[KB7675] ESET firewall module causes Windows XP machines and ESET products to stop working

ESET business product no longer supported

This content applies to an ESET product version that is currently in End of Life status and is no longer supported. This content is no longer updated.

For a complete list of supported products and support level definitions, review the ESET End of Life policy for business products.

Upgrade ESET business products.

Last Updated: October 24, 2020, 12:00 CEST

Issue

High CPU usage
You receive the message "ESET Service encountered a problem and needed to close" on Windows XP or Windows Server 2003
Your ESET product has blank advanced settings, cannot update detection engine, etc.
Firewall module version 1411.1 is present in your ESET product
Remote Solution: Using ESET Security Management Center or ESET Remote Administrator
Manual Solution: On individual client workstations or Home products

Details

The issue occurs on ESET products with the Firewall module and the Network protection module on Windows XP machines. The issue is caused by the Firewall (EPFW) module version 1411.1, which was released within its build 1574 to regular update servers at 14:11 CEST on October 16, 2020. The version has been reverted to 1409.2 temporarily, which does not cause the issue.

Solution

I do not use ESMC or ERA to manage my network

Remote Solution: Using ESET Security Management Center or ESET Remote Administrator

A "fixing tool" is available to download from the following:

https://help.eset.com/eset_tools/xpfix/xpfix27.exe
https://help.eset.com/eset_tools/xpfix/xpfix27.zip (if .exe is forbidden to download in your browser)
http://help.eset.com/eset_tools/xpfix/xpfix27.exe (works with Windows XP, but use with caution due to security risks)

If the endpoint workstations do not have access to the internet, place the fixing tool to your local HTTP server to be accessible:

http://server_hostname/xpfix27.exe
http://10.1.2.3/xpfix27.exe

This fix is compatible with the following ESET products (if the product and version are not listed below, wait for an updated version of the fix, or apply the manual solution):

ESET Endpoint Antivirus; versions 6.4, 6.5, 6.6, 7.0 and 7.1
ESET Endpoint Security; versions 6.4, 6.5, 6.6, 7.0 and 7.1
ESET products for Windows Server; version 7.0

To resolve the issue:

Open the ESMC Web Console or ERA Web Console.
Click Tasks > New > Client Task.
From the Task drop-down menu, select Run Command.
Click Settings.
Copy the command below to a text editor (such as Notepad) and replace LINK_TO_THE_FILE with a desired URL.

Important!

In most cases, the command works only if the link starts with http://. Windows XP does not support current HTTPS encryption methods and the command will fail.

> "%temp%\uacinstall.vbs" ( echo.Set objFSO = CreateObject^("Scripting.FileSystemObject"^) & echo.strSaveTo = "%temp%\fixer.exe" & echo.Set objHTTP = CreateObject^("WinHttp.WinHttpRequest.5.1"^) & echo.objHTTP.Open "GET", "LINK_TO_THE_FILE", False & echo.objHTTP.Send & echo.If objFSO.FileExists^(strSaveTo^) Then & echo. objFSO.DeleteFile^(strSaveTo^) & echo.End If & echo.If objHTTP.Status = 200 Then & echo. Dim objStream & echo. Set objStream = CreateObject^("ADODB.Stream"^) & echo. With objStream & echo. .Type = 1 'adTypeBinary & echo. .Open & echo. .Write objHTTP.ResponseBody & echo. .SaveToFile strSaveTo & echo. .Close & echo. End With & echo. Set objStream = Nothing & echo.End If ) & call cscript.exe //B //nologo "%temp%\uacinstall.vbs" & del "%temp%\uacinstall.vbs" & call "%temp%\fixer.exe" & del "%temp%\fixer.exe"

Copy and paste the command into the Command line to run field.

Figure 1-1
Click Finish and then click Create trigger.
Click Target and add desired computers or groups.
Click Finish to run the fix and wait until the task execution is completed.
Reboot the affected computers.
After a successful update of ESET modules (protection status might be still "red"), reboot again.

Manual Solution: On individual client workstations or Home products

Option 1: Use fixing tool locally (recommended)

A "fixing tool" is available to download from the following:

https://help.eset.com/eset_tools/xpfix/xpfix27.exe
https://help.eset.com/eset_tools/xpfix/xpfix27.zip (if .exe is forbidden to download in your browser)
http://help.eset.com/eset_tools/xpfix/xpfix27.exe (works with Windows XP, but use with caution due to security risks)

If the endpoint workstations do not have access to the internet, place the fixing tool to your local HTTP server to be accessible:

http://server_hostname/xpfix27.exe
http://10.1.2.3/xpfix27.exe

This fix is compatible with the following ESET products (if the product and version are not listed below, wait for an updated version of the fix, or apply the manual solution):

ESET Endpoint Antivirus; versions 6.4, 6.5, 6.6, 7.0 and 7.1
ESET Endpoint Security; versions 6.4, 6.5, 6.6, 7.0 and 7.1
ESET products for Windows Server; version 7.0

Option 2: Manual steps (if option 1 does not work)

Start Windows in Safe Mode or Safe Mode with Networking.
Delete the file em008_32.dat from the product folder:

C:\Program Files\ESET\ESET Endpoint Security
or
C:\Program Files\ESET\ESET Endpoint Antivirus
or
C:\Program Files\ESET\ESET Security
Start Windows in Normal Mode.
Let the product update itself, which will download the fixed version of the Firewall module.

We strongly recommend that you upgrade

Each new version of ESET products features many bugfixes and improvements. Existing customers with a valid license for an ESET product may upgrade to the latest version of the same product for free.

Ensure full protection by a free upgrade of your ESET product

Last Updated: Mar 3, 2022