Real-time protection not funtional

[offbyone 10]

Hi.

Is this a known issue that after deploying ESET AV on a newly deployed computer, "Real-time file system protection is non-functional" error is present until a user logs in for the very first time on that machine. Rebooting does not fix it, someone has to login first.

We have this on all newly deployed machines.

 

 

Regards.

Edited August 17, 2020 by offbyone
"not" was missing.

[Marcos 4,550]

How did you install Endpoint on these machines? First you deployed the ESMC agent and then installed Endpoint via a software install task sent from the ESMC console followed by sending a product activation task which activates the product and enables modules? At any rate, neither installation nor activation is depended on user logon and both work in the background even if no user is logged in.

[offbyone 10]

All clients are installed unattended via offline installer which include Agent and AV. The installation is done via GP script.

[offbyone 10]

I suspect that not many customers will be faced by this problem, as there are not many which do a fully automated deployment of computers including os and apps. In most cases a user has logged on at least one time before ESET is installed.

[FRiC 8]

We use deployed Windows and I've noticed the same thing. It also happens if Windows is updated to a new release and before the user logs in.

Edit: I just noticed this recently, so not sure if this is something new. Another new thing I noticed is that it's now harder to drag computers into another group since the group panel scrolls too early and too fast.

Edited August 21, 2020 by FRiC

[offbyone 10]

@FRiC

THX for confirmation. I wasn't sure if it is something special to our environments.

Till now we deployed about 100 new clients in 3 different customer environments and its the same with all of them.

 

[Marcos 4,550]

Since they are newly deployed computers, do you deploy an image prepared with Sysprep? Ie. when the computer is turned on, Windows doesn't start right away but first prepares for first use (so-called OOBE)?

[offbyone 10]

No its not a sysprep image, its the default image. It is deployed via autounattend.xml by WDS. The OOBE phase is running of course on first logon but it's automated.

 

Edited August 21, 2020 by offbyone
correcting OOBE infomration.

[robg 3]

Hi

Any news on this, is still happening for me

 

 

[Marcos 4,550]

Did you install the latest Endpoint 7.3 on the machines and rebooted them then, just in case?

If so, please carry on as follows:
- in the adv. setup -> tools -> diagnostics enable full application dumps and click ok
- in the adv. setup -> tools -> diagnostics click Create to generate a dump of ekrn
- collect logs with ESET Log Collector
- upload the generated archive here (if too big upload it to a safe location and drop me a pm with a download link).

[kamiran.asia 4]

Hi dears ,

Same Problem for many of our Customers.

We Think that old Version of V7 ( 7.0 , 7.1 ) on Windows 10 have this problem , Repair old version will fix the problem or Upgrade to V 7.3 and restart is needed.

But what is the problem ? It seems that there is problem in new updates.

[Marcos 4,550]

Couldn't it be that you made a fresh installation of an old Endpoint? In such case issues would be expected. Please always use the latest installers from ESET's website.

[Salim 0]

We have the same problem, all ESET reports problems until user logs in, and i have somewhere near 600 PCs.... All installation are made through SCCM (Agent and Antivirus).... All installers are downloaded from the website and SCCM file from the Security Management Center. Any updates?

[Marcos 4,550]

11 minutes ago, Salim said:

We have the same problem, all ESET reports problems until user logs in, and i have somewhere near 600 PCs....

Please generate a complete dump of ekrn via the adv. setup -> tools -> diagnostics. Then collect logs with ESET Log Collector, upload the archive to a safe location and provide me with a download link in a private message.

[Camilo Diaz 2]

Hi Marcos, we are experiencing exactly the same issue in about ~1000 workstations. all upgraded via Installation Task from ESMC . I have enabled FULL dump for logs and attached the results here.

btw. it's only affecting EEA 7.3.2041.0

eea_logs.zip

Edited November 27, 2020 by Camilo Diaz
adding version

[Marcos 4,550]

Looks like you didn't generate a dump of ekrn via the adv. setup -> tools -> diagnostics -> Create prior to collecting logs.

The Diagnostics folder is empty:

C:\ProgramData\ESET\ESET Security\Diagnostics\

2020-11-16 11:55  <DIR>           ECP
         0 files               0 bytes

 

[Camilo Diaz 2]

My Bad. Have sent you a link with the full logs.Thanks

[Marcos 4,550]

There are no issues logged in the Event log and also the real-time protection driver status reports AMON_STATUS_OK. I assume that logs were collected from a machine where the issue doesn't occur. Its name commences with "MA203-" but ESMC reported the issue on machines with the name commencing with "DT-".

[Camilo Diaz 2]

Hey Marcos, as mentioned by other members, as soon as an user logs in, Real-Time protection start working again, so I don't think it will be feasible to get the logs from a device experiencing the issue...

[Marcos 4,550]

You could provide a kernel memory dump by triggering a crash when no user is logged in as per https://support.eset.com/en/kb380. Does the issue occur after a user logs in and then logs out?

[offbyone 10]

Quote

error is present until a user logs in for the very first time on that machine.

From this time on the error will never occur again on that machine.

[Marcos 4,550]

1 hour ago, offbyone said:

From this time on the error will never occur again on that machine.

That's a reason to believe that OOBE was not completed yet and completes once the user logs in.