Era agent 6.2.11.0 causing computers to freeze

[rrichglow 0]

We are still getting lock ups on clients without the MS Hotfix installed, even after applying the change in the updated KB hxxp://support.eset.com/kb3668/ 

 

We use the appliance, stopped service, copied the .SO file and restarted service.  Still have lockups.  FYI

Edited November 10, 2015 by rrichglow

[dlaporte 14]

BUMP

 

Please update if you find that you didn't install the .dll correctly

Thanks for posting!!

[Marcos 4,718]

We are still getting lock ups on clients without the MS Hotfix installed, even after applying the change in the updated KB hxxp://support.eset.com/kb3668/ 

 

We use the appliance, stopped service, copied the .SO file and restarted service.  Still have lockups.  FYI

 

Does temporarily disabling protocol filtering in Endpoint make the issue go away? If so, does installing the hotfix KB2664888 solve the issue? It is the only 100% solution to the issue as lockups can be caused virtually by any application that utilizes Windows Filtering Platform. The ERA hotfix has a certain performance improvement removed (duplex communication) that was found to catalyze the issue in WFP.

[rrichglow 0]

 

We are still getting lock ups on clients without the MS Hotfix installed, even after applying the change in the updated KB hxxp://support.eset.com/kb3668/ 

 

We use the appliance, stopped service, copied the .SO file and restarted service.  Still have lockups.  FYI

 

Does temporarily disabling protocol filtering in Endpoint make the issue go away? If so, does installing the hotfix KB2664888 solve the issue? It is the only 100% solution to the issue as lockups can be caused virtually by any application that utilizes Windows Filtering Platform. The ERA hotfix has a certain performance improvement removed (duplex communication) that was found to catalyze the issue in WFP.

 

I believe we've had a few clients where the hotfix is installed and the lockups were still occurring.  We definitely have a mixed environment going on now.  I'll continue to install MS Hotfix.

[Marcos 4,718]

If installing the hotfix doesn't help, please configure Windows to create complete memory dumps as per the instructions at hxxp://support.eset.com/kb380/ and manually create one when the system freezes. When done, compress the dump, upload it to a safe location and pm me the download link.

Complete memory dumps should reveal the actual cause of freezes or BSOD crashes.

Edited November 13, 2015 by Marcos
URL edited

[rrichglow 0]

If installing the hotfix doesn't help, please configure Windows to create complete memory dumps as per the instructions at hxxp://support.eset.com/kb380/ and manually create one when the system freezes. When done, compress the dump, upload it to a safe location and pm me the download link.

Complete memory dumps should reveal the actual cause of freezes or BSOD crashes.

So my machine is Windows 10 and it locks up, the MS Hotfix isn't compatible with Windows 10.   The article you sent me wasn't in English, but i found the English one. Do i initiate the manual crash while the computer is locked up?  I don't know if my computer takes any input.

[Tad2020 0]

Just wanted to add that we are also having these problems. We installed KB2664888 on 60 endpoints yesterday and already 2 have frozen again.

 

I'm highly disappointed, we just bought this less than 2 weeks ago and its crippling our business worse than the Crypowall infection that prompted the budget approval. A proper fix better be coming soon, the CEO is likely to force me to do a return on the licenses or do a charge-back as the product is unsuitable for use.

[Marcos 4,718]

So my machine is Windows 10 and it locks up, the MS Hotfix isn't compatible with Windows 10.   The article you sent me wasn't in English, but i found the English one. Do i initiate the manual crash while the computer is locked up?  I don't know if my computer takes any input.

 

Sorry for that, I've amended the link so that it points to the English version of the KB. You should be able to initiate a manual crash even if the computer is unresponsive. As for Windows 10, the bug was already fixed in Windows 8.1 so the problem must be caused by something else. We'll see from the dump if there's another problematic driver loaded or whatever is causing the issue.

[Marcos 4,718]

I'm highly disappointed, we just bought this less than 2 weeks ago and its crippling our business worse than the Crypowall infection that prompted the budget approval. A proper fix better be coming soon, the CEO is likely to force me to do a return on the licenses or do a charge-back as the product is unsuitable for use.

 

Please supply us with a complete memory dump as asked in my previous posts. There's no known bug on ESET's part that would be causing it; it's a bug in Microsoft Windows Filtering Platform that manifests on unpatched systems if ESET's agent or another application performs full-duplex communication or if application protocols are filtered in a specific manner by a 3rd party driver.

[davidpitt 4]

 

I'm highly disappointed, we just bought this less than 2 weeks ago and its crippling our business worse than the Crypowall infection that prompted the budget approval. A proper fix better be coming soon, the CEO is likely to force me to do a return on the licenses or do a charge-back as the product is unsuitable for use.

 

Please supply us with a complete memory dump as asked in my previous posts. There's no known bug on ESET's part that would be causing it; it's a bug in Microsoft Windows Filtering Platform that manifests on unpatched systems if ESET's agent or another application performs full-duplex communication or if application protocols are filtered in a specific manner by a 3rd party driver.

 

 

You can't say it's because of unpatched systems as the update hasn't been released to windows update! It's not common after installing software to check through microsofts thousands of unreleased hotfixes to see if one may apply to the software you are installing.

 

I still can't comprehend the fact you are releasing software that you know will cause systems to freeze. When this software was in the alpha/beta stages in your lab and you discovered this bug did you not think this was going to be a big problem, having all your customers install a hotfix before installing your software? Why not include the hotfix in your software or if you can't do that modify the installer so that it checks for this hotfix and warns the uesr to go get it themselves before installing or update the documentation or have a warning on the download page.... something.... anything would've been better than how you've handled this mess so far!

