ekrn.exe crashing during in-depth scan / WIN 7 64bit

Discussion in 'ESET NOD32 Antivirus' started by vtol, May 1, 2010.

Thread Status:
Not open for further replies.
  1. vtol

    vtol Registered Member

    Joined:
    Apr 8, 2010
    Posts:
    774
    Location:
    just around the next corner
    so, is there a debug switch for NOD for creating a crash dump automatically or a debug version to achieve such?
     
  2. vtol

    vtol Registered Member

    Joined:
    Apr 8, 2010
    Posts:
    774
    Location:
    just around the next corner
    anyway, the crash dump is done now, check your pm
     
  3. vtol

    vtol Registered Member

    Joined:
    Apr 8, 2010
    Posts:
    774
    Location:
    just around the next corner
    so, I went through a bit of effort to get Eset the dump files, response = ZERO. Thank you very much!
     
  4. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,456
    The problem with egui crash should most likely be fixed in the next build. As for the problem with ekrn crashes, it couldn't be pinpointed. Since you suspected it might be connected to the recent builds of the antivirus and antispyware module, could you try installing v4.0 from the ESET's website without updating it to ensure that older modules are used and run a full scan to see if the scanner actually doesn't crash?
     
  5. vtol

    vtol Registered Member

    Joined:
    Apr 8, 2010
    Posts:
    774
    Location:
    just around the next corner
    really, as much as I wish to get rid of this matter, which though is a bit of a security concern in a way that it opens a window for malware to get by NOD when ekrn.exe is crashed, I have spent too much time already investigating this, incl. the inconclusive dump. for now I have switched off daily in-depth-scans. will be waiting for the next version of NOD and see whether it somehow cures it, if not I will switch to another product. Although I am certain that if not fixed it will occur on other machines too, sooner than later.
     
  6. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,456
    The problem with ekrn crashes was that something rewrote the memory used by ekrn but the dumps didn't reveal what application/driver it was. As for protection after a crash, ekrn will restart automatically so you'll continue to be protected.

    Maybe you could enable logging all files, run a full scan and, when the scan crashes, check the log for the last scanned file. At least this should help us figure out which folder contains problematic files. Also a log from SysInspector might reveal a problematic application/driver that is installed and might somehow affect the crash.
     
  7. vtol

    vtol Registered Member

    Joined:
    Apr 8, 2010
    Posts:
    774
    Location:
    just around the next corner
    that is correct as far as restarting, still there is a gap between crashing and restarting where NOD is out for a moment. Probably highly unlikely that it can be used by an attacker, yet the window of opportunity is there.

    below the log entry of the scanned iso when NOD choked and crashed, though I am not certain whether it is related at all, showing again:

    Fault Module Name: ntdll.dll
    Fault Module Version: 6.1.7600.16385

    downloaded the iso on april 22 2010

    btw - egui.exe crashed when I opened the 379,320,116 bytes log in NOD and tried to scroll whilst it was still loading the log. this time it did not restart automatically

    26-05-2010 16-27-25.png
     
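The suggestion two posts up is to log every scanned file and then read the last entry before the crash; the post above then reports that the GUI itself crashed trying to open a 379 MB log. As an added example (not ESET's code and not posted in the thread), this PowerShell function reads only the tail of an exported text log by seeking to the end of the file, so a multi-hundred-megabyte log never has to be loaded whole. The log path and its text encoding are assumptions for this example.

```powershell
# Added example; not ESET's code. Reads only the last few kilobytes of a very
# large scan log by seeking to the end of the file instead of loading it, then
# returns the last complete lines so the last file touched before ekrn.exe died
# can be read off. Log path and encoding are assumptions for this example.

function Get-LogTail {
    param(
        [Parameter(Mandatory=$true)][string]$Path,
        [int]$Lines = 20,
        [int]$TailBytes = 64KB,                                    # room for a few dozen long paths
        [System.Text.Encoding]$Encoding = [System.Text.Encoding]::UTF8
    )
    # FileShare ReadWrite so the file can still be read while the scanner appends to it.
    $fs = [System.IO.File]::Open($Path, 'Open', 'Read', 'ReadWrite')
    try {
        $toRead = [int][Math]::Min($TailBytes, $fs.Length)
        $fs.Seek(-$toRead, 'End') | Out-Null
        $buf  = New-Object byte[] $toRead
        $read = $fs.Read($buf, 0, $toRead)
        $text = $Encoding.GetString($buf, 0, $read)
    } finally {
        $fs.Close()
    }

    $all = $text -split "`r?`n"
    # The first chunk is almost certainly a partial line; drop it.
    if ($all.Count -gt 1) { $all = $all[1..($all.Count - 1)] }
    $all = @($all | Where-Object { $_ -ne '' })
    if ($all.Count -eq 0) { return @() }
    $start = [Math]::Max(0, $all.Count - $Lines)
    return $all[$start..($all.Count - 1)]
}

# Usage: last 20 entries of an exported in-depth scan log (path is an assumption).
# Get-LogTail -Path 'C:\Logs\indepth-scan.txt' -Lines 20
```

This only works on a log exported as text; the GUI's own log store is not a plain text file, so export it first. If the export is UTF-16, pass `-Encoding ([System.Text.Encoding]::Unicode)`.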
  8. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,456
    Where did you get Microsoft Desktop Optimization Pack 2010 from? On MS website, they have only MDOP 2009 R2 for Windows 7 available.

    Does excluding the ISO extension from scanning make a difference? (make sure to exclude it in the profile used for scanning)
    Maybe you could try moving that ISO on a USB stick for a while and then run a scan to see if it still crashes.
     
  9. vtol

    vtol Registered Member

    Joined:
    Apr 8, 2010
    Posts:
    774
    Location:
    just around the next corner
    26-05-2010 18-10-16.png
     
  10. vtol

    vtol Registered Member

    Joined:
    Apr 8, 2010
    Posts:
    774
    Location:
    just around the next corner
    moved it to usb, ran the scan, which also crashed. check your pm, packed you the dumps created by windows (hdmp/mdmp)

    looking into it reveals only as much as:

    This dump file has an exception of interest stored in it.
    The stored exception information can be accessed via .ecxr.
    (7c8.17ec): Access violation - code c0000005 (first/second chance not available)
    eax=00000000 ebx=00c9e178 ecx=00560000 edx=097f40a0 esi=00000002 edi=00000000
    eip=76f500fd esp=00c9e128 ebp=00c9e1c4 iopl=0 nv up ei pl nz na po nc
    cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00210202
    ntdll!NtWaitForMultipleObjects+0x15:
    76f500fd 83c404 add esp,4
     
    Last edited: May 26, 2010
  11. vtol

    vtol Registered Member

    Joined:
    Apr 8, 2010
    Posts:
    774
    Location:
    just around the next corner
    not fixed yet :(
     
  12. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,456
    As I wrote, something rewrote the memory used by ekrn and hence the scanner crashed. Still waiting for a dump created as follows that should reveal the culprit:
    1, with self-defense disabled, run ekrn_page_heap_on.reg
    2, restart the computer
    3, reproduce the crash
    4, run ekrn_page_heap_off.reg
     
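The four steps above rely on two .reg files that are not reproduced in the thread. As an added example (not ESET's files and not from the thread), this is what a page-heap on/off pair for ekrn.exe conventionally sets: the FLG_HEAP_PAGE_ALLOCS bit in GlobalFlag plus PageHeapFlags under the image's Image File Execution Options key, which is also what `gflags /p /enable ekrn.exe /full` from the Debugging Tools for Windows writes. The assumption that ESET's .reg files set exactly these values is mine; the key path and flag values are the documented Windows ones.

```powershell
# Added example, not ESET's .reg files (their contents are not shown on the page).
# Toggles full page heap for ekrn.exe through Image File Execution Options (IFEO).
# Run from an elevated PowerShell with ESET self-defense disabled, as the post says,
# then reboot so the service starts with the new flags.

$Image = 'ekrn.exe'
$Ifeo  = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\$Image"

# FLG_HEAP_PAGE_ALLOCS: every heap allocation gets its own guarded page, so a heap
# overrun or use-after-free faults at the offending instruction instead of silently
# corrupting memory that an unrelated call (here NtWaitForMultipleObjects) trips over later.
$FlgHeapPageAllocs = 0x02000000
# PageHeapFlags 0x3 = full page heap; 0x1 would be light page heap (cheaper, less precise).
$FullPageHeap = 0x3

function Enable-PageHeap {
    if (-not (Test-Path $Ifeo)) { New-Item -Path $Ifeo -Force | Out-Null }
    # Preserve any other GlobalFlag bits already set for the image.
    $current = (Get-ItemProperty -Path $Ifeo -Name GlobalFlag -ErrorAction SilentlyContinue).GlobalFlag
    if ($null -eq $current) { $current = 0 }
    Set-ItemProperty -Path $Ifeo -Name GlobalFlag    -Value ([int]$current -bor $FlgHeapPageAllocs) -Type DWord
    Set-ItemProperty -Path $Ifeo -Name PageHeapFlags -Value $FullPageHeap -Type DWord
    Write-Host "Page heap enabled for $Image. Reboot, reproduce the crash, then run Disable-PageHeap."
}

function Disable-PageHeap {
    if (-not (Test-Path $Ifeo)) { return }
    $current = (Get-ItemProperty -Path $Ifeo -Name GlobalFlag -ErrorAction SilentlyContinue).GlobalFlag
    if ($null -ne $current) {
        $remaining = [int]$current -band (-bnot $FlgHeapPageAllocs)
        if ($remaining -eq 0) { Remove-ItemProperty -Path $Ifeo -Name GlobalFlag }
        else { Set-ItemProperty -Path $Ifeo -Name GlobalFlag -Value $remaining -Type DWord }
    }
    Remove-ItemProperty -Path $Ifeo -Name PageHeapFlags -ErrorAction SilentlyContinue
    # Remove the key entirely if nothing else is left in it.
    if (@((Get-Item -Path $Ifeo).Property).Count -eq 0) { Remove-Item -Path $Ifeo }
    Write-Host "Page heap disabled for $Image. Reboot to return ekrn.exe to the normal heap."
}

function Show-PageHeapState {
    if (Test-Path $Ifeo) { Get-ItemProperty -Path $Ifeo | Select-Object GlobalFlag, PageHeapFlags }
    else { Write-Host "No IFEO key for $Image; page heap is off." }
}
```

Two practical caveats: full page heap multiplies the process's memory use and slows it noticeably, which on a three-hour in-depth scan is a real cost, so disable it as soon as one crash dump has been captured; and a dump taken with page heap on only points at the code that wrote out of bounds, it does not by itself prove whether that code is ESET's or a third-party module loaded into the process.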
  13. vtol

    vtol Registered Member

    Joined:
    Apr 8, 2010
    Posts:
    774
    Location:
    just around the next corner
    You also wrote
    Fact is that I supplied a couple of dumps, which Eset claimed were invaluable, despite the above statement (how was it then revealed from the dumps). There is no debug switch for ekrn.exe, nor does the application record its crashes. That all not being helpful. A full in-depth scan takes slightly more than 3 hours, during which time self-defence needs to be disabled, not a good thing at all. Notwithstanding the various reboots required pre and post and that the machine cannot be used much during the scan due to the system resources ekrn.exe is using.
     
    Last edited: Jun 6, 2010
  14. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,456
    The problem scanning the ISO has no connection to the crash, the error simply says that it couldn't be scanned internally. The problem scanning the ISO file could not be reproduced on ESET's end on various computers with the very same OS and installed version of EAV.

    As for the other part of the post, no vendors create their own tools for dumping the memory content. Microsoft provides an option for creating memory dumps from within the task manager or using userdump or procdump acquired from Sysinternals.
     
  15. vtol

    vtol Registered Member

    Joined:
    Apr 8, 2010
    Posts:
    774
    Location:
    just around the next corner
    quite interesting of why then it would attempt scanning ISO on my machine. maybe it is time for the lab computer to see the light of the real world environment.

    would recommend you do better research, unless you refer to AV vendors only, yet there are quite a few applications out there either having a debug switch or reporting into the windows logs with full details of the crash, memory exception or any other critical event. also you got such a developer version of NOD too, you mentioned that in another thread.

    task manager does not work for creating dumps exactly the moment the application is crashing, and that is the snapshot you want. the method we tried now several times, leaving my end frustrated every time you ask again for another dump. hence as mentioned earlier, either Eset gets it fixed latest with the next version (has to be soon though) or else the product gets dumped from all machines.
     
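The staff reply two posts up names the Microsoft options (Task Manager, userdump, ProcDump), and the reply above makes the fair point that a Task Manager dump is taken by hand and cannot catch the instant of the fault. Windows 7 has a built-in answer to the very first question in the thread, a switch that produces a crash dump automatically: the Windows Error Reporting LocalDumps key, which makes WER write a user-mode dump of the faulting process before it is torn down, so the auto-restart of ekrn.exe does not lose the evidence. The WER record later in this thread (APPCRASH, exception c0000005, "Report sent") shows WER already handling this crash, so LocalDumps would have produced a full dump of exactly that fault. The block below is an added example, not ESET's code or from the thread; the dump folder, dump count and the ProcDump location are assumptions chosen for it.

```powershell
# Added example, not from the thread or from ESET. Configures Windows Error Reporting
# (Windows Vista SP1 / Windows 7 and later) to write a full user-mode dump of ekrn.exe
# at the moment it faults. Folder, count and the ProcDump path are assumptions.

$Image      = 'ekrn.exe'
$DumpFolder = 'C:\CrashDumps'
$LocalDumps = 'HKLM:\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps'

function Enable-CrashDumps {
    # A per-application subkey overrides the LocalDumps defaults for that image only.
    $key = Join-Path $LocalDumps $Image
    if (-not (Test-Path $key))        { New-Item -Path $key -Force | Out-Null }
    if (-not (Test-Path $DumpFolder)) { New-Item -ItemType Directory -Path $DumpFolder | Out-Null }
    Set-ItemProperty -Path $key -Name DumpFolder -Value $DumpFolder -Type ExpandString
    Set-ItemProperty -Path $key -Name DumpCount  -Value 5 -Type DWord    # keep the last 5 dumps
    Set-ItemProperty -Path $key -Name DumpType   -Value 2 -Type DWord    # 2 = full dump, 1 = minidump
    Write-Host "WER will write full dumps of $Image to $DumpFolder on APPCRASH (named $Image.<pid>.dmp)."
}

function Disable-CrashDumps {
    $key = Join-Path $LocalDumps $Image
    if (Test-Path $key) { Remove-Item -Path $key -Recurse }
}

# Alternative with Sysinternals ProcDump already on the machine: attach to the running
# service and write a full dump when an unhandled exception occurs, i.e. at crash time
# rather than whenever someone happens to click "Create dump file" in Task Manager.
function Start-ProcDumpWatch {
    param([string]$ProcDump = 'C:\Tools\procdump.exe')   # assumed location
    if (-not (Test-Path $ProcDump)) { throw "ProcDump not found at $ProcDump" }
    $name = $Image -replace '\.exe$', ''
    # -ma: full memory dump; -e: dump on unhandled exception; last argument: output folder.
    # Leave this running in its own window for the whole duration of the scan.
    & $ProcDump -accepteula -ma -e $name $DumpFolder
}

# After a crash, pair the newest dump with the matching WER report when sending it in.
function Get-LatestCrashDump {
    Get-ChildItem -Path $DumpFolder -Filter '*.dmp' -ErrorAction SilentlyContinue |
        Sort-Object LastWriteTime -Descending | Select-Object -First 1
}
```

The dump folder must be writable by the account the service runs under (LocalSystem for a service, so the default ACL on a new folder under C:\ is fine). A full dump of a scanner mid-scan is large and takes seconds to write, during which the restart the staff describe is delayed; that is acceptable for a one-off capture but not something to leave enabled permanently. Note also that neither method replaces the page-heap step from earlier in the thread: a crash-time dump shows where ekrn.exe faulted, while page heap is what turns "something rewrote the memory" into a fault at the instruction that did the writing.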
  16. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,456
    As I wrote before, something is rewriting the kernel memory. Most likely we're not trying to pinpoint a bug in ESET but narrow it down to the application/driver that keeps rewriting the memory. I've provided you with instructions how to create a dump that would most likely reveal the culprit. Troubleshooting issues like this is not a matter of exchanging a few logs, it often requires creating various logs, memory dumps, etc. As for the developer version, it surely does not do anything like memory dumps, it's merely ecls.exe that shows debug info for scanned files.
     
  17. vtol

    vtol Registered Member

    Joined:
    Apr 8, 2010
    Posts:
    774
    Location:
    just around the next corner
    as this remains unsolved there is still the need for daily in-depth scan, thence wondering how the Eset online scanner compares to NOD in-depth scan, lacking capabilities, etc?
     
  18. vtol

    vtol Registered Member

    Joined:
    Apr 8, 2010
    Posts:
    774
    Location:
    just around the next corner
    nobody on how Eset online scanner compares to NOD in-depth scan, considering capabilities?
     
  19. martingh

    martingh Registered Member

    Joined:
    Aug 5, 2010
    Posts:
    1
    i think this particular problem with egui crash should most likely be fixed in the forthcoming build. Since you have suspected that it might be connected to the recent builds of the antivirus and antispyware module, i think you should try installing v4.0 from the ESET's website.
     
  20. vtol

    vtol Registered Member

    Joined:
    Apr 8, 2010
    Posts:
    774
    Location:
    just around the next corner
    it is not egui crash but ekrn...

    wonder why Eset staff is not responding to the question how Eset online scanner compares to NOD in-depth scan
     
  21. vtol

    vtol Registered Member

    Joined:
    Apr 8, 2010
    Posts:
    774
    Location:
    just around the next corner
    looks like Eset introduced a regression or a new bug within the past 48 hrs in the Virus signature database, causing again this sort of crash!

    the last full scan ran

    24/10/2010 02:15:11 Operating memory;C:\Boot sector;C:\;D:\Boot sector;D:\;E:\Boot sector;E:\;F:\Boot sector;F:\;G:\Boot sector;G:\ 2720305 0 0 Completed

    4.2.64.12

    Virus signature database: 5562 (20101025)
    Update module: 1031 (20091029)
    Antivirus and antispyware scanner module: 1290 (20101018)
    Advanced heuristics module: 1114 (20100827)
    Archive support module: 1122 (20100826)
    Cleaner module: 1048 (20091123)
    Anti-Stealth support module: 1022 (20100812)
    SysInspector module: 1217 (20100907)
    Self-defense support module : 1018 (20100812)
    Real-time file system protection module: 1004 (20100727)


    Source
    ESET Service

    Summary
    Stopped working

    Date
    26/10/2010 03:46

    Status
    Report sent

    Description
    Faulting Application Path: C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe

    Problem signature
    Problem Event Name: APPCRASH
    Application Name: ekrn.exe
    Application Version: 4.0.65535.0
    Application Timestamp: 4c89bf6e
    Fault Module Name: ntdll.dll
    Fault Module Version: 6.1.7600.16559
    Fault Module Timestamp: 4ba9b29c
    Exception Code: c0000005
    Exception Offset: 0002e25b
    OS Version: 6.1.7600.2.0.0.256.1
    Locale ID: 2057
    Additional Information 1: 0a9e
    Additional Information 2: 0a9e372d3b4ad19135b953a78882e789
    Additional Information 3: 0a9e
    Additional Information 4: 0a9e372d3b4ad19135b953a78882e789

    Extra information about the problem
    Bucket ID: 2156286533
     