NOD32 locking up developers computer

Discussion in 'ESET NOD32 Antivirus' started by DSIM, Sep 21, 2012.

Thread Status:
Not open for further replies.
  1. DSIM

    DSIM Registered Member

    We are currently experiencing a couple systems locking up when our developers are testing the application. The only thing that I have been told is that "It's buggy and is locking up our development systems when they do rapid TCP socket connections."

    As of now they want to put a different A/V product on these machines but that doesn't solve any issues for me.... just a band-aid. Any ideas on which direction I should start looking for troubleshooting?
     
  2. Marcos

    Marcos Eset Staff Account

    ESET NOD32 Antivirus cannot affect anything other than HTTP/POP3 communication. Does disabling HTTP filtering or renaming C:\Windows\System32\drivers\epfwwfpr.sys in safe mode make a difference?
     
  3. DSIM

    DSIM Registered Member

    I added some exclusions for some specific applications and that seems to have helped a bit. I will test the methods you specified and get back to you.

    They think it's NOD because #1 it doesn't lock up with Microsoft Security Essentials and #2 one of our guys was watching process manager and NOD spiked to 100% CPU right before the lock. With that being said, I have looked at a user's machine logs and found nothing about system locks in them.... at all. Just that the last shutdown was unexpected.
     
  4. mikedoug

    mikedoug Registered Member

    I've seen the same thing. Marcos, you are very wrong when you say that NOD32 cannot affect anything except for HTTP/POP3 communications. You are wrong BECAUSE NOD32 is hooking into the kernel in order to scan HTTP/POP3 communications, and it is therefore involved in at least the setup and tear down of every connection. The script I include below proves NOD32 wreaks havoc by locking up systems with simple TCP work.

    The following problem has been experienced under Windows 7 and Windows Server 2008. It has been experienced on both NOD32 v4.x and ESET Endpoint Antivirus 5.0.2126.0.

    The ESET Protocol Filtering has a race condition which causes systems running NOD32 v4.x to COMPLETELY freeze (keyboard, mouse, video -- everything is frozen) and, on ESET EA 5.x, the specific processes to hang in such a way that you cannot kill them or even properly shut down the computer. The only way to keep my system from locking up is to uncheck "Integrate into system" on the "Protocol filtering" tab of the "Advanced setup" and then reboot.

    The following Python script reproduces the problem within seconds of running it:

    Code:
    import socket
    import threading

    ip = '127.0.0.1'

    def server():
        # Loopback listener: accept, exchange 4 bytes, close, repeat forever.
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.bind((ip, 50020))
        s.listen(1)

        while True:
            conn, addr = s.accept()
            conn.send(b'1234')
            data = conn.recv(20)
            if data != b'1234':
                print("Server: Received invalid data")
            conn.close()

    def client():
        # Connect, exchange 4 bytes, close, repeat forever (rapid setup/teardown).
        while True:
            s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
            s.connect((ip, 50020))
            s.send(b'1234')
            data = s.recv(20)
            if data != b'1234':
                print("Client: Received invalid data")
            s.close()


    serverT = threading.Thread(target=server)
    serverT.start()

    clientT = threading.Thread(target=client)
    clientT.start()

    # This second thread may trigger the condition faster
    clientT = threading.Thread(target=client)
    clientT.start()
    
    Please debug and fix your kernel modules such that they do NOT cause the system to completely lock up.
     
    Last edited: Sep 24, 2012
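
For the troubleshooting question that opens the thread, a bounded variant of the connection churn described in the post above can time each connect/exchange/close cycle, so runs with protocol filtering integrated and not integrated can be compared. This is an added example, not code from the thread or from ESET; the function names, the ephemeral port, the cycle count and the stall threshold are assumptions.

```python
import socket
import threading
import time

PAYLOAD = b"1234"  # same 4-byte message the thread's script exchanges

def _serve(listener, cycles):
    """Accept at most `cycles` loopback connections, then stop."""
    for _ in range(cycles):
        try:
            conn, _addr = listener.accept()
            with conn:
                conn.settimeout(listener.gettimeout())
                conn.sendall(PAYLOAD)
                conn.recv(20)
        except OSError:  # timeout or reset: stop serving
            return

def measure_churn(cycles=200, timeout=2.0, stall_threshold=0.25):
    """Time a fixed number of connect/exchange/close cycles on loopback."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.settimeout(timeout)
    listener.bind(("127.0.0.1", 0))  # ephemeral port (assumption), loopback only
    listener.listen(5)
    port = listener.getsockname()[1]
    server = threading.Thread(target=_serve, args=(listener, cycles), daemon=True)
    server.start()
    latencies, failures = [], 0
    for _ in range(cycles):
        start = time.perf_counter()
        try:
            with socket.create_connection(("127.0.0.1", port), timeout=timeout) as s:
                s.sendall(PAYLOAD)
                ok = s.recv(20) == PAYLOAD
        except OSError:  # includes socket.timeout
            ok = False
        if ok:
            latencies.append(time.perf_counter() - start)  # includes teardown
        else:
            failures += 1
    server.join(timeout)
    listener.close()
    stalls = sum(1 for t in latencies if t > stall_threshold)
    return {"completed": len(latencies), "failures": failures,
            "stalls": stalls, "max_latency_s": max(latencies, default=0.0)}

if __name__ == "__main__":
    print(measure_churn())
```

On the affected builds described above, processes hang in a way that cannot be killed, so a run that never returns is itself a result; run it on a test machine with work saved.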
  5. mikedoug

    mikedoug Registered Member

    Note that my listed workaround is specific for 5.x -- not 4.x.
     
  6. FanJ

    FanJ Updates Team

    mikedoug,

    One has to wonder whether posting code like you did originally here is such a wise idea... :doubt:
     
  7. mikedoug

    mikedoug Registered Member

    Why? It's nothing proprietary. It's code developed strictly to reproduce the problem with the minimum of code. This is using straight sockets to show ESET locking up systems. o_O
     
  8. Marcos

    Marcos Eset Staff Account

    Our developers will have a look at it and try to reproduce it to find out if it's an issue in our epfwwfp.sys driver or in MS Windows Filtering Platform itself. I wouldn't be surprised if the problem lay in WFP, as MS recently fixed one issue via a hotfix but a more serious bug rendering downloaded files corrupted was introduced.
     
  9. FanJ

    FanJ Updates Team

    I guess that I stand corrected. What happened: seconds after I did read your posting (in its original form) I lost all my internet connection, and I thought those things were related. I suppose it was mere coincidence. So, I apologize for my post. :oops:
     
  10. mikedoug

    mikedoug Registered Member

    FanJ: No worries. At the worst, you just confused the heck out of me with the posting. At best, you made me find a bug in my script. :D

    Marcos: Thank you! I look forward to their findings. This is wreaking havoc on us currently, and working around it is not always the best or safest.

    Thanks again!
    MikeDoug
     
  11. LowWaterMark

    LowWaterMark Administrator

  12. mikedoug

    mikedoug Registered Member

    Has there been any forward momentum with this bug?
     
  13. Marcos

    Marcos Eset Staff Account

    This issue is caused by a bug in Windows Filtering Platform and is addressed in this hotfix issued by Microsoft.
     
  14. acooldozen

    acooldozen Registered Member

    This issue appears to be only happening to ESET NOD32... after having to re-install ESET yesterday... Started 1st thing this morning with no network connection. Had to hard boot twice to safe mode with networking to resolve the issue... Thought I had some malware/virus/DNS changer etc. Ran MBAM full scan and HitmanPro with no malicious items found... I uninstalled ESET and installed a trial version of Kaspersky AV and the problem disappeared! (I like my ESET, let's get it fixed.)
     
    Last edited: Nov 12, 2012
  15. Marcos

    Marcos Eset Staff Account

    It was solved by Microsoft as it was a bug in Windows Filtering Platform. Of course, some other security solutions may not exhibit this issue if they don't take advantage of WFP.
     