
Problem after 9.0.12012 Server Security



Hello

Upgraded a File Server 8 to Server Security 9.0.12012 on a Windows Server 2019 with DC Roles.

After the update I restarted. The machine is always on "applying computer settings".

After 3 brutal shutdowns, I uninstalled ESET Server Security and the Agent in safe mode. Restart OK.

Reinstalled the package; when I restart the machine I get "applying computer settings".

Safe mode, delete, and the server starts well.

Do you have suggestions?

My best regards


  • Administrators

Do you have ESET Inspect agent installed on the server? Does excluding the MUI extension in the real-time protection setup make a difference?


Hi, I came here today and registered as a new forum user just to report this issue and find you've beaten me to it!

The solution for me was, when you are at that repair menu where you choose Safe mode (i.e. press F8 on start), choose the very last option to Disable Early Launch Anti-Malware protection. Only then was I able to get a normal boot and access the computer. 

Now, I have no idea if that is a permanent disable or a one-time thing, so I uninstalled all ESET products and installed them again (security product and agent).

I'd like to better understand what went wrong. This happened after latest Windows updates for Server 2019 and selecting in the ESET ERA Console to update the client modules to the latest version.

Afterwards I opened a ticket with ESET but the tech had no idea what I was talking about and had never heard of "ELAM" (Early Launch Anti-Malware) protection. He just said after the initial scan, run the scan again. Thanks, Pal!

Bob


  • Administrators

The ELAM driver does nothing; but it's required for ekrn to start. Please make sure it's not renamed and ekrn starts with Windows. Configure the system to generate complete memory dumps as per https://support.eset.com/en/kb380, reproduce the issue, trigger a manual crash to generate a dump and then provide it to us in a zipped form for perusal.


Thanks for all your suggestions.

I'm asking ESET for a working solution. These servers are domain controllers and I can't test or joke with them.

I'm in a production environment. Do you have an official solution?

I have 4 servers with the same problem (the only 4 servers updated from 8 to 9, but I have 30 other servers).

My best regards


  • Administrators

If you have the ESET Inspect agent installed, it's most likely a known issue and excluding the MUI extension in the real-time protection setup should work around the issue.

Otherwise we recommend generating a complete memory dump from a frozen state of the system as per https://support.eset.com/en/kb380 and supply the dump to ESET for perusal and to determine the cause of the issue.


8 hours ago, Marcos said:

If you have the ESET Inspect agent installed, it's most likely a known issue and excluding the MUI extension in the real-time protection setup should work around the issue.

Otherwise we recommend generating a complete memory dump from a frozen state of the system as per https://support.eset.com/en/kb380 and supply the dump to ESET for perusal and to determine the cause of the issue.

So if we're not using Inspect agent (EDR) then excluding the mui extension doesn't work?


  • Administrators
7 hours ago, FRiC said:

So if we're not using Inspect agent (EDR) then excluding the mui extension doesn't work?

In that case the cause of the issue is unknown and developers will need a complete memory dump from the freeze to determine the root cause.


5 hours ago, Marcos said:

In that case the cause of the issue is unknown and developers will need a complete memory dump from the freeze to determine the root cause.

Thanks, can confirm excluding the extension doesn't work since we don't have ESET Inspect agent.


  • 2 weeks later...
  • Administrators
11 minutes ago, PaoloneCM said:

If I want to retry the install, after installing do I go into Detection Engine - Realtime - Exclusions and add *.mui?

Correct.


  • Administrators

We've already released an engine which addresses the issues related to processing mui files. Please check if the issue has been resolved and remove the mui extension from the list of extensions excluded from scanning, if applicable.


This topic is now closed to further replies.