This topic is now archived and is closed to further replies.

tc330

Problems with exclusion of files / folder in ESET smart security v.4.2.71.2


Hello,

 

we are currently upgrading many clients in our company to ESET smart security. On many types of clients the software is working as expected without any problems, if we exclude the main used related application.

 

But on one client type (with a special application) we see a strange issue if the real time protection is activated and the application is running. In this special case (ESET real time protection is activated & application is running) we got from time to time an error message (Cannot open the temporary file c:\Database\tempres.bin with error 32: The process cannot access the file because it is being used by another process.) from the application that it seems that this file is already used by another application.

In my point of view it can only be the ESET real time scanner, because if we deactivate ESET real time protection nothing similar happens anymore.

 

I try to exclude the mentioned files and also the whole directory where this file is located, but without success..!

 

It seems for me that the exclusion of ESET in this case is not working well..?!

 

Can somebody professional give me technical information how I can avoid such a behaviour.

 

 

Thanks in advance...!

Regards

TC330

 


I'd suggest installing the latest version of ESET Endpoint Security 5.0.2214 instead of an old version ESS BE 4.2 which also contains bugs fixed later in Endpoint v5.
If installing the latest version of EES doesn't help, try excluding the file c:\Database\tempres.bin or the whole folder c:\Database\*.* from scanning and let us know about the result.

 

If the clients you've mentioned don't have a business / Endpoint license purchased (typically for 5 and less computers), they could try installing the latest stable beta v7 downloadable from hxxp://www.eset.com/int/beta/v7 (at least just for a test) and see if it resolves the issue.


Hello,

 

exactly.., we don't have a business / endpoint license.

 

As additional info, in the past I also tried a version 5 of Eset smart security and also the mentioned exclusion on both older versions without success.

 

I will try your mentioned beta v7 version and also again with the exclusion, afterwards I will share the results in this thread!

 

Regards


tc330,

hxxp://technet.microsoft.com/en-us/sysinternals/bb896653.aspx

 

Try grabbing Process Explorer so you can tell what's holding that file. Link above ^^

 

Sysinternals package was developed by Mark Russinovich and it is a renowned suite of apps for Systems engineers.

 

That might help as well if the updated version gives you the same issue.


Hello,

 

the v7 beta version in evaluation mode is crashing during the first usage.., afterwards no configuration menu appears after the input of the password which was imported with an earlier configuration file from previous version (v4 or v5).

 

So this test wasn't successful...!

 

Afterwards I installed the latest official Eset smart security (v 6.0.316.0) and use it also in evaluation mode. This version is in principle working, so it's possible to change the configuration.

 

1. Does ESET have the same functionality in evaluation mode as after the activation?

 

 

The problem is that I still have my same problem also with exclusion of the tempres.bin and the whole database directory in this newer version 6.

 

2. Any further ideas...?

 

@Arakasi

 

I have tried this way for getting further information concerning that problem directly after the issue appeared some weeks ago. Except the client application I can't see anything else which also has this file in use during the exact point of time when the problem pops up.

 

Regards


Hello,

 

There is no difference in functionality between the evaluation and licensed versions of the software.

 

You may wish to contact ESET Luxembourg and obtain a temporary license for ESET Endpoint Security to use for testing purposes.

 

Regards,

 

Aryeh Goretsky

 

 

 


Hello,

 

I have tried in the meantime many ESET versions.

 

Is there a real chance to avoid the problem with the ESET Endpoint Security?

 

I'm currently more focussing to a solution with the existing version I have.

 

Regards

Thomas


tc330

 

 

You stated that you tried using exclusions to add the file, or possibly add the directory !

 

 

I try to exclude the mentioned files and also the whole directory where this file is located, but without success..!

 

 

However,

 

May I make a suggestion that might not have been attempted ?

 

Try adding exclusions for all .bin file types !! ?? !!

 

Here:

Setup > Advanced Setup > Computer > Antivirus&Antispyware > Real-time file system protection > Threatsense engine parameter setup > Setup button > Extensions

Add " BIN " files.

 

See attached.

 

Maybe THIS will help you going forward !! - Let us know if it works please !



Hello,

 

Do you have a current, valid license for ESET Smart Security Business Edition?  If so, the upgrade to ESET Endpoint Security is free.

 

Regards,

 

Aryeh Goretsky


Hi,

 

no we don't have a current license for ESET Smart Security Business Edition, only the normal ESET Smart security version.

 

I have also tried the last proposal from Arakasi on the old versions (v4 & v5) in the past, because this seemed for me also a logical way - without success!

Nevertheless I will make this test also again with the newest Smart security v6 and provide feedback when I have results.

 

Again my question if there is a real chance to avoid the problem with the ESET Endpoint Security?

Is there a difference between handling exclusions between both versions?

 

Regards

Thomas


A Process monitor log from a successful replication of the issue might shed more light. Once you have created the log, compress it, upload it to a safe location and pm me the download link.


Hello,

 

Exclusion handling is the same in both programs; I was just trying to make sure that you were on the latest build, as a standard troubleshooting technique.  As my colleague Marcos suggested, please send him a Process Monitor log, and we'll go from there.

 

Regards,

 

Aryeh Goretsky


Hello,

 

as I said I will 1.) test again Arakasi's proposal with the "bin" exclusion and I will use the latest official ESET smart security version (v 6.0.316.0). If there isn't any difference between exclusion handling of the mentioned versions, the standard troubleshooting technique is fulfilled and we should not waste time with this version issue.

 

Additionally I will 2.) create during this test (exclusion file and folder + exclusion "bin" extension) a Process monitor log and provide you these generated log files.

 

Till now many thanks for the feedback / help!

 

Regards

TC330


Hello,

 

the bin exclusion (point 1.) doesn't help also with the last ESET smart security version (v 6.0.316.0).

 

@Marcos

I have additionally created a process monitor log file (point 2.) and sent you the download link via private message.

The problem occurs at 15:20:25.059 and I'm wondering first why I don't see at this time anything from ESET (as process name) in the log file. The programmer of the mentioned client software told me, that I don't see something from ESET as process name because the ESET services are running and therefore the process name is "SYSTEM".

 

Are you an ESET programmer?

Is it the case that in such situations I only see in this "SYSTEM" properties from the process monitor log file some ESET services activations?

 

Regards

TC330


I have replied to your pm. As for Procmon logs, you'd see ekrn opening a file for scanning (CreateFile operation) if one is actually scanned. I didn't find any such records about the time the issue manifested.


Hello,

 

I have added a further detailed pdf in my download area..., please have a look.

 

Yes you are right, you don't see ekrn opening something at 15:20:25.059, but you see a "SYSTEM" event and when you open this system event you see some 4 ESET services running (epfw.sys, epfwtdi.sys, eamon.sys & epfwndis.sys). I don't know what they are doing and if they can be responsible for the problem.

 

The programmer of our client told us that there should be the problem and something is coming from the ESET services.

 

So that means in your point of view, that this opinion should be wrong?

 

If it is the case then I don't understand why we don't get this client software error message when ESET realtime protection is deactivated!

 

ESET must have something to do with this initial problem!

 

Nevertheless I will try your further proposal with the additional exclusion for C:\Documents and Settings\*.*, C:\WINDOWS\Temp\*.* and c:\*.*

 

:(  :(  :(

 

 

Regards


If disabling real-time protection actually helps, the only operations performed by real-time protection are those with ekrn.exe process. Other modules do not perform file operations and even network operations are performed by ekrn.exe. I have a long-time experience analyzing Procmon logs and various issues related to ESET products so I'm sure I'm not mistaken ;)


Hello,

 

ok.., I don't have so much experience with ESET and such failure analyze!

 

But please explain me why this client software error only appears when ESET smart security is installed and the real time scanner isn't deactivated?

 

Regards

Thomas


I've noticed that sharing violations occur on C:\Database\tempres.bin. Was the Procmon log created with v4, v5  or v6 installed? I assume you're using Windows XP, could you confirm? As for the issue with v7, could you try installing it again, now without importing settings from a previous version? If the problem persists, please create one more Procmon log with v7 installed. In that case, it'd be most likely a known issue of legacy drivers that could only be fixed in the minifilter driver used on Windows Vista and newer.


The current log files (download link sent to you via pm) were created with an ESET smart security version (v 6.0.316.0) on a Windows XP machine.

 

I will try your proposal with the v7 again.

 

To be sure you would like that I use again the beta v7 version, which you have posted in one of your answers?

 

Regards


Hello,

 

@Marcos

 

some explanation and a question from our client software programmer:

 

"For sure, there are two threads opening and writing to tempres.bin (from tester client software) while tests are running. Those two threads certainly do attempt to open the file at the same time on many occasions. Normally, this is allowed as both threads open tempres.bin with full share access mode. The file can be opened for writing and for reading by another process unless the other process requires an exclusive access. As both threads give full share access everything goes well.

 

Is it possible that ESET is somehow hijacking the CreateFile call and alters the file share mode effectively preventing the two threads from sharing tempres.bin?

 

The Process Monitor log shows such a CreateFile call at 15:20:25.0675796. The ShareMode shown in the properties is set to Read only. I double checked the source code and I can say the tester software never exclusively opens a file during production. "

 

 

Maybe it will help you for further investigations..?

 

Do you have access to an ESET programmer or are you an ESET programmer?

I don't know the escalation process in this ESET forum, maybe you can tell me how it will look like.

 

Regards


It's been confirmed by engineers that this issue cannot be fixed in the legacy driver used in Windows XP and older due to technical limitations of the operating system. Issues like this may occur if an application opens files in 2 or more threads for writing and ShareMode read,write. That said, the only solution is to use a newer operating system as keeping real-time protection disabled is not an option. Another solution would be to make the application open files for writing only in one thread in which case the sharing violation wouldn't occur.


So that means the ESET real time protection is blocking something, due to the fact that we use Windows XP (with technical limitations in this case) and our application handling files with 2 threads without having the mentioned ekrn access in the process monitoring log visible?

 

So also the proposal to try again with v7 doesn't make sense anymore?

 

Regards


You can try v7 but since Windows XP uses legacy drivers and does not support minifilters, it won't make any difference and the issue will occur also with v7. There are basically 2 options:

1, upgrade the operating system to a newer one with support for minifilters

2, make the application open files for writing only in one thread.

 

Making a change preventing the issue from occurring on Windows XP would cause the real-time scanner not to detect malicious files.

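As an added example (not code from the thread or from ESET), the Process Monitor check discussed above can be scripted: for each SHARING VIOLATION on the file, it lists the earlier, still-open CreateFile whose ShareMode lacks Write. The CSV rows, `tester.exe` and the timestamps are constructed, and Process Monitor's default export columns are assumed.

```python
import csv, io, re

# Constructed sample in Process Monitor's CSV export layout; not the poster's log.
# tester.exe and the timestamps are placeholders.
SAMPLE = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:00:01.0000000","tester.exe","1234","CreateFile","C:\Database\tempres.bin","SUCCESS","Desired Access: Generic Write, Read Attributes, Disposition: OpenIf, Options: Non-Directory File, Attributes: N, ShareMode: Read, Write, AllocationSize: 0"
"10:00:01.0000500","tester.exe","1234","CreateFile","C:\Database\tempres.bin","SUCCESS","Desired Access: Generic Write, Read Attributes, Disposition: OpenIf, Options: Non-Directory File, Attributes: N, ShareMode: Read, Write, AllocationSize: 0"
"10:00:01.0001000","tester.exe","1234","CloseFile","C:\Database\tempres.bin","SUCCESS",""
"10:00:01.0001500","tester.exe","1234","CloseFile","C:\Database\tempres.bin","SUCCESS",""
"10:00:02.0000000","tester.exe","1234","CreateFile","C:\Database\tempres.bin","SUCCESS","Desired Access: Generic Write, Read Attributes, Disposition: OpenIf, Options: Non-Directory File, Attributes: N, ShareMode: Read, AllocationSize: 0"
"10:00:02.0000500","tester.exe","1234","CreateFile","C:\Database\tempres.bin","SHARING VIOLATION","Desired Access: Generic Write, Read Attributes, Disposition: OpenIf, Options: Non-Directory File, Attributes: N, ShareMode: Read, Write, AllocationSize: 0"
'''

def field(detail, name):
    """Pull one 'Name: a, b' field out of Procmon's Detail column as a set."""
    m = re.search(name + r": (.*?)(?=, [A-Z][\w ]*: |$)", detail)
    return {v.strip() for v in m.group(1).split(",")} if m else set()

def explain_sharing_violations(csv_text, path):
    """Return (time, requester, blockers) for each SHARING VIOLATION on path."""
    open_handles, findings = [], []  # successful opens that are not yet closed
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Path"].lower() != path.lower():
            continue
        who = (row["Process Name"], row["PID"])
        if row["Operation"] == "CloseFile":
            # Assumption: no handle id in the export, so drop that process's oldest open.
            for h in open_handles:
                if h["who"] == who:
                    open_handles.remove(h)
                    break
        elif row["Operation"] == "CreateFile":
            share = field(row["Detail"], "ShareMode")
            wants_write = any("Write" in a for a in field(row["Detail"], "Desired Access"))
            if row["Result"] == "SUCCESS":
                open_handles.append({"who": who, "time": row["Time of Day"], "share": share})
            elif row["Result"] == "SHARING VIOLATION":
                # An existing open blocks a writer when its ShareMode lacks Write.
                blockers = [(h["time"], h["who"][0], sorted(h["share"]))
                            for h in open_handles if wants_write and "Write" not in h["share"]]
                findings.append((row["Time of Day"], who[0], blockers))
    return findings

if __name__ == "__main__":
    for finding in explain_sharing_violations(SAMPLE, r"C:\Database\tempres.bin"):
        print(finding)
```

On the constructed rows, the two early opens with `ShareMode: Read, Write` coexist, and the only violation is attributed to the later open recorded with `ShareMode: Read`.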

Hello,

 

I have to say thank you to all (especially to Marcos) who gave feedback and answers to my questions....!

Many thanks for your support..!

 

The issue is now clear, but not really satisfying because both options (upgrade operating system & change the client app) aren't realizable without much changes, costs and work.

 

Regards

TC330
