server 2008r2 hangs randomly after install EFS 6

[czechoto 0]

Hello

I have a problem with servers 2008r2 which hang randomly after install EFS6.

 

Some servers have version 6.0.12035 and some 6.0.12032

 

The servers response on a ping but I can not logon via RDP or open VMware console. When I was logged on the server when it hanged  I could move the cursor clik on the start but could not open any software and could not reboot the server. Only hard reset works.

 

 

Please can you help.

[Marcos 4,935]

If you can reproduce the issue easily, could you try temporarily disabling real-time protection for a test just to see if it makes a difference? If the issue occurs, we'd need to get a kernel or better complete memory dump created as per the instructions in hxxp://kb.eset.com/esetkb/index?page=content&id=SOLN380.

[czechoto 0]

I cannot reproduce the issue. I already have setup Kernel memory dump on all of my servers but the dump is not created during this issue. I already removed the EFS from one of my server week ago and the server is still OK.

[Marcos 4,935]

... the dump is not created during this issue

 

Did the server actually crash to BSOD when you triggered a crash manually?

[pesphil 1]

I too am experiencing this exact problem. Have a 2008R2 server with File Security 6.0.12035.0 installed and system locks up every 3 to 5 days. No BSOD just frozen up. Is a VM and machine performance graph shows CPU usage jumps up at time of crash and stays high until I do a hard reset of the VM. Memory usage stays normal throughout and disk usage stops at time of crash. Windows logs show nothing, ESET logs show nothing. Thankfully this is not a critical server. No issues with EFS version 6 on 2012 servers.

[Marcos 4,935]

Does disabling network drives in EFSW real-time protection setup make a difference?

[czechoto 0]

I disabled real-time protection with no success, only uninstall works for me. I already created logs and dump file and sent it to polish eset support. Waiting for any feedback.

[Marcos 4,935]

I disabled real-time protection with no success, only uninstall works for me. I already created logs and dump file and sent it to polish eset support. Waiting for any feedback.

 

Please let me know if you have received a response and supply me with a ticket ID so that I can check if the Polish distributor has already relayed the dump to us for analysis.

It'd also help if you could narrow it down by renaming the following drivers in safe mode, one at a time:

C:\Windows\System32\drivers\eamonm.sys

C:\Windows\System32\drivers\ehdrv.sys

 

After booting to normal mode you'll get some warnings which you can disregard as long as drivers have been renamed intentionally.

[czechoto 0]

The ticket number is: [Ticket#005095138]

[tomha 3]

Same problem here on a SBS 2011 which is based on Server 2008R2.

No Information from the eventlogs, only some messages from Exchange regarding the DC not responding.

 

In the Eset logs we saw that protocol filtering does not log filtered URLs anymore, when the Server is frozen.

We disabled protocol filtering and there was no freeze since. But we have to wait some more time, because the protocol filtering was disabled a week ago and the freezes occured in an interval between 3 Days and 3 Weeks.

[wind-e 1]

We too are experiencing random hangs (every few days to couple weeks) on Server 2008R2 server using version 6.0.120.25.

No event logs, no memory dumps generated, and no ESET logs provide any kind of clue.

Does anyone have any updates/fixes yet? I'm debating if I should even upgrade to  6.0.12035 as it seems this version has the same issue.

 

@czechoto, any feedback from Polish support team?

@tomha, any crashes after disabling Protocol Filtering yet? I may give this a try as it seems to be the only suggestion other than completely uninstalling.

[pesphil 1]

This forum post: https://forum.eset.com/topic/4672-eset-endpoint-antivirus-locking-up-windows-7-pro/page-2

is dealing with a similar lockup issue on Windows 7 and the last couple of entries refer to a Microsoft hotfix: https://support.microsoft.com/en-us/kb/2664888

I just installed the hotfix on my 2008R2 server (requires reboot) so will wait and see if this helps

[wind-e 1]

This forum post: https://forum.eset.com/topic/4672-eset-endpoint-antivirus-locking-up-windows-7-pro/page-2

is dealing with a similar lockup issue on Windows 7 and the last couple of entries refer to a Microsoft hotfix: https://support.microsoft.com/en-us/kb/2664888

I just installed the hotfix on my 2008R2 server (requires reboot) so will wait and see if this helps

 

Thanks, going to install over the weekend.

[czechoto 0]

Still waiting for any feedback.

 

We have also problem with Windows Server 2012R2 and this hotfix is for Server2008r2.

[wind-e 1]

Installed hotfix from Microsoft as mentioned by @pesphil in post #12 over the weekend. Though it's only been a couple of days, so far so good. I will follow up 2 or 3 times over the next few weeks and post status. Hopefully this resolves the issue.

@czechoto, are you having the same issue on Server 2012 R2? Please keep up posted, thanks!

[tomha 3]

We had no freeze after disabling the protocol filtering. We did this 10 days ago, but had to restart the Server 2 times due to MS Updates. So we cannot confirm that disabling protocol filtering does the trick.

[czechoto 0]

@wind-e, yes I have this same problem on Server 2012 R2 and the logs and dump file were sent to Eset from server 2012R2.

 

Please wait 3-4 weeks to check if everything Is ok with your server.

 

I reinstalled EFS 6 on one of my server and everything was fine for 3 weeks, after 3 weeks I had this same issue again.

[wind-e 1]

Following up to post install of hotfix. It's been 3 weeks (21 days) and have not experienced hanging issue.

We plan on rebooting server tonight for unrelated reasons for the first time since hotfix was applied.

[Marcos 4,935]

We had no freeze after disabling the protocol filtering. We did this 10 days ago, but had to restart the Server 2 times due to MS Updates. So we cannot confirm that disabling protocol filtering does the trick.

 

Please make sure that protocol filtering is enabled after installing the above mentioned hotfixes from Microsoft. Protocol filtering is an important protection layer as it protects you also against otherwise unrecognized pieces of malware.

[tomha 3]

I Installed Hotfix KB2664888-v2, restarted the Server and reenabled protocol filtering. Time will tell.

[nloiselle 0]

I am also having this issue and just stumbled onto this thread.  I installed the Hotfix this morning, and will keep everyone here updated.

[deszynda 0]

We've installed hot fix KB2664888 on Server 2008R2 but it didn't help. After disabling bwColumbus (asked by polish ESET support) our print server is working for 17 days. Previous version of EFS - 4.5.12017 is working with Columbus without any issues. So the question is what to do to avoid conflict of EFS v 6.0.12035.0 with Columbus.exe?

[Marcos 4,935]

We've installed hot fix KB2664888 on Server 2008R2 but it didn't help. After disabling bwColumbus (asked by polish ESET support) our print server is working for 17 days. Previous version of EFS - 4.5.12017 is working with Columbus without any issues. So the question is what to do to avoid conflict of EFS v 6.0.12035.0 with Columbus.exe?

 

This is most likely a different issue. Is it a terminal server? If not, make sure that protocol filtering is not enabled.

[deszynda 0]

The biggest issues we met with our print and file servers. I would test it on print server. So you suggest to disable protocol filtering?

[tomha 3]

Short Update:

No freezes so far, after installing MS Hotfix.

Protocol filtering is enabled.