 

It doesn't take a genius to work out that if a customer of yours installs your software and their system freezes, it's you that they are going to mad at, not Microsoft!

Edited November 16, 2015 by davidpitt

[Marcos 4,718]

No, we didn't know that using a full-duplex communication to improve performance will start the bug in Windows Filtering Platform to manifest. And as I have explained, going back to half-duplex communication will not prevent other software from triggering the bug. The only 100% solution to prevent issues caused by the bug is to install the hotfix.

[Tad2020 0]

 

I'm highly disappointed, we just bought this less than 2 weeks ago and its crippling our business worse than the Crypowall infection that prompted the budget approval. A proper fix better be coming soon, the CEO is likely to force me to do a return on the licenses or do a charge-back as the product is unsuitable for use.

 

Please supply us with a complete memory dump as asked in my previous posts. There's no known bug on ESET's part that would be causing it; it's a bug in Microsoft Windows Filtering Platform that manifests on unpatched systems if ESET's agent or another application performs full-duplex communication or if application protocols are filtered in a specific manner by a 3rd party driver.

 

We are patched though. Memory dump has not be possible, either because it does not work or that the affected systems are rebooted by the user or their secretary before a dump can be attempted.

So far disabling protocol filtering via a policy has prevented any further incidents.

[Gonzalo Alvarez 66]

Hi @Tad2020,

 

"Confiscate" the computer by IT to fix the problem, and got the requested data.

[Tad2020 0]

Hi @Tad2020,

 

"Confiscate" the computer by IT to fix the problem, and got the requested data.

 

Well, its pretty much all 50+ of them doing it every 2 to 5 days till I disabled protocol filtering so even capturing one in the fault condition is difficult, and lol.

[Gonzalo Alvarez 66]

Hi,

 

I never thought was such number.

My guess was only a few from managers.

[Aguas de Córdoba 0]

Terrum: If you are running the hotfix from a network drive, try copying the hotfix to a local drive and run it from there. Only works to me in this way.

[HSW 9]

we solve this with a batch over gpo

 

@echo off
if exist \\SHARE\%computername%.txt GOTO EXIT

wmic qfe list | FIND /I "KB2664888" >> C:\eset\KB2664888.txt
>nul findstr /c:"KB2664888" C:\eset\KB2664888.txt && ( GOTO ENDE )
 
VER | find "Microsoft Windows [Version 6.0" > nul
IF %errorlevel% EQU 0 GOTO Vista
VER | find "Microsoft Windows [Version 6.1" > nul
IF %errorlevel% EQU 0 GOTO Win7
VER | find "Microsoft Windows [Version 6.2" > nul
IF %errorlevel% EQU 0 GOTO ENDE
VER | find "Microsoft Windows [Version 6.3" > nul
IF %errorlevel% EQU 0 GOTO ENDE
VER | find "Microsoft Windows [Version 10.0" > nul
IF %errorlevel% EQU 0 GOTO ENDE

:Vista
echo Vista
if exist %windir%\SysWOW64\cmd.exe goto update_64bit
echo Windows Hotfix KB2664888 32bit fuer ESET wird installiert
wusa.exe \\SHARE\Windows6.0-KB2664888-x86-(Vista).msu /quiet /norestart
goto ENDE

:update_64bit
echo Windows Hotfix KB2664888 64bit fuer ESET wird installiert
wusa.exe \\SHARE\Windows6.0-KB2664888-x64-(Vista).msu /quiet /norestart
goto ENDE

:Win7
echo Win7
if exist %windir%\SysWOW64\cmd.exe goto update_64bit
echo Windows Hotfix KB2664888 32bit fuer ESET wird installiert
wusa.exe \\SHARE\Windows6.1-KB2664888-v2-x86-(Win7+2008).msu /quiet /norestart
goto ENDE

:update_64bit
echo Windows Hotfix KB2664888 64bit fuer ESET wird installiert
wusa.exe \\SHARE\Windows6.1-KB2664888-v2-x64-(Win7+2008).msu /quiet /norestart
goto ENDE

:ENDE
wmic qfe list | FIND /I "KB2664888" >> \\SHARE\%computername%.txt

:EXIT

[shathippens 0]

Hi, 

 

we have the same issue in our company. We have round about 250 clients with the latest version of ESET/ERA/Agent. But we're not using Windows Server 2008 R2 or Windows 7 on client side. We're using Windows Server 2012 R2 and Windows 8.1/10. But it seems that the bug is also present on these systems. Systems freezing randomly. All posted possible solutions didn't fix the problem. But downgrade to version 5 (Endpoint Antivirus) helped (or just remove ESET  ). But that couldn't be the solution. 

 

Someone else who has this problems with Windows 8.1/10?

[mikeygee 0]

 

You can push it from ERAS like 

"C:\Windows\system32\wusa.exe" "\\your\samba\share\kb2664888.msu" /quiet /norestart

Could someone please spell this out for me on how to do this in ERA version 6.2.171?    My IT manager doesn't want me poking around ERA unless I know what I'm doing. I would like to push this hotfix to about 100 computers, I'd rather do it in a day rather than a week or two. Should we upgrade to 6.3.12.0 first ??

Thanks!

[Bogdan Husdup 0]

I recommend you to upgrade first. On my side worked well after upgrade and computers without microsoft kb installed didn't freeze.