ewong
Posts posted by ewong

  1. While watching the trace.log, something became very apparent. It was repeating the process of deleting tables/creating tables, as evidenced by the following log:

    I've attached a log to this message.

    It basically deletes all the existing tables, then it recreates them, does some stuff in the middle, loads modules, then detects something ("Checking if ETL DB required") and then it finds that it is required ("ETL upgrade required")...

    I'm a little stumped as to why it's doing that.

    Any help appreciated

    Edmund

    test.log

  2. Hi,

    With some time on my hands, I took the plunge and downloaded the necessary components to upgrade the PROTECT v8.0 (on a CentOS 7 system) to v9.0.

    I followed: https://support.eset.com/en/kb8150-manual-component-based-upgrade-from-eset-security-management-center-7x-for-linux-to-the-latest-version-of-eset-protect

    After running the server install, the rdsensor install and the era.war deployment to Tomcat, I started the services.

    I tried logging on but got an error: "Login failed: Connection has failed with state "Not connected"".

    Having experienced that before, I know it has something to do with Tomcat.

    I did a "sudo systemctl start eraserver" (just in case), then "sudo systemctl start tomcat", and then I tried logging on; it still reported Not connected.

    sudo systemctl status tomcat -l

    Feb 09 17:12:46 esmc.company.local server[4144]: Feb 09, 2022 5:12:46 PM sk.eset.era.g2webconsole.server.modules.logger.LogItem logInto
    Feb 09 17:12:46 esmc.company.local server[4144]: SEVERE: [communication_error_run] Connection refused
    Feb 09 17:12:46 esmc.company.local server[4144]: Feb 09, 2022 5:12:46 PM sk.eset.era.g2webconsole.server.modules.logger.LogItem logInto
    Feb 09 17:12:46 esmc.company.local server[4144]: WARNING: [Administrator] Login (session creation) failed (code 3) from address remoteAddress: 192.168.0.27 [user-agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:68.0) Gecko/20100101 Firefox/68.0 SeaMonkey/2.53.10.1; accept-language: en-US,en;q=0.5].
    Feb 09 17:12:46 esmc.company.local server[4144]: Feb 09, 2022 5:12:46 PM sk.eset.era.g2webconsole.server.modules.logger.LogItem logInto
    Feb 09 17:12:46 esmc.company.local server[4144]: INFO: [] Closing connection
    Feb 09 17:12:46 esmc.company.local server[4144]: Feb 09, 2022 5:12:46 PM sk.eset.era.g2webconsole.server.modules.logger.LogItem logInto
    Feb 09 17:12:46 esmc.company.local server[4144]: SEVERE: [] Connection closing because of ERA server communication processing error: Connection refused
    Feb 09 17:12:46 esmc.company.local server[4144]: Feb 09, 2022 5:12:46 PM sk.eset.era.g2webconsole.server.modules.logger.LogItem logInto
    Feb 09 17:12:46 esmc.company.local server[4144]: SEVERE: [communication_error_run] Connection refused

    Seeing the connection refused, