How to temporarily stop the service "ESET Service" prior to software install?

I am trying to deploy some educational software at a school where ESET NOD32 BE 4.x is installed. The software installer displays a warning that the service named “ESET Service” needs to be stopped before installation can continue. I tried to manually stop the service from a command line using NET STOP “ESET Service”, but it reports the service cannot be stopped or paused. Likewise, if I go into Control Panel->Administrative Tools->Services, I cannot stop the service there either. I’m glad that it was designed so typical users (or malware) cannot stop the service, but we need a way to temporarily stop the service for some software installers. How can we do it?

Thanks,
-Mike

 

I don't see any reason why ESET's service would need to be stopped before installing software. What happens if you install the software in question with ESET fully running?

 

It fails to install. Since i did not write this other software, I have no idea why it thinks ESET Service might be a problem for it. BUT, I am sure you are well aware that almost all software vendors recommend shuting off antivirus programs before installing their software - that includes Microsoft. So WE NEED to be able to *temporarily* stop this service for situations like this. I am sure there will be other software packages in the future that will also run into this issue.

So, how do we admins do it?

 

Disable self-defense in all the machines, restart and try to stop the service again.

 

Thanks toninon, but I need a command line method (e.g. NET STOP "ESET Service") so that it can run inside a script we use to deploy software.

Maybe ESET has some special command line switches for NET STOP, or some other trick up their sleeves? Seems crazy to not provide a way for admins to be able to do this.

 

Self-defense is an important security feature. It is a goal of any antivirus vendor to protect security software from being tampered with or disabled completely by malware. That said, instead of disabling protection or shutting down all services, 3rd party vendors should work with antivirus vendors to make their software install and work fine without jeopardizing user's security.

In order to stop ESET's service, you'll need to disable Self-defense and restart the computer. On servers, disabling particular protections can be accomplished using Eshell in a secure way.

 

Hi Marcos - Can you tell me exactly how to do that? What is "self-defense". I am pretty new to ESET, so bear with me Once I disable whatever self-defense is and restart PC, can I then use a NET STOP "ESET Service" command to stop the service? I am assuming disabling self-defense does not stop the ESET Service?

 

Have you worked with Microsoft on this issue, as often one of the first recommendations they list is to disable AV software?

 

To disable Self-defense, open the main setup (F5), navigate to Computer -> HIPS and untick the "Enable HIPS" box. Then restart the computer.

Please provide the link to a page with this recommnedation.

 

Again, can you explain more as to what disabling self-defense actually does? Does is stop the service named "ESET Service", or would I still have to do that (e.g. NET STOP "ESET Service")?

 

Disabling Self-defense will enable you to stop the ESET service.

 

Off the top of my head I don't have specific Microsoft links. But in my 25 years of doing IT, I have definitely seen recommendations from Microsoft to disable AV before installing some patches or software.

If you've ever installed 3rd party programs, you'll see MANY of them suggesting to temporarily disable AV before installing their software, then reenable AV.

 

Since I have to install this 3rd party software on many PCs using scripts, can you tell me if there is a *programmatic* way to stop your ESET Service?

Or, can I make a policy change to disable Self Defense (SD) and let my ERAS handle disabling SD on the machines I need to install the 3rd party software on.

Having to restart the PCs after disabling SD is inconvenient, as it adds more time to the overall install process. It would be much better if I could just issue a simple command line in my script to disable the service, install the 3rd party software, then issue another command to restart the ESET Service.

By the way, the 3rd party software that want s ESET Service to be disabled is from SMART, a HUGE company that sells projectors, smartboards and software for schools and such. Their site is at http://smarttech.com.

 

Sorry to bother you Marcos, but this is a time critical project for me. If you have time, can you answer my last question about how to *programatically* stop the "ESET Service" service? Many thanks! - Mike

 

You can't without disabling self-defense. If you could, every virus/malware out there would render ESET useless. You can disable Self-Defense using a policy, but it will require a reboot of the computer to accompolish this.

 

That's too bad, as it really makes what should be a simple software deployment more of a hassle I think they shouldn't worry about malware shutting down the ESET Service, as I've seen plenty of malware get by ESET even with this security "feature". eg. Fake AV anybody?

