CraigF
Posted December 9, 2023

We've noticed this phenomenon occurring on multiple Windows Server 2016 Remote Desktop Services session hosts. For one of our clients it appears to be causing resource exhaustion issues, causing the servers to become unresponsive. It appears a new instance of ekrn.exe is attempting to be created whenever a new user session is created - is this normal?

Servers are running ESET Server Security vers 10.0.12014.0

Here's what I've determined:

Windows Application log records Application error ID 1000 logged every time a new user session is created:

Faulting application path: C:\Program Files\ESET\ESET Security\ekrn.exe
Faulting module path: C:\Program Files\ESET\ESET File Security\em039_64\2102\em039_64.dll

Similarly, Windows System log records Service Control Manager ID 7031 error at the same time as the Application error is logged:

The ESET Service service terminated unexpectedly.

ESET event log indicates "File 'Ekrn_*.mdmp' was sent to ESET Virus Lab for analysis." each time. These events appear to have commenced immediately after the Detection engine was updated to vers 28271 (on 21 Nov). They started being logged a few hours prior to the Application error ID 1000 errors first being recorded.

The ESET Audit log is now recording "Feature changed" events multiple times a day (I assume whenever a new user session is created and the ekrn.exe is run). Prior to 21 Nov, these events were only logged whenever the server was restarted.

Marcos (Administrators)
Posted December 9, 2023

Please provide logs collected with ESET Log Collector. I assume that not all modules are updated.

CJD138
Posted December 12, 2023

Hi Marcos,

My name is Colin and I work with Craig who posted this. Sorry for the delay but I attached the log files from the affected server.

efsw_logs.zip

Marcos (Administrators)
Posted December 12, 2023

1 hour ago, CJD138 said:
> My name is Colin and I work with Craig who posted this. Sorry for the delay but I attached the log files from the affected server.

Please uninstall ESET Server Security and install the latest version while keeping the default modules folder. You have changed it to the program install folder, which might cause issues, and it's not recommended. At least the path should point to a separate modules folder. By default modules are installed in "C:\Program Files\ESET\ESET Security\Modules"; you have them in "C:\Program Files\ESET\ESET File Security".

CraigF (Author)
Posted December 14, 2023

It appears this issue resolved following install of Detection Engine version 28382 (or one of the subsequent updates - there were 4 in a space of 10 hours), as we haven't seen the issue logged since. We have performed the uninstall/reinstall as suggested on one of our RDS farm servers, so we can see whether this makes any difference if we notice the errors return.
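
An added example, not part of the thread and not ESET's code: a PowerShell check that can be run on a session host to see whether the ekrn.exe crashes described in the first post (Application event 1000 paired with Service Control Manager event 7031) are still occurring. The seven-day look-back, the 60-second pairing window and the English-language message matching are assumptions.

```powershell
# Added example (not from the thread). Pairs Application Error 1000 crashes of
# ekrn.exe with Service Control Manager 7031 events logged close in time.
$Since         = (Get-Date).AddDays(-7)   # assumed look-back period
$WindowSeconds = 60                       # assumed pairing window

# Get-WinEvent reports an error when nothing matches, so suppress it and
# wrap the result in @() to always get an array (possibly empty).
$crashes = @(Get-WinEvent -FilterHashtable @{
        LogName = 'Application'; ProviderName = 'Application Error'
        Id = 1000; StartTime = $Since
    } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'ekrn\.exe' })

$svcStops = @(Get-WinEvent -FilterHashtable @{
        LogName = 'System'; ProviderName = 'Service Control Manager'
        Id = 7031; StartTime = $Since
    } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'ESET' })

$report = foreach ($c in $crashes) {
    # Nearest-in-time 7031 event within the window, if any.
    $paired = $svcStops | Where-Object {
        [math]::Abs(($_.TimeCreated - $c.TimeCreated).TotalSeconds) -le $WindowSeconds
    } | Select-Object -First 1

    # The faulting module path shows which modules folder ekrn.exe loaded from.
    # Assumes English event text, as quoted in the first post.
    $module = 'unknown'
    if ($c.Message -match 'Faulting module path:\s*(.+)') { $module = $Matches[1].Trim() }

    $pairedTime = $null
    if ($paired) { $pairedTime = $paired.TimeCreated }

    [pscustomobject]@{
        CrashTime     = $c.TimeCreated
        FaultModule   = $module
        ServiceStop   = $pairedTime
    }
}

# Detail view, then a per-day count to show when the crashes started and stopped.
$report | Sort-Object CrashTime | Format-Table -AutoSize
$report | Group-Object { $_.CrashTime.Date.ToString('yyyy-MM-dd') } |
    Sort-Object Name | Select-Object Name, Count
```

An empty result after the update or reinstall indicates the crashes have not returned; a crash row with no paired ServiceStop is worth checking by hand.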