ESET issues identified

Updated 1 week ago by admin

We have identified an issue with certain versions of ESET software that causes incompatibility with software that also uses the Microsoft WFP (Windows Filtering Platform) layer for intercepting network traffic, such as the USS Agent for Windows. The issue causes WFP-redirected connections to fail and is not specific to the USS Agent for Windows software.

The following software version numbers are known to cause the issue:

  • ESET Endpoint Security 7.3.2039.0
  • ESET Endpoint 7.2.2055.0
  • ESET Endpoint 7.1.2053.0
  • ESET Endpoint 7.1.2045.5
  • ESET Internet Security 13.2.16.0
  • ESET Internet Security 13.0.22.0
  • ESET NOD32 Antivirus 13.0.22.0

The following software versions do not exhibit the problem:

  • ESET Endpoint 7.0.2100.4
  • ESET Endpoint 6.6.2089.2

Workaround

Installing version 0.997 or later of the npcap library provides a workaround to the issue.

  1. Download npcap version 0.997 or later
  2. Install the new version of npcap on the machine running ESET and the USS Agent for Windows
  3. Reboot
  4. In some cases, if the problem persists, you will need to re-install ESET and then reboot once more
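
To check whether a machine runs one of the ESET builds listed above, and which npcap version it currently has, the following PowerShell script can be run locally. It is an added example, not vendor code; it assumes ESET and npcap appear in the standard Windows Uninstall registry keys with a DisplayName starting with "ESET" or "Npcap" and a DisplayVersion in the same format as the version numbers in this article.

```powershell
# Added example (not vendor code). Assumption: ESET and npcap register a
# DisplayName starting with "ESET" / "Npcap" and a DisplayVersion matching the
# version strings used in this article.

# Version numbers copied from the two lists in this article.
$affected  = '7.3.2039.0', '7.2.2055.0', '7.1.2053.0', '7.1.2045.5', '13.2.16.0', '13.0.22.0'
$knownGood = '7.0.2100.4', '6.6.2089.2'

# 64-bit and 32-bit views of the installed-programs list.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

$installed = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like 'ESET*' -or $_.DisplayName -like 'Npcap*' }

$report = foreach ($app in $installed) {
    $version = [string]$app.DisplayVersion
    $status = if ($app.DisplayName -like 'Npcap*') {
        # Reported as-is so it can be compared with the workaround version.
        'Compare with the workaround version (0.997 or later)'
    } elseif ($affected -contains $version) {
        'AFFECTED: listed as causing the WFP redirect failure'
    } elseif ($knownGood -contains $version) {
        'OK: listed as not exhibiting the problem'
    } else {
        'UNLISTED: not covered by this article'
    }
    [pscustomobject]@{
        Product = $app.DisplayName
        Version = $version
        Status  = $status
    }
}

if (-not $report) {
    Write-Output 'No ESET or Npcap entries found in the Uninstall registry keys.'
} else {
    # The same product can appear in both registry views; show it once.
    $report | Sort-Object Product, Version -Unique | Format-Table -AutoSize
}
```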

Further Information / Diagnostics

To confirm the issue is not related to the USS Agent for Windows, it is possible to recreate the problem without the agent installed by following these steps:

  1. Install one of the affected ESET versions listed above
  2. Build and deploy the Microsoft WFP sample from https://github.com/microsoft/Windows-driver-samples/tree/master/network/trans/WFPSampler
  3. Build server.cpp (requires Boost)
  4. Start server.exe as follows: server.exe 44444
  5. Start WFP redirection as follows: WFPSampler.exe -s PROXY -l FWPM_LAYER_ALE_CONNECT_REDIRECT_V4 -pra 127.0.0.1 -prp 44444 -v -iprp 443 -plspid <server.exe process PID>
  6. Start Chrome browser and try to open multiple HTTPS websites, so that Chrome creates a few simultaneous connections.
  7. The server app fails to get redirect records and context for some accepted connections. Browsing is not possible.

Other third-party products report the same issue on public forums, for example https://github.com/nmap/nmap/issues/1529

