molojavy 0 Posted April 15 Share Posted April 15 (edited) I have a problem with ProtonVpn using the WireGuard protocol, I'm on ESS Premium v17.1.9, I can confirm that http/3 traffic scanning interfere with ProtonVPN WireGuard service, causing 0xC00000E5 error "Access is denied", so the service can't create/launch WireGuard tunnel. Device SWD\WireGuard{EAB2262D-9AB1-5975-7D92-334D06F4972B} failed to start. Driver name: oem32.inf Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318} Service: WireGuard Lower filters: Upper filters: Problem: 0x0 Problem status: 0xC00000E5 I don't want to put my system at risk by disabling http/3 traffic scanning, what are the options in this case? Edited April 15 by molojavy Misspellings Link to comment Share on other sites More sharing options...
Administrators Marcos 5,250 Posted April 15 Administrators Share Posted April 15 1, Enable advanced network traffic scanner logging (advanced setup -> Tools -> Diagnostics) 2, Start capturing the network communication with Wireshark 3, Reproduce the issue 4, Stop logging and save the Wireshark log. 5, Collect logs with ESET Log Collector 6, Supply us with both ELC and Wireshark logs for perusal. Link to comment Share on other sites More sharing options...
molojavy 0 Posted April 15 Author Share Posted April 15 13 minutes ago, Marcos said: 1, Enable advanced network traffic scanner logging (advanced setup -> Tools -> Diagnostics) 2, Start capturing the network communication with Wireshark 3, Reproduce the issue 4, Stop logging and save the Wireshark log. 5, Collect logs with ESET Log Collector 6, Supply us with both ESET Log Collector and Wireshark logs for perusal. Sure, i can provide you with requested logs, tomorrow. I also provide you with the screen capture while reproducing the problem. Link to comment Share on other sites More sharing options...
molojavy 0 Posted April 16 Author Share Posted April 16 18 hours ago, Marcos said: 1, Enable advanced network traffic scanner logging (advanced setup -> Tools -> Diagnostics) 2, Start capturing the network communication with Wireshark 3, Reproduce the issue 4, Stop logging and save the Wireshark log. 5, Collect logs with ESET Log Collector 6, Supply us with both ESET Log Collector and Wireshark logs for perusal. I'm a bit confused, which network should I capture with Wireshark if the WireGuard tunnel is failing to start? Link to comment Share on other sites More sharing options...
molojavy 0 Posted April 16 Author Share Posted April 16 (edited) 18 hours ago, Marcos said: 1, Enable advanced network traffic scanner logging (advanced setup -> Tools -> Diagnostics) 2, Start capturing the network communication with Wireshark 3, Reproduce the issue 4, Stop logging and save the Wireshark log. 5, Collect logs with ESET Log Collector 6, Supply us with both ESET Log Collector and Wireshark logs for perusal. The suggested sequence of actions cannot be executed because if the http/3 traffic scanning is enabled it's prevents WireGuard Tunnel from starting and, consequently, from being captured in Wireshark. Therefore, steps 2 and 4 are impossible to complete. Edited April 16 by molojavy Link to comment Share on other sites More sharing options...
molojavy 0 Posted April 16 Author Share Posted April 16 19 hours ago, Marcos said: 1, Enable advanced network traffic scanner logging (advanced setup -> Tools -> Diagnostics) 2, Start capturing the network communication with Wireshark 3, Reproduce the issue 4, Stop logging and save the Wireshark log. 5, Collect logs with ESET Log Collector 6, Supply us with both ESET Log Collector and Wireshark logs for perusal. unknown_2024.04.16-16.30.mp4 As previously mentioned, I am unable to provide Wireshark data due to the failure of the WireGuard tunnel to start when http/3 traffic scanning is enabled. In lieu of Wireshark logs, I am presenting logs from Eset log collector and a video demonstrating the involvement of the http/3 traffic scanning feature in the malfunction of the WireGuard tunnel, specifically the inability to initiate the WireGuard tunnel: Device SWD\WireGuard{EAB2262D-9AB1-5975-7D92-334D06F4972B} failed to start. Driver name: oem32.inf Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318} Service: WireGuard Lower filters: Upper filters: Problem: 0x0 Problem status: 0xC00000E5 essp_logs.zip Link to comment Share on other sites More sharing options...
molojavy 0 Posted April 22 Author Share Posted April 22 Any updates on this matter? Link to comment Share on other sites More sharing options...
Administrators Marcos 5,250 Posted April 22 Administrators Share Posted April 22 Are you still having issues today? Have you recently rebooted or turned off/on the machine? Link to comment Share on other sites More sharing options...
molojavy 0 Posted April 22 Author Share Posted April 22 I'm still having the issue. Yes, recently I've rebooted my machine, and I've shut it down with cmd... Link to comment Share on other sites More sharing options...
Administrators Marcos 5,250 Posted April 22 Administrators Share Posted April 22 In that case I assume that the issue won't go away after turning off HTTP/3 network traffic filtering. Could you confirm? Did it use to work with v17.0.16? Link to comment Share on other sites More sharing options...
molojavy 0 Posted April 22 Author Share Posted April 22 The thing is, if i disable http/3 traffic scanning, the WireGuard tunnel is working just fine, as it should. But i don't want to lower my security standards to have it functioning. That's why I've asked if there any updates on this matter... p.s. I can confirm, that it's stopped working on 17.1.9.0 Link to comment Share on other sites More sharing options...
molojavy 0 Posted April 22 Author Share Posted April 22 Besides, I'm not the only person having this issue, so i was thinking that somebody is gonna give me some update after a week... Link to comment Share on other sites More sharing options...
