
Gamtat

Everything posted by Gamtat

  1. Perfect. I will start the installation/configuration of the 7.2 VA. The existing server is currently used for another purpose at least for a few more months so I can't get rid of that just yet or this would have been much easier. Thanks!
  2. Our ERA 6.5 is running on Server 2008R2 and I want to replace it with the ESMC Virtual Appliance as I can't upgrade that server to ESMC 7.2 (SQL Server 2017 doesn't appear to install on 2008R2). What would be the procedure for installing a fresh ESMC 7.2 Virtual Appliance and just forcing the existing clients to connect to it? There are less than 100 clients, which are: ESET Remote Administrator Agent 6.5.522.0 and ESET Endpoint Antivirus 6.6.2095.1. I can find KB articles about upgrading 6.x to 7.x on the same server or moving between servers with identical versions but nothing that details going from 6.x on ServerA to 7.x on ServerB. Will this procedure (that is written for 7.x to 7.x) work: https://support.eset.com/en/kb6729-certificate-migration-in-eset-security-management-center-7x ?
  3. We started getting this error on a regular basis on January 9th. Clients seem to be updating but instead of seeing this error maybe once every few months I'm seeing it multiple times a day now.

     ESET Remote Administrator (Server), Version 6.5 (6.5.522.0)
     ESET Remote Administrator (Web Console), Version 6.5 (6.5.388.0)
     Update module 1072 (20180813)
     Translation support module 1721 (20181211)
     Configuration module 1663.13 (20180709)
     SysInspector module 1274 (20180918)

     Server 2008, Windows 7 clients. Using the Apache proxy.
  4. I just tried to make a manual installation package. It sits on the "Downloading installers from repository and preparing all-in-one installer" window for about a minute or so then fails with "Internal Server Error". Clients are updating definitions just fine, the machine I'm typing this on has definitions from about an hour ago. Nothing on the ERA server has changed in months. Any ideas? If I attempt to manually download hxxp://repository.eset.com:80/v1/com/eset/apps/business/eea/windows/v6/6.6.2078.5/eea_nt64_enu.msi it times out immediately or starts downloading at about 2 or 3 KB/s then fails after a few seconds. Maybe the problem isn't on my end after all? Is there an ESET status page anywhere?
  5. Trying to install ESET Endpoint Antivirus 6.6.2078.5 on a Windows 7 client. The agent installed ok (via GPO) and I've sent countless tasks through the ERA. Each one says Running for a while, then says Failed. I can send a wake up call and the "last connected" time updates. I cleared the cache on the server "C:\programdata\Apache HTTP Proxy\cache" in the hopes it would spark something to redownload but the actual installation files never actually get cached anyway so I'm not sure why I did that! Are there any logs? How do I go about troubleshooting this? I really dislike when I have to do ESET maintenance these days. The client is awesome but the management tools are some of the worst I've ever used. v5 was clunky as hell but at least it told you what was going on.
  6. Of the five or so activation issues I initially saw all were solved with a safe mode uninstall then manually running the install task from the RA console. I decided to just go ahead and push it out company-wide and deal with the consequences. A dozen further machines failed activation and I was able to fix them in a similar fashion. No further issues so far and no messing with the ELA license website (futzing with the ELA activation didn't fix anything for me). I'm lucky in that aside from the hassle it's no big deal for me to do this, I know not everyone has an environment as forgiving or is maybe dealing with remote users. If it's at all possible I would just bite the bullet and safe mode uninstall because it's the only thing I've seen that has worked.
  7. FYI, this is not just a problem that affects upgrades from earlier 6.6 versions. I had it happen to a bunch of computers that were upgraded from 6.5.
  8. Uninstalled it from safe mode and reinstalled from a manual install task. Looks fine now. Can you confirm that the problem is fixed now? I'm hesitant to upgrade the bulk of our clients if this is going to happen again.
  9. I see the former: "Module update failed. Your license file does not contain a username and password. You can update only from an update mirror" There are no Username or Password entries in that registry key, no.
  10. I tried a bunch this morning but to be certain I just rebooted it again and get the same "ESET Endpoint requires your attention" bubble after login. Protection Status: ESET Livegrid is not accessible. Modules Update failed: Your license file does not contain a username or password. I've tried to activate it manually a few times and have also deactivated the license from the ELA site but nothing has worked yet. Is there anything else I can try?
  11. I can check on https://ela.eset.com/ and it's listed with an activation date of today with a green checkmark "Everything is OK". However, the client has the same errors described earlier in the thread: Modules update failed, live grid not accessible etc..
  12. Nope, it had v5, then upgraded to 6.5 then yesterday upgraded to 6.6 all through the remote console in exactly the same way all the other machines were. Some worked fine and some had this error. Some were upgraded from 6.5.2094, some from 6.6.2046 but all with the same remote console task.
  13. This morning before reading this thread I deactivated another client on the ELA site then attempted to activate the license manually. ELA was immediately updated with the date of this new activation, the "activation from ERA" for that client was gone and the "status" was listed with a green tick "Everything is OK". The client shows a window with a progress bar saying "Verifying License Key, This may take a few moments" which doesn't go away. I can close it, reboot and the client is still not activated. Is there anything we should be doing to prepare for the fix that's coming?
  14. I just upgraded some computers to 6.6.2068 and have this same problem with a bunch of them. It has been less than 24 hours since upgrading but after a couple reboots they still have issues. This page: https://support.eset.com/kb6636/ mentions a server-side update but doesn't give a link to download the update - any idea how to get it? On one of the affected machines I deactivated the license via https://ela.eset.com, rebooted the machine, then sent an activation task. The task was listed as Planned:Yes, Status: Finished for about 30 minutes but now has changed to Planned:No, Status: Finished but with a Last Status time of last June when it was previously upgraded. The client still shows errors. The RA console shows the machine with a green status tick, modules updated etc. I went to the machine itself and manually tried activating but got the same "I want to purchase license" message. Then I tried doing a manual update. That was 20 minutes ago. It's still showing "Updating product..." Am I going to have to do a manual safe mode uninstall on these machines? This thread was started weeks ago, why hasn't this broken upgrade been pulled from production?
  15. Bingo! This server used to grab an IP via DHCP reservation but I changed all that a little while back. All the clients have their proxy configuration set as the DNS name but the server had the proxy host listed using the old IP address. Changed that to the DNS name and we're back in business. Currently testing an upgrade to Endpoint Antivirus 6.6.2068. Thanks for the speedy reply!
  16. I'm trying to create a task to update clients to Endpoint Antivirus 6.6.2064 but there is nothing in the repository.

      Admin > Client Tasks > Software Install > New Task

      In the settings section I agree with the T&Cs, select my license then click <Choose Package>. The package repository is empty, displaying only "No Data Available". My license is valid although it expires on Jan 28th and I haven't renewed it yet - am I being denied because I'm less than 30 days from expiry? I gave the box a quick reboot but still the repository is empty. This is the same server and configuration that was able to install/update clients to various 6.5.x versions and also 6.6.2046 so I don't think anything is misconfigured, although I can't rule it out. What is my next step in troubleshooting this? I went to an existing, known good, task and tried changing the package but the repository was now empty there too.

      ESET Remote Administrator (Server), Version 6.5 (6.5.522.0)
      ESET Remote Administrator (Web Console), Version 6.5 (6.5.388.0)
      Windows Server® 2008 Standard (64-bit)
  17. I'm assuming update.ver isn't supposed to be cached. Here's a section of yesterday's cached-requests.log from Apache. Note that the only clients that are occasionally receiving a cached update.ver are the ones that have been updated to 6.6.2046.

          10.10.10.105 - - [21/Sep/2017:00:04:48 -0500] "GET hxxp://update.eset.com/eset_upd/ep6.6/dll/update.ver HTTP/1.1" 200 9621
          10.10.10.134 - - [21/Sep/2017:00:07:01 -0500] "GET hxxp://update.eset.com/eset_upd/ep6.6/dll/update.ver HTTP/1.1" 200 9621
          10.10.10.105 - - [21/Sep/2017:01:04:48 -0500] "GET hxxp://update.eset.com/eset_upd/ep6.6/dll/update.ver HTTP/1.1" 200 9621
          10.10.10.134 - - [21/Sep/2017:01:07:00 -0500] "GET hxxp://update.eset.com/eset_upd/ep6.6/dll/update.ver HTTP/1.1" 200 9621
          10.10.10.134 - - [21/Sep/2017:03:07:01 -0500] "GET hxxp://update.eset.com/eset_upd/ep6.6/dll/update.ver HTTP/1.1" 200 9621
          10.10.10.134 - - [21/Sep/2017:06:07:03 -0500] "GET hxxp://update.eset.com/eset_upd/ep6.6/dll/update.ver HTTP/1.1" 200 9600
          10.10.10.134 - - [21/Sep/2017:07:07:05 -0500] "GET hxxp://update.eset.com/eset_upd/ep6.6/dll/update.ver HTTP/1.1" 200 9599
          10.10.10.134 - - [21/Sep/2017:09:07:13 -0500] "GET hxxp://update.eset.com/eset_upd/ep6.6/dll/update.ver HTTP/1.1" 200 9599
          10.10.10.134 - - [21/Sep/2017:11:07:05 -0500] "GET hxxp://update.eset.com/eset_upd/ep6.6/dll/update.ver HTTP/1.1" 200 9656
          10.10.10.105 - - [21/Sep/2017:12:04:53 -0500] "GET hxxp://update.eset.com/eset_upd/ep6.6/dll/update.ver HTTP/1.1" 200 9656
          10.10.10.134 - - [21/Sep/2017:12:07:05 -0500] "GET hxxp://update.eset.com/eset_upd/ep6.6/dll/update.ver HTTP/1.1" 200 9656
          10.10.10.134 - - [21/Sep/2017:13:07:05 -0500] "GET hxxp://update.eset.com/eset_upd/ep6.6/dll/update.ver HTTP/1.1" 200 9656
          10.10.10.104 - - [21/Sep/2017:13:57:09 -0500] "GET hxxp://update.eset.com/eset_upd/ep6.6/dll/update.ver HTTP/1.1" 200 9621
          10.10.10.105 - - [21/Sep/2017:14:04:52 -0500] "GET hxxp://update.eset.com/eset_upd/ep6.6/dll/update.ver HTTP/1.1" 200 9621
          10.10.10.134 - - [21/Sep/2017:14:07:07 -0500] "GET hxxp://update.eset.com/eset_upd/ep6.6/dll/update.ver HTTP/1.1" 200 9621
          10.10.10.86 - - [21/Sep/2017:14:20:27 -0500] "GET hxxp://update.eset.com/eset_upd/ep6.6/dll/update.ver HTTP/1.1" 200 9621
          10.10.10.105 - - [21/Sep/2017:15:04:53 -0500] "GET hxxp://update.eset.com/eset_upd/ep6.6/dll/update.ver HTTP/1.1" 200 9626
          10.10.10.134 - - [21/Sep/2017:15:07:10 -0500] "GET hxxp://update.eset.com/eset_upd/ep6.6/dll/update.ver HTTP/1.1" 200 9626
          10.10.10.134 - - [21/Sep/2017:17:07:08 -0500] "GET hxxp://update.eset.com/eset_upd/ep6.6/dll/update.ver HTTP/1.1" 200 9626
          10.10.10.104 - - [21/Sep/2017:17:57:14 -0500] "GET hxxp://update.eset.com/eset_upd/ep6.6/dll/update.ver HTTP/1.1" 200 9613
          10.10.10.105 - - [21/Sep/2017:18:04:55 -0500] "GET hxxp://update.eset.com/eset_upd/ep6.6/dll/update.ver HTTP/1.1" 200 9613
          10.10.10.134 - - [21/Sep/2017:18:07:07 -0500] "GET hxxp://update.eset.com/eset_upd/ep6.6/dll/update.ver HTTP/1.1" 200 9613
          10.10.10.86 - - [21/Sep/2017:18:20:28 -0500] "GET hxxp://update.eset.com/eset_upd/ep6.6/dll/update.ver HTTP/1.1" 200 9613
          10.10.10.134 - - [21/Sep/2017:19:07:08 -0500] "GET hxxp://update.eset.com/eset_upd/ep6.6/dll/update.ver HTTP/1.1" 200 9658
          10.10.10.105 - - [21/Sep/2017:20:04:55 -0500] "GET hxxp://update.eset.com/eset_upd/ep6.6/dll/update.ver HTTP/1.1" 200 9658
          10.10.10.134 - - [21/Sep/2017:20:07:07 -0500] "GET hxxp://update.eset.com/eset_upd/ep6.6/dll/update.ver HTTP/1.1" 200 9658
          10.10.10.105 - - [21/Sep/2017:21:04:55 -0500] "GET hxxp://update.eset.com/eset_upd/ep6.6/dll/update.ver HTTP/1.1" 200 9658
          10.10.10.134 - - [21/Sep/2017:21:07:07 -0500] "GET hxxp://update.eset.com/eset_upd/ep6.6/dll/update.ver HTTP/1.1" 200 9658
          10.10.10.105 - - [21/Sep/2017:22:04:55 -0500] "GET hxxp://update.eset.com/eset_upd/ep6.6/dll/update.ver HTTP/1.1" 200 9658
          10.10.10.134 - - [21/Sep/2017:22:07:07 -0500] "GET hxxp://update.eset.com/eset_upd/ep6.6/dll/update.ver HTTP/1.1" 200 9658
          10.10.10.134 - - [21/Sep/2017:23:07:08 -0500] "GET hxxp://update.eset.com/eset_upd/ep6.6/dll/update.ver HTTP/1.1" 200 9635

      I also get requests for update.ver in revalidated-requests.log a couple times a day. Also only from the clients that have been updated to 6.6.2046. Here are those entries copied from that log:

          10.10.10.104 - - [20/Sep/2017:14:57:02 -0500] "GET hxxp://update.eset.com/eset_upd/ep6.6/dll/update.ver HTTP/1.1" 200 9633
          10.10.10.134 - - [20/Sep/2017:16:06:59 -0500] "GET hxxp://update.eset.com/eset_upd/ep6.6/dll/update.ver HTTP/1.1" 200 9633
          10.10.10.105 - - [21/Sep/2017:19:04:55 -0500] "GET hxxp://update.eset.com/eset_upd/ep6.6/dll/update.ver HTTP/1.1" 200 9658
          10.10.10.104 - - [21/Sep/2017:21:57:15 -0500] "GET hxxp://update.eset.com/eset_upd/ep6.6/dll/update.ver HTTP/1.1" 200 9658
          10.10.10.105 - - [21/Sep/2017:23:04:57 -0500] "GET hxxp://update.eset.com/eset_upd/ep6.6/dll/update.ver HTTP/1.1" 200 9635
          10.10.10.134 - - [22/Sep/2017:07:07:08 -0500] "GET hxxp://update.eset.com/eset_upd/ep6.6/dll/update.ver HTTP/1.1" 200 9606

      Am I reading the logs incorrectly? If I grep update.ver from htcacheclean.exe -a -p "c:\ProgramData\Apache HTTP Proxy\cache" I get this:

          hxxp://um05.eset.com:80hxxp://um05.eset.com/eset_upd/v5/update.ver?
          hxxp://um02.eset.com:80hxxp://um02.eset.com/eset_upd/v5/update.ver?
          hxxp://38.90.226.40:80hxxp://38.90.226.40/eset_upd/v5/update.ver?
          hxxp://um21.eset.com:80hxxp://um21.eset.com/eset_upd/v5/update.ver?
          hxxp://update.eset.com:80hxxp://update.eset.com/eset_upd/v5/update.ver?
          hxxp://um07.eset.com:80hxxp://um07.eset.com/eset_upd/v5/update.ver?
          hxxp://91.228.166.13:80hxxp://91.228.166.13/eset_upd/v5/update.ver?
          hxxp://91.228.167.21:80hxxp://91.228.167.21/eset_upd/v5/update.ver?
          hxxp://um09.eset.com:80hxxp://um09.eset.com/eset_upd/v5/update.ver?
          hxxp://91.228.167.133:80hxxp://91.228.167.133/eset_upd/v5/update.ver?
          hxxp://38.90.226.39:80hxxp://38.90.226.39/eset_upd/v5/update.ver?
          hxxp://update.eset.com:80hxxp://update.eset.com/eset_upd/ep6.6/dll/update.ver?
          hxxp://91.228.166.16:80hxxp://91.228.166.16/eset_upd/v5/update.ver?
          hxxp://38.90.226.37:80hxxp://38.90.226.37/eset_upd/v5/update.ver?

      The clients I've updated to 6.6.2046 do seem to have the latest definition updates (currently 16123) despite occasionally being served cached update.ver files, so I'm not sure what's going on. A little help deciphering this would be great.
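One way to read the cached-requests.log entries in the post above, as an added example that is not part of the original post: it splits the cache hits for update.ver into runs of identical body size, so you can see how long the proxy kept serving each cached copy before refetching. The function names are hypothetical, and body size is used as a stand-in for file identity because the log format carries no ETag.

```python
import re
from datetime import datetime

# Apache "common" log format as quoted in the post. The request line carries
# an absolute URL because Apache is acting as a forward proxy.
CLF = re.compile(
    r'(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

# Excerpt of the cached-requests.log lines quoted in the post, plus one
# constructed line (08:00:00) for a different URL to exercise the filter.
SAMPLE = """\
10.10.10.105 - - [21/Sep/2017:00:04:48 -0500] "GET hxxp://update.eset.com/eset_upd/ep6.6/dll/update.ver HTTP/1.1" 200 9621
10.10.10.134 - - [21/Sep/2017:03:07:01 -0500] "GET hxxp://update.eset.com/eset_upd/ep6.6/dll/update.ver HTTP/1.1" 200 9621
10.10.10.134 - - [21/Sep/2017:06:07:03 -0500] "GET hxxp://update.eset.com/eset_upd/ep6.6/dll/update.ver HTTP/1.1" 200 9600
10.10.10.134 - - [21/Sep/2017:07:07:05 -0500] "GET hxxp://update.eset.com/eset_upd/ep6.6/dll/update.ver HTTP/1.1" 200 9599
10.10.10.86 - - [21/Sep/2017:08:00:00 -0500] "GET hxxp://update.eset.com/example/constructed.nup HTTP/1.1" 200 1024
10.10.10.134 - - [21/Sep/2017:11:07:05 -0500] "GET hxxp://update.eset.com/eset_upd/ep6.6/dll/update.ver HTTP/1.1" 200 9656
10.10.10.105 - - [21/Sep/2017:12:04:53 -0500] "GET hxxp://update.eset.com/eset_upd/ep6.6/dll/update.ver HTTP/1.1" 200 9656
10.10.10.104 - - [21/Sep/2017:13:57:09 -0500] "GET hxxp://update.eset.com/eset_upd/ep6.6/dll/update.ver HTTP/1.1" 200 9621
"""

def parse(text):
    """Yield (timestamp, client, url, size) for each well-formed log line."""
    for line in text.splitlines():
        m = CLF.match(line.strip())
        if m is None:
            continue  # skip blank or truncated lines
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        size = None if m["size"] == "-" else int(m["size"])
        yield ts, m["client"], m["url"], size

def cached_copies(text, suffix="/update.ver"):
    """Group cache hits for URLs ending in `suffix` into runs of equal size.

    A new run starts whenever the served size changes, i.e. the proxy
    replaced its cached copy. Each run records the size, the first and last
    time it was served, and the clients that received it.
    """
    runs = []
    for ts, client, url, size in sorted(parse(text), key=lambda r: r[0]):
        if not url.endswith(suffix):
            continue
        if not runs or runs[-1]["size"] != size:
            runs.append({"size": size, "first": ts, "last": ts, "clients": set()})
        runs[-1]["last"] = ts
        runs[-1]["clients"].add(client)
    return runs

def longest_lived(runs):
    """Return the run that was served from cache over the longest time span."""
    return max(runs, key=lambda r: r["last"] - r["first"])

if __name__ == "__main__":
    for run in cached_copies(SAMPLE):
        print(run["size"], run["first"], run["last"], sorted(run["clients"]))
```
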
  18. Config was fine. Logs are working now. This is why I don't like messing with these things on Windows: CRLF is not the same as LF. Thanks, Notepad! Now I just have to figure out why some things aren't being cached but that's for another thread.
  19. That's exactly what I did. Still, the only log that gets written to is the error.log. I can increase the log level to debug and can see some cache-related entries in there but don't get any distinct cache logs created. I've added CustomLog "logs/access.log" common and see a bunch of..

          10.10.10.92 - - [20/Sep/2017:13:20:31 -0500] "POST hxxp://c.eset.com:80/ HTTP/1.1" 200 58
          10.10.10.92 - - [20/Sep/2017:13:20:31 -0500] "POST hxxp://c.eset.com:80/ HTTP/1.1" 200 58
          10.10.10.82 - - [20/Sep/2017:13:20:16 -0500] "HEAD hxxp://update.eset.com/eset_upd/era6/update.ver HTTP/1.1" 503 -
          10.10.10.82 - - [20/Sep/2017:13:20:37 -0500] "HEAD hxxp://38.90.226.37/eset_upd/era6/update.ver HTTP/1.1" 200 -

      .. so with that and the error.log changes I know Apache can write to the log directory.
  20. I'm having some issues with the ERA Apache http caching proxy. I've updated a few test machines to EEA 6.6.2046 and the 6.6.2046 installer looks like it was pulled from the cache properly but after the install and forced reboot there was another update (modules?). This wasn't pulled from the cache; instead it was just proxied through Apache on the ERA server.

          [Wed Sep 20 09:53:59.467075 2017] [cache:debug] [pid 6468:tid 916] mod_cache.c(1214): [client 10.10.10.86:49213] AH00768: cache: hxxp://update.eset.com/ep6.6-dll-rel-sta/mod_002_engine_30152/em002_64_l0.dll.nup not cached. Reason: Authorization required

      After about 15 minutes downloading I noticed this in the ERA proxy's error.log:

          [Wed Sep 20 10:06:23.072275 2017] [cache:debug] [pid 6468:tid 900] mod_cache.c(1214): [client 10.10.10.86:49279] AH00768: cache: hxxp://update.eset.com/ep6.6-dll-rel-sta/mod_002_engine_34802/em002_64_l2.dll.nup not cached. Reason: Response status 404

      And the client's EEA update tab now says "Modules update failed, file not found on server". However, the client in ERA is listed as "modules updated", with the correct EEA version number (ESET Endpoint Antivirus 6.6.2046.0) but an old definitions version - 15873. (current as of now is 16112). I guess this is because the hourly update task hasn't been run yet? I then manually click "check for updates" on the client and it's now downloading another file (em023_64_i0.dll.nup) through the proxy again instead of the cache. This file is 16MB, the previous one that failed (em002_64_i0.dll.nup ?) was 75MB. After a lengthy update the client then goes through the "updating modules x/6" process and now looks fine on both the client and the ERA. Tried it on another machine and exactly the same results. The installation file is cached but the modules aren't. When the machine gets logged in after the forced reboot the user is presented with a big warning popup telling them "modules update failed, file not found on server". If I manually run check updates or manually force the hourly scheduled task to run the modules are now updated but are still not being cached by the ERA proxy. If I run htcacheclean -a -p "c:\programdata\apache http proxy\cache" I get a little over 1100 entries so some things are being cached fine but not everything.
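A way to summarise the mod_cache debug entries quoted in the post above, as an added example that is not part of the original post: it pulls every AH00768 "not cached" line out of error.log and groups the refusals by reason, separating HTTP caching policy from upstream failures. The function names and the two category labels are hypothetical; the sample input is the two log lines from the post.

```python
import re
from collections import defaultdict

# mod_cache debug entry in the layout quoted in the post.
NOT_CACHED = re.compile(
    r'\[(?P<ts>[^\]]+)\] \[cache:debug\] \[pid [^\]]+\] \S+ '
    r'\[client (?P<client>[^\]:]+):\d+\] AH00768: cache: '
    r'(?P<url>\S+) not cached\. Reason: (?P<reason>.+)$'
)

# Labels are this example's own. "Authorization required": the request sent
# an Authorization header, and mod_cache only stores such a response when its
# Cache-Control carries s-maxage, must-revalidate or public.
# "Response status 404": the origin had no such file, so nothing to store.
CATEGORY = {
    "Authorization required": "http-policy",
    "Response status 404": "upstream-error",
}

# The two error.log lines quoted in the post.
SAMPLE = """\
[Wed Sep 20 09:53:59.467075 2017] [cache:debug] [pid 6468:tid 916] mod_cache.c(1214): [client 10.10.10.86:49213] AH00768: cache: hxxp://update.eset.com/ep6.6-dll-rel-sta/mod_002_engine_30152/em002_64_l0.dll.nup not cached. Reason: Authorization required
[Wed Sep 20 10:06:23.072275 2017] [cache:debug] [pid 6468:tid 900] mod_cache.c(1214): [client 10.10.10.86:49279] AH00768: cache: hxxp://update.eset.com/ep6.6-dll-rel-sta/mod_002_engine_34802/em002_64_l2.dll.nup not cached. Reason: Response status 404
"""

def uncached(text):
    """Map each 'not cached' reason to the requests that hit it."""
    by_reason = defaultdict(list)
    for line in text.splitlines():
        m = NOT_CACHED.search(line.strip())
        if m is None:
            continue  # other debug lines, or lines damaged by bad line endings
        parts = m["url"].rstrip("/").split("/")
        by_reason[m["reason"].strip()].append({
            "client": m["client"],
            "url": m["url"],
            "module_dir": parts[-2],  # e.g. mod_002_engine_30152
            "file": parts[-1],
        })
    return dict(by_reason)

def summary(text):
    """Return sorted (category, reason, hit count, clients) tuples."""
    rows = []
    for reason, hits in uncached(text).items():
        clients = sorted({h["client"] for h in hits})
        rows.append((CATEGORY.get(reason, "other"), reason, len(hits), clients))
    return sorted(rows)

if __name__ == "__main__":
    for row in summary(SAMPLE):
        print(row)
```
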
  21. Any idea how to configure this on Windows? I broke my golden rule to never run Apache on Windows after installing the ESET proxy. It seems no matter what I change in the httpd.conf the only log file that gets created/updated is C:/Program Files/Apache HTTP Proxy/logs/error.log. I run apache on debian a bunch and am stumped as to why I can't get this working.
  22. I haven't changed the defaults to enable WebControl so it wasn't that - just now exported the log to confirm that it was blocked by the internal lists. I look forward to this being logged in the console. I know the software has done its job by blocking the URL but it's a useful insight into user behavior for possible "reeducation".

          <?xml version="1.0" encoding="utf-8" ?>
          <ESET>
            <LOG>
              <RECORD>
                <COLUMN NAME="Time">6/6/2017 2:18:52 PM</COLUMN>
                <COLUMN NAME="URL">hxxp://newrequest-changeshippingcenter-ebayinc.com</COLUMN>
                <COLUMN NAME="Status">Blocked by internal IP blacklist</COLUMN>
                <COLUMN NAME="Application">C:\Windows\System32\CompatTelRunner.exe</COLUMN>
                <COLUMN NAME="User">DOMAIN\user</COLUMN>
                <COLUMN NAME="IP address">51.15.139.219</COLUMN>
                <COLUMN NAME="SHA1">7508DB266FDCDF93C951A022C5DA505A13EE6BE9</COLUMN>
              </RECORD>
              <RECORD>
                <COLUMN NAME="Time">6/6/2017 2:18:13 PM</COLUMN>
                <COLUMN NAME="URL">hxxp://newrequest-changeshippingcenter-ebayinc.com</COLUMN>
                <COLUMN NAME="Status">Blocked by internal IP blacklist</COLUMN>
                <COLUMN NAME="Application">C:\Windows\System32\CompatTelRunner.exe</COLUMN>
                <COLUMN NAME="User">DOMAIN\user</COLUMN>
                <COLUMN NAME="IP address">51.15.139.219</COLUMN>
                <COLUMN NAME="SHA1">7508DB266FDCDF93C951A022C5DA505A13EE6BE9</COLUMN>
              </RECORD>
            </LOG>
          </ESET>
  23. Had a user come to me to let me know they had accidentally clicked on something they shouldn't have and had received the Access Denied "Access to the web page was blocked" popup and browser warning. I can see it in their event log on the client but there's no sign of it in the Threats section of the web interface. I can go to the Computers section, select Show Details on their computer and can't see it there either in the Threats or Alerts pages. The computer is otherwise reporting just fine to the ERA server. Have I screwed up one of my policies? How do I make sure this stuff is visible in the dashboard (or possibly via email alert)?
  24. 1. This solution is.... less than ideal. It shows me the computer name but now I can only perform one operation at a time. As a feature request, the quarantine page is right there already, just needs another column added to increase its usefulness. 3. I figured something like that might be happening when nothing changed in the client's local configuration. It would be great if you could mark a threat as "ignore for this location", "ignore for this computer", "ignore system-wide" or some combination.. I guess having a specific exclusions policy sounds good. We're using this version: ESET Remote Administrator (Server), Version 6.5 (6.5.522.0), ESET Remote Administrator (Web Console), Version 6.5 (6.5.388.0) with Endpoint Antivirus 6.5.2094 on the clients. Great news! I tried this and it made no difference. I get slow, laggy scrolling with "loading..." popups no matter which option is selected.