Monday, November 13, 2006

System Lockup: F-Secure AV 2007 and Kerio Firewall

Recently I received a notification about F-Secure Anti-Virus 2007 being available. As an F-Secure customer you are entitled to upgrade from the 2006 version if your subscription is valid. So I downloaded the installation package and performed the upgrade.

After the obligatory reboot things started to fall apart. My computer would not respond for more than about 30 seconds after I had logged in. Opening the Start menu would work, maybe even opening e.g. the Control Panel submenu. However, nothing else would work after this point. Using Ctrl-Alt-Del to get the Task Manager just allowed me to "wipe" the Start menu from the screen; no further action was possible.

What made me suspicious was a little dialog I had to dismiss right after logging in that informed me about my Kerio Personal Firewall not being found by the system-tray GUI. Because conflicting firewalls are known to cause lockup problems like this, I originally bought F-Secure Anti-Virus instead of the whole Internet Security package. Anti-Virus 2006 had been working fine in conjunction with the separate personal firewall.

I rebooted to see if this was some sort of transient problem with the first reboot after the install. This time I did not even get an Explorer to launch and show me my desktop. Apart from the wallpaper and a mouse pointer I could not see anything. Hitting Ctrl-Alt-Del again let me launch the Task Manager. I tried to start explorer.exe from there, to no avail.

I decided to uninstall the personal firewall. I tried to boot into Safe Mode, just to see that it would not come up and instead die with a blue screen. To be fair, I have to say that I had not tried Safe Mode for a long time, so I do not know if it would have worked before my problems started.

My only way to resolve this was to boot into the Vista RC installation I luckily had not deleted yet and to disable the startup of the firewall service in the XP install. To do so I loaded the windows\system32\config\system registry hive into the Vista regedit and set the startup type (the Start value under ControlSet00x\Services\<servicename>) of the firewall service in the active ControlSet001 to disabled. Note that the documented value for "disabled" is 4 (SERVICE_DISABLED), not 0: 0 means boot start, i.e. the driver is loaded even earlier. You can see which control set is the one for "normal" Windows startup by looking at the SYSTEM\Select\Default value.
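The offline-hive procedure from the paragraph above as a script. This is an added example, not code from the original post. It assumes (hypothetically) that the broken install is mounted as D: and that it runs from an elevated PowerShell on the working install; hive path, service name and mount name are parameters. It resolves the control set from Select\Default as described and writes 4 (SERVICE_DISABLED) into Start.

```powershell
# Added example, not code from the original post: disable a service or driver in the
# OFFLINE SYSTEM hive of a second Windows install, the procedure described above.
# Hypothetical assumptions: the broken install is mounted as D:, and this runs from an
# elevated PowerShell on the working install (reg.exe ships with Windows).
param(
    [string]$HivePath    = 'D:\WINDOWS\system32\config\system',  # SYSTEM hive of the offline install
    [string]$ServiceName = 'fwdrv',                              # key under ...\Services to disable
    [string]$MountName   = 'OfflineSYS'                          # temporary mount point under HKLM
)

# Documented Start values for keys under Services:
#   0 = boot, 1 = system, 2 = automatic, 3 = manual, 4 = disabled.
# 0 is NOT "disabled": it makes the kernel load the driver even earlier.
$SERVICE_DISABLED = 4

& reg.exe load "HKLM\$MountName" $HivePath | Out-Null
if ($LASTEXITCODE -ne 0) {
    throw "reg load failed for $HivePath (run elevated; the hive must not be the one currently booted)"
}

try {
    $root = "HKLM:\$MountName"

    # A hive loaded this way has no CurrentControlSet link. Select\Default names the
    # control set Windows will use on the next normal boot (1 -> ControlSet001, ...).
    $default = (Get-ItemProperty -Path "$root\Select" -Name Default).Default
    $csName  = 'ControlSet{0:D3}' -f [int]$default
    $svcKey  = "$root\$csName\Services\$ServiceName"

    if (-not (Test-Path -LiteralPath $svcKey)) {
        throw "No key $csName\Services\$ServiceName in this hive"
    }

    $before = (Get-ItemProperty -Path $svcKey -Name Start -ErrorAction SilentlyContinue).Start
    Set-ItemProperty -Path $svcKey -Name Start -Value $SERVICE_DISABLED -Type DWord

    # Print the old value: you need it to re-enable the service afterwards.
    Write-Output ("{0}\{1}: Start {2} -> {3} (disabled)" -f $csName, $ServiceName, $before, $SERVICE_DISABLED)
}
finally {
    # Release PowerShell's handles on the loaded hive first, or reg unload fails with "access denied".
    [GC]::Collect(); [GC]::WaitForPendingFinalizers()
    & reg.exe unload "HKLM\$MountName" | Out-Null
}
```

Run it once per service you want out of the way, note the printed old Start value, and restore it later with the same Set-ItemProperty call (or a second pass over the loaded hive). Do not run it against the SYSTEM hive of the install you are currently booted from: reg load refuses a hive that is in use.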

Upon restart the situation had not changed: the same problem as before. Because I was not sure whether just disabling the Kerio service had been enough, I decided to uninstall it. To do so I had to disable F-Secure Anti-Virus, too. So I loaded Vista again and opened the XP registry. Luckily the F-Secure services all have human-readable key names, all starting with "F-Secure", so it was very easy to disable them as well.

Back in XP I was for the first time able to do more than wait for the lock-up. I uninstalled Kerio using the Control Panel's "Add/Remove Programs" applet and rebooted, after I had set the F-Secure services back to their original startup settings.

Guess what... It still did not work... I came to the conclusion that there must be some sort of bug in F-Secure Anti-Virus's 2007 version. In the meantime my father had called, complaining about the same problem, which at the time seemed to support my theory. At that point, however, I did not yet know that he used the Sunbelt Personal Firewall, too.

After going through the whole boot Vista - load XP registry - disable services - reboot to XP hassle I finally uninstalled Anti-Virus 2007, rebooted and re-installed 2006. At this point I had restored the situation where I had originally left off - minus the Kerio Personal Firewall.

For some reason I did not want to believe that F-Secure would ship such a lousy product. I fired up regedit again and opened the services subtree. There I reviewed every one of them, not knowing what exactly to look for. Finally I found these two entries:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\fwdrv]
"MaxBufferSize"=dword:00004000
"MaxBuffersAllocated"=dword:00000300
"WarnLog"=dword:00000000
"DebugLog"=dword:00000000
"DebugLogFlags"=dword:00000000
"DatagramRoutingExtent"=dword:4109891b
"StatInspEnabled"=dword:00000001
"AlwaysSecure"=dword:00000002
"FSSecEnabled"=dword:00000000
"RegSecEnabled"=dword:00000000
"AdapterNotificationDisabled"=dword:00000000
"BufCacheSize"=dword:00000060
"TCPConnectionTimeout"=dword:00000000
"BlockIPv6"=dword:00000000
"ErrLogFile"="\\SystemRoot\\System32\\drivers\\fwdrv.err"
"DebugLogFile"="\\SystemRoot\\System32\\drivers\\fwdrv.dbg"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\fwdrv\Enum]
"0"="Root\\LEGACY_FWDRV\\0000"
"Count"=dword:00000001
"NextInstance"=dword:00000001

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\khips]
"Type"=dword:00000001
"TraceLevel"=dword:00000000
"DisplayName"="Kerio HIPS Driver"
"TraceFile"="C:\\Programme\\Kerio\\Personal Firewall 4\\logs\\khips.log"
"Start"=dword:00000001
"ErrorControl"=dword:00000001
"ImagePath"=hex(2):5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
  74,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,64,00,72,\
  00,69,00,76,00,65,00,72,00,73,00,5c,00,6b,00,68,00,69,00,70,00,73,00,2e,00,\
  73,00,79,00,73,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\khips\Enum]
"0"="Root\\LEGACY_KHIPS\\0000"
"Count"=dword:00000001
"NextInstance"=dword:00000001

The ImagePath in the second node is a REG_EXPAND_SZ value, which regedit exports as hex(2) UTF-16LE; it decodes to \SystemRoot\system32\drivers\khips.sys. Searching the net for that file name reveals that it is the "Kerio Host Intrusion Prevention Service". Obviously this is a remnant of the Kerio Personal Firewall that I thought I had removed.

In the Device Manager one can also see this service when the "View/Show Hidden Devices" option is enabled. It will show up under "Non-PnP-Drivers" (sorry if the option names are a little off, I am trying to guess their names, because I use a German Windows).

As soon as I had removed both of the registry keys above (kerio.uk.com contains a reference to fwdrv) and rebooted, I could use F-Secure Anti-Virus 2007 without any problems. I will file this with F-Secure now...
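A scan for exactly this kind of leftover, added here as an example and not code from the original post. The pattern the two keys above show is a Services key with an Enum\0 entry under Root\LEGACY_* (a non-PnP driver registration, the same thing Device Manager lists under hidden devices) whose ImagePath is gone or names a file that no longer exists. Hypothetical assumptions: by default it reads the live system; for an offline hive, load it with reg load first and pass the Services key and the other install's Windows directory as parameters, as the comment describes. It needs PowerShell 3 or later for the [pscustomobject] output.

```powershell
# Added example, not code from the original post: report driver service keys that look
# like uninstall leftovers, the pattern the khips/fwdrv keys above show.
# Hypothetical defaults: the live system. For an offline hive, first run
#   reg load HKLM\OfflineSYS D:\WINDOWS\system32\config\system
# and call this with -ServicesKey 'HKLM:\OfflineSYS\ControlSet001\Services' -SystemRoot 'D:\WINDOWS'.
param(
    [string]$ServicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services',
    [string]$SystemRoot  = $env:SystemRoot
)

# Documented Start values for keys under Services.
$startNames = @{ 0 = 'boot'; 1 = 'system'; 2 = 'auto'; 3 = 'manual'; 4 = 'disabled' }

function Resolve-ImagePath([string]$raw, [string]$sysRoot) {
    # Normalise the spellings found in ImagePath values to a plain file system path.
    $p = $raw.Trim('"')
    $p = $p -replace '^\\\?\?\\', ''                          # \??\C:\x.sys     -> C:\x.sys
    $p = $p -replace '^\\SystemRoot\\', ($sysRoot + '\')      # \SystemRoot\...  -> C:\WINDOWS\...
    $p = $p -replace '%SystemRoot%', $sysRoot                  # %SystemRoot%\... (REG_EXPAND_SZ)
    if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $sysRoot $p }   # system32\drivers\x.sys
    return $p
}

Get-ChildItem -Path $ServicesKey -ErrorAction SilentlyContinue | ForEach-Object {
    $key   = $_
    $type  = $key.GetValue('Type')
    $start = $key.GetValue('Start')

    # DoNotExpandEnvironmentNames keeps the raw REG_EXPAND_SZ text; Resolve-ImagePath handles it.
    $raw = $key.GetValue('ImagePath', $null, 'DoNotExpandEnvironmentNames')

    $enum0   = $null
    $enumKey = $key.OpenSubKey('Enum')
    if ($enumKey) { $enum0 = $enumKey.GetValue('0'); $enumKey.Close() }

    $isLegacy = ($enum0 -like 'Root\LEGACY_*')
    $isDriver = ($type -eq 1 -or $type -eq 2)          # 1 = kernel driver, 2 = file system driver

    # A driver key without ImagePath is loaded from system32\drivers\<keyname>.sys by convention.
    $file = $null
    if ($raw)           { $file = Resolve-ImagePath $raw $SystemRoot }
    elseif ($isDriver)  { $file = Join-Path $SystemRoot ("system32\drivers\" + $key.PSChildName + ".sys") }
    $missing = (-not $file) -or (-not (Test-Path -LiteralPath $file))

    # Report non-PnP driver registrations whose binary is gone (khips above), and keys such as
    # fwdrv that kept their Enum entry but lost Type and ImagePath entirely.
    if (($isLegacy -or $isDriver) -and $missing) {
        $startText = '(none)'
        if ($start -ne $null) { $startText = $startNames[[int]$start] }
        [pscustomobject]@{
            Service   = $key.PSChildName
            Type      = $type
            Start     = $startText
            ImagePath = $(if ($file) { $file } else { '(none)' })
            Enum      = $enum0
        }
    }
} | Format-Table -AutoSize
```

Every line it prints is a candidate to review by hand, not something to delete blindly: confirm the product really is uninstalled and the named .sys file really is gone before removing the key, and export the key with regedit first so it can be restored.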

4 comments:

Anonymous said...

Hi Daniel,
any news about this problem? Did you get a useful solution from F-Secure to run F-Secure AV and Kerio Firewall?
Thanks, Bernd

Daniel Schneller said...

I have posted a new article about their response.

Daniel

Pulkit Chawla said...

Hi Daniel

I am having a similar problem of system lockup

But not with F-Secure.
I have McAfee Enterprise version installed on my PC and previously I had PC-cillin ......

I read your article and seriously need help as to how to resolve this problem.... please suggest

step by step

Daniel Schneller said...

Unfortunately I have never used any of these products myself. The only thing I can recommend is to first uninstall the old AV software completely (take the machine off the net!).
Then (after all the necessary reboots) install the new product and update it via the net.
This should usually be safe. If not, I am sorry, but this kind of problem is really hard to diagnose and fix from the outside.