Error - User rules file contains invalid data

[Palps 3]

Hi together,

 

we are currently updating all our clients and servers to the new ESET v6.

 

The client update went quite well, also the server update.

 

On some servers (e.g. Windows Server 2012 R2 Standard) we are getting the following error message after installing the new version (ESET File Security v6.3.12006.0).

According to the Logs the HIPS module is causing this issue. Regarding our Policy HIPS (v1222) should be disabled, but in the main screen it is shown as enabled and in the advanced settings shown as disabled (see attachments).

 

We did the following steps to update our servers (old version 4.5.12017):

1. Uninstall the old version

2. Restart server

3. Install Agent

4. Install ESET File Security v6.3.12006.0

 

Do you have any information about this error?

 

Thanks!

Edited April 28, 2016 by Palps

[Palps 3]

Any information on this topic?

I am still getting this warning.

[Gonzalo Alvarez 66]

Hi @Palps,

 

I found this topic from "Started by dab, May 27 2015 10:13 AM"

 

  https://forum.eset.com/topic/5019-hips-problem-on-windows-file-server/

 

Says is a bug, but is no news about it if was resolved or not.

Workaround seems to be goto 4.5 version.

[MichalJ 434]

HIPS will be disabled after a computer restart. Meaning, that if you set "disable HIPS" by policy, in the advanced settings, it won´t be applied, until the next restart of the computer. I would suggest to try to restart the computer, and re-check again, if the problem still persists.

[ztimity 0]

Sorry to resurrect an old post, but I am having the same exact issue described by OP and have been trying to resolve the issue unsuccessfully for over a month with ESET Business Phone Support Germany and have yet to get any response that would allow me to rectify this error with our client. We have sent the Log Collector over to support and each time I call I get the run around and am told that I will receive a call back, but have yet to in over a month and am unable to explain to our client why this error keeps popping up daily.

 

 

We have a client with around 15 Windows Server 2008R2 virtual machines, all with ESET File Security installed and configured through ERA and the shared local cache.

Initially we did a fresh install on all the servers using version 6.3.12004.0.

 

We received the HIPS error daily on three of the servers, the error pops up several seconds after the Volume Shadow Copy Service creates a snapshot on those local machines.

 

All the servers are production machines, but I can play around with one of the three and what I have done so far on that machine without any results:

 

1. Clean install of version 6.3.12006.0, and then again of version 6.3.12010.0. By clean install I mean rebooting the server into safe mode and then uninstalling ESET File Security, manually removing any left over folders created by ESET and doing a reboot in between the uninstall and install of a new version.

As soon as ESET is installed and up and running the error will pop up around 20-50 times right as ESET first starts.

 

2. HIPS is normally deactivated through the ERA policy, but we enabled HIPS as a test and set it to Training Mode, with a stop date in the future and left it like that for a week. Same error messages multiple times a day.

 

3. Deactivated HIPS once again. Same error message.

 

4. Various other HIPS settings, on/off, each with a reboot after the policy is applied.

 

 

 

 

 

[Marcos 5,071]

What value is set in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\BuildLabEx ? With HIPS enabled in the setup, are they able to kill egui.exe in the task manager? Also have them briefly go through all custom HIPS rules and make sure they all look ok and that there are no "user rules contain invalid data" entries. 

If they edit HIPS rules and save them, is an error reported? If they are not logged with full administrator rights, does logging as a user with full admin rights make a difference? Also please drop me a pm with the ticket number that you were assigned so that I can inquire about your case and possibly ask for the logs you have submitted.

[Palps 3]

Hi,

 

just for information, we are still getting this messages, but as it seems there is no bad impact on any server functionality, so we forgot about it because there are more important topics.

 

So until now every member who is accessing the servers just ignores the messages.

I know that this is not the preferred solution but up to now the less time consuming.

[ztimity 0]

Registry key values for our three servers:

 

• BNR (my test system) - ESET Version 6.3.12010.0 - "7601.23455.amd64fre.win7sp1_ldr.160516-0600"
• FS1 - ESET Version 6.3.12004.0 - "6002.19573.amd64fre.vistasp2_gdr.151230-0604"
• DAVID - ESET Version 6.3.12004.0 - "9600.18194.amd64fre.winblue_ltsb.160112-0600"

 

All of the bellow info is from the BNR Server:

 

With HIPS Off, our default policy, I was able to kill egui.exe through the taskmanager. I then enabled HIPS and set it to Automatic through ERA and did a server restart, I am then unable to kill egui.exe through the taskmanager with the Access Denied error popup.

 

I went through the HIPS Settings and looked at the rules section, both in ERA and on the server itself and they are both empty with no custom rules.

 

I was able to add a test HIPS rule within ESET directly on the server and delete the rule afterwards with no popups or any errors anywhere that I can see.

 

As far as I know, all Admins with access to these servers always log in with a user account that has full Administrator rights.

 

I will send you a PM right now with access to the logs and the ticket number.

 

Thank you for your help so far.

 

 

 

 

 

Edited July 22, 2016 by ztimity

[ztimity 0]

Phone support finally pulled through and fixed the problem for us on three seperate servers:

 

We had to change the update type from Regular to Pre-Release, let it update the HIPS module and then the messages went away.

After that we set the update type back to Regular and have been problem free for a week now.

 

[Palps 3]

Thank you for your information.

I checked our servers to do the steps you have mentioned above, but I couldn't find any HIPS message anymore. As it seems the issue has been resolved by itself.

In the meantime I updated the agent and client versions via our ERA server, maybe this has solved the problem.

[Orascu Vlad 1]

Hi together,

 

we are currently updating all our clients and servers to the new ESET v6.

 

The client update went quite well, also the server update.

 

On some servers (e.g. Windows Server 2012 R2 Standard) we are getting the following error message after installing the new version (ESET File Security v6.3.12006.0).

Error message.jpg

According to the Logs the HIPS module is causing this issue. Regarding our Policy HIPS (v1222) should be disabled, but in the main screen it is shown as enabled and in the advanced settings shown as disabled (see attachments).

 

We did the following steps to update our servers (old version 4.5.12017):

1. Uninstall the old version

2. Restart server

3. Install Agent

4. Install ESET File Security v6.3.12006.0

 

Do you have any information about this error?

 

Thanks!

I had the same issue. Repairing the client installation of AV was enough.

[david.ekstrom 0]

Seems this is still broken.  I'm getting in on server 2018r2 and 2012.  I tried the pre-release setting, but didn't work

[Marcos 5,071]

On 22. 6. 2017 at 4:37 PM, david.ekstrom said:

Seems this is still broken.  I'm getting in on server 2018r2 and 2012.  I tried the pre-release setting, but didn't work

Check process exclusions. A full path to executables must be entered, otherwise HIPS will report that error.

[david.ekstrom 0]

No go. I actually removed all the Rules and Process exclusions and it still thru the error.