
ESET Personal Firewall driver (epfwwfp.sys) causes BSOD in my Win 8.1 laptop



Today, I got a BSOD related to epfwwfp.sys, which is an ESET Personal Firewall driver.

I have faced this problem a few weeks before also, but at the time, I had upgraded directly from ESS v6 to ESS v9, so I thought that might be the cause. I uninstalled ESS and used Windows Defender for a few weeks to make sure that ESS was actually the cause. I then did a fresh install of ESS v10 on Dec 5 and faced no issues since. But today I got a BSOD again, and it was again traced back to the ESET driver.

Here is the troubleshooting done at Microsoft's website.

https://answers.microsoft.com/en-us/windows/forum/windows8_1-performance/wfplwfssys-related-bsod-need-help-updating-driver/95b928b1-2ffe-4050-b2d4-2e5ee06f2329?tm=1482582489401

I have a 3 year license key that expires in 2019, and I have used ESS for the past 6 years with no issues. This issue has started since v9. I am hoping someone here can resolve this issue for me so I can remain loyal to ESET. Thanks in advance.


  • Administrators

I see "Probably caused by : wfplwfs.sys ( wfplwfs!L2802_3ParseMacHeader+87 )" in the dump. Wfplwfs.sys is Microsoft's driver. After the New Year, our devs will check it out to definitely confirm or deny that the crash is caused by ESET.


2 minutes ago, Marcos said:

I see "Probably caused by : wfplwfs.sys ( wfplwfs!L2802_3ParseMacHeader+87 )" in the dump. Wfplwfs.sys is Microsoft's driver. After the New Year, our devs will check it out to definitely confirm or deny that the crash is caused by ESET.

Thanks for the reply, Marcos. If you read the above thread, the Microsoft specialist replying to me in the topic is very certain it is the ESET driver after analysing the same dump.

I also did not face any BSODs when I had uninstalled ESET and was working with (the horrible) Windows Defender.

I shall await a reply from your devs in this regard, and shall help them with any additional info they desire.


  • 2 weeks later...

Hi Marcos, just a friendly reminder that we are now in the New Year, and to please remind your devs to look into this. My laptop has crashed with the same BSOD 3 more times since the last post. If you want, I can post the dumps for the same.


  • Administrators

As soon as I have some news from devs, I'll let you know. Could you try (at least temporarily) uninstalling PeerBlock which uses a driver from 2013 and see if the problem goes away?


I have not started Peerblock since Sunday and have not got a BSOD yet. Will continue observing for the rest of the week and let you know on Monday whether or not the problem has returned.


I have been running ESET without running Peerblock for the whole of last week and till the time of this writing, and have not got a BSOD. I suppose it is safe to assume that the 2 drivers are not getting along. However, ESET is in active development whereas Peerblock is not. Also, previous versions of ESET have worked without issues with Peerblock.

So I'd like to ask if there is a way to make the 2 drivers play along with one another, as in previous versions.

Peerblock has the ability to work with blocklists for malicious, malware and ads domains. This is a pretty cumbersome, complex and manual process in ESET. On the other hand, ESET has application specific firewall rules, which is very handy. So currently I need both.

Edited by lezboyd

On 5/1/2017 at 7:35 PM, Marcos said:

As soon as I have some news from devs, I'll let you know. Could you try (at least temporarily) uninstalling PeerBlock which uses a driver from 2013 and see if the problem goes away?

I spoke too soon in my previous posts :(

Just received another BSOD today, this time with no PeerBlock running. Linking to dump files below:

https://1drv.ms/f/s!Avzd_Hgdj4WQe9ujeToGujFKRe4

Please help.

Edited by lezboyd

  • Administrators

In a few weeks the firewall developers are going to pay a visit to Microsoft and ask them why they think the issue is caused by ESET. It's not obvious from the dumps that ESET is the culprit.


28 minutes ago, Marcos said:

In a few weeks the firewall developers are going to pay a visit to Microsoft and ask them why they think the issue is caused by ESET. It's not obvious from the dumps that ESET is the culprit.

From my side, it makes sense. The BSODs started after I installed ESS. They went away for a month when I uninstalled ESET and worked with Windows Defender (which has to be the worst app around) and resurfaced when I installed ESS.

At this point, I am updating all the device drivers from scratch, updating Windows components, and running DISM/SFC. I have also turned off the Windows Defender and Windows Firewall services, in case ESET clashes with those. If this does not solve it, I suppose it's money wasted on a 3-year ESET license. I will be forced to uninstall it and go with something else.

I shall keep you informed.

Edited by lezboyd

  • Administrators

We have come across numerous cases when issues began to manifest after installing ESET but the root of the problem was elsewhere. It used to be either badly written 3rd party software or a bug in the software, and at least 2-3 times it was a bug in Windows itself.


10 minutes ago, Marcos said:

We have come across numerous cases when issues began to manifest after installing ESET but the root of the problem was elsewhere. It used to be either badly written 3rd party software or a bug in the software, and at least 2-3 times it was a bug in Windows itself.

I don't doubt that. But I would imagine that experience would have made this process easier and would not entail having to wait weeks for an uncertain outcome. I have also noticed that no one from ESET has asked me for a single thing to help identify the issue. Whatever I have provided, I have done so voluntarily. If the dumps are not enough, is there something else I can provide that would help?

I have been using ESET since v3 and have been using most other software on my laptop for years too, across multiple laptops, never running into a problem until I upgraded to ESS v9 and beyond. It's a fact.

Edited by lezboyd

  • Administrators

The problem appears to be in the wfplwfs!L2802_3ParseMacHeader function as it reads more bytes from the output of NdisGetDataBuffer than requested. We will talk to Microsoft and open a support ticket with them.

We assume that the issue should not occur with v9 as it uses epfwlwf which does not register in Microsoft's wfplwfs driver. Could you confirm?


2 hours ago, Marcos said:

We assume that the issue should not occur with v9 as it uses epfwlwf which does not register in Microsoft's wfplwfs driver. Could you confirm?

Thanks for opening the ticket with Microsoft. Hopefully that'll lead to a resolution.

Regarding the second half (quoted), not sure exactly what you need me to do. From my side, I've checked the Windows drivers folder; did not find epfwlwf.sys there. It has epfwwfp.sys and epfw.sys among other ESET drivers that do not start with "epfw".

Nothing with that name found under Local Services either. Please advise.

Just to be clear, I'm currently on ESS v10.0.369.0. The BSOD problem has started since v9 and continues in the latest version.


  • Administrators
35 minutes ago, lezboyd said:

Regarding the second half (quoted), not sure exactly what you need me to do. From my side, I've checked the Windows drivers folder; did not find epfwlwf.sys there. It has epfwwfp.sys and epfw.sys among other ESET drivers that do not start with "epfw".

Just to be clear, I'm currently on ESS v10.0.369.0. The BSOD problem has started since v9 and continues in the latest version.

Epfwlwf.sys is the firewall driver used by v9. V10 doesn't use it on newer Windows. We don't need you to do anything as it will be Microsoft's turn after we report the problem (probable Windows bug) to them.


On 19/1/2017 at 2:35 AM, Marcos said:

Epfwlwf.sys is the firewall driver used by v9. V10 doesn't use it on newer Windows. We don't need you to do anything as it will be Microsoft's turn after we report the problem (probable Windows bug) to them.

Just adding one more thing I have noticed. So far, I have got BSODs whenever I have run, for a prolonged period, apps for which I have set an application-based Firewall rule (allowed an app, for example) in ESS. If I am using apps for which I have not set a deliberate rule in the firewall, I get no BSODs. Just something I noticed. It might still be a Windows bug, as in how Windows drivers react to ESS drivers handling an app-based firewall rule.


4 hours ago, lezboyd said:

Just adding one more thing I have noticed. So far, I have got BSODs whenever I have run, for a prolonged period, apps for which I have set an application-based Firewall rule (allowed an app, for example) in ESS. If I am using apps for which I have not set a deliberate rule in the firewall, I get no BSODs. Just something I noticed. It might still be a Windows bug, as in how Windows drivers react to ESS drivers handling an app-based firewall rule.

Are you running the Eset firewall in Interactive mode? If so, switch to Automatic mode w/Windows inbound firewall rules applied mode. You will also have to temporarily disable any Eset user created inbound firewall rules. Test to determine if BSODs disappear.

In other words, you have established the issue is with custom firewall rules you created. So you will have to experiment with those to find which one is causing the problem.


@itman : ESET firewall is running in Automatic mode with 'Evaluate also rules from Windows Firewall' turned OFF (since I have the Windows Firewall service Disabled; relying solely on ESET's firewall).

Currently I am testing my theory by not using any of the apps I have set a firewall rule for and seeing if I get a BSOD. A couple weeks later (last time I tested for only a week, declared everything solved and fell flat on my face), I will test by deleting the custom firewall rule for one of the apps and then using that app for a prolonged period.


21 minutes ago, lezboyd said:

since I have the Windows Firewall service Disabled

This just might be your problem. Disabling the Win firewall service also disables the Windows Filtering Platform i.e. WFP. The Eset firewall interfaces directly with WFP; all it disables is the inbound/outbound rule application portion depending on firewall mode selected.

As a rule, the Windows firewall service should never be disabled.


@itman : I disabled it because of the BSODs, thinking maybe ESS Firewall is not playing nice with another firewall. I will turn it back on.

Edited by lezboyd

  • Administrators

We have received an initial response to our open case at Microsoft and they confirmed that it looks like a bug in the wfplwfs driver. Moreover, according to our developers this BSOD can occur when fragmented IP packets (usually UDP) are sent over a PPPoE connection. Windows uses some internal structures to represent a network packet and in this case they are crafted in an unusual (but still valid) way. The problem is that the L2802_3ParseMacHeader function in Microsoft's wfplwfs driver does not handle this scenario well, which may result in a BSOD.

We know of 3 ways to mitigate this BSOD so far:

  1. Do not use a PPPoE connection (use Wi-Fi, or change your cable/DSL modem for a cable/DSL router which will do PPPoE for you).
  2. Do not use programs that might create fragmented IP/UDP. Torrents are well known for creating such packets. Disable UDP in your torrent application if possible. Note that web browsing uses mainly TCP, which is safe.
  3. Use an older ESET product. ESSv9 should be safe since it has its own LWF driver called epfwlwf and does not depend on Microsoft's wfplwfs.

This has nothing to do with enabled or disabled Windows firewall, nor with Automatic/Interactive mode of ESET firewall or application rules in ESET firewall.

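As an added illustration (not ESET's or Microsoft's code, and not part of the original thread), the traffic pattern named in the post above, fragmented IPv4 (usually UDP) carried in PPPoE session frames, can be recognised in a capture with a short parser. The function names and sample frames are constructed for this example, and it assumes the uncompressed 2-byte PPP protocol field.

```python
import struct

ETH_PPPOE_SESSION = 0x8864  # EtherType of PPPoE session-stage frames (RFC 2516)
PPP_IPV4 = 0x0021           # PPP protocol number for IPv4
IPPROTO_UDP = 17

def classify_frame(frame: bytes) -> str:
    """Classify one Ethernet frame: is it a fragmented IPv4 packet inside PPPoE?"""
    if len(frame) < 42:  # 14 Ethernet + 6 PPPoE + 2 PPP + 20 IPv4
        return "other"
    if struct.unpack_from("!H", frame, 12)[0] != ETH_PPPOE_SESSION:
        return "other"
    ver_type, code = frame[14], frame[15]
    # Assumption: uncompressed 2-byte PPP protocol field, the usual case on PPPoE.
    ppp_proto = struct.unpack_from("!H", frame, 20)[0]
    if ver_type != 0x11 or code != 0x00 or ppp_proto != PPP_IPV4:
        return "other"
    ip = frame[22:]
    if ip[0] >> 4 != 4:
        return "other"
    flags_frag = struct.unpack_from("!H", ip, 6)[0]
    more_fragments = bool(flags_frag & 0x2000)  # MF bit
    frag_offset = flags_frag & 0x1FFF           # in 8-byte units
    if not more_fragments and frag_offset == 0:
        return "other"                          # whole, unfragmented packet
    return "pppoe-udp-fragment" if ip[9] == IPPROTO_UDP else "pppoe-fragment"

def summarize(frames):
    """Count frames per class so a capture can be checked at a glance."""
    counts = {"pppoe-udp-fragment": 0, "pppoe-fragment": 0, "other": 0}
    for f in frames:
        counts[classify_frame(f)] += 1
    return counts

def build_frame(proto, flags_frag, pppoe=True):
    """Constructed sample frame (documentation addresses, zeroed checksum)."""
    payload = b"\x00" * 8
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 1, flags_frag, 64, proto, 0,
                     bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7])) + payload
    macs = b"\x02\x00\x00\x00\x00\x01\x02\x00\x00\x00\x00\x02"
    if not pppoe:
        return macs + struct.pack("!H", 0x0800) + ip
    return (macs + struct.pack("!HBBHHH", ETH_PPPOE_SESSION, 0x11, 0x00, 1,
                               len(ip) + 2, PPP_IPV4) + ip)

# Constructed samples: UDP first fragment, UDP later fragment, unfragmented UDP,
# TCP fragment, and a UDP fragment on plain Ethernet (no PPPoE).
SAMPLES = [build_frame(17, 0x2000), build_frame(17, 185), build_frame(17, 0x4000),
           build_frame(6, 0x2000), build_frame(17, 0x2000, pppoe=False)]

if __name__ == "__main__":
    print(summarize(SAMPLES))
```

Run over the raw Ethernet frames of a capture taken on the PPPoE-dialling machine, a non-zero `pppoe-udp-fragment` count shows that the traffic condition described in the post is present.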

  • Administrators
On 21. 1. 2017 at 4:18 PM, itman said:

Disabling the Win firewall service also disables the Windows Filtering Platform i.e. WFP. The Eset firewall interfaces directly with WFP; all it disables is the inbound/outbound rule application portion depending on firewall mode selected.

As a rule, the Windows firewall service should never be disabled.

Disabling Windows Firewall does not affect ESET's filtering whatsoever and doing so merely removes Windows Firewall filters from WFP. The only effect it would have is that IPSec and maybe also some other Windows functionalities would not work.


2 hours ago, Marcos said:

Disabling Windows Firewall does not affect ESET's filtering whatsoever and doing so merely removes Windows Firewall filters from WFP. The only effect it would have is that IPSec and maybe also some other Windows functionalities would not work.

Yep. Got that one wrong. You have to disable the BFE service.


This topic is now closed to further replies.