Era agent 6.2.11.0 causing computers to freeze

[rekun 43]

Hi

 

After having upgraded two different and unrelated customers to ERA Agent 6.2 using the Remote Administrator Component Upgrade task, the clients and servers are taking turns freezing and forcing us to do a hard reboot.

 

The issue happens about once a day for each client, and is very annoying. The issue appeared the same day as doing the ERA Agent upgrade.

 

This morning I have uninstalled the ERA agent from all computers, and we have had no issues afterwards.

 

Does anyone else have this issue, or have the Eset support heard of this?

 

 

[Marcos 5,074]

Please make sure these clients have the following hotfix installed: hxxp://support.eset.com/kb2567/

[davidpitt 4]

I had this same problem a few days ago after just updating the ERA to 6.2.171, called support and they had no reported cases of it before. I've had to uninstall Eset AV and Agent on one of the really badly affected machines which has stopped the freezing and I'm currently re-installing the client agent on the machines which seems to be working but only been a day or two so need more testing

 

This patch looks like it was released/updated on the 12th August, well before my call to support so disappointing I wasn't told about it

 

So I'm going to have to install this patch on all clients then for each of our customers?

Which version of Eset are affected, just the latest 6.2.171?

Will it be fixed by Eset/MS in future versions or will this patch be a permanent solution?

Edited September 11, 2015 by davidpitt

[vadim 1]

Please make sure these clients have the following hotfix installed: hxxp://support.eset.com/kb2567/

Marcos, there is another kb with newer version of netio.sys: https://support.microsoft.com/en-us/kb/2957189/

Maybe we should install this one?

[Marcos 5,074]

Maybe we should install this one?

What version of Windows do you have installed?

[vadim 1]

What version of Windows do you have installed?

Win 7 SP1

[FailedExpermient 0]

My client computers are having this issue now as well. I upgraded the components on my server only, and soon after I started getting calls about workstations freezing (windows 7 sp1 x64). Aside from a client side patch, is there anything I can do server side to prevent the crashing? I disabled the "eraserversvc" service in hopes that the freezing is caused when the clients connect to the server.

 

It will take some time to create, test and roll out that hotfix to all of the clients (since wsus doesn't support msu) and in the mean time I cannot continue to have random freezing PC's.

Edited September 11, 2015 by FailedExpermient

[Marcos 5,074]

 

What version of Windows do you have installed?

Win 7 SP1

 

 

Hard to say. Theoretically KB2957189 should include the fix as well but to be sure, I'd install KB2664888 and leave it installed for a couple of days to see if the issue goes away. Then install the newer hotfix.

[Marcos 5,074]

My client computers are having this issue now as well. I upgraded the components on my server only, and soon after I started getting calls about workstations freezing (windows 7 sp1 x64). Aside from a client side patch, is there anything I can do server side to prevent the crashing? I disabled the "eraserversvc" service in hopes that the freezing is caused when the clients connect to the server.

 

It will take some time to create, test and roll out that hotfix to all of the clients (since wsus doesn't support msu) and in the mean time I cannot continue to have random freezing PC's.

 

If the issue is caused by a bug in Windows Filtering Platform, disabling protocol filtering would prevent it from occurring. However, since protocol filtering is an important protection layer, I wouldn't recommend disabling it on systems where users browse the web or download email.

 

However, the OP wrote that the issue started after upgrading agent while my suggestion was for cases when the freezing is caused by a bug in Windows Filtering Platform which is usually the cause when a system becomes unresponsive.

[FailedExpermient 0]

Thanks Marcos. For now I've disabled the server, and the freezing on the clients has stopped. I'm not sure how to safely test if the hotfix works without exposing all my clients to the problem again, so hopefully others can reply to see if it worked for them.

Edited September 12, 2015 by FailedExpermient

[jimwillsher 65]

I'm a bit confused (it happens easily). The MS hotfix relates to WFP, which is used by the antivirus. Yet the OP says their issue is triggered by the agent. Surely the agent isn't doing much work, just polling ERA periodically and gathering the status of the endpoint?

 

We've not seen this on any of our systems but the OP says it affects two separate clients. Perhaps there's a software conflict with something else they are running?

 

Just my thoughts.....

