NOD32 v5 is horribly broken (at least for me)

Discussion in 'ESET NOD32 Antivirus' started by orclev, Sep 18, 2011.

Thread Status:
Not open for further replies.
  1. orclev

    orclev Registered Member

    Joined:
    Nov 1, 2008
    Posts:
    4
    I've been using v4 for a while now and generally have been fairly happy with it. I ran into a problem however when using it in conjunction with a newer release of truecrypt that leads to a BSOD when mounting an encrypted volume. After a bit of googling I saw that the BSOD problem had been fixed in v5 so I decided to upgrade. Initially I just installed v5 over the top of v4, but I kept getting lockups on boot. After a bit more googling I found a thread that recommended that you do a fresh install as installing over the top of v4 can cause some problems. So, after I did a fresh install, no change, still getting random lock ups. Another thing I noticed around this time was that if I did successfully manage to get booted in, after a few hours my networking stack would crash. I'd lose all network connection (even though the network status always showed connected), and if I attempted to check the details about a particular interface the panel was always blank. Something was horribly horribly broken inside the Windows network stack.

    So, I did a bit more digging and found a thread saying that another known problem was installing NOD32 onto a different partition than the one Windows is installed on (which I was), so I removed v5 yet again, and reinstalled it on my C: drive. That eliminated the crash on boot, but my network stack still dies after a few hours. Another thing that may or may not be related is that at the same time the network stack crashes I get 101 popups (and if I close them they immediately count right back up to 101 which seems like some sort of cap) saying "The user rules file contains invalid data.". I think this may be a red herring though as I've never configured any user rules. Also at this point if I attempt to open nod32 the window comes up but is completely blank (well, the green icon in the top right shows up but doesn't do anything when clicked on, and there's a scroll window in the middle, but it contains nothing). It's like nod32 is deadlocking somewhere deep inside its guts.

    My personal guess is that v5 has some kind of either deadlock, or else maybe some sort of buffer overflow somewhere in it, maybe a dangling pointer in one of the data structures. It doesn't BSOD, and the process still seems to be running, although completely idle, and it's not consuming massive amounts of memory (so no space leak), it's just... dead.

    Unfortunately for the time being I've had to revert back to v4, and just disable nod32 anytime I need to use truecrypt (fortunately not my boot partition). I'd love to upgrade to v5 again, it seems like a lot of nice improvements have been made, but until the above issues are fixed it's completely unusable for me.
     
  2. piranha

    piranha Registered Member

    Joined:
    Mar 21, 2005
    Posts:
    623
    Location:
    Laval, Québec, Canada
    Which version of Windows do you have ?? I read you twice and didn't see this information. Thanks

    if you remove or disable truecrypt, everything ok ??
     
  3. orclev

    orclev Registered Member

    Joined:
    Nov 1, 2008
    Posts:
    4
    It's Windows 7 Ultimate 64 bit. Latest version of NOD32, can't tell you the exact version because it's uninstalled atm. When I uninstall everything works fine. Likewise running the latest version of v4 also runs fine except for the BSOD when using truecrypt. When using v5 there's no bluescreen with truecrypt, but it locks up at boot if installed on a drive other than C: and the network stack blows up after a few hours.
     
  4. muf

    muf Registered Member

    Joined:
    Dec 30, 2003
    Posts:
    926
    Location:
    Manchester, England
    Don't worry. You're not on your own. My pc refused to shut down and after a couple of hours not using my pc, it freezes up needing a hard reboot. I've also reverted back to v4. Win XP SP3.

    Why can't we simply uninstall old, reboot, install new. Working!

    Nah. Where's the fun in that. It's obviously more fun to have to diagnose and tear your hair out trying to find a fix.
     
  5. piranha

    piranha Registered Member

    Joined:
    Mar 21, 2005
    Posts:
    623
    Location:
    Laval, Québec, Canada
    did you contact tech support by phone or by email or web support form ?
     
  6. muf

    muf Registered Member

    Joined:
    Dec 30, 2003
    Posts:
    926
    Location:
    Manchester, England
    I did and their response was "contact us by phone".

    I realise they need me to test things, but what also bothered me about v5 was the slowdown compared to v4. I honestly think this is still in beta and I'm going to wait for the next release of v5 before I try again.

    Paul
     
  7. piranha

    piranha Registered Member

    Joined:
    Mar 21, 2005
    Posts:
    623
    Location:
    Laval, Québec, Canada
    If you won't help them to..... help you, you won't resolve this issue soon
     
  8. toxinon12345

    toxinon12345 Registered Member

    Joined:
    Sep 8, 2010
    Posts:
    1,200
    Location:
    Managua, Nicaragua
    Hello, have you tried a reboot after temporarily disabling new features like LiveGrid, Parental Control, HIPS?
    You can send a SysInspector log to customer care, as some application on your computer could be interfering.
     
    Last edited: Sep 20, 2011
  9. locked_mountain

    locked_mountain Registered Member

    Joined:
    Sep 17, 2011
    Posts:
    18
    Give me a break. Like these companies will jump right on it even when you do help them.


    I've been using Nod32 for over 3 years and this new version 5 sucks. It's taking me over a min or more to mount my TrueCrypt drives, and sometimes it freezes my system. I've run their ESET SysInspector and sent them the log files, I'm still waiting for a response back a week later. As I explained in another post on these boards: (see below in red)

    I haven't had any BSOD's with Nod32 v5.0.93.0, and never had an issue with the previous Nod32 v.4.67.10 when I was running Truecrypt 7.0a. However, now I am experiencing very long mounting times with Nod32 V5. It takes about a min or more to mount an encrypted drive whereas with previous versions of Nod32 it only took me about 2 seconds. Sometimes my system is freezing.


    Edit: I tried adding both the device drive letters shown in MyComputer as well as the mounted volume letter assignments to the "exclusions" list, i.e. D:\*.* , E:\*.* , F:\*.* ... etc... but it's still taking a long time to mount and sometimes freezing which requires a hard boot. I've turned all the new junk off and it made no difference. This is unacceptable with encrypted drives as this can cause issues down the line.
    PLEASE FIX YOUR PROBLEM ESET, or get back to me so we can work together to fix it.

    --- this system ---
    Win XP 32bit / spk3


    The new version SUCKS. taking it off, and if they don't get back to me soon, all my customers are getting something else.
     
    Last edited: Sep 25, 2011
  10. syspsi

    syspsi Registered Member

    Joined:
    Sep 26, 2011
    Posts:
    1
    I have the same behavior when I mount crypted volumes: my system hangs.
    Truecrypt v7.0a & v7.1 + Nod32 v4.x = OK.
    Truecrypt v7.0a & v7.1 + Nod32 v5.x = Can't mount any crypted volume, system hangs.

    I tried exclusions, real time disable, etc..

    I have about 60 PCs at work, but for now I must wait while these problems happen.

    Thanks in advance.
     
  11. locked_mountain

    locked_mountain Registered Member

    Joined:
    Sep 17, 2011
    Posts:
    18
    We're not the only ones having this issue syspsi. And I've disabled everything, HIPS, scan removable drives, and even disabled protection from the systray, completely disabled the program...you name it ...nothing works. When I uninstall it, TrueCrypt works like it did again. By the way, do you know their phone number for support? It's not so easy to find in the site.

    Please stay on them about this! I would first grab ESET SysInspector that you can run to produce a detailed set of log files. Then send them the attachment when you submit a support request. Please do it so they realize it's not just me with this issue. I sent them a second support request, still waiting for response.

    SysInspector Download Center:

    1. http://www.eset.com/download/sysinspector.php

    ------------------------------------------------------------------------------

    2. Click the ‘Download’ button to the right of your desired version. When prompted to Run or Save, click ‘Save’ and save the file to your Desktop.

    3. Double-click the SysInspector icon on your Desktop and click ‘Run’.

    4. Scroll through the End User License Agreement and click 'I Agree'. Once the analysis is finished, the SysInspector main program window will be displayed.

    5. In the top right corner click 'File' -> 'Save Log'. Click ‘Yes’ to confirm and then save the log file to your computer.

    NOTE: Before you save the log file to your computer, make sure that ‘ESET SysInspector Compressed Log (*.zip)’ is selected in the ‘Save as type’ drop-down menu.

    6. Please reply to this email and attach the saved log file. We will examine the log and respond as soon as possible with the recommended action based on our findings.

    Make sure you tell them this just like you have it above.
     
    Last edited: Sep 26, 2011
  12. toxinon12345

    toxinon12345 Registered Member

    Joined:
    Sep 8, 2010
    Posts:
    1,200
    Location:
    Managua, Nicaragua
    What about disabling the protection completely?
    In the main window Go to:
    Setup>Computer


    In the realtime filesystem protection, click configure and in that screen untick the option "automatically start the realtime filesystem protection", click OK.
    In the HIPS, click configure and in that screen untick the "Enable HIPS" option, click OK.
    Now Restart and tell us if you can observe any slowdowns while the realtime protection is completely disabled.
     
    Last edited: Sep 26, 2011
  13. locked_mountain

    locked_mountain Registered Member

    Joined:
    Sep 17, 2011
    Posts:
    18
    Did it... done it, doesn't matter. As long as the Nod32 service is running, the problem is consistent.

    It's not just a slow down issue, the system is completely freezing up and I have to hard boot. Something you DON'T want to do with TC drives, since it takes about 8 hours to format and encrypt a drive. There is something wrong at the driver level. I just uninstalled v5 and put v.4.67.10 back on. No problems at all! I'll wait a few weeks and see if ESET finds anything. This seems to be an issue across the boards apparently. Some people are getting BSOD while others just freezing ...like in my case. Sounds like there is a memory address violation of some kind going on and the Nod32 driver service is not playing nice with the TrueCrypt driver that handles On-The-Fly-Encryption.

    Please see...
    On-The-Fly-Encryption - to see how the TC driver works: ...(something ESET should be addressing).
    See here: http://www.truecrypt.org/docs/
     
    Last edited: Sep 26, 2011
  14. locked_mountain

    locked_mountain Registered Member

    Joined:
    Sep 17, 2011
    Posts:
    18
    Update


    These people at ESET are unreal. They send me an email to a link with a new eamonm.sys file ...saying that I should boot in safe mode, rename the original driver in the Windows/system32 folder and copy the new version instead.

    Firstly, you can't boot into safe mode when you're running system encryption, because the TC driver is needed to write to the drive. Secondly, there is no eamonm.sys in my windows system32 folder. What are they talking about? Are they even reading my tickets?

    So if there was a eamonm.sys file to replace, the only way to do this would be to decrypt the entire drive, replace the file and then encrypt it again. We're talking about 10 hours of work just to replace a file they should have included into a separate downloadable installer. I'm just about done with this software.
     
    Last edited: Oct 2, 2011
  15. rcdailey

    rcdailey Registered Member

    Joined:
    Dec 25, 2009
    Posts:
    233
    I have posted in a separate thread about having an issue with getting a USB external hard drive to work properly if attached with Eset enabled. The system would become unresponsive and a hard boot required to get the drive recognized. The suggestion about unticking the "automatically start the realtime filesystem protection" option worked to fix this. I tested attaching the drive, then "safely removing" it and then reattaching. Works fine that way. This suggested that the problem is with the basic Eset driver and the system. Running XP SP3 Home Edition on a Dell 4500S with 2GB DDR memory.

    Of course, it's not ideal to have protection disabled at startup.
     
  16. piranha

    piranha Registered Member

    Joined:
    Mar 21, 2005
    Posts:
    623
    Location:
    Laval, Québec, Canada
  17. toxinon12345

    toxinon12345 Registered Member

    Joined:
    Sep 8, 2010
    Posts:
    1,200
    Location:
    Managua, Nicaragua
    can you reproduce this issue in the final version or in the Release Candidate?
     
  18. x942

    x942 Guest

    Running ESET Nod32 V5 with TrueCrypt and PGP. No issues here. Everything runs smoothly.

    Windows 7 Ultimate x64
    TrueCrypt 7.0a
    PGP Desktop 10.2
    ESET Nod32 5


    Maybe it's fixed now.
     
  19. rcdailey

    rcdailey Registered Member

    Joined:
    Dec 25, 2009
    Posts:
    233
    As posted elsewhere this is with version 5.0.93.0, which is the final version. I have heard that there is a version 5.0.94.0 somewhere, but suspect that is a beta if it exists. The problem is consistent. If a USB hard drive is connected with NOD32 running and enabled, then the drive will not be recognized and the system will become unresponsive. If the system is turned off, the drive is connected, and then the system is turned on to boot with the drive connected, the drive will be recognized. However, if the drive is removed during the session, it will not be recognized if it is reconnected unless the system is restarted. Disabling NOD32 allows the drive to be connected, removed, reconnected at will without any problems. Of course, disabling NOD32 sort of defeated the purpose of having it, no?

    I never had the release candidate. I waited until the "final" version was made available before installing it.

    These and other issues are affecting many users. Some will go back to version 4.71.2 or even install a different AV. I have not yet decided. I would prefer to keep version 5.
     
  20. locked_mountain

    locked_mountain Registered Member

    Joined:
    Sep 17, 2011
    Posts:
    18
    Yep, I keep "show hidden files" off all the time, and "show system files" is always my default setting. I searched my entire windows directory after searching the System32 folder, there was no eamonm.sys found ...this was while Nod32 v5.0.93.0 was installed. Then I tried searching for this sys file even after I uninstalled Nod32 v5 and put v4.2.67.10 back on, ...still no eamonm.sys to be found. I don't get it.

    That was one of the first things I did. That might work, but this eamonm.sys file is not on my system. The only thing I can think of is, either this eamonm.sys file is in some kind of proprietary cab file? Or it's because I'm running XP and not win7 as most support assume everyone is running win7. Maybe this file is not on XP. I sent ESET detailed log files after running their ESET SysInspector.

    I would try it. I'm once again running v4.2.67.10, no problems at all.

    The Nod32 v5 client runs fine with Truecrypt, it's just when you go to mount a drive, if I'm lucky, it will freeze for about a min and then mount. other times the system freezes up and I'm forced to hard boot. But as long as I don't mount my drives (Internal SATA) there is no issue. I've been running Nod32 for over five years on all my systems and even on family and friend's computers, never had a problem. Never had an issue with Truecrypt either, until now.

    By the way, on an unrelated side note:
    I stopped using USB hard drives, they're too unpredictable with delay-write-errors when copying really large files. I've had a few problems with USB hard drive enclosures over the years freezing the system, or just delay writes. The WD Mybooks have been pretty good I have to say, but I find that USB controllers are too flaky, most likely because manufacturers use cheap no name controllers in their enclosures, I can't tell you for sure. All I know is, I've been using internal SATA drives for backups for a few years now with hot swap bays on the front of the tower. Never had a problem with SATA as I did with USB drives. However, This Nod32 v5 issue is freezing even my SATA drives when mounting.
     
    Last edited: Oct 1, 2011
  21. toxinon12345

    toxinon12345 Registered Member

    Joined:
    Sep 8, 2010
    Posts:
    1,200
    Location:
    Managua, Nicaragua
    According to SysInspector, The ESET Amon driver (eamon.sys) can be found at %windir%\system32\drivers
     
  22. siljaline

    siljaline Former Poster

    Joined:
    Jun 29, 2003
    Posts:
    6,619
    Have you submitted a support ticket? If so, what is the number, so your case may be expedited by an ESET Moderator?

    Thank you.
     
  23. locked_mountain

    locked_mountain Registered Member

    Joined:
    Sep 17, 2011
    Posts:
    18
    Ok, hold on, look at how the driver name in the message above is spelled. (toxion's message) Now I found it the way he spelled it: eamon.sys
    However, the link everyone is posting above, as well as the one ESET sent me says eamonm.sys Notice the extra (m) in the name. This is what my email says to look for, I'm looking at the email as we speak. Did ESET send me a Windows7 driver? I'm using XP. I do not have a eamonm.sys, I do have a eamon.sys however. But they didn't send me an FTP link for that. What is going on, I'm confused.

    Look ---> ~Link removed~




    I've submitted 3, but I think they're all merged into one. Here is one:

    ~Private message removed per the TOS~
     
    Last edited by a moderator: Oct 1, 2011
  24. x942

    x942 Guest

    Are you using encrypted drives/partitions or virtual volumes? I have mounted my encrypted 1 TB (external) and 500GB (internal) with no issues. I will try a virtual volume and see what happens.

    EDIT:
    No freeze on volumes either. Maybe it's conflicting with something else? I am running:

    MBAM
    Webroot SA
    ESET Nod32 v5
    Sandboxie
    PGP Desktop 10.2 (Whole disk encryption)
    Comodo
    Winpatrol

    Win 7 Ultimate x64

    Can you post a dump from msinfo32?

    Do this:

    Code:
    win+r
    msinfo32
    
    Just export it as a text file and look for where Windows Error reporting starts. It should look like this:

    Code:
    [Windows Error Reporting]
    
    Time	Type	Details	
    10/1/2011 5:15 PM	Application Error	Faulting application name: programname.exe, version: 1.4.3.10, time stamp: 0x4dc9a20a
    Faulting module name: ntdll.dll, version: 6.1.7601.17514, time stamp: 0x4ce7ba58
    Exception code: 0xc00000fd
    Fault offset: 0x0002ded0
    Faulting process id: 0x740
    Faulting application start time: 0x01cc7e0b5fa96be3
    Faulting application path: C:\Program Files (x86)\Absolute Software\Absolute Notifier\AbsoluteNotifierService.exe
    Faulting module path: C:\Windows\SysWOW64\ntdll.dll
    Report Id: ec6010db-ec50-11e0-a66c-d469b530cb82	
    
    That may show what the issue may be. You can post all of the Windows Error part or just look for TrueCrypt and Eset.

    Thanks.
     
    Last edited by a moderator: Oct 1, 2011
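
The filtering step suggested in the post above (export the report as text, find the Windows Error Reporting section, look for TrueCrypt and ESET entries), as an added example that is not part of the thread. It assumes the export follows the layout shown in the post with US-style timestamps; the function names and the sample report are constructed for illustration.

```python
import re

# Constructed sample in the layout the post shows: a "[Windows Error Reporting]"
# section with tab-separated Time/Type/Details rows and continuation lines.
SAMPLE = "\n".join([
    "[System Summary]",
    "OS Name\tMicrosoft Windows 7 Ultimate",
    "",
    "[Windows Error Reporting]",
    "",
    "Time\tType\tDetails\t",
    "10/1/2011 5:15 PM\tApplication Error\tFaulting application name: presetmgr.exe, version: 0.0.0.0",
    "Faulting module name: ntdll.dll, version: 0.0.0.0",
    "Exception code: 0xc00000fd",
    "9/30/2011 9:02 AM\tApplication Hang\tThe program TrueCrypt.exe version 0.0.0.0 stopped responding.",
    "Process ID: 0x0",
    "9/29/2011 11:40 PM\tApplication Error\tFaulting application name: example.exe, version: 0.0.0.0",
    "Faulting module path: C:\\Program Files\\ESET\\example.dll",
    "",
    "[Another Section]",
    "Note\tTrueCrypt mentioned outside the error section",
])

SECTION = re.compile(r"^\[(.+)\]\s*$")
# Assumption: US-style timestamps as in the post; other locales need another pattern.
RECORD_START = re.compile(r"^\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2} [AP]M\t")
# Product names taken from the thread; a leading \b keeps "eset" from matching "preset".
KEYWORDS = ("truecrypt", "eset", "nod32", "eamon")


def decode_export(raw):
    """Decode an exported report, honouring a UTF-16 or UTF-8 byte-order mark."""
    if raw[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return raw.decode("utf-16")
    return raw.decode("utf-8-sig", errors="replace")


def wer_records(text):
    """Return the rows of the [Windows Error Reporting] section as dicts."""
    records, current, in_wer = [], None, False
    for line in text.splitlines():
        header = SECTION.match(line)
        if header:
            in_wer = header.group(1) == "Windows Error Reporting"
            current = None
        elif in_wer and RECORD_START.match(line):
            when, kind, details = (line.split("\t", 2) + [""])[:3]
            current = {"time": when, "type": kind, "details": details.strip()}
            records.append(current)
        elif in_wer and current is not None and line.strip():
            current["details"] += "\n" + line.strip()  # continuation line
    return records


def mentioning(records, keywords=KEYWORDS):
    """Keep records whose details name any keyword; return (record, matched) pairs."""
    hits = []
    for rec in records:
        found = [k for k in keywords
                 if re.search(r"\b" + re.escape(k), rec["details"], re.IGNORECASE)]
        if found:
            hits.append((rec, found))
    return hits
```

For a real export, read the file as bytes, pass it through `decode_export`, then call `mentioning(wer_records(text))`.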
  25. locked_mountain

    locked_mountain Registered Member

    Joined:
    Sep 17, 2011
    Posts:
    18
    Ok, firstly, You're running windows7, I'm running XP. As I mentioned above, there is a different SYS driver that ESET keeps trying to send me as a replacement for what is supposed to be on my system, but is not.

    I'm using encrypted drives, but I'm also running system encryption, which means the drive with my OS is also encrypted. All data written to and from the drive is encrypted by the Truecrypt driver. I've never had an issue running Nod32 v4...xxx

    This is not an issue with something else, because I've never had a problem till I put Nod32 v5 on. When I remove v5, the problem goes away.


    The new question now is; Why is ESET sending me a link to an updated driver with the name "eamonm.sys" ...when the file that everyone else here is saying to replace is named "eamon.sys" ? There is no file called eamonm.sys on my system. I can't show the link because it was removed by one of the mods. In any case, I think ESET sent me a driver that was intended for windows 7, I am not running windows 7, I'm running XP Pro. This is nuts, I'm sending emails back and forth to them and I get the feeling they're not reading what I'm explaining. Again, I still don't know what this driver named "eamonm.sys" that ESET sent to me is? I posted the link right out of my email for you all to see but it was removed. I don't understand why because it's a legit link that came from ESET themselves. So then we shouldn't post links to ESET also?

    I can understand why my case number was removed from here, but not the FTP link I posted.
     
    Last edited: Oct 2, 2011