[KB2567] System is unresponsive or crashes with ESET products installed (ERA 6.2)

Issue

  • System is unresponsive, freezes or hangs following the upgrade of the ERA Agent or other ESET business products
  • ESET Remote Administrator crashes after upgrading to the latest version
  • You need to install Microsoft Hotfix 2664888 to run ESET Remote Administrator 6.2.171.0
  • You need to apply the Network.dll fix to ESET Remote Administrator 6.2.171.0

Details

  • The issue involves a conflict between the ESET epfwwfpr.sys driver file and the Microsoft WFP API platform.

Solution

End of support for version 6.3, 6.2 and 6.1

These products no longer receive detection engine updates. No technical support or patches are available for this version. Basic support may continue but is not guaranteed. Documentation is not created or updated.

Important!

Be sure to complete Parts I-IV in order. In most cases, applying the Network.dll fix on the ESET Remote Administrator Server machine or installing the Microsoft patch on client workstations in Part II will resolve this issue. Only continue to Parts II-IV if Part I fails to resolve the issue.

  1. Apply the Network.dll fix on the ESET Remote Administrator Server machine

    ERA Server 6.2.171.0 (Windows) or version 6.2.200.0 (Linux) only

    This first step of the solution only applies if your client workstations are connecting to ERA Server version 6.2.171.0 (Windows) or version 6.2.200.0 (Linux) and experiencing system freezing issues. If you have other versions of ERA Server, please proceed with step 2. The commands listed below will not work for ERA version 6.3 and later. Using this procedure with different versions of ERA Server can harm your installation.

    Follow the steps below according to your ERA Server system architecture:

    64-bit Windows

    1. Download Network.dll file (64-bit Windows).
    2. Stop the ERA Server service.
    3. Replace the existing file located in
      C:Program Files\ESET\RemoteAdministrator\Server
    4. Start the ERA Server service.

    32-bit Windows

    1. Download Network.dll file (32-bit Windows).
    2. Stop the ERA Server service.
    3. Replace the existing file located in
      C:\Program Files\ESET\RemoteAdministrator\Server
    4. Start the ERA Server service.

    64-bit Linux

    1. Download Network.so file (64-bit Linux). You can also use wget command to download the file directly (useful if you are running ERA VA), execute: wget https://help.eset.com/era_admin/62/Fix/Linux/x86_64/Network.so
    2. Stop the ERA Server service - execute: sudo service eraserver stop
    3. Replace the existing file located in /opt/eset/RemoteAdministrator/Server/
    4. Start the ERA Server service - execute: sudo service eraserver start

    32-bit Linux

    1. Download Network.so file (32-bit Linux). You can also use wget command to download the file directly (useful if you are running ERA VA), execute: wget https://help.eset.com/era_admin/62/Fix/Linux/i386/Network.so
    2. Stop the ERA Server service - execute: sudo service eraserver stop
    3. Replace the existing file located in /opt/eset/RemoteAdministrator/Server/
    4. Start the ERA Server service - execute: sudo service eraserver start

    If this fix does not resolve your issue, continue to Part II.

  2. Download and run the Hotfix from Microsoft

    Microsoft has released a patch that should resolve this issue on your client workstation. You must install the Hotfix on every system with an ERA Agent running, both endpoints and servers.

    To run this patch, follow the link below and complete the step-by-step instructions listed there:

    Important! Windows Server 2008 (not R2) users

    You must choose the "Windows Vista" hotfix version for your system type (Fix393635).

    If this patch does not resolve your issue, continue to Part III.

  3. Rename the driver

    If the Hotfix provided by Microsoft did not resolve this issue, follow the steps below to deactivate the epfwwfpr.sys driver responsible for HTTP and POP3 checking:
    1. Restart the server in Safe Mode.
    2. Click Start Run, type drivers and click OK.
    3. Rename the epfwwfpr.sys driver file located in the %WinDir%system32drivers folder (example: C:\WINDOWS\SYSTEM32\DRIVERS\epfwwfpr.sys.bak).
    4. Restart the server in normal mode.

    After making the change, the ESET icon next to the system clock will turn red, alerting you that maximum protection is not ensured. You will also see ”Analysis of application protocols will not function" in the Protection status area located on the left of the main program window. If the issue persists after completing the steps above, please continue to Part IV below.

  4. Contact ESET Technical Support
    Need further assistance? Contact ESET Technical Support.