration or disabling http scanning don't resolve the network issues (without the patch). With the patch the scan doesn't complete. Disabling the startup scan/not running it doesn't trigger the network problem as expected.

The patch has been installed following the instructions (safe mode, etc.).

A dump of the ekrn.exe can be found here:
https://nextcloud.gfz-potsdam.de/s/RKmyta2fQQnMMQN

 

Edited by MRutkowski
typos
Posted

I had another try today and found the connection not stable.

At the beginning of the startup scan, there are maybe 20~30 seconds that pages can be opened smoothly.

Then there are minutes when pages cannot be opened. CPU remains at about 10%, but when it rises to 20%, I can open pages normally. (see picture)

Then CPU may have another drop and pages can't be opened until at the end of the scan things return to normal.

I also noticed that my phone, which is under the same Wifi, also has difficulty opening pages when the issue happens. Pages can be loaded, but much slower than normal.

  • Administrators
Posted

Please uninstall Endpoint v5 and install the latest v7.3.2036. Endpoint v5 is in the limited support phase which means that we basically only guarantee module updates for it. It will reach end of life by the end of this year.

Also I'd like to mention that disabling protocol filtering must prevent network communication issues. If not, the issue must be unrelated to the issue discussed in this topic.

 

Posted

Hello Marcos,

Please could you tell me when this update will be available on release update?

Thanks

  • Administrators
Posted
1 hour ago, BABUEE said:

Please could you tell me when this update will be available on release update?

It's a staggered update. We started to provide it to users on the regular update channel yesterday. It may take some time until you receive it if you haven't already got it.

Posted
17 hours ago, Marcos said:

Also I'd like to mention that disabling protocol filtering must prevent network communication issues. If not, the issue must be unrelated to the issue discussed in this topic.

 

It does indeed. The network problems are gone. However the scan itself doesn't complete now on this one machine.

So it's not necessarily related to the network problems, however the problem is only partly solved by the patch. It was just an attempt to warn you that the patch might not work on every machine as you probably at least want to recheck that.

  • ESET Moderators
Posted

@MRutkowski,

On 7/15/2020 at 4:21 PM, MRutkowski said:

After further testing of the patch we have a computer where it resolves the network connectivity issues, however the startup scan doesn't finish. Spoken computer is running Windows 10 1809 with ESET Endpoint Antivirus 5.0.2272.7 and the patch provided yesterday (Cleaner 10001).

 

On 7/16/2020 at 10:25 AM, MRutkowski said:

It does indeed. The network problems are gone. However the scan itself doesn't complete now on this one machine.

So it's not necessarily related to the network problems, however the problem is only partly solved by the patch. It was just an attempt to warn you that the patch might not work on every machine as you probably at least want to recheck that.

thank you for the info.

Please remove the Cleaner 10001 from the modules folder (either just delete it or, in case you have a backup of the original cleaner, restore it); it should not be used except for issue verification.

Let the product update, enable Self-defense back and reboot the system.

Official fixing version 1211.1 is already available on the update servers.

If the startup scan gets stuck again, provide us with a dump from ekrn.exe and let us know how long the scan had been running.

Peter

  • ESET Moderators
Posted

@junyuanma

On 7/15/2020 at 4:30 PM, junyuanma said:

I had another try today and found the connection not stable.

At the beginning of the startup scan, there are maybe 20~30 seconds that pages can be opened smoothly.

Then there are minutes when pages cannot be opened. CPU remains at about 10%, but when it rises to 20%, I can open pages normally. (see picture)

Then CPU may have another drop and pages can't be opened until at the end of the scan things return to normal.

I also noticed that my phone, which is under the same Wifi, also has difficulty opening pages when the issue happens. Pages can be loaded, but much slower than normal.

the issue seems to be really strange to me.

I would probably start with a reboot of the PC and wifi to see if the issue manifests after it...

especially this part 

"I also noticed that my phone, which is under the same Wifi, also has difficulty opening pages when the issue happens. Pages can be loaded, but much slower than normal."

does not make much sense to me...

 

Peter

Posted

@Peter Randziak

We have installed 7.3 on the machine and are testing if the problem re-appears.

If we find another computer where the publicly released patch reproduces the same issue, I will let you know and provide a memory dump of ekrn.exe.

 

  • ESET Moderators
Posted

Hello @MRutkowski,

good, thank you for keeping us posted.

Hopefully 7.3 will behave as expected. 

P.S. we plan to release a hotfix for 7.3 during the next week, I would probably wait with a larger deployment for it, but testing on a limited set of computers is O.K.

Peter

Posted

Will ESET release a new 5.x version to fix it?

  • ESET Moderators
Posted

Hello @AlexTMI,

31 minutes ago, AlexTMI said:

Will ESET release a new 5.x version to fix it?

The issue is resolved by a module update so there is no need for a new installation package for any version.

When it comes to version 5, it is quite old and is not able to provide the same level of protection as the modern versions; please see our EoL policy at https://support.eset.com/en/kb3592-is-my-eset-product-supported-eset-end-of-life-policy-business-products

I would recommend to schedule an upgrade to a modern and fully supported version according to it.

Peter

Posted

Version 5 comes with an app-based ERA GUI.

6 and above come with a web-based ERA GUI; it's a critical issue and isn't acceptable for our servers.

I think we will migrate to another AV when our license expires this December.

  • Administrators
Posted
10 minutes ago, AlexTMI said:

6 and above come with a web-based ERA GUI; it's a critical issue and isn't acceptable for our servers.

Could you please elaborate more on this? Why is a web-based console not acceptable for your servers? Nowadays everything moves to web/cloud due to many benefits that it provides.

10 minutes ago, AlexTMI said:

I think we will migrate to another AV when our license expires this December.

I've tried searching for a non-web remote admin console offered by competitors to no avail. ERAv5 is most likely one of the remaining GUI consoles for AV remote administration.

This topic is now closed to further replies.