Hydro

Even when creating the rule within 1 of 2 seconds (selecting option “Create rule and remember permanently” and then pressing the Deny button), the initial connection is never blocked (TcpTestSucceeded result is always True). The issue occurs regardless of the user timing, regardless of the network adapter (ethernet or wifi, docked or not) and regardless of the application. It also occurs with a clean install of EIS, with default settings (except for the firewall filtering mode, which is set to Interactive mode).

My firewall driver appears to be identical, although my “Date modified” differs (see below). But the ESET digital signatures are OK (dated Friday, November 3, 2017). In essence, the firewall driver seems to be functioning correctly, apart from the occasional BSOD (doesn’t occur that often anymore) and a traffic leak issue when using interactive mode (see other thread). I’ve disabled all virtualization options in the BIOS and disabled all Hyper-V features with the following two actions from an elevated Powershell prompt: bcdedit /set hypervisorlaunchtype off Disable-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V-All

Currently at Firewall module 1373.1 (20180103), but the EIS firewall still leaks outbound traffic when a new deny rule is created in interactive mode, regardless of the application and regardless of the network adapter being used. In essence, the EIS firewall driver seems to be functioning correctly, because when I click “Deny” with the “Ask every time” or “Remember until applications quits” option, the outbound traffic is being blocked, as expected. Existing deny rules are also functioning as expected. However, the EIS firewall fails to block traffic when I click “Deny” with the “Create rule and remember permanently” option (regardless of whether the rule is edited before saving). The newly created rule will block traffic for all subsequent connections that match the rule, but the initial connection (that triggered the “Outbound network traffic” dialog in the first place), is always allowed! This is 100% reproducible on my notebook. I think this is a bug in the EIS interactive deny logic. Perhaps introduced when the “Edit rule before saving” functionality was added? Product: EIS 11.0.159.0 (with pre-release updates enabled) OS: Windows 10 Enterprise v1709 x64 (10.0.16299.125)

A few days ago I’ve disabled all Hyper-V features on my Windows 10 notebook, as suggested by itman, and it appears to have improved the stability. Unfortunately, today another computer freeze + BSOD (DPC_WATCHDOG_VIOLATION) occurred, while using Chrome: The DPC watchdog detected a prolonged run time at an IRQL of DISPATCH_LEVEL or above. Probably caused by : epfwwfp.sys ( epfwwfp+39fc ) DEFAULT_BUCKET_ID: WIN8_DRIVER_FAULT FAILURE_BUCKET_ID: 0x133_ISR_epfwwfp!unknown_function Image path: \SystemRoot\system32\DRIVERS\epfwwfp.sys Timestamp: Fri Nov 3 15:53:40 2017 (59FC82F4) Product: EIS 11.0.159.0 (regular), with Firewall module 1372 (20171027), Network protection module 1583 (20180102) and HIPS module 1309 (20171229) OS: Windows 10 Enterprise v1709 x64 (10.0.16299.125) Now I’ve enabled EIS pre-release updates again, and will try it out for a couple of days. The firewall is still leaking traffic though when creating a Deny rule in interactive mode (regardless of the application and network adapter; also occurs after deleting epfwdata.bin and EpfwUser.dat). That issue is 100% reproducible, unlike the BSODs.

I just noticed that the DPC_WATCHDOG_VIOLATION (SINGLE_DPC_TIMEOUT_EXCEEDED) BSOD that I previously encountered, is almost identical to the issue that’s described in this article: https://kc.mcafee.com/corporate/index?page=content&id=KB90097 STACK_TEXT of my BSOD with the pre-release version of EIS 11.0.159: fffff800`7f19dbc8 fffff800`7f62a607 : nt!KeBugCheckEx fffff800`7f19dbd0 fffff800`7f4e8666 : nt!KeAccumulateTicks+0x140207 fffff800`7f19dc30 fffff800`7f41d3c5 : nt!KeClockInterruptNotify+0xc6 fffff800`7f19df40 fffff800`7f537da5 : hal!HalpTimerClockIpiRoutine+0x15 fffff800`7f19df70 fffff800`7f5fe7fa : nt!KiCallInterruptServiceRoutine+0xa5 fffff800`7f19dfb0 fffff800`7f5fec47 : nt!KiInterruptSubDispatchNoLockNoEtw+0xea fffff800`7f18b7d0 fffff800`7f4dbcec : nt!KiInterruptDispatchNoLockNoEtw+0x37 fffff800`7f18b960 fffff800`7f4dbca4 : nt!KxWaitForLockOwnerShip+0x2c fffff800`7f18b990 fffff809`abad3b23 : nt!KeAcquireInStackQueuedSpinLock+0x44 fffff800`7f18b9c0 00000000`00000000 : epfwwfp+0x3b23 STACK_TEXT of McAfee article: ffffbe00`7ed5fd88 fffff800`56e2fc07 : nt!KeBugCheckEx ffffbe00`7ed5fd90 fffff800`56e2d868 : nt!KeAccumulateTicks+0x407 ffffbe00`7ed5fdf0 fffff800`576264e5 : nt!KeClockInterruptNotify+0xb8 ffffbe00`7ed5ff40 fffff800`56e20876 : hal!HalpTimerClockIpiRoutine+0x15 ffffbe00`7ed5ff70 fffff800`56f5de0a : nt!KiCallInterruptServiceRoutine+0x106 ffffbe00`7ed5ffb0 fffff800`56f5e257 : nt!KiInterruptSubDispatchNoLockNoEtw+0xea ffffbe00`7ffb9da0 fffff800`56e86540 : nt!KiInterruptDispatchNoLockNoEtw+0x37 ffffbe00`7ffb9f30 fffff800`56e864f4 : nt!KxWaitForLockOwnerShip+0x30 ffffbe00`7ffb9f60 fffff807`418db3c9 : nt!KeAcquireInStackQueuedSpinLock+0x44 ffffbe00`7ffb9f90 fffff807`418c6249 : mfefirek+0x2b3c9 Perhaps Microsoft has changed something in the Fall Creators Update that can cause these firewall/hips issues??

