
"ESET Service" and "ESET Firewall" crashing many times a day


Solved by Marcos


Thanks to Nod32 this world is a better place 😀

Since yesterday, Nod32 started to misbehave. There are many reports in the Windows logs that "ESET Service" and "ESET Firewall" services have been terminated unexpectedly. There is also an increased CPU load caused by ekrn.exe. The service consumes more and more memory until it crashes and starts again. I had to reinstall NOD32 shortly after the first symptoms occurred, as the system began to slow down severely until it would hang completely. After reinstalling NOD32 it was possible to use the system, but the other symptoms remained.

Thank you in advance!

eav_logs.zip


  • Administrators

Did you disable these settings to prevent the crashes from occurring?

Protocol filtering
Web access protection
SSL protocol checking
HTTP protocol checking

Those are important ones and with protocol filtering disabled you open the door to Internet-borne threats.

Also we recommend enabling the LiveGrid Feedback system for maximum protection and upgrading to ESET Internet Security at least in order to get Network protection. In the past it protected our users also from the infamous Wannacry ransomware that exploited an unpatched vulnerability in Windows.


  • Administrators

Please carry on as follows:

- download Procdump from https://learn.microsoft.com/en-us/sysinternals/downloads/procdump
- temporarily disable Protected service in the advanced setup -> HIPS
- reboot the machine
- run Procdump as an administrator as follows:
procdump -ma -e ekrn.exe
- wait until ekrn crashes and a dump is generated
- compress the dump, upload it to a safe location and drop me a download link
- re-enable Protected service and reboot the machine.


@Marcos I followed your advice closely, and unfortunately procdump failed with an "Access Denied" error (0x00000005). But configuring "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Error Reporting\LocalDumps" allowed me to take two crash dumps. You can download them from there: https://mega.nz/folder/tKBWjbDR#2HpjZ2YT19u3T9pfSGeOGw

Previously, I only had SSL MITM scanning disabled, but since the problem occurred, I have disabled more network-related functions. I realize that by disabling these services, I am leaving a larger surface to attack my system.

There are two .7z archives; I'll send you a PM with a password to open them.

@itman I have Windows 11 Pro 22H2, 10.0.22621.1992.
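
As an added example (not part of the original posts and not ESET's own tooling), one way to set up the Windows Error Reporting LocalDumps collection mentioned above for ekrn.exe only. The registry path and value names are the ones Microsoft documents for user-mode dump collection; the dump folder, the dump count and the ACL step are assumptions.

```powershell
#Requires -RunAsAdministrator
# Added example: per-process WER LocalDumps settings for a crashing service.
# Assumptions: C:\CrashDumps as the target folder, 5 dumps kept.
param(
    [string]$ImageName  = 'ekrn.exe',
    [string]$DumpFolder = 'C:\CrashDumps',
    [int]   $DumpCount  = 5,
    [switch]$Remove          # pass -Remove once the dumps have been collected
)

# A subkey named after the executable limits collection to that process only.
$base = 'HKLM:\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps'
$key  = Join-Path $base $ImageName

if ($Remove) {
    if (Test-Path $key) { Remove-Item -Path $key -Recurse }
    return
}

# A full dump holds the whole process memory, so keep the folder readable
# by SYSTEM and local Administrators only (well-known SIDs, locale-neutral).
New-Item -Path $DumpFolder -ItemType Directory -Force | Out-Null
icacls $DumpFolder /inheritance:r /grant:r '*S-1-5-18:(OI)(CI)F' '*S-1-5-32-544:(OI)(CI)F' | Out-Null

if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }

# DumpType 2 = full dump, the equivalent of "procdump -ma".
New-ItemProperty -Path $key -Name DumpFolder -PropertyType ExpandString -Value $DumpFolder -Force | Out-Null
New-ItemProperty -Path $key -Name DumpType   -PropertyType DWord        -Value 2           -Force | Out-Null
New-ItemProperty -Path $key -Name DumpCount  -PropertyType DWord        -Value $DumpCount  -Force | Out-Null

# Show what was written so the settings can be confirmed before the next crash.
Get-ItemProperty -Path $key | Select-Object DumpFolder, DumpType, DumpCount
```

Run it again with `-Remove` after the dumps have been handed over, so full memory dumps of the service stop accumulating on disk.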


  • Administrators
  • Solution

Thank you, the dump helped and we should be able to pinpoint the issue based on it.

As for running Procdump, it must be run as an administrator and Protected service (in HIPS settings) must be disabled and the machine rebooted prior to running Procdump. Just in case you'd need to make another dump in the future which we hope won't be needed.
