Paolo Pichierri 1 Posted November 20, 2019 Share Posted November 20, 2019 Hello,I have done many tests to verify that it is not a coincidence. This is situation with ESET installed: This is situation without ESET installed (Windows Defender or Norton Antivirus): I can't solve the problem just disabling ESET protection & ESET Firewall, I am forced to uninstall ESET to solve it.NOTE 1: this problem occurs only with a VPN connection;NOTE 2: VPN connection speed is OK immediately after ESET installation, I have to reboot the system to encounter the problem.Please, do You have any advice?Here is some useful information: OS: Windows 10 PRO (1903), 64 bit; ESET: ESET Internet Security 13.0.22.0; VPN Providers I have tested: Mullvad, Surfshark; Web browsers where I have done speed test: Google Chrome, Mozilla Firefox; Speed Test website: https://www.speedtest.net/ Thank You Link to comment Share on other sites More sharing options...
Most Valued Members cyberhash 201 Posted November 20, 2019 Most Valued Members Share Posted November 20, 2019 Seen other people mention that they have issues when using a vpn but have never encountered any issues myself. I use "Windscribe". Very little difference for me between the connections. Link to comment Share on other sites More sharing options...
Administrators Marcos 5,407 Posted November 20, 2019 Administrators Share Posted November 20, 2019 Does temporarily disabling protocol filtering make a difference? Please reproduce the issue with advanced oper. system logging enabled under Tools -> Diagnostics. After reproducing the issue, disable logging and provide the etl log from the "C:\ProgramData\ESET\ESET Security\Diagnostics" folder as well as ELC logs for perusal. Link to comment Share on other sites More sharing options...
Paolo Pichierri 1 Posted November 20, 2019 Author Share Posted November 20, 2019 Disabling SSL/TLS protocol filtering makes no difference . The attached Logfile.zip is obtained with Procmon (ESET Log Collector doesn't work - Error 404 Page not found). Thank You Link to comment Share on other sites More sharing options...
Administrators Marcos 5,407 Posted November 20, 2019 Administrators Share Posted November 20, 2019 No Procmon log is needed. Please enable advanced OS logging, reproduce the issue, then stop logging, compress the file "C:\ProgramData\ESET\ESET Security\Diagnostics\EsetPerf.etl" and provide it to us. For instructions how to collect logs with ELC, please read https://support.eset.com/en/how-do-i-use-eset-log-collector. Link to comment Share on other sites More sharing options...
Paolo Pichierri 1 Posted November 20, 2019 Author Share Posted November 20, 2019 Thanks for explanation EsetPerf.zip Link to comment Share on other sites More sharing options...
Paolo Pichierri 1 Posted November 20, 2019 Author Share Posted November 20, 2019 eis_logs.zip Link to comment Share on other sites More sharing options...
Administrators Marcos 5,407 Posted November 20, 2019 Administrators Share Posted November 20, 2019 You wrote: Disabling SSL/TLS protocol filtering makes no difference Does it mean you also disabled protocol filtering as follows? Link to comment Share on other sites More sharing options...
Paolo Pichierri 1 Posted November 20, 2019 Author Share Posted November 20, 2019 Thanks for your help, You are right, I did not disable the correct parameter. I disabled it just now, so I performed the speed-test again. Unfortunately, as You can see, disabling it does not lead to a significant improvement: Link to comment Share on other sites More sharing options...
SRT 1 Posted November 20, 2019 Share Posted November 20, 2019 Does not slow my connection down at all. In fact it is faster with EIS than all the other firewall I have used. Using PrivateVPN , with AES-256-GCM encryption. Use to use Windscribe (life-time license), but do not trust or like it at all in my opinion. Link to comment Share on other sites More sharing options...
Administrators Marcos 5,407 Posted November 21, 2019 Administrators Share Posted November 21, 2019 Please try the following: - reboot Windows to safe mode - rename "C:\Program Files\ESET\ESET Security\Drivers" to drivers_bak for instance - rename C:\Windows\System32\drivers\epfwwfp.sys, e.g. to C:\Windows\System32\drivers\epfwwfp.bak - start Windows in normal mode. Does the issue still persist or it's gone? Link to comment Share on other sites More sharing options...
Paolo Pichierri 1 Posted November 21, 2019 Author Share Posted November 21, 2019 I followed your advice (now there are some red security warnings on ESET window), but unfortunately the connection speed is always about 7,5 Mbps. NOTE: I performed a lot of tests (with the same web-browser, the same server, the same speed-test) and I noticed that sometimes at the end of the test (the last 1-2 seconds) the connection speed increases rapidly towards the correct value (after a long period of constant 7,5 Mbps) Link to comment Share on other sites More sharing options...
Administrators Marcos 5,407 Posted November 21, 2019 Administrators Share Posted November 21, 2019 If renaming the driver didn't make any difference, then the issue seems to be in Windows Filtering Platform that is a part of Windows and simply registering a callout to WFP without doing anything with the traffic causes the issues. I'm gonna send you instructions how to unregister ESET from WFP soon which should confirm my assumption. Link to comment Share on other sites More sharing options...
Paolo Pichierri 1 Posted November 21, 2019 Author Share Posted November 21, 2019 OK, Thank You! Link to comment Share on other sites More sharing options...