 

Which AV software supports turning it off programatically? Although this may not be a problem for non-security software, this is not the case of security software that is supposed to protect users' computers. If you don't like Self-defense, simply disable it during installation, however, bear in mind that doing so will expose the computer at risk.

 

I was easily able to stop GFI's VIPRE from a script.

SUGGESTION: provide a password-protected command that allows us to shut down the ESET Service (does that in turn kill ekrn.exe and egui.exe?). You could use the same password that we define in our policies (e.g. same password we use to uninstall the software). That would keep that bad guys from being able to shut it down but allow us good guys to do our work.

 

It's not the Fake AV's that tries to shutdown the AV services Afaik. It's other types of malware.

 

Hi Marcos - following your advice below, I revised my ESET policy and disabled Self-Defense. I then totally uninstalled NOD32 off this Win7 PC, rebooted, then reinstalled NOD32, then rebooted again. I then tried issuing a NET STOP "ESET Service" from Command Prompt window and it reported the following error:
========================================
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.

C:\>net stop "ESET Service"
The requested pause, continue, or stop is not valid for this service.

More help is available by typing NET HELPMSG 2191.
========================================

So, why can't I stop this service even with Self-Defense disabled? I verified Self-Defense is disabled in the NOD32 client GUI (it is disabled/unchecked).

HELP - as I really need to be able to deploy some software to many computers, but the MSI installer fails *if* ESET Service is running. Maybe we can escalate this to a developer or other guru?
Thanks!
-Mike

 

Well, it's only possible to change the startup option for the ekrn service to Manual or Disabled. I, for one, don't see any reason for stopping the whole service which is the most crucial part of any antivirus software. Instead, disable real-time protection which is probably the only one that could theoretically cause some issues when installing software.

 

Why did you guys say that disabling Self-Defense would allow me to stop the service? The lack of docs even leaves you in the dark at times

The reason I need to be able to stop the service is because the particular software being installed displays a message that the ESET Service needs to be closed/stopped.

I have confirmed that if I disable NOD32's real-time protection, the installation works without a problem. BUT, THIS LEADS TO PRETTY MUCH THE SAME QUESTION: HOW DOES ONE *PROGRAMATICALLY* STOP REAL-TIME PROTECTION? I CANNOT REMOTE INTO EACH MACHINE AND MANUALLY DISABLE REAL-TIME PROTECTION BEFORE PUSHING MY SOFTWARE INSTALLATION.

So we're back to one of my earlier suggestions: provide a command line tool that can disable (and also enable) real-time protection. And to make it secure against malware, require the same password defined in the policy.

 

Everything has been answered already - the ESET kernel service cannot be stopped programatically for security reasons. ESET will never support options that will jeopardize security of the customers. If necessary, you have the option to disable particular protection modules.

 

In your prior answers you suggested the service COULD BE STOPPED if I disabled Self-Defense. I am telling you I tested that and it did NOT work. You need to update your info about Self-Defense, as it does not work the way you think...

Again, if I can manually disable real-time protection (with password protection based on a policy setting), WHY NOT ALLOW US TO PROGRAMATICALLY DISABLE REAL-TIME PROTECTION (AGAIN USING PASSWORD)? That would help us IT admins as well as keep the system secure?

You need to be in my shoes for a day and see what it's like to not be able to install software to hundreds of machines because ESET gets in the way. If you walked in my shoes, you'll fully appreciate what I am asking for...

 

Like you, I have always seen recommendations to disable antivirus software before installing new software. Most vendors state it.

I've not being doing IT for 25 years myself, closer to 22 years.

And....I have never once disabled any AV software to install a new program. Never. And all my 120 ESET users, who are local admins on their PC but do not have the password to tweak ESET settings, have happily installed many programs on their various PCs, with no issue.

If you are hitting problems installing this SmartTech stuff, then I think ESET is a total red herring, I think there will be another cause. ESET's never stopped me installing anything, from apps (Office, Photoshop), drivers (for scanners, fingerprint readers, printers), service packs etc.


Sure, it's "best practice" to disable AV. But I'm pretty sure - from my own experience - that it's completely unnecessary.

Just my view.....


Jim