Jump to content

ESET File Security + WS2016 = completely blocked network


Recommended Posts

Hello,

we recently installed for the very first time latest EFS on our WS2016 server (simple domain server with AD services, DNS, RRaS VPN ... ) and it resulted in completely blocked network on the server side:

- local clients cant connect to shared drives nor authenitcate on logon to domain

- on server any attempt to test internet connection, or to ping even local clients machines fails

- strangely enough - EFS is happily reporting that it sucessfully blocked possible RDP attack from outside (dozens of public IP addresses)

- network utility in EFS reports blocking live IP adresses trying to connect via svchost.exe in RDP/Host role

- none of blocked IP addresses in ESF are from our local IP addresses

- complete disabling ESF wont change anything

- complete disabling ESF and also Windows Firewall wont change anything

- with or without exception in IDS for our local IP range ( starting IP/255.255.255.0 ) nothing changes

- every test was made with complete server reboot

 

At this point, Im really clueless what is causing such behaviour. I am completely sure that the problem is cause by EFS, since before EFS, the server was happily working for years without any hiccup.

Only thing I am probably left with, is to uninstall EFS, but that is not solution for paying customer, right? (/sarcasm off).

 

So, at least any meaningfull help would be nice to have.

Thanks.

Link to comment
Share on other sites

UPDATE: I spent another hours tinkering with ESF and WS2016 network/firewall/policies settings, without any success. So, I uninstalled ESF and everthing is working silky smooth as before. This experience with ESF is very sad tbh, as only reason to buy ESF for our server was, that we were highly satisfied with Eset Smart Security / Internet Security.

Link to comment
Share on other sites

  • Administrators

We are aware of an issue that could explain your situation (in short, the pool of NetBufferLists that belongs to a network card might get corrupted when we block something - i.e. that RDP in your case). We can confirm it if you send us a kernel memory dump. In the meantime, unchecking "block unsafe address after attack detection" (and reboot) should help you to mitigate the problem (although it is not 100% workaround). Or please try turning IDS off (and reboot), that should help as well.

Link to comment
Share on other sites

3 hours ago, Marcos said:

We are aware of an issue that could explain your situation (in short, the pool of NetBufferLists that belongs to a network card might get corrupted when we block something - i.e. that RDP in your case). We can confirm it if you send us a kernel memory dump. In the meantime, unchecking "block unsafe address after attack detection" (and reboot) should help you to mitigate the problem (although it is not 100% workaround). Or please try turning IDS off (and reboot), that should help as well.

Hi,

thanks for the reply. As for the kernel dump, I`ll send it when I will do the next instalation/testing of EFS - also which one you need ? Complete or small dump?

Btw, do you have some ETA when that mentioned issue would be resolved?

Thanks.

Link to comment
Share on other sites

Is there a certain combo of endpoint version and/or network card driver that has the bug? I am in middle of upgrading all my endpoints/agents but will hold off on the 2016 servers after seeing this...

Link to comment
Share on other sites

  • Administrators

Please provide a kernel memory dump from time when the issue is manifesting. Without the dump we cannot be sure if it's the issue that we assume it to be.

Link to comment
Share on other sites

I had this issue with Endpoint Security on a normal workstation with Windows 10. It blocked the WHOLE network. I didn't configured Safe Zones but I never thought it would not have an automatic recognition of safe zones.

 

I ended up switching off FIrewall and using the W10 Firewall.

Edited by Scytale
Link to comment
Share on other sites

Guest
This topic is now closed to further replies.
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...