ekrn.exe memory issue - RPC crashes

Discussion in 'ESET NOD32 Antivirus' started by NodyNewbie, Jan 3, 2011.

Thread Status:
Not open for further replies.
  1. NodyNewbie

    NodyNewbie Registered Member

    Joined:
    Apr 22, 2008
    Posts:
    10
    I am having an issue with my Terminal Servers (Win 2003 R2 ENT SP2). I will get event ID 1219 for Winlogon and no one can log on to the server. Right before that happens I will get the following error messages:

    EKRN.EXE the instruction 0x77e61689 reference memory 0x003c2bb0. the memory cannot be written. I have to reboot the server to clear out everything but it will hang again.

    Anyone else having this issue?

    NOD32 version 3.0.650.0
    Def version 5756
     
  2. dmaasland

    dmaasland Registered Member

    Joined:
    Nov 10, 2010
    Posts:
    468
    Please generate a procdump file of the EKRN process by disabling Anti Stealth and self defense in the ESET Software. Reboot and do the following:


    Creating Procdump:

    1. Deactivate self-defense and anti-stealth
    2. Create the dump with the Procdump utility: http://technet.microsoft.com/en-us/sysinternals/dd996900 ; the correct command is as follows:

    procdump.exe -e -ma ekrn.exe

    Send this to ESET support.
     
  3. mahonri

    mahonri Registered Member

    Joined:
    Jan 3, 2011
    Posts:
    4
    We are seeing similar behavior on our Win2k3 terminal servers.

    NOD32 v 4.2.64.12
    Definitions 5756

    I will create a procdump and send it to support as well.
     
  4. NodyNewbie

    NodyNewbie Registered Member

    Joined:
    Apr 22, 2008
    Posts:
    10
    I uninstalled NOD on one of the servers and disabled it on the other 2 with issues and we are "fine" so far. This needs to be fixed ASAP.
     
  5. mahonri

    mahonri Registered Member

    Joined:
    Jan 3, 2011
    Posts:
    4
    We have three terminal servers:
    On two we have disabled the email protection (because end users complained of difficulty there first) and they seem to be running fine right now.
    On the third we have followed dmaasland's suggestion and are adding users back onto it now. Unfortunately, we will have to reproduce the symptom to provide the dump. :doubt:

    I'll post any results.
     
  6. tommycat1313

    tommycat1313 Registered Member

    Joined:
    Sep 2, 2010
    Posts:
    8
    Same problem here. Two terminal servers down with the same problem. This is the second time in 6 months an update has caused this, and my boss is quite ready to fire ESET altogether.
     
  7. tommycat1313

    tommycat1313 Registered Member

    Joined:
    Sep 2, 2010
    Posts:
    8
    If it helps any, I have other servers (not terminal servers) that are stuck on update 5735 from 12/27
     
    Last edited: Jan 3, 2011
  8. Tahlequawesome

    Tahlequawesome Registered Member

    Joined:
    Jan 29, 2010
    Posts:
    4
    +5 downed TS2003 boxen here. 3 x 32bit, 2 x 64bit.
     
  9. tommycat1313

    tommycat1313 Registered Member

    Joined:
    Sep 2, 2010
    Posts:
    8
    Problem persists with update 5757...I'll try and get the dump info
     
  10. tommycat1313

    tommycat1313 Registered Member

    Joined:
    Sep 2, 2010
    Posts:
    8
    Can't get the report. It's locking up the machine similar to what was happening back in September....can't even get a command window open.

    2003 r2 with all win updates.
     
  11. tommycat1313

    tommycat1313 Registered Member

    Joined:
    Sep 2, 2010
    Posts:
    8
    Adieu ESET. I'm uninstalling and won't be re-installing or renewing. Can't let this tool kill any more productivity here.

    Good luck all, and good bye.
     
  12. metro_ty

    metro_ty Registered Member

    Joined:
    Jan 3, 2011
    Posts:
    1
    Location:
    Seattle, WA
    I too have the same issue (or similar) on a Windows Server 2003 terminal server.

    ESET NOD32 antivirus v. 3.0.695.0
    Virus signature database: 5757 (20110103)
    Update module: 1031 (20091029)
    Antivirus and antispyware scanner module: 1293 (20101110)
    Advanced heuristics module: 1115 (20101116)
    Archive support module: 1123 (20101108)
    Cleaner module: 1050 (20101207)
    Anti-Stealth support module: 1023 (20101125)

    Repeated errors in event viewer: Faulting Application ekrn.exe version 3.0.695.0, faulting module ntdll.dll, version 5.2.3790.4455, fault address 0x0001bd02

    I assume the issue is with the latest updates, similar to the thread: https://www.wilderssecurity.com/showthread.php?t=290050

    As this is a terminal server I don't have the ability to restart the machine several times during the day to collect dump reports and such. I can do it over the evening once users log out.

    I currently have ESET disabled in order to have a working environment for my users, which is not an ideal situation.

    I look forward to hearing about possible fixes!
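
The reports in this thread span several product versions, so a first triage step is to check whether the crash records from each server share the same faulting module and fault address. The sketch below is an added example, not part of the original posts or ESET's tooling; the host names and every sample message except the one quoted above are constructed, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Application Error text as Windows Server 2003 logs it. The comma after the
# application name is optional because the line quoted in the post omits it.
FAULT_RE = re.compile(
    r"Faulting application\s+(?P<app>[^\s,]+),?\s+version\s+(?P<app_ver>[\d.]+),\s*"
    r"faulting module\s+(?P<mod>[^\s,]+),\s*version\s+(?P<mod_ver>[\d.]+),\s*"
    r"fault address\s+(?P<addr>0x[0-9a-fA-F]+)", re.IGNORECASE)

def parse_fault(message):
    """Return the application, its version and the crash bucket, or None."""
    m = FAULT_RE.search(message)
    if m is None:
        return None
    bucket = (m["mod"].lower(), m["mod_ver"], int(m["addr"], 16))
    return {"app": m["app"].lower(), "app_ver": m["app_ver"], "bucket": bucket}

def bucket_crashes(events, app="ekrn.exe"):
    """Group (host, message) pairs for one application by faulting module and fault address."""
    buckets = defaultdict(lambda: {"hosts": set(), "app_versions": set()})
    for host, message in events:
        fault = parse_fault(message)
        if fault is None or fault["app"] != app:
            continue  # not a crash record, or another program's crash
        buckets[fault["bucket"]]["hosts"].add(host)
        buckets[fault["bucket"]]["app_versions"].add(fault["app_ver"])
    return dict(buckets)

# Constructed sample: only the TS01 message is the line quoted in the post;
# host names and the other three messages are made up for illustration.
SAMPLE_EVENTS = [
    ("TS01", "Faulting Application ekrn.exe version 3.0.695.0, faulting module ntdll.dll, "
             "version 5.2.3790.4455, fault address 0x0001bd02"),
    ("TS02", "Faulting application ekrn.exe, version 4.2.64.12, faulting module ntdll.dll, "
             "version 5.2.3790.4455, fault address 0x0001bd02."),
    ("TS03", "Faulting application otherapp.exe, version 1.0.0.0, faulting module ntdll.dll, "
             "version 5.2.3790.4455, fault address 0x0001bd02."),
    ("TS04", "Service started successfully."),
]

if __name__ == "__main__":
    for (mod, mod_ver, addr), seen in sorted(bucket_crashes(SAMPLE_EVENTS).items()):
        print(f"{mod} {mod_ver} +{addr:#010x}: hosts={sorted(seen['hosts'])} "
              f"product versions={sorted(seen['app_versions'])}")
```

A single bucket that covers several product versions is a hint that the fault lies in something those versions share, which is worth stating when the dump is sent to support.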
     
  13. mahonri

    mahonri Registered Member

    Joined:
    Jan 3, 2011
    Posts:
    4
    Note that we were able to function consistently after disabling email protection. We were happy not to have to disable the file and web modules.
     
  14. dmaasland

    dmaasland Registered Member

    Joined:
    Nov 10, 2010
    Posts:
    468