No, I was running the pre-release version of EIS, with Firewall module 1373 (20171206), when the BSODs occurred. Now I’ve returned to the regular version, with Firewall module 1372 (20171027). Both versions leak traffic in interactive mode. I’ve also encountered some computer freezes/hangs with both EIS versions (after I’ve updated to the Fall Creators Update). Not anymore: 16299 has become the standard build, see https://techjourney.net/windows-10-fall-creators-update-rs3-v-1709-build-16299-15-rtm/ (latest standard build is now 16299.125, since KB4054517). I’ve never installed the Windows insider preview (but the OP, MilkyMeda, has).

Similar issue here: multiple ESET related BSODs occurred on my Windows 10 Dell notebook (Precision 3520). I think the problems started after updating to the Windows Fall Creators Update (version 1709, build 16299) and EIS 11.0.159. First received a DPC_WATCHDOG_VIOLATION on epfwwfp.sys, during the installation of an Intel Wifi driver update (latest Proset software for AC 8265 adapter). Could not start Windows in normal mode since that moment, due to BSODs occurring on em008k_64.dll (firewall module) each time during startup, with one the following errors: ATTEMPTED_WRITE_TO_READONLY_MEMORY ATTEMPTED_EXECUTE_OF_NOEXECUTE_MEMORY DRIVER_UNLOADED_WITHOUT_CANCELLING_PENDING_OPERATIONS A rollback to a previous recovery point didn’t help. Had to boot into safe mode and remove EIS, using the ESET Uninstaller. That solved the problems. I’ve just updated all Windows drivers and reinstalled EIS 11.0.159 again (clean install, regular version, did not import old settings). No new BSODs have occurred so far, but the firewall still leaks traffic in interactive mode (see other thread for more info)… perhaps that’s a related problem. Hopefully ESET can soon solve these issues. (I can only provide minidumps, not complete memory dumps unfortunately)

The latest pre-release version of EIS 11.0.159, with Firewall module 1373 (20171206), is also affected. When a new Deny rule is being created from the "Outbound network traffic" popup, the firewall does not block the initial outbound connection! Steps to reproduce: 1. Set the EIS firewall to Interactive mode 2. Open Powershell from the Windows start menu and run the following command: Test-NetConnection -ComputerName bing.com -Port 80 3. Choose "Create rule and remember permanently" -> "Deny" from the EIS "Outbound network traffic" popup The Test-NetConnection cmdlet will now display "TcpTestSucceeded : True", which means the firewall leaks traffic! (Subsequent outbound connections from Powershell are being blocked however, so the newly created Deny rule is respected by the firewall -- just not for the initial outbound connection) Is anyone else, besides Stackz and me, experiencing this issue? In EIS or perhaps in ESSP?

For those who don't have telnet enabled on their machine, it's also possible to test with the following Powershell command: Test-NetConnection -ComputerName ad.doubleclick.net -Port 80

Tried different things, including Marcos' suggestions, but the issue persists. I think this is a bug in the firewall. Easiest way to reproduce: run "telnet ad.doubleclick.net 80" (or similar) from a cmd prompt, with the firewall in interactive mode, so that EIS will display an "Outbound network traffic" popup. If you click "Ask every time" -> "Deny", the connection is blocked, as expected. Normal behaviour. However, if you click "Create rule and remember permanently" -> "Deny", a connection is established! Very undesirable behaviour. (to terminate the telnet http connection, press Escape)

Product: ESET Internet Security 11.0.159.0, Firewall module 1372 (20171027) OS: Windows 10 Enterprise v1709 64-bit Firewall is set to "Interactive mode". No custom rules have been created yet. Windows application tries to access the internet. EIS displays "Outbound network traffic" popup. So far so good. However, when choosing "Create rule and remember permanently" -> "Deny", the application is still able to access the internet! A valid Deny rule will be created, but it is ignored the first time! Subsequent connections are refused, as expected. When choosing "Ask every time" -> "Deny" instead of creating a rule, the outbound connection is refused, as expected. Problem seems to occur with all Windows applications, including telnet (outbound TCP). Did not test with inbound traffic yet. Is anyone else experiencing this?

ESET, please fix this firewall bug! The firewall is virtually unusable in ESS v10.1.204 (on Windows 10 Enterprise v1607 x64). And a downgrade isn’t an option for me, because with the previous ESS version I experienced network protection problems (just like user Arash in the other thread).

Same problem here, running ESET Smart Security v10.1.204 on Windows 10 (v1607 x64), with the firewall in interactive mode. It’s driving me mad, the ESS firewall is ignoring all rules and just keeps asking if I want to deny or allow traffic, again and again. Rules are being saved properly, but the firewall just ignores them (causing confusion and resulting in many duplicate rules being created). Happens with all applications: Windows Store, Chrome, Outlook etc. The problem sometimes disappears for a while (maybe after restarting the computer or after opening all ESS firewall rules and pressing OK), but usually returns within a few hours.