Intermittent Black screen with Cursor upon log off with Windows 10 (1511)


ashley

Hello All,


 


I'm wondering if anyone has come across an issue with ESET Endpoint AV. Basically ever since migrating everyone over to Windows 10 Pro version 1511 from Windows 7 we found that upon occasion when a user logged out they received a black screen with a cursor. If you wait a number of minutes the login screen would return. This is a VERY intermittent issue but always seems to occur at the most inconvenient times of switching user. Obviously this is unusual and unwanted behavior. 


 




 


PCs have latest available Windows Updates from August. I uninstalled and updated to the latest available ESET Endpoint 6.4.2014.0. Still problem persisted.


 


I started to question my image or 3rd party software contained within. I even updated the display drivers to the latest available with no luck.


 


So to rule that out I created a Virtual Machine (using VMware) from a fresh ISO install of Windows 10 Pro version 1511. Windows Update performed. No other 3rd party software installed apart from VMware Tools and latest version of ESET Endpoint installed and rebooted. Funnily enough the problem still persisted.


 


After reading a post on the forums about a user having issues with HIPS I turned my attention to this. With self-defense disabled I could not replicate the issue. So I turned it back on, enabled logging of HIPS and checked the logs. I noticed that some aspect of winlogon was being blocked which raised my suspicion...


 




 


And thus I created a rule for the following:

Rule Settings:
Rule Name - Allow Winlogon
Action - Allow
Operations affecting: Applications - Ticked
Enabled - Ticked

Source Applications:
C:\Windows\System32\csrss.exe
C:\Windows\System32\svchost.exe

Application Operations:
Terminate/suspend another application - Ticked
Modify state of another application - Ticked

Specific Applications:
C:\Windows\System32\winlogon.exe


 


Since adding this rule I no longer have this issue anymore. Has anyone else experienced an issue like this? Is this a known bug in ESET Endpoint AV? I suspect that due to the intermittent nature of the problem and the fact that most people don't log out too frequently it is understandable it hasn't been picked up yet. I'm concerned that adding this rule may lower security in some way.


 


Thanks.



I would like to confirm this behaviour.

 

We never put this in relation with ESET security solutions, but we can confirm seeing the black screen with mouse cursor only for minutes after logging off from Win 10. The black screen after logoff appeared at random (approx. 1 of 5 logoffs) on 20 PCs on 4 different networks of our customers.

We never thought it's related to the ESET software installed; we thought it's a Win 10 bug.

Because this problem was evident when setting up the PCs and was never seen in daily use (Power-On - Logon - Power off), we didn't investigate further.

After reading your post I tried the following: at one customer location I set the exclusion rule on one computer and tried to log off on this PC and another without the exclusion set 20 times.

The PC with the exclusion set never showed the black screen after logoff; on the PC without the exclusion the black screen happened 4 times.

Congratulations on your findings.

I would also like to confirm the issue you have been experiencing.  I have been working with ESET support since May on the issue.  Please open tickets as the more information they can gather should hopefully lead to a fix. 


Interesting. We've never had this at log off but do frequently have it at log on. User enters username and password but then never sees the desktop. I, too, never made a link to ESET.

 

I'd be very careful about allowing svchost.exe though, as many viruses inject themselves into svchost.exe processes.

 

 

Jim


  • 2 weeks later...

Hello kingoftheworld.

 

I have a ticket logged, #182652. Actually they got back to me today and the developers have asked what the HIPS support module version is on affected PCs, which I duly gave them (version 1244), so I'm now waiting on them. I have previously given them process monitor traces of when the problem actually occurs and asked them to replicate the issue. May I ask where you are with your case and your case number, so I can get them to group it under the same issue? Thanks.

 

If anyone else has any case numbers feel free to post these too.

 

Ashley.

 

 

 

 


More a Microsoft bug than ESET. This fixes it for me. Sometimes simply waiting several minutes, like boiling a kettle, allows the login screen to be displayed.

This is a real shot in the dark, but try turning off Fast Startup...

This feature only works when you do a SHUTDOWN and then boot.
It doesn't affect a RESTART.
To turn it off or on...

Go to Control Panel... Power Options, and select Choose What the Power Buttons Do on the left.
Then select Change Settings That are Currently Unavailable near the top center of the screen...
Lower down on the window, uncheck Fast Startup.

Of course, when the OS updates this tends to get turned back on, so the issue comes back.

 

Never seen it with logging off though.
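
For admins who need the Fast Startup setting described above to stay off after OS updates, the following is an added example (not part of the thread): a PowerShell script that reads and clears the `HiberbootEnabled` registry value behind that checkbox. It must run elevated; re-running it from a startup script or scheduled task is an assumed deployment choice, and the function names are hypothetical.

```powershell
# Added example: audit and turn off Fast Startup (hybrid boot) through the
# registry value that the Control Panel checkbox writes.
$PowerKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Power'
$ValueName = 'HiberbootEnabled'   # 1 = Fast Startup on, 0 = off

function Get-FastStartupState {
    # Returns 'Enabled', 'Disabled', or 'NotConfigured' when the value is absent.
    $prop = Get-ItemProperty -Path $PowerKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $prop) { return 'NotConfigured' }
    if ($prop.$ValueName -eq 0) { return 'Disabled' }
    return 'Enabled'
}

function Disable-FastStartup {
    # Writes 0 only when needed; returns $true if a change was made.
    # Supports -WhatIf so the change can be previewed on a fleet first.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    if ((Get-FastStartupState) -eq 'Disabled') { return $false }
    if ($PSCmdlet.ShouldProcess($PowerKey, "Set $ValueName to 0")) {
        Set-ItemProperty -Path $PowerKey -Name $ValueName -Value 0 -Type DWord
        return $true
    }
    return $false
}

# Report before/after so a log shows when an update switched the setting back on.
$before  = Get-FastStartupState
$changed = Disable-FastStartup
[pscustomobject]@{
    Computer = $env:COMPUTERNAME
    Before   = $before
    Changed  = $changed
    After    = Get-FastStartupState
}
```

A `Changed` value of `True` on a machine that was previously set to `Disabled` indicates the setting was re-enabled since the last run.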

I have referenced your ticket number with my case, 1429979.  I am currently awaiting a reply and will let you know what I hear.


  • 2 weeks later...

We have the same issue

Sometimes when logging off this happens.

When switching account rather than logging out it always gives a black screen with me.

 

Any updates?

I have the same problem with ESET Smart Security ver. 9 and 8: a 2 min. black screen at start up.

How can I create this rule in ESET Smart Security 9?


Hi Guys,

I can also confirm that I have seen it happen at start up too, but not as often.

Just an update for you. ESET requested a memory dump which I have provided. They say that while they have had a few reports they haven't got the required level of information to try to resolve this, as they haven't been able to reproduce this.

I thought this was a bit strange as it was easily reproducible on a vanilla install of Windows 10 within a virtual machine. Anyway, the developers have acknowledged receipt and I have been told they have raised this as a priority.

 

I urge anyone else that has this issue to report it to the ESET help desk and ask to link it to my ticket - 182652. The more reports they have about this the better...


  • ESET Moderators

Hello guys,

 

the issue should be fixed in HIPS support module: 1250.

We will release the module gradually, please check if the issue persists after you receive this update. If yes, please let us know.

 

Regards, P.R.

In addition to the two-minute black screen with the cursor, ESET is causing the computer to take a very long time to turn off; that is, the screen turns off and the computer turns off a few minutes later.

The same problems apply to: ESET Smart Security version 9 and 8, as well as ESET Nod32 version 9

I hope these two problems will be resolved quickly.

Regards.


  • 2 weeks later...
  • Administrators

Why did you change "HIPS module 1250" to "HIPS module 1247", what was the reason?

 

Do you actually have Endpoint v6 installed? It should download HIPS module 1252 while HIPS 1247 is currently available for Endpoint v5.


I use ESET Smart Security 9 and the problem returned after returning to the module HIPS 1247. :(

HIPS module 1250 did not cause any problems in ESET Smart Security 9.


  • Administrators

HIPS module in 1250 did not cause any problems. Please return module HIPS 1250 in ESET Smart Security 9

 

You have posted in the Endpoint forum which is not intended for home users. Home users will receive HIPS module 1253 next week which will address this issue.


  • Administrators

16 days later and still on HIPS 1249...when this is coming??

 

V1250 was withdrawn 9 days ago. In the meantime, the issue has been fixed and v1253 will be released for home users next week.

This topic is now closed to further replies.