ESET with Agilent Software

Discussion in 'ESET NOD32 Antivirus' started by hybridit, Aug 19, 2012.

Thread Status:
Not open for further replies.
  1. hybridit

    hybridit Registered Member

    Joined:
    Mar 27, 2007
    Posts:
    18
    Just wondering if anyone can help me as I tried contacting Eset Australia, however they keep passing the info to Europe or send me the same email repetitively which just does not help the situation.

    ISSUE
    The client uses the following equipment: http://www.home.agilent.com/agilent/product.jspx?nid=-33831.912674.00&lc=eng&cc=AU

    It monitors RFID for a Biotech client we support and unfortunately this software is not readily available.

    When the system boots up with the software simultaneously - the WHOLE SYSTEM LOCKS UP. What I mean by locks up is that it is completely DEAD. Nothing can be done, no memory dump, NOTHING. Have to hard reboot the system.

    REPEATING the PROCESS
    The process is as follows:

    System boots, e5601b.exe starts (along with a host of others related to this software) and ekrn.exe kicks in

    Between the loading of E5601B and within 5 minutes of the software starting, it would just lock up the system and only a hard reboot could fix it.

    However if Eset is disabled/removed, the problem disappears. This occurs on another identical e5061 system.

    RESOLUTION UNDERTAKEN
    1. Tried attempting to get a Full Memory dump - FAILED and cannot proceed
    2. Removed NOD32 - works perfectly
    3. Added the folders and files into the "Do Not Scan" section - STILL Locks Up

    Eset installed: v4.2 Business Edition crashes
    - Tried to disable ALL scanning and failed
    * Real-Time
    * Web
    * Email
    * ThreatSense
    * Eset Services
    * pretty much disabled everything
    v5.2 Home Edition trial also did the same

    An email that I had sent to Eset which was passed on to the EU


    What I will term "crash" is the following scenario:
    * XP 32-bit Boots and loads
    * Eset NOD32 starts (ie. Logo shown)
    * Agilent Software automatically launches with startup (ie. Start, All Programs, Startup)
    * Time will vary from start of Agilent software to about 5 minutes with the following activity
    ** Doing nothing (ie. not launch or start any applications and letting the Agilent software and Eset load)
    ** Using the Agilent software
    ** Moving the mouse around
    ** Starting an Eset smart scan (this more than likely crashes the system immediately)
    * Any of the below can't be done when the whole system freezes
    ** CTRL+ALT+DEL does not work
    ** Forced Memory Dump crash
    ** Mouse & Keyboard do not respond

    When a crash occurred, we are unable to do anything other than to press and hold the power button until the whole system shuts down. No BSOD, no black screen, no rebooting, nothing, just what is last shown on the screen at the time it locked up. There are no memory dump files on the C:\ root location either and XP boots as if it never crashed or was forced shutdown.

    With regards to the following quote "The system loaded quickly before it crashed , I tried a smart scan which immediately crashed the system", this is when Agilent software launches, I can open the menu for Eset and start a scan, although by the time I start the scan, usually Agilent would have already started or processing last parts of itself before the application fully loads. This seemed to more than likely crash the whole system within seconds if not immediately.

    Back to the different scenarios, I have attempted to disable as many services as possible within Eset including:
    * Disabled Antivirus and antispyware protection
    * Disabled Anti-stealth technology
    * Disabled Self-defence
    * Disabled Real-time file and system protection
    * Disabled Email client protection
    * Disabled Web access protection
    * Disabled ThreatSense.net

    I have installed the Trial Home Edition without enabling ThreatSense and the results were the same.

    I cannot exactly determine if it's the OS or EKRN that has crashed as nothing responds. Where possible, I tried getting Task Manager to show the applications running, however ekrn.exe is usually between 2-5 in position and never at top apart from the initial startup before Agilent starts. Once Agilent starts, Agilent is usually on top of the list with its sub processes.

    I have added the following into the safe list:
    * C:\Programs and Files\Agilent
    * C:\Programs and Files\Agilent\E5061b.exe (this is the main exe)

    The results were the same.

    We had an Agilent engineer reinstall the core OS and image for the device that they ship out - I had reinstalled and the results were the same.

    We uninstalled Eset NOD32 and then did the same process of using the Agilent software - did not crash. We installed Microsoft Security Essentials to test if it is somewhat related to the Agilent software, system did not crash at all. Consistently with the removal of Eset NOD32 the system would not crash.
     
  2. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,456
    Does disabling HIPS or automatic real-time protection start, one at a time, followed by a computer restart make a difference? If not, what about renaming C:\Windows\System32\drivers\eamonm.sys or ehdrv.sys in safe mode? Does the issue occur with both v. 4.2 and Endpoint 5.0.2126 ?
    In order to examine the issue, we'll either need to reproduce it in our lab or get a complete memory dump from a crash initiated manually when the system locks up. Did you try to generate a crash manually as per the instructions here or here?
     
  3. hybridit

    hybridit Registered Member

    Joined:
    Mar 27, 2007
    Posts:
    18
    I have not tried disabling HIPS or the .SYS files - I must have missed HIPS and thank you, will try when the system becomes free next. I have tried disabling realtime and everything else one-by-one and rebooted, every reboot ended up with the same failure.

    I have not tried EndPoint v5, although did test it with the standard personal AV v5 as the OS is XP - it still failed.

    With producing a memory dump - it's just not possible. Even with the forced memory dump from MS. When it locks - literally nothing can be done. This was tested with PS2 and USB keyboards - both did not produce a memory dump and cannot do anything.

    If there are any other ideas, or if a SysInfo is required, I can provide these from my last scan.
     