murko 0 Posted October 8, 2020

Hello, we recently installed, for the very first time, the latest EFS on our WS2016 server (simple domain server with AD services, DNS, RRaS VPN ...) and it resulted in a completely blocked network on the server side:

- local clients can't connect to shared drives nor authenticate on logon to domain
- on server any attempt to test internet connection, or to ping even local clients' machines, fails
- strangely enough, EFS is happily reporting that it successfully blocked a possible RDP attack from outside (dozens of public IP addresses)
- network utility in EFS reports blocking live IP addresses trying to connect via svchost.exe in RDP/Host role
- none of the blocked IP addresses in EFS are from our local IP addresses
- completely disabling EFS won't change anything
- completely disabling EFS and also Windows Firewall won't change anything
- with or without an exception in IDS for our local IP range (starting IP/255.255.255.0) nothing changes
- every test was made with a complete server reboot

At this point, I'm really clueless what is causing such behaviour. I am completely sure that the problem is caused by EFS, since before EFS, the server was happily working for years without any hiccup. The only thing I am probably left with is to uninstall EFS, but that is not a solution for a paying customer, right? (/sarcasm off). So, at least any meaningful help would be nice to have. Thanks.

murko 0 Posted October 8, 2020 Author

UPDATE: I spent more hours tinkering with EFS and WS2016 network/firewall/policies settings, without any success. So, I uninstalled EFS and everything is working silky smooth as before. This experience with EFS is very sad tbh, as the only reason to buy EFS for our server was that we were highly satisfied with ESET Smart Security / Internet Security.

Administrators Marcos 4,694 Posted October 9, 2020

We are aware of an issue that could explain your situation (in short, the pool of NetBufferLists that belongs to a network card might get corrupted when we block something - i.e. that RDP in your case). We can confirm it if you send us a kernel memory dump. In the meantime, unchecking "block unsafe address after attack detection" (and reboot) should help you to mitigate the problem (although it is not a 100% workaround). Or please try turning IDS off (and reboot), that should help as well.

murko 0 Posted October 9, 2020 Author

3 hours ago, Marcos said:
> We are aware of an issue that could explain your situation (in short, the pool of NetBufferLists that belongs to a network card might get corrupted when we block something - i.e. that RDP in your case). We can confirm it if you send us a kernel memory dump. In the meantime, unchecking "block unsafe address after attack detection" (and reboot) should help you to mitigate the problem (although it is not 100% workaround). Or please try turning IDS off (and reboot), that should help as well.

Hi, thanks for the reply. As for the kernel dump, I'll send it when I do the next installation/testing of EFS - also, which one do you need? Complete or small dump? Btw, do you have some ETA when that mentioned issue would be resolved? Thanks.

Administrators Marcos 4,694 Posted October 10, 2020

We don't need a complete memory dump, a kernel dump should suffice. For instructions on how to generate kernel memory dumps manually, please read https://support.eset.com/en/kb380.

slarkins 3 Posted October 14, 2020

Is there a certain combo of endpoint version and/or network card driver that has the bug? I am in the middle of upgrading all my endpoints/agents but will hold off on the 2016 servers after seeing this...

Administrators Marcos 4,694 Posted October 15, 2020

Please provide a kernel memory dump from the time when the issue is manifesting. Without the dump we cannot be sure if it's the issue that we assume it to be.

slarkins 3 Posted October 20, 2020

What is the combo of endpoint/NIC that has issues... I am in a holding pattern upgrading my 2016 server endpoint until I hear what the cause is.

Scytale 0 Posted October 27, 2020 (Edited October 27, 2020 by Scytale)

I had this issue with Endpoint Security on a normal workstation with Windows 10. It blocked the WHOLE network. I didn't configure Safe Zones but I never thought it would not have an automatic recognition of safe zones. I ended up switching off Firewall and using the W10 Firewall.