IMON 2.7 ISA Microsoft Firewall Client Problems

[ittech]

We have been having all sorts of issues with IMON just recently at clients with

Windows XP SP3 + recent updates
Microsoft Firewall Client 2004/2006 (ISA Server)
NOD32 2.7 with IMON loaded (even disabled still has problem)


There are two issues we have identified, both cause crashes in rpcrt4.dll in the same memory offset, 0007c471

One is that computers will spontaneously have RPC crash and restart themselves, at random moments. We haven't tracked down exactly what RPC calls were being made that cause this. This is the "Generic Host Process for Win32 Services" window crash of svchost.exe that is similar to the old blaster worm problem, but this is not worm related.

Uninstalling the Microsoft ISA Firewall Client resolves the issue, but that is not the cause after many hours with Microsoft PSS. Also, we need the firewall client installed to support FTP applications and other programs' internet access through the ISA server.

The other problem is a crash in fxsclient.exe when running the Fax Console when connected to a network shared fax server (SBS Fax Services) This also can be resolved by removing the ISA Firewall client.

However, the only fix that allows you to keep the ISA firewall client installed is to completely unload IMON from the system and reboot. Simply disabling it you will still get the crashes.

We have updated our cfg files to not install IMON, and disable it, and then re-pushed to all the affected client machines. That was the only easy way we could find to fix this on 50+ computers.

I am also sending this note to eset support for their comments, but I wanted to post here in hopes it may help someone else.

[xTiNcTion]

In fact.. it's recommended you turn-off IMON! also exclude ISA/or any Databases folders from being scanned.

Remember... there's NO need to have IMON activated on a ISA Server.

regards!

[ittech]

Quote:

Originally Posted by xTiNcTion

In fact.. it's recommended you turn-off IMON! also exclude ISA/or any Databases folders from being scanned.

Remember... there's NO need to have IMON activated on a ISA Server.

regards!

It is off on the ISA server, In fact, NOD32 is not even on that machine. We're talking about the clients (winxp) , which all need the ISA firewall client installed on them to support all of ISA's features for monitoring, etc.

This is making end user computers spontaneously reboot, and it's very hard to track down why from the built in logs, etc.

[xTiNcTion]

are you using ESET NOD32 Antivirus 2.x, right? (worstations)

[ittech]

Quote:

Originally Posted by xTiNcTion

are you using ESET NOD32 Antivirus 2.x?

Yes, this is with the latest build of 2.70.39 I beleive.

We are skipping 3.0 hoping that the consistent problems we have with it will not occur in 4.0. (much slower than 2.x, random IO hangups, problems with compressed files, certain video files, emon crashing outlook, higher resource usage, etc) We wanted to use it but we would "upgrade" clients to 3.x and have all sorts of complaints over a month or so that all pointed back at 3.x, rolling back to 2.x has resolved all those little issues.

Oh and we use sharepoint/webdav folders frequently and 3.x is a nightmare with those unless IMON is completely unloaded as well.

[xTiNcTion]

Hi,

I understand. have you tried to exclude ISA-Client install/files ? that should fix any issues...

[ittech]

Quote:

Originally Posted by xTiNcTion

Hi,

have you tried to exclude ISA-Client install/files ? that should fix any issues...

The issue is not with the AMON module at all, it's the IMON module, exclusions do not apply there.

it's a conflict in the Winsock Layered Service Provider (LSP) stack with the imon.dll and the msfwclnt.dll where imon doesn't play nice. This is a relatively new problem though, everything had been fine for almost a year on 2.x with nothing other than definition updates and windows updates.

The fix would have to be technical and from ESET and I have support open with them for the past week on this, I just wanted to put this here in case others are having the same problem, it may show up in google search and so on.

[xTiNcTion]

hmmm... deactivating IMON should give us a light...

i suggest to send a "log" (sysinspector) to support at eset.com with a subject/link-back to this post.

SysInspector (32bit)
http://download.eset.com/download/sy...sInspector.exe

if you wanna me to take a look to your sysinspector log... just send a PM

We have clients running ESET NOD32 v2.x + ISA without any issues.

regards

[Chrissy Babes]

Ittech, are you absolutely sure of your facts? I have several customers running a combination of v2, v3 and the v4 beta, all running on SBS systems without fault using the MS Firewall client 2004. I myself am running v3 & v4 on an SBS 2003 system without issue.

You mention the msfwclnt.dll - can you tell me where this file is on your system?

Chris

[ittech]

Yes, in fact we just had this happen again at another completely separate client with 2.7 and ISA 2004, again one of the workstations just rebooting every so often with the svchost.exe rpcrt4.dll crash until IMON was unloaded.

It seems to be triggered by something else scanning the network or maybe connecting to the shared printer on this system but it's definitely a fault trace in IMON.dll that causes the msfwc to crash and take down svchost.

Haven't put V4 at this client yet but will do so soon and see if we can enable IMON again. Up until now it's been working just fine though. I think it's rare but does happen occasionally.

[Biscuit]

I am running ISA Firewall client on several customer systems & also my own SBS2003 system. All have Nod32 v2.7 running alongside the ISA client on the workstations. I have not seen the issue you are having.

Which version of the ISA client software are you using? Mine is v4.0 (build 4.0.3442.654).