NOD32 Antivirus suddenly started crashing Windows Small Biz Server 2008 R2

Discussion in 'ESET NOD32 Antivirus' started by darkmoebius, Apr 5, 2011.

Thread Status:
Not open for further replies.
  1. darkmoebius

    darkmoebius Registered Member

    Joined:
    Apr 5, 2011
    Posts:
    8
    Suddenly, on 3/31, our SBS Server 2008 R2 started to crash and reboot. Once on 3/30, 3/31, 4/1, 4/3, and 4/4. I have not been able to view the memory dumps on these yet. But, I disabled ESET and have not had another crash yet. My guess is that some update is causing conflicts.

    I have found a post on Microsoft's SBS Windows 2008 Server forum from someone else having the same problem.

    I'd appreciate any advice or insight into this problem because this server runs the company's DHCP/IP routing, ERP/CRM, and shipping software. When it goes down, the company comes to a screeching halt.

    NOD32 info:
    NOD32 AV version 4.2.67.10
    Virus signature database: 6017 (20110405)
    Update module: 1031 (20091029)
    Antivirus and antispyware scanner module: 1296 (20110301)
    Advanced heuristics module: 1115 (20101116)
    Archive support module: 1127 (20110314)
    Cleaner module: 1050 (20101207)
    Anti-Stealth support module: 1024 (20101227)
    SysInspector module: 1217 (20100907)
    Self-defense support module: 1018 (20100812)
    Real-time file system protection module: 1004 (20100727)

    Here's the server specs:
    OS Name Microsoft® Windows Server® 2008 Standard FE
    Version 6.0.6002 Service Pack 2 Build 6002
    Other OS Description Not Available
    OS Manufacturer Microsoft Corporation
    System Name T610
    System Manufacturer Dell Inc.
    System Model PowerEdge T610
    System Type x64-based PC
    Processor Intel(R) Xeon(R) CPU E5506 @ 2.13GHz, 2128 Mhz, 4 Core(s), 4 Logical Processor(s)
    BIOS Version/Date Dell Inc. 2.1.15, 9/2/2010
    SMBIOS Version 2.6
    Windows Directory C:\Windows
    System Directory C:\Windows\system32
    Boot Device \Device\HarddiskVolume1
    Hardware Abstraction Layer Version = "6.0.6002.18005"
    Installed Physical Memory (RAM) 12.0 GB
    Total Physical Memory 12.0 GB
    Available Physical Memory 6.75 GB
    Total Virtual Memory 24.0 GB
    Available Virtual Memory 17.3 GB
    Page File Space 12.3 GB
    Page File C:\pagefile.sys
     
  2. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    Hello,
    1. You're not using the latest version 4.2.71. Please install it to see if it makes a difference.
    2. You did not mention if you renamed the driver C:\Windows\System32\drivers\epfwwfpr.sys in Safe Mode to prevent a bug in the Microsoft Windows Filtering Platform from manifesting (it can cause crashes, lockups or other serious problems).
     
  3. darkmoebius

    darkmoebius Registered Member

    Joined:
    Apr 5, 2011
    Posts:
    8
    Thank you for the advice, Marcos. I had no idea a newer version was available for NOD32, I did an update and it said it had all the latest versions. I am downloading it now and will install right away.

    As for renaming epfwwfpr.sys, does it matter what it is renamed to? I will have to wait until after the company is closed to restart the server in Safe Mode. My only question about this is why didn't that file cause problems before? Everything was fine until mid last week.
     
  4. jimwillsher

    jimwillsher Registered Member

    Joined:
    Mar 4, 2009
    Posts:
    668
    Definitions and product version are completely different. You need to keep an eye on this forum for details of releases.

    No, you can rename that file to whatever you want. Windows will be unable to load it and will therefore not use filtering, so just rename it to something memorable.


    Jim
     
  5. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    I'd merely add that this won't be necessary with v5 : ) You'll see shortly.
     
  6. jimwillsher

    jimwillsher Registered Member

    Joined:
    Mar 4, 2009
    Posts:
    668
    Oooooohhhhhhhhhhh now that's a teaser :)
     
  7. darkmoebius

    darkmoebius Registered Member

    Joined:
    Apr 5, 2011
    Posts:
    8
    Ok, 24 hrs after upgrade to version 4.2.71, we've had no crashes or reboots. And, that is without renaming epfwwfpr.sys! I will hold off on that unless another crash happens.

    But, for right now, everything is back to hunky-dory.
     
  8. darkmoebius

    darkmoebius Registered Member

    Joined:
    Apr 5, 2011
    Posts:
    8
    Well, came back this morning to find out the server had crashed and rebooted again sometime this weekend. Made it through Thursday and Friday without any problem, though. Looks like I'll need to rename epfwwfpr.sys and see if that works.
     
  9. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    I'd suggest configuring the system to generate complete memory dumps. When a BSOD occurs, convey the dump to ESET or just let me know and I'll PM you further instructions. The dump should definitely reveal the source of the crash.
     
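    One way to carry out the complete-memory-dump setup suggested above, as an added example that is not code from the thread or from ESET. It uses the standard CrashControl registry values (CrashDumpEnabled 1 = complete, 2 = kernel, 3 = small), assumes the boot volume is C: and the page file lives there, and must run in an elevated PowerShell prompt; a reboot is needed afterwards.

    ```powershell
    # Added example (not from the thread): inspect the current crash-dump
    # configuration, check the page file is large enough, then enable complete dumps.
    $crashKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl'

    # CrashDumpEnabled: 0 = none, 1 = complete, 2 = kernel, 3 = small (minidump)
    $cfg = Get-ItemProperty -Path $crashKey
    "Current dump type : $($cfg.CrashDumpEnabled)"
    "Dump file         : $($cfg.DumpFile)"

    # A complete dump needs a page file on the boot volume of at least RAM + 1 MB.
    # Get-WmiObject is used (rather than Get-CimInstance) so this works on PowerShell 2.0.
    $ramMB = [math]::Ceiling((Get-WmiObject Win32_ComputerSystem).TotalPhysicalMemory / 1MB)
    $pf    = Get-WmiObject Win32_PageFileUsage | Where-Object { $_.Name -like 'C:\*' }   # assumes boot volume C:
    "Physical RAM (MB) : $ramMB"

    if ($pf -eq $null) {
        Write-Warning "No page file found on C:; a complete dump cannot be written without one on the boot volume."
    } elseif ($pf.AllocatedBaseSize -lt ($ramMB + 1)) {
        Write-Warning "Page file on C: is $($pf.AllocatedBaseSize) MB; raise its initial size to at least $($ramMB + 1) MB for a complete dump."
    } else {
        "Page file (MB)    : $($pf.AllocatedBaseSize) (sufficient)"
    }

    # Switch to complete dumps, keep the dump on the system drive, and let it overwrite the previous one.
    Set-ItemProperty -Path $crashKey -Name CrashDumpEnabled -Value 1 -Type DWord
    Set-ItemProperty -Path $crashKey -Name DumpFile -Value '%SystemRoot%\MEMORY.DMP' -Type ExpandString
    Set-ItemProperty -Path $crashKey -Name Overwrite -Value 1 -Type DWord
    "Complete memory dump enabled; the change takes effect after the next reboot."
    ```

    After the next crash, the resulting MEMORY.DMP is what the vendor's analysis would be run against.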
  10. darkmoebius

    darkmoebius Registered Member

    Joined:
    Apr 5, 2011
    Posts:
    8
    Thank you Marcos, I have been unable to read memory dumps for some reason, even though I have installed the Windows Server 2008 debugging package and symbol libraries. It is obviously an error on my part.

    Would it be ok if I just sent you the raw short dump file in a zip package? (I haven't checked to see how large it is, but will tomorrow)
     
  11. msav

    msav Registered Member

    Joined:
    Apr 15, 2011
    Posts:
    2
    I have had a similar issue.

    Brand new HP DL380 G7, 24 GB RAM, 1 Xeon E5620

    New install of Enterprise Server 2008 R2 SP1
    Exchange 2010 SP1 CAS, Hub Transport roles only.
    Symantec NetBackup
    ESET NOD32 4.2.71.2
    HP management programs and drivers.


    I have had all the memory swapped, the motherboard swapped, the CPU swapped, power backplane swapped through HP.

    I have a case opened with Microsoft.

    I have sent performance logs and countless proprietary HP reports in for review. Both HP and Microsoft have said they can find no issues.

    Microsoft gave me instructions to obtain a kernel dump, but they did not work since the server is completely non-responsive if I have HP Automatic Server Recovery turned off; with ASR on it just reboots the server in 10 min.

    I have just this morning disabled the WFP driver (renamed epfwwfpr.sys).

    The server has never gone longer than 30 hours without a reboot. However it has been known to reboot as often as 3 times in an hour.

    Any insight would be helpful.
     
  12. tanstaafl

    tanstaafl Registered Member

    Joined:
    Apr 8, 2005
    Posts:
    207
    4.x is *still* not ready for servers...

    My recommendation - uninstall 4.x, install the latest version of 3.x and be done with it...
     
  13. msav

    msav Registered Member

    Joined:
    Apr 15, 2011
    Posts:
    2
    Server has gone over 24 hours without an issue since renaming the WFP driver.


    Strange thing is, I have a Server 2008 R2 file server with NOD32 4.2.40.0 working great. However, there is no HTTP/POP3 traffic on that server.

    And it worked fine on my Exchange 2010 server until I flipped DNS to start using it as a Client Access Server, in essence started to use HTTPS connections to the server.

    The KB states that Microsoft is aware of the problem. Although when I told the Microsoft guy that, he had no knowledge of it. Could save them and their customers a lot of time diagnosing if they disclosed this info to their techs. He even asked me what antivirus I was using.

    In the end it was me finding this forum that helped me diagnose the problem after a week of going back and forth between HP and Microsoft.

    Mark
     
  14. darkmoebius

    darkmoebius Registered Member

    Joined:
    Apr 5, 2011
    Posts:
    8
    Renamed epfwwfpr.sys in Safe Mode, restarted normally, but Blue Screen of Death crashes still persist. So, I am keeping ESET disabled until we can find some solution.
     
  15. tanstaafl

    tanstaafl Registered Member

    Joined:
    Apr 8, 2005
    Posts:
    207
    I already told you the solution... uninstall 4.x, reboot TWICE, install latest 3.x, and get on with your life.

    :)
     
  16. darkmoebius

    darkmoebius Registered Member

    Joined:
    Apr 5, 2011
    Posts:
    8
    Yeah, thanks for the tip on that. But, we've only got 14 days left on our office-wide ESET subscription and have decided to simply shift to a new AV suite. 14 crashes in 6 weeks (would have been more, but disabled ESET for a period) of a mission-critical server is just too disruptive to company-wide performance. This server handles routing, ERP software, shipping, backups, etc. Reboots take 10-15 minutes, meanwhile nothing can be done around the warehouse.

    Disabling parts of the AV suite, or running outdated versions, to stop BSOD crashes runs counter to the purpose of having virus protection in the first place.
     
  17. RussBaker

    RussBaker Registered Member

    Joined:
    May 13, 2011
    Posts:
    1
    Same issue with SBS 2008 64 bit running Exchange. Other 2008 64 bit servers are happy with ESET. This one will run for hours or days between crashes. There's no pattern to it.

    I tried renaming epfwwfpr.sys, no joy. Excluded the Windows\system32 folder, no joy.

    So where does one get a copy of version 3.x of ESET 64-bit? I'm ready to try anything. Running a trial of BitDefender. When the ESET subscription is up, we may migrate to that or another platform.

    One server out of 6 is crashing, but it's also the PDC and causing major grief, as it takes 20 minutes to reboot.
     
  18. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    Do you have Self-defense disabled? If not, try disabling it and restart the server.
     
  19. DanneFr

    DanneFr Registered Member

    Joined:
    May 26, 2011
    Posts:
    1
    Hi,

    we have a similar problem.

    Four virtual servers, VMware ESXi 4.1, Exchange 2010 CAS/HUB.
    They freeze randomly; I can't log in, but the servers are still up. A reset is the only solution.
    The servers with the mailbox role don't have this problem.

    After we removed NOD32 from the servers they are all working as expected.

    Solutions apart from removing NOD32 completely?

    Regards,
    Dan
     