ashley
Posted August 29, 2016 (edited)

Hello All,

I'm wondering if anyone has come across an issue with ESET Endpoint AV. Basically ever since migrating everyone over to Windows 10 Pro version 1511 from Windows 7 we found that upon occasion when a user logged out they received a black screen with a cursor. If you wait a number of minutes the login screen would return. This is a VERY intermittent issue but always seems to occur at the most inconvenient times of switching user. Obviously this is unusual and unwanted behavior.

PCs have latest available Windows Updates from August. I uninstalled and updated to the latest available ESET Endpoint 6.4.2014.0. Still problem persisted. I started to question my image or 3rd party software contained within. I even updated the display drivers to the latest available with no luck.

So to rule that out I created a Virtual Machine (using VMware) from a fresh ISO install of Windows 10 Pro version 1511. Windows Update performed. No other 3rd party software installed apart from VMware Tools and latest version of ESET Endpoint installed and rebooted. Funnily enough the problem still persisted.

After reading a post on the forums about a user having issues with HIPS I turned my attention to this. With self-defense disabled I could not replicate the issue. So turned it back on, enabled logging of HIPS and checked the logs. I noticed that some aspect of winlogon was being blocked which raised my suspicion...

And thus I created a rule for the following:

Rule Settings:
Rule Name - Allow Winlogon
Action - Allow
Operations affecting: Applications - Ticked
Enabled - Ticked

Source Applications:
C:\Windows\System32\csrss.exe
C:\Windows\System32\svchost.exe

Application Operations:
Terminated/suspends another application - Ticked
Modify state of another application - Ticked

Specific Applications:
C:\Windows\System32\winlogon.exe

Since adding this rule I no longer have this issue anymore.

Has anyone else experienced an issue like this? Is this a known bug in ESET Endpoint AV? I suspect that due to the intermittent nature of the problem and the fact that most people don't log out too frequently it is understandable it hasn't been picked up yet. I'm concerned that adding this rule may lower security in some way.

Thanks.

Edited August 29, 2016 by ashley

tomha
Posted August 29, 2016

I would like to confirm this behaviour. We never put this in relation with ESET security solutions but we can confirm seeing the black screen with mouse cursor only for minutes after logging off from Win 10. The black screen after logoff appeared at random (approx. 1 of 5 logoffs) on 20 PCs on 4 different networks of our customers. We never thought it's related to ESET software installed, we thought it's a Win 10 bug. Because this problem was evident when setting up the PCs and was never seen in daily use (Power-On - Logon - Power off) we didn't investigate further.

After reading your post I tried the following: At one customer location I set the exclusion rule at one computer and tried to log off on this PC and another without the exclusion set for 20 times. The PC with the exclusion set never showed the black screen after logoff, on the PC without the exclusion the black screen happened 4 times.

Congratulations on your findings.

kingoftheworld
Posted August 30, 2016

I would also like to confirm the issue you have been experiencing. I have been working with ESET support since May on the issue. Please open tickets as the more information they can gather should hopefully lead to a fix.

jimwillsher
Posted August 31, 2016

Interesting. We've never had this at log off but do frequently have it at log on. User enters username and password but then never sees the desktop. I, too, never made a link to ESET.

I'd be very careful about allowing svchost.exe though, as many viruses inject themselves into svchost.exe processes.

Jim

kingoftheworld
Posted September 8, 2016

Has anyone gotten anywhere with support on this issue?

ashley (Author)
Posted September 8, 2016

Hello kingoftheworld.

I have a ticket logged #182652. Actually they got back to me today and the developers have asked what the HIPS support module version is on affected PCs which I duly gave them (version 1244) so I'm now waiting on them. I have previously given them process monitor traces of when the problem actually occurs and asked them to replicate the issue.

May I ask where you are with your case and your case number, so I can get them to group it under the same issue? Thanks.

If anyone else has any case numbers feel free to post these too.

Ashley.

The PIT
Posted September 12, 2016

More a Microsoft bug than ESET. This fixes it for me. Sometimes simply waiting several minutes like boiling a kettle allows the login screen to be displayed.

This is a real shot in the dark, but try turning off Fast Startup... This feature only works when you do a SHUTDOWN and then Boot. It doesn't affect a RESTART.

To turn it off or on... Go to Control Panel... Power Options, and select Choose What the Power Buttons Do on the left. Then select Change Settings That are Currently Unavailable near the top center of screen... Lower down on the window, uncheck Fast Startup.

Of course when the OS updates this tends to get turned back on so the issue comes back. Never seen it with logging off though.

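The Fast Startup setting described in the post above can also be checked from PowerShell, which is useful for re-checking machines after an OS update. This is an added example, not part of the original post; the function name `Get-FastStartupState` is hypothetical, and it assumes the setting is stored in the `HiberbootEnabled` registry value.

```powershell
# Added example: report (and optionally turn off) Windows Fast Startup.
# Get-FastStartupState is a hypothetical helper name, not a built-in cmdlet.
function Get-FastStartupState {
    [CmdletBinding()]
    param(
        # Turn Fast Startup off if it is found enabled (needs an elevated session).
        [switch]$Disable
    )

    $key  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Power'
    $name = 'HiberbootEnabled'   # 1 = Fast Startup on, 0 = off

    # The value can be absent; report that as "not configured" ($null).
    $prop    = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
    $current = if ($null -ne $prop) { [int]$prop.$name } else { $null }

    $changed = $false
    if ($Disable -and $current -eq 1) {
        # Writing under HKLM fails without elevation, so check first.
        $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
        $principal = [Security.Principal.WindowsPrincipal]::new($identity)
        $isAdmin   = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
        if (-not $isAdmin) {
            throw 'Changing HiberbootEnabled requires an elevated PowerShell session.'
        }
        Set-ItemProperty -Path $key -Name $name -Value 0 -Type DWord
        $current = 0
        $changed = $true
    }

    # One object per machine, so results can be collected and compared.
    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        FastStartupEnabled = if ($null -eq $current) { $null } else { $current -eq 1 }
        ChangedThisRun     = $changed
    }
}

# Report only:
Get-FastStartupState
# Report and turn it off if an update switched it back on:
# Get-FastStartupState -Disable
```
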
kingoftheworld
Posted September 19, 2016

I have referenced your ticket number with my case, 1429979. I am currently awaiting a reply and will let you know what I hear.

kingoftheworld
Posted September 26, 2016

Has anyone else gotten anywhere with support?

elseten
Posted October 5, 2016

We have the same issue. Sometimes when logging off this happens. When switching account rather than logging out it always gives a black screen with me.

Any updates?

pic14
Posted October 10, 2016 (edited)

I have the same problem with ESET Smart Security ver. 9 and 8. 2 min. black screen at start up.

How can I create this rule in ESET Smart Security 9?

Edited October 10, 2016 by pic14

ashley (Author)
Posted October 11, 2016

Hi guys,

I can also confirm that I have seen it happen at start up too but not as often.

Just an update for you. ESET requested a memory dump which I have provided. They say that while they have had a few reports they haven't got the required level of information to try to resolve this as they haven't been able to reproduce this. I thought this was a bit strange as it was easily reproducible on a vanilla install of Windows 10 within a virtual machine. Anyway the developers have acknowledged receipt and I have been told they have raised this as a priority.

I urge anyone else that has this issue to report it to the ESET help desk and ask to link it to my ticket - 182652. The more reports they have about this the better...

Peter Randziak (ESET Moderators)
Posted October 11, 2016

Hello guys,

the issue should be fixed in HIPS support module: 1250. We will release the module gradually, please check if the issue persists after you receive this update. If yes, please let us know.

Regards, P.R.

pic14
Posted October 11, 2016

In addition to the two-minute black screen with the cursor, ESET is causing a very long shutdown of the computer; that is, the screen turns off and the computer takes a few minutes to turn off.

The same problems apply to: ESET Smart Security version 9 and 8, as well as ESET Nod32 version 9.

I hope these two problems will be resolved quickly.

Regards.

pic14
Posted October 13, 2016

HIPS module 1250 installed, now it's time for tests.

pic14
Posted October 25, 2016

Why did you change "HIPS module 1250" to "HIPS module 1247", what was the reason?

Marcos (Administrators)
Posted October 25, 2016

Do you actually have Endpoint v6 installed? It should download HIPS module 1252 while HIPS 1247 is currently available for Endpoint v5.

jimwillsher
Posted October 26, 2016

HIPS 1249 showing for me. Endpoint v6, and not using prerelease updates.

kingoftheworld
Posted October 26, 2016

Same here, not using pre-release either.

pic14
Posted October 26, 2016 (edited)

I use ESET Smart Security 9 and the problem returned after returning to the module HIPS 1247. HIPS module 1250 did not cause any problems in ESET Smart Security 9.

Edited October 26, 2016 by pic14

pic14
Posted October 26, 2016

HIPS module 1250 did not cause any problems. Please return module HIPS 1250 in ESET Smart Security 9.

Marcos (Administrators)
Posted October 27, 2016

You have posted in the Endpoint forum which is not intended for home users. Home users will receive HIPS module 1253 next week which will address this issue.

ashley (Author)
Posted October 27, 2016

16 days later and still on HIPS 1249... when is this coming??

Marcos (Administrators)
Posted October 27, 2016

V1250 was withdrawn 9 days ago. In the meantime, the issue has been fixed and v1253 will be released for home users next week.

ashley (Author)
Posted October 27, 2016

I am not a home user. When is it going to be released for ESET Endpoint?