Administrators Marcos 5,250 Posted April 22 Administrators Share Posted April 22 22 minutes ago, molojavy said: The thing is, if i disable http/3 traffic scanning, the WireGuard tunnel is working just fine, as it should. When did you test it? It should have no effect on the issue unless you made the test days ago. Link to comment Share on other sites More sharing options...
molojavy 0 Posted April 22 Author Share Posted April 22 1 minute ago, Marcos said: When did you test it? It should have no effect on the issue unless you made the test days ago. I've tested it a couple of minutes ago! And the issue is still present. My English is not perfect, but if I say, that I'm still having the issue, is it so hard to understand? And besides, why is it no problem any more?! There was no version update, there is no statement about a fix from Eset. Link to comment Share on other sites More sharing options...
molojavy 0 Posted April 22 Author Share Posted April 22 (edited) You've asked me to provide logs, I did it, in addition I've provided you a video. According to the Eset Forum, the logs are downloaded 0 times. And after i asked for a update on my matter, i get weird answers with no explanations and assumptions that I've tested this issue a long time ago. It's very bad practice to answer your costumers like that... Edited April 22 by molojavy Link to comment Share on other sites More sharing options...
Administrators Marcos 5,250 Posted April 22 Administrators Share Posted April 22 The logs were most likely created at the time when the issue could occur so they are not useful at this point. Hence I asked if you had been experiencing the issue recently (ie. in the last 4-5 days). Turning on or off HTTP/3 traffic filtering has no effect on network communication currently. Link to comment Share on other sites More sharing options...
molojavy 0 Posted April 22 Author Share Posted April 22 11 minutes ago, Marcos said: The logs were most likely created at the time when the issue could occur so they are not useful at this point. Hence I asked if you had been experiencing the issue recently (ie. in the last 4-5 days). Turning on or off HTTP/3 traffic filtering has no effect on network communication currently. I've posted the logs on the next day you asked for, it was last Tuesday, and they was useless? Weird thing... You've asked me about today, and I gave my answer, then you've wrote: "It should have no effect on the issue unless you made the test days ago." Still I'm not having the answer on my matter. Should I consult myself or what? Link to comment Share on other sites More sharing options...
molojavy 0 Posted April 22 Author Share Posted April 22 (edited) 18 minutes ago, Marcos said: The logs were most likely created at the time when the issue could occur so they are not useful at this point. Hence I asked if you had been experiencing the issue recently (ie. in the last 4-5 days). Turning on or off HTTP/3 traffic filtering has no effect on network communication currently. It's affecting the WireGuard Tunel!!!! Watch the video! And I've tested it today, which means CURRENTLY. Edited April 22 by molojavy Link to comment Share on other sites More sharing options...
itman 1,746 Posted April 22 Share Posted April 22 (edited) It appears the HTTP/3 issue is with WireGuard per your prior posting: https://forum.eset.com/topic/40688-heavy-bug-in-version-17190-internet-security/?do=findComment&comment=182878 . Based on this; Quote TCP Mode WireGuard explicitly does not support tunneling over TCP, due to the classically terrible network performance of tunneling TCP-over-TCP. Rather, transforming WireGuard's UDP packets into TCP is the job of an upper layer of obfuscation (see previous point), and can be accomplished by projects like udptunnel and udp2raw. https://www.wireguard.com/known-limitations/ It appears WireGuard is exclusively UDP based as is HTTP/3 QUIC. Edited April 22 by itman Link to comment Share on other sites More sharing options...
Administrators Marcos 5,250 Posted April 22 Administrators Share Posted April 22 A developer would like to check a manually generated dump of ekrn.exe when HTTP/3 checking is enabled in gui. Please open the advanced setup, navigate to Tools -> Diagnostics. Make sure that "full dump" is selected in the drop-down menu and click "Create". Then provide the dump created in C:\ProgramData\ESET\ESET Security\Diagnostics zipped in an archive. Link to comment Share on other sites More sharing options...
molojavy 0 Posted April 22 Author Share Posted April 22 11 minutes ago, Marcos said: A developer would like to check a manually generated dump of ekrn.exe when HTTP/3 checking is enabled in gui. Please open the advanced setup, navigate to Tools -> Diagnostics. Make sure that "full dump" is selected in the drop-down menu and click "Create". Then provide the dump created in C:\ProgramData\ESET\ESET Security\Diagnostics zipped in an archive. May I provide it from google drive? The Archive size exceeds the forum limitations. Link to comment Share on other sites More sharing options...
Administrators Solution Marcos 5,250 Posted April 22 Administrators Solution Share Posted April 22 The system has not been restarted in the last 7 days. Restarting it should fix the issue. Link to comment Share on other sites More sharing options...
molojavy 0 Posted April 22 Author Share Posted April 22 4 minutes ago, Marcos said: The system has not been restarted in the last 7 days. Restarting it should fix the issue. That's helped, thank you. I need to dig in my system, because I've restarted the system today, but the system dump showed that it was 7 days ago... So there is some bug on my side. Thanks for your time and assistance. Link to comment Share on other sites More sharing options...
itman 1,746 Posted April 22 Share Posted April 22 51 minutes ago, molojavy said: I need to dig in my system, because I've restarted the system today, but the system dump showed that it was 7 days ago... Do you have Win10/11 fast startup enabled? Link to comment Share on other sites More sharing options...
molojavy 0 Posted April 22 Author Share Posted April 22 (edited) 6 minutes ago, itman said: Do you have Win10/11 fast startup enabled? Yes win11 with fast startup, but I've restarted with cmd command... And now I'm curious, what could go wrong... But it's another problem for another day and another forum. I assume that the kind people from Eset are tired of my incompetence😂 Edited April 22 by molojavy Link to comment Share on other sites More sharing options...
Recommended Posts