Administrators Marcos 5,407 Posted November 26, 2019 Administrators Share Posted November 26, 2019 Please try unregistering ESET from Windows Filtering Platform (WFP) as follows: 1, Download EpfwWfpRegV10.10-64.exe from https://drive.google.com/file/d/12NA8G4j_YUUhTe5zvvWFTlrUuIoa3LR6/ 2, Run "EpfwWfpRegV10.10-64.exe /unreg" with elevated administrator rights. You should get something like this: Unregistering callouts and filters through BFE. Removed 56 (0) filters, 28 callouts, 2 sublayers, 1 providers. Exit status 0x0: OK 3, Check if the issue is gone. After a computer restart, ESET will re-register to WFP so do not restart the machine while testing. Link to comment Share on other sites More sharing options...
Paolo Pichierri 1 Posted November 27, 2019 Author Share Posted November 27, 2019 First of all, Thanks for your professional technical support.I took your advice & got your same result: Removed 56 (0) filters, 28 callouts, 2 sublayers, 1 providers. Exit status 0x0: OKUnfortunately this did not solve the problem (I ran cmd as administrator and I did not restart my PC).However I have an update, until now I performed speedtests through "Single Connection Mode", because I have read "Single Connection Mode is ideal for testing a vpn or downloading a file". But if I switch to "Multi Connection Mode" the indicated connection speed is approx 18 Mbps. I don't know technically the difference between one mode and another, anyway the correct speed is 18 Mbps because it is consistent with the effective download speed which I reach in some applications like utorrent. The strange thing is that only with ESET i get so different values from the two modes, this does not happen with all the others security suites I have tested. Thanks again Link to comment Share on other sites More sharing options...
Administrators Marcos 5,407 Posted November 27, 2019 Administrators Share Posted November 27, 2019 Please try the following but now rename all ESET drivers: - in normal mode disable Webcam protection: - reboot Windows to safe mode - rename "C:\Program Files\ESET\ESET Security\Drivers" to drivers_bak for instance - rename the following drivers: C:\Windows\System32\drivers\epfwwfp.sys (e.g. to C:\Windows\System32\drivers\epfwwfp.bak) C:\Windows\System32\drivers\eamonm.sys C:\Windows\System32\drivers\ehdrv.sys - start Windows in normal mode - if that doesn't make any difference either, try renaming ekrn.exe in safe mode ("C:\Program Files\ESET\ESET Security\ekrn.exe" ) Link to comment Share on other sites More sharing options...
Paolo Pichierri 1 Posted November 28, 2019 Author Share Posted November 28, 2019 I renamed all of them, but unfortunately the "problem" is still there Link to comment Share on other sites More sharing options...
Administrators Marcos 5,407 Posted November 28, 2019 Administrators Share Posted November 28, 2019 Please provide logs collected with ESET Log Collector when all drivers and ekrn are renamed and ESET is not registered in WFP. It's virtually impossible that after doing that ESET would have any effect on the OS and applications whatsoever. Link to comment Share on other sites More sharing options...
Paolo Pichierri 1 Posted November 28, 2019 Author Share Posted November 28, 2019 This is the situation with all drivers & ekrn renamed and ESET is not registered in WFP: eis_logs.zip Link to comment Share on other sites More sharing options...
Paolo Pichierri 1 Posted November 28, 2019 Author Share Posted November 28, 2019 This is the situation after uninstalling ESET and restarting my PC: ELC_logs.zip Link to comment Share on other sites More sharing options...
Administrators Marcos 5,407 Posted November 28, 2019 Administrators Share Posted November 28, 2019 It seems that epfw.sys is running, please rename it as well. If that doesn't help, the only thing that we can think of to try is changing the value of HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\<Interface GUID>\TcpAckFrequency from 1 to 2 (https://support.microsoft.com/en-us/help/328890/new-registry-entry-for-controlling-the-tcp-acknowledgment-ack-behavior). Link to comment Share on other sites More sharing options...
Paolo Pichierri 1 Posted November 28, 2019 Author Share Posted November 28, 2019 Renaming all the drivers & ekrn and unregistering ESET from WFP did not solve the problem. But changing the value TcpAckFrequency from 1 to 2 solved the problem! This is the situation now (all ESET drivers activated, ie not renamed) : NOTE: as You can see, following the path HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\ I found a lot of sub-folders, so I changed the value TcpAckFrequency from 1 to 2 for for each of them. Can this affect my PC performance/security? What does it have to do with ESET?Thanks for your help. peteyt 1 Link to comment Share on other sites More sharing options...
Most Valued Members peteyt 396 Posted November 28, 2019 Most Valued Members Share Posted November 28, 2019 1 hour ago, Paolo Pichierri said: Renaming all the drivers & ekrn and unregistering ESET from WFP did not solve the problem. But changing the value TcpAckFrequency from 1 to 2 solved the problem! This is the situation now (all ESET drivers activated, ie not renamed) : NOTE: as You can see, following the path HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\ I found a lot of sub-folders, so I changed the value TcpAckFrequency from 1 to 2 for for each of them. Can this affect my PC performance/security? What does it have to do with ESET?Thanks for your help. Good to see you found a fix - Wonder what this means though ha Link to comment Share on other sites More sharing options...
Recommended Posts