NOD 32 seems to be causing freeze during boot


  • ESET Insiders

I've had a lot of boot failures lately with my Sony Laptop. It freezes right after I enter my Windows Login Credentials, and does not proceed to the desktop. The little round mouse pointer just sits there, and turns forever. Even when I do have a successful boot it almost always freezes for a while right before the desktop appears. It adds an additional 20-30 seconds to my boot time on average. Sometimes I have to boot once in safe mode to get it to boot again in normal mode. I believe it's NOD 32 causing this because when I uninstall NOD 32 I don't have that long pause that occurs before the desktop loads. I just had another boot failure, and I'm going to open a support ticket. I already have a Sysinspector log to send them. What other information will Eset need to troubleshoot this?

 

Thank You for your help,

Mike


  • Administrators

It's the HIPS and self-defense driver which may block certain operations. I'd expect some issues might occur during logon if you have LogMeIn installed for instance. You can rename the driver to ehdrv.sy_ or whatever you want.


  • ESET Insiders

I don't have Logmein installed. If I disable HIPS do you think that may be enough? I don't want to disable the Self Defense mechanism though since it would make it easier for Malware to disable NOD 32. I will try disabling HIPS, and see if that helps. If not I will rename ehdrv.sys as you have suggested. Sometimes I forgot NOD 32 has HIPS since it never asks me to allow or deny anything.

 

Thank You for your help!

Mike

Edited by cutting_edgetech

  • ESET Insiders

Btw.. In the past I have never been able to use Webroot Secure Anywhere with NOD 32 on this Laptop. It will not boot with both installed. I'm thinking now that maybe NOD 32's HIPS, or Self Defense was conflicting with WSA. Maybe even both. Do you have any recommended settings for NOD 32 to make it more compatible with security products like WSA?

Edited by cutting_edgetech

  • Former ESET Employees

Btw.. In the past I have never been able to use Webroot Secure Anywhere with NOD 32 on this Laptop. It will not boot with both installed. I'm thinking now that maybe NOD 32's HIPS, or Self Defense was conflicting with WSA. Maybe even both. Do you have any recommended settings for NOD 32 to make it more compatible with security products like WSA?

 

The conflict comes with the real-time scanners on both products. If two or more programs are trying to scan the same files at the same time, it is going to cause serious system issues. Usually this manifests during startup where the system either won't boot OR after startup, the system will lock up. This is why it's recommended to only run one program (i.e. antivirus software) that has a real-time scanner at a time.


  • Administrators

I don't have Logmein installed. If I disable HIPS do you think that may be enough? I don't want to disable the Self Defense mechanism though since it would make it easier for Malware to disable NOD 32. I will try disabling HIPS, and see if that helps. If not I will rename ehdrv.sys as you have suggested. Sometimes I forgot NOD 32 has HIPS since it never asks me to allow or deny anything.

 

Since we don't know whether it's HIPS or Self-defense causing the issue, try disabling each, one at a time. If that doesn't help, disable both. If that doesn't resolve the issue, try renaming the above-mentioned driver in safe mode. Note that this needs to be done in order to narrow the issue down; I don't suggest it as a permanent "solution" for the issue.


Guest Kingfisher

I've been having the same problem with a desktop PC for a few months now. The only real-time security software I run alongside Nod32 is Outpost Firewall Pro.

 

The freeze always occurs before the appearance of Nod32 Splash Screen. If the splash appears, the PC boots okay.

 

Earlier freezes also resulted in an item appearing in the Administrative Tools Event Viewer saying that the Eset service hung during startup. Recent freezes have not generated this event. I have contacted customer support about this and submitted a sysinspector log.

 

I've been a user of Nod32 - long the gold standard in AV software - as long as I can remember but this is the first time I feel the product is letting me down. Instead of securing my system, it's making it unstable.


  • Administrators

I've been a user of Nod32 - long the gold standard in AV software - as long as I can remember but this is the first time I feel the product is letting me down. Instead of securing my system, it's making it unstable.

 

There's no evidence that ESET is causing the freeze. Even if renaming the drivers (ehdrv.sys, eamonm.sys) in safe mode made a difference, it wouldn't necessarily mean ESET is the culprit. If the system freezes, please generate a complete memory dump and convey it to ESET for perusal. Based on the dump, we'll be able to tell if there's a problem with ESET's driver or if it's another driver / sw that you have installed which causes the issue.


  • 2 weeks later...

I've had a lot of boot failures lately with my Sony Laptop. It freezes right after I enter my Windows Login Credentials, and does not proceed to the desktop. The little round mouse pointer just sits there, and turns for ever. Even when I do have a successful boot it almost always freezes for a while right before the desktop appears. It adds an additional 20-30 seconds to my boot time on average.

I'm not the only one then! I've been having similar problems on a Lenovo 300N100 running W7 Pro 64-bit. Sits with the spinning circle on the desktop and goes no further. Obviously I cannot be absolutely certain of its cause but I tried disabling the ESET startup scan and I haven't had the problem since. It's not an ideal solution though.


  • Administrators

If you're able to reproduce the freeze, please configure Windows to generate complete memory dumps as per the instructions here and when a freeze occurs, use the appropriate key combination to create a memory dump. Of course, disabling startup scan tasks is not recommended as they serve as another protection layer and can detect potential newborn malware in memory.


  • 2 weeks later...

The only options I have here are Kernel memory dump or small memory dump - no "Full". What do I do?

 

However, another bit of evidence is that I have just upgraded NOD32 from v.5 to v.6 on another computer (Win 7 Ultimate 64-bit). With v.5, I had not experienced a single boot failure in the whole time of ownership (8 months).

 

In just three days with v.6 I have experienced four startup failures. What's going on?


Since writing the above, I've found a solution to the memory dumps issue at OSR Online:

 

"You'll need to bypass the dialog and manually modify the registry yourself, setting the \HKLM\System\CCS\Control\CrashControl\CrashDumpEnabled DWORD value to 1. By doing so you'll configure the O/S to generate a full memory dump on the next system crash and you'll even regain access to the complete memory dump option in the dialog."

 

However another possible aspect of my situation is that the three computers on which NOD32 is installed also run Malwarebytes at start. I have never had any conflict between the two over many years but I wonder if NOD32 v.6 has some sort of issue with it. To add to the information, the two computers with problems are 64-bit. My wife's 32-bit machine has had no similar issues with the same versions of NOD32 and Malwarebytes.

 

It also occurs to me that if Malwarebytes also does a startup scan, is there any need for NOD32 to do so as well, since disabling that temporarily in NOD32 did seem to cure the problem?

 

Regards

 

John


Thinking about a possible conflict between Malwarebytes and NOD32, I started by disabling MWB startup scan and rebooting. Disaster - it took some four attempts to reboot successfully. This HAS to be a problem with NOD32 surely? So where do I find this crash dump to send you? (And where do I send it?)

 

(Just a reminder that I NEVER had this issue with NOD32 v.5).


  • Administrators

Since you've mentioned having Malwarebytes installed, do you use the free or paid version? The driver used in the paid version is known to interfere with ESET under certain circumstances; I'd definitely try disabling MBAM's real-time protection to see if it makes a difference.

If you have a dump ready, compress it, upload it to a safe location and PM me the download link. If necessary, I can provide you with access to our ftp server.


@johngie

 

If you want to make sure that it is an ESET issue, or isn't an ESET issue, then you should uninstall Malwarebytes (not only disable) and then run ESET alone to see if you experience the same issue over and over. If the issues are gone, then ESET together with MBAM is the cause for your issues. Disabling one thing in either ESET or MBAM is not enough, as the drivers are still loaded.

 

So uninstall MBAM, check the issue and report back.


Thanks Marcos. However although I have set Windows to write dump files - they are not appearing (I expect to see them in the C:\Windows folder). I've even done a whole disk search for dmp files - nothing relevant to this anywhere. Can't think what I'm doing wrong - can you help? (I've set it not to delete previous files).

 

My Malwarebytes is indeed the paid version. It has co-existed happily with NOD32 for years in XP and, latterly in Windows 7 with NOD32 versions before v.6. The problem has only arisen since version 6 was installed (as an update over 5).

 

For the present I have disabled the startup scan in NOD32 and, so far, no more boot failures.


  • Administrators

Startup scans are essential as they can detect and clean new malware otherwise undetected by other protection modules. The question is whether disabling MBAM's real-time protection actually makes a difference or not.


Real time protection on 2 programs always has the chance of conflict.

Running 2 Anti-Virus programs is never recommended and the 2 will almost always conflict or crash or cause system errors.

Bear in mind Nod32 and SS are Anti-virus products (Eset staff, correct me if I'm wrong on this single statement)

However, Mbam considers itself an Anti-malware solution vs Anti-virus.

The databases of infected files and threats are of a high probability to be different in nature, signatures, and file activity.

 

See link from Mbam dated August 13th of 2013 :

hxxp://blog.malwarebytes.org/news/2013/08/malwarebytes-av-compatibility-report/

 

It would still be wise to create the dump file and/or export system event viewer (which may also give a clue to what service locked up), PM it to Marcos

disable Real-time on Malwarebytes, and see if any change,

because we haven't a clue to what programs are lurking about that may create new compatibility issues.

Please report the issue when resolution is found. :)


A bit more on this one! I've been in touch with ESET UK support and they too asked if I was running MBAM. That's now totally disabled, but I'm still getting boot failures. So I've spent some time booting, closing and re-booting Windows, running bootlog scans each time. When the boot-up fails, the last driver loaded is always epfwwfpr.sys which is an ESET driver file. (The next file that would be loaded normally would be peauth.sys). Significantly, it is a newer version in NOD32 V6 compared with V5. It's described as a personal firewall driver - since I'm not running ESET Smart Security I'm not sure what it actually does. It might also explain why I never had any issues when running V5 (or for that matter any earlier versions over many years), even with MBAM loaded. I'm hoping ESET will get back on this one, especially since I'm soon to renew my 4 PC licence and I now feel a bit uneasy about that.

 

Just to add to this, going back to the Wilders forum I see that this issue had been raised there too, with no obvious resolution by ESET. Come on guys, you are going to lose customers over this - me certainly. Version 6 has changed my Windows 7 computers from utterly reliable ones to being, at times, almost unusable.

 

Is there any possibility of making Version 5 available again until this is sorted out?

 

John

Edited by johngie

Guest Kingfisher

Since my previous post, I've been checking back here for progress and want to add a couple of points.

 

I thought about creating a memory dump but decided against because the problem has become less frequent (which is not to say it's gone). After originally being around 1 in every 10 boots, it's now around 1 in every 50 (yes, I have been keeping a log). So slowing down my boot for a memory dump feels like trying to catch lightning in a bottle.

 

However, in addition to the crash boots, I have seen a number of boots which look as if they are about to crash -- my windows display always appears solid rather than aero glass, the cursor is stuck in circle anim (wait) and the icons are blank; just the same appearance as when it crashes. And on every one of these delays, the boot is stuck until the Nod32 splash screen appears (later than normal).

 

Like another poster here, I too have been in touch with Eset UK support about the issue and they simply stopped replying to my emails.

 

I hope someone does provide a memory dump so that Eset can get to the bottom of the problem as I have little doubt that Nod32 is the culprit and would suggest the developers undertake some exploratory compatibility testing.


Since my previous post, I've been checking back here for progress and want to add a couple of points.

 

However, in addition to the crash boots, I have seen a number of boots which look as if they are about to crash -- my windows display always appears solid rather than aero glass, the cursor is stuck in circle anim (wait) and the icons are blank; just the same appearance as when it crashes. And on every one of these delays, the boot is stuck until the Nod32 splash screen appears (later than normal).

 

My symptoms are identical to yours - with a small proportion (about 10%) of boot-ups failing. This happens on two very different computers (an HP desktop and Lenovo laptop) with the common factor that both have 64-bit Windows 7 and NOD32 version 6. There were no problems with earlier versions of NOD32 on the same machines.

 

Have you done a succession of windows starts with boot logging enabled (as I have done)? This revealed (for me anyway) that the ESET file epfwwfpr.sys was the culprit - that's where the boot process "stuck" each time. That, to me, seems to prove fairly conclusively that Version 6 NOD32 is the culprit here. I accept that there could be other interactions but why only now after upgrading?

 

I have posed this to ESET UK but they haven't commented at all on the implication of epfwwfpr.sys - they just say to completely remove and then re-install version 6. If the issue is with this particular file how is that going to help?

 

I have a month left on my 4 computer license. Having used ESET products for over a decade with no previous problems then, with great regret,  I am going to change allegiance if they can't sort this issue out within that time. It's not the only product on the block - indeed some now seem to do rather better on protection performance.
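
The boot-log comparison described in the two posts above, sketched as an added example that is not part of the thread or of ESET's tooling: it splits ntbtlog.txt into logged boots and reports each boot whose log stops before the longest boot's does, together with the driver that boot loaded next. The sample log, its paths and `sample_skipped.sys` are constructed, and the header-line and UTF-16 handling are assumptions about the file's layout.

```python
import re

# Constructed sample (not from the thread's machines) in the layout of
# %SystemRoot%\ntbtlog.txt: three logged boots, the second one cut short.
SAMPLE_NTBTLOG = r"""Microsoft (R) Windows (R) Version 6.1 (Build 7601)
 9 14 2013 08:12:01.375
Loaded driver \SystemRoot\system32\ntoskrnl.exe
Did not load driver \SystemRoot\system32\drivers\sample_skipped.sys
Loaded driver \SystemRoot\system32\DRIVERS\epfwwfpr.sys
Loaded driver \SystemRoot\system32\drivers\peauth.sys
Microsoft (R) Windows (R) Version 6.1 (Build 7601)
 9 14 2013 08:20:44.120
Loaded driver \SystemRoot\system32\ntoskrnl.exe
Loaded driver \SystemRoot\system32\DRIVERS\epfwwfpr.sys
Microsoft (R) Windows (R) Version 6.1 (Build 7601)
 9 14 2013 08:31:09.802
Loaded driver \SystemRoot\system32\ntoskrnl.exe
Loaded driver \SystemRoot\system32\DRIVERS\epfwwfpr.sys
Loaded driver \SystemRoot\system32\drivers\peauth.sys
"""

SESSION = re.compile(r"^\s*Microsoft \(R\) Windows")
ENTRY = re.compile(r"^\s*(Loaded|Did not load) driver\s+(\S.*?)\s*$")

def decode_log(raw):
    """Decode the file's bytes: UTF-16 when a BOM is present, else UTF-8 (assumption)."""
    if raw[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return raw.decode("utf-16")
    return raw.decode("utf-8", errors="replace")

def parse_sessions(text):
    """Return one list per logged boot: base names of loaded drivers, in load order."""
    sessions = []
    for line in text.splitlines():
        if SESSION.match(line):
            sessions.append([])  # each header line starts a new boot
            continue
        m = ENTRY.match(line)
        if m and sessions and m.group(1) == "Loaded":
            sessions[-1].append(m.group(2).rsplit("\\", 1)[-1].lower())
    return sessions

def find_stalls(text):
    """Return (boot number, last driver logged, driver the longest boot loaded next)."""
    sessions = parse_sessions(text)
    reference = max(sessions, key=len, default=[])
    stalls = []
    for number, drivers in enumerate(sessions, start=1):
        if drivers and drivers[-1] in reference[:-1]:
            nxt = reference[reference.index(drivers[-1]) + 1]
            stalls.append((number, drivers[-1], nxt))
    return stalls

if __name__ == "__main__":
    for number, last, nxt in find_stalls(SAMPLE_NTBTLOG):
        print(f"boot {number}: log ends at {last}; reference boot loaded {nxt} next")
```

The last logged entry only marks where logging stopped, so it narrows the search rather than naming the faulty driver; the complete memory dump requested earlier in the thread is what settles that.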


Have you completely uninstalled MBAM (not only disabled), just to see if the issue is gone when MBAM is uninstalled. So we can rule out that ESET alone is not causing the issue.

 

 

Is there any possibility of making Version 5 available again until this is sorted out?

 

Earlier versions have always been available on the ESET website.

 

Should be on this link, but I can't check since no websites on eset.com are loading for me now for whatever reason :unsure: hxxp://www.eset.com/us/download/home/detail/family/2/

 

Though instead of going backwards to V5, you could try the V7 BETA that is out to see if it works better together with MBAM or not.

 

Also, don't take this wrong since I also recommend I like MBAM very much, but I fail to see how it is ESET's responsibility to make their software work correctly together with MBAM, when it is MBAM that states that they are compatible with other AVs, not ESET.

 

The most important thing is that ESET's software works great and does not cause any problems when used alone, but if users want to use ESET's product together with something else which may cause problems for various reasons, then don't blame ESET for being incompatible as ESET isn't designed to work together with another AV/AM in the first place. But sometimes it works anyway, many use ESET & MBAM Pro without issue, but it doesn't work for everyone all the time. And IMO it is kind of up to MBAM to make sure that they are compatible with (ESET in this case) when a new version is released, as it is MBAM that is the one of the two that is supposed to be the compatible one, not ESET.

 

In other words something like this....

ESET releases V5 MBAM is compatible

ESET releases V6 MBAM is incompatible, but it is up to MBAM to make sure they get compatible once again.

ESET releases V7 and the story goes on....

Or vice versa -> MBAM releases a new version (with some changes in the Real-time module) which makes it incompatible with ESET and/or other AV's, it can be this way too.

 

Bottom line is ESET's software changes, and so does MBAM so it's literally impossible to be compatible all the time.

 

Some will agree some will disagree fully understandable  :)

Edited by SweX

This topic is now closed to further replies.