 

 

Jim

[erothenberg 0]

We seem to be experiencing the same issue.  On Friday, we upgraded our ERA Virtual Appliance from 6.1.222 to 6.2.  I then deployed the agent through "ERA Components Upgrade" task and pushed it out to several endpoints.  While we have not had any reported freezes on endpoints running Windows 7/8/10, we have had at least 3-4 server VMS running Server 2008 R2 that have experienced high enough CPU spikes to freeze up the box causing a reboot.  When i rebooted the boxes and took a look at all the processes ERAAgent was at 0% - hardly a blip - however, the commonality between all the servers crashing is that it all began after the upgrade from 6.1 to 6.2.  Also, we have NOT upgraded the File Security Agent on any of these boxes.  Like the OP, I have gone ahead and uninstalled just the ERA 6.2 agent from these boxes and so far the incident has not repeated.  I will continue to monitor the situation.  Does anybody know if the MS patch above fixed their issue?

[davidpitt 4]

The issue does seem to be with the ERA Server as just updating the Remote Administrator alone causes freezing on the clients, even if those clients agents haven't been updated yet to the same  6.2.171 as the server

But stopping the clients talking back to the server by removing the client agent somehow fixes the freezing. Freezing still occurs if the client agent is updated to 6.2.171 also.

 

I can confirm the patch does work, I've installed it for two separate clients now over about 20 machines where 5 of them had problems and the freezing has gone away but it is not a solution.

[rekun 43]

Hi Macros

 

The issue is not with the endpoint protection, but only with the agent/remote administrator.

 

It seems that you have a major issue here, even if Microsoft is to blame. Your software should be able to run a fully updated system, without the need to install special hotfixes of any kind.

 

I have not had any issues before making the ERA/Agent upgrades.

 

We are experiencing this issue on all of our 2008 R2, Windows 7 computers. 

 

We have alot of of angry users becaurse of this with computer and serveres crashing all the time.

 

It seems to me, that is a big issue with quality control. Right now out computers are running unmanaged as that is the only way we can make our computers running stable.

 

The KB you mentioned says that this is fixed in Eset File Security, which we are using at out servers, but they were still crashing.

 

What is the official statement at Eset? That their product do not work without the mentioned hotfix? then this should be bundled with the installer, instead of having all your users computers crash several times a day.

[triamed 1]

I'm also experiencing this issue on all clients. Most of them freezes 1-5 times per day while others can make it 2-3 days before freezing. Going to remove the client agent until this issue is fixed.

Unbelievable how this can go through quality control as mentioned above.

[mfichera 2]

We are having this issue as well. There are 15 windows 7 computers with the new agent, and all of them experience freezing while being used. They also fail to wake from sleep.

[Marcos 5,074]

First of all, please make sure that KB2664888 is already installed when the issue occurs as agent may catalyze the bug in Windows Filtering Platform to manifest.

 

Should that make no difference, try temporarily disabling HIPS in Endpoint (a computer restart will be needed for the change to take effect).

If that makes no difference either, manually generate a complete memory dump when the issue occurs (see hxxp://support.eset.com/kb380/ for instructions).

[mfichera 2]

First of all, please make sure that KB2664888 is already installed when the issue occurs as agent may catalyze the bug in Windows Filtering Platform to manifest.

 

Should that make no difference, try temporarily disabling HIPS in Endpoint (a computer restart will be needed for the change to take effect).

If that makes no difference either, manually generate a complete memory dump when the issue occurs (see hxxp://support.eset.com/kb380/ for instructions).

 

I spoke to support, and they also recommended installing the above mentioned KB on Windows 7 and Server 2008 R2

[Bak 0]

Rolled out the agent yesterday, about half of the 140 desktops here are now freezing, this is just great.....

[Bogdan Husdup 0]

I have the same issue. I modified an agent policy and the computers freezed, hope that if I don't modify anything on policies the computers will not freeze anymore.

 

I installed yesterday https://support.microsoft.com/en-us/kb/2664888and looks like the issue is resolved but I'm not 100% sure.

 

Don't like this bug at all. I started to put this version of eset in production and surprise the computer are freezing.

 

Hope the issue will be resolved ASAP.

 

Thanks

[rekun 43]

Hi Macros/Eset

According to this Thread it seems that the hot fix does fix the issue, I have not tested it myself, as I can't make my paid customers beta test the product further, as they are angry enough already. however it is also not a suitable solution for us. We have a lot of customers running Eset, and I can not recommend them to download and install a request only hot fix that Microsoft says needs more testing, on all their computers and servers. Also I won't even think about the time required to do this. It is a lot easier to switch to another AV product, that actually do work.

I think that this is a very big issue, that Eset do not really care about. I think we can safely assume that this currently affecting several thousands of computers every day, with a lot of frustration and angry users. At the moment I would rather recommend users to run without antivirus, as this has a much lower chance of making their computers unusable, than running the current version of Eset. This is very bad.

This case is proof of bad quality control, and also shows that Eset does not really care about the users. If you did, you would have test the product better, maybe even with a beta version, and if the issue went unnoticed doing the beta, pulled the update and rereleased the old version until you fixed the issue.

A lot of things went wrong when you released version 6, buggy as it was, missing important features of the old version, and introducing much more complexity without any new important new features. And now it is just getting even worse.

Pointing fingers at Microsoft does not help at all. It may be their product having a bug, however every day you get more users running the new version, and all of them will experience this issue, and as reported by davidpitt even your own support is denying this issue. Also the old version 5/6 works without crashing the computers, and so does all other AV vendors, so it is clearly possible to work around the issue.

Can we atleast get Eset to admit that there is a bug, that are making their customers computers almost unusable?

[flycloud 3]

Hi Macros/Eset

According to this Thread it seems that the hot fix does fix the issue, I have not tested it myself, as I can't make my paid customers beta test the product further, as they are angry enough already. however it is also not a suitable solution for us. We have a lot of customers running Eset, and I can not recommend them to download and install a request only hot fix that Microsoft says needs more testing, on all their computers and servers. Also I won't even think about the time required to do this. It is a lot easier to switch to another AV product, that actually do work.

I think that this is a very big issue, that Eset do not really care about. I think we can safely assume that this currently affecting several thousands of computers every day, with a lot of frustration and angry users. At the moment I would rather recommend users to run without antivirus, as this has a much lower chance of making their computers unusable, than running the current version of Eset. This is very bad.

This case is proof of bad quality control, and also shows that Eset does not really care about the users. If you did, you would have test the product better, maybe even with a beta version, and if the issue went unnoticed doing the beta, pulled the update and rereleased the old version until you fixed the issue.

A lot of things went wrong when you released version 6, buggy as it was, missing important features of the old version, and introducing much more complexity without any new important new features. And now it is just getting even worse.

Pointing fingers at Microsoft does not help at all. It may be their product having a bug, however every day you get more users running the new version, and all of them will experience this issue, and as reported by davidpitt even your own support is denying this issue. Also the old version 5/6 works without crashing the computers, and so does all other AV vendors, so it is clearly possible to work around the issue.

Can we atleast get Eset to admit that there is a bug, that are making their customers computers almost unusable?

Hi Rekun:

 

I totally agree with you , as i do have same problems , but still can't find the solution,  customers complained everyday and blamed me to choose this unstable product version 6.

i did send email to ESET support , but have not get any feedback yet. 

[Marcos 5,074]

This hotfix is not related solely to Endpoint v6 or ERA v6. The bug in Windows Filtering Platform started to manifest with Endpoint v5 which was the first to take advantage of the modern Windows Filtering Platform. Personally I installed it more than a year ago when I first started experiencing freezes when connecting remotely to my computer. Any software utilizing Windows Filtering Platform for filtering application protocols would cause the bug in WFP to manifest without the hotfix installed.

[davidpitt 4]

So what you're saying is Eset causes this bug, (albeit a windows bug) but you knew about it a year ago with v5 and yet still haven't done anything about it or advised your customers to make sure the hot fix is installed before installing Eset or bundled the hot fix with your software.

 

So if this hot fix is essential why is there no notice on your website to install it alongside your software or no prerequisite check with the installer?

 

It's hardly a problem that's just affecting a few users either. Just on this forum alone the number of affected endpoints is in the hundreds already.

 

My personal experience is that this hot fix doesn't fix the problem in 100% of cases. I've had to disable HIPS too for some endpoints that were still freezing.

 

I did get a call back from Eset Support to say it is a global issue and it is being investigated so hopefully something will come from that.

[erothenberg 0]

Even after ripping out 6.2 Era Agent from all endpoints,  4-5 boxes are still freezing up randomly and we are STILL experiencing the issue even though 6.1.144 has been reinstalled.  We applied the MS Hotfix to  a Windows 2008 R2 box and a Windows 7 Pro x64 and have not seen an issue reoccur.  However, we have a number of Windows 2008 Server SP2 boxes, some of which experienced freezing/high CPU utilization, which aren't even running 6.2 anymore, they are running 6.1 and will still lock up randomly.  And NONE of these boxes had any sort of issues until 6.2 was installed.   Although, the hotfix mentions Windows 2008 Server, when running the hotfix it says "Not applicable to this Operating System".  The poster above me mentioned disabling HIPS helped.  Was this applicable to File Security or just Security Endpoint?

 

Anybody else still experiencing issues even after ripping 6.2 out?  For those running on Windows 2008 Server SP2, what did you do?

Edited September 29, 2015 by erothenberg