ESET Endpoint Security 11.0.2032 Real-time protection freezing/hanging Windows 10

[OP System 0]

Hello,

this is a first hint of a problem we're facing since Endpoint ver. 11.0.2032.0 has been rolled out on our Windows 10 customers. I searched for similar recent posts in Forum but couldn't find anything similar so I assume it's related with our locale (IT) or our specific endpoint policies.

About 2% of our managed endpoints are becoming unresponsive after boot: apps freeze, cannot interact with Explorer elements, network traffic stops, whole Windows GUI becomes unusable for several minutes. Sometimes all gets back to normal after waiting, sometimes we have to physically power cycle. Disabling Realtime protection or uninstalling Endpoint Protection is the only way to let users work normally.

So far we've started working with our local reseller to collect logs and relevant information. CPU usage is normal, seems a memory lock issue to us, specifically during startup scan. I've tried disabling HIPS Advanced memory scanner but to no avail.

If someone else is facing this issue or have suggestions, please let me know. Due to the nature of problem, performing any diagnostics in real time is nearly impossible, so any additional help will be appreciated.

Thanks
Gabriele

[Marcos 5,074]

Could you please provide your support ticket number so that we could get the collected logs? It would also help if we get a complete memory dump from time when the system becomes unresponsive or sluggish.

Please configure Windows to generate complete memory dumps as per https://support.eset.com/en/kb380. After a system reboot, reproduce the issue and manually trigger a crash to generate a dump. When done, compress it, upload it to a safe location and drop me a private message with a download link.

[Marcos 5,074]

@OP System do you think it would be possible to provide a complete memory dump for perusal?

[SBIT 0]

We had this too. For us it was initially triggered by running Firefox or VS Code but latterly, just like you, from boot.
In some rare cases it sorted itself out after a long time. Never seemed to happen if the machine was not on a network.
Collecting diagnostic logs was pretty difficult since the systems were so unresponsive. We checked the forum and your post is the first we've seen mirroring our experience.
We opened a support case but never got to the bottom of it.
Since then we've downgraded all our workstations to v10.1 since it's supported until late next year.

[OP System 0]

Hello all and sorry for this delay.

@SBIT thank you for your comment, that gives us a possible workaround.
@Marcos I've managed to create a manual dump and I sent you a download link as you requested.
Our ticket is #00677791. Please let me know if advanced diagnostic logs are needed.

I can confirm that the issue arises more often when a browser (firefox or Chrome) is opening.

[OP System 0]

I thought this could be somehow related to this . Unfortunately, even after Browser protection module update 1336, the problem persists and is affecting more and more clients.

We're keeping uninstalling the product, as this is the only solution we found for now. @Marcos should we keep going with our ticket with local ESET support?

[Marcos 5,074]

It appears to be a bug in the real-time protection driver which should be fixed in the next hotfix of Endpoint 11.

P_EESW-11100

[ShaneDT 13]

I'm seeing this also from yesterday on two computers that just auto upgraded to 11.0.2032.0.

When it happens Windows is completely non responsive, can't even Ctl+Alt+Del to bring up Task Manager.

Scrambling now to disable auto program updates on all my customer computers...

[ShaneDT 13]

Turns out only my personal office PC and notebook have so far upgraded. 

All 300 odd customer computers still on v10. To be safe I've selected the 'Pause Update' setting in policy.

On my customers ESET PROTECT CLOUD server when setup I had removed the Common Features auto update policy. So probably explains why none of these have updated yet. I've now also disabled Product Update >v9 in policy.

On my internal ESET PROTECT CLOUD server i did have the Common Features policy still applied, but only the 2 computers so far auto updated to v11. I've now removed this policy on this server also.

Please let us know when this has been fixed.

So far on my notebook I have had to force restart a couple of times. On my PC it seems to respond again after 5mins or so.

[ShaneDT 13]

Though it seems disabling the Product Update setting / enabling Product Updates Pause has no effect anyway...

I changed these policies earlier today. I've just installed ESET on a new Windows 10 build, installed as v10.1.2046.

First thing it did was auto update to v11.0.2032. 

I've double checked the applied policies and there is no policy with Product Updates enabled.

Gotta love it when ESET policies work as expected

[Marcos 5,074]

If you check the policies assigned to "All" group, isn't there an auto-update policy?

[ShaneDT 13]

Hi Marcos, no I unassigned that policy. 

Initially primarily as I didn't want servers auto updating. 

But in hindsight I think it's much safer not to have it

[ShaneDT 13]

Since my posts above though WIndows hasn't locked up again, so maybe a few restarts fixed it.

I'll post up again over the next few days if I have any further lockups.

[OP System 0]

Hello @ShaneDT , we're keeping removing ESET completely and letting users with native Windows 10 AV. This is the simplest solution for us.
I hope this will get fixed soon

Gabriele

[ShaneDT 13]

Marcos, I've had a couple more computers auto upgrade to v11 today even though I changed the policy.

This was on my 'internal' ESET PROTECT CLOUD service where up until yesterday I did still have the Common Features auto update policy. I also had Product Updates enabled in a separate ESET Endpoint for Windows policy applied to all computers. The following settings were enabled:

Update / Product Updates / Auto Updates (=>v9.0).

Update / Profiles / My Profile (only profile listed) / Product Updates / Update Mode / Auto Update (though this is for =<v8.x)

Yesterday I removed the Common Features auto update policy and disabled Update / Product Updates / Auto Updates (=>v9.0) (policy enabled but setting unselected) and also enabled the following setting.

Update / Profiles / My Profile (only profile listed) / Product Updates / Pause Auto-Updates (=>v9.0).

So why are my computers on this server still auto updating?

Note on my customer ESET PROTECT CLOUD service, the Common Features auto update policy was removed months ago, but Update / Product Updates / Auto Updates (=>v9.0) was enabled. I disabled this yesterday on this service and also enabled Pause Auto-Updates. So far none of these computers have auto updated to v11.

[Marcos 5,074]

Please provide logs collected with ESET Log Collector from that machine.

[OP System 0]

@Marcos, do you have any prediction on when the patch will be released? Many of our clients are asking us what to do with the affected workstations (we are at 10% of total installed endpoints and still growing).

Are there any settings we could tweak to mitigate the problem, beside installing v.10? I'm trying to avoid mass-redeployments on hundreds of machines.

Thanks

[Marcos 5,074]

I estimate the next hotfix of Endpoint v11 could be released in about 1 month,

[ShaneDT 13]

Marcos surely there should be a faster hotfix release to fix this level of bug?

Note I haven't had any further issues but I haven't had any of my customer devices update to v11 yet, it was only my internal computers that updated.

And sorry no I haven't had time to look at generating logs or investigating why removing the update policy didn't stop the v11 updates on my internal computers.

Edited January 25 by ShaneDT

[ShaneDT 13]

Well today I manually uninstalled v11 and reinstalled v10 on all my computers.

Since my last post my office PC has stopped responding multiple times and has been sluggish. My sons laptop he uses for gaming and school has been almost unusable. With school starting I finally found time to look at it

Uninstall v11 and reinstall v10 and both computers are now back to normal performance.

v11 is clearly the problem. I can't believe this hasn't been prioritised for an urgent update! It can't be doing the brand any reputation favors. The fallout from a version update this bad can hang around for years!

I'm just glad my customer computers didn't upgrade automatically and I caught it in time!

I would not have been happy having to uninstall v11 on hundreds of computers...

 

 

[slarkins 5]

Any eta on hotfix for this? I would rather roll out V11 with latest hotfix....

[Marcos 5,074]

2 hours ago, slarkins said:

Any eta on hotfix for this? I would rather roll out V11 with latest hotfix....

We expect the hotfix could be available by the beginning of March.

[Alan M 0]

Hi

Just wanted to say that I've experienced this issue on several computers that have upgraded to 11.0.2032.0. Initially had issues in January but appears to be happening again in recent days.  Have found that you can get 5 minutes before the system becomes unresponsive, or you can open a small number of programs before the system becomes unresponsive.  In some cases waiting for a few minutes and things will return to normal.  In other cases running sfc /scannow appeared to help.  In the worst cases where the computer is completely unusable the best solution I could find was to:

- Uninstall ESET

- Rebooting into safe mode and run the manual ESET uninstall tool

- Reboot into normal mode and then reinstall ESET

The issue appears to be quite random and hard to diagnose due to the way the computer becomes completely unresponsive.

[Marcos 5,074]

You can try switching to the pre-release update channel to get update to v11.0.2044 with a fix.

[OP System 0]

Thanks Marcos.

Currently, the only way to install the pre-release version in ESET Protect Cloud is to perform an upgrade from 11.0.2032, but this can be tricky on workstations that were affected by the problem.
Anyway this is good news, hoping that the fixed version will be officially released on stable channel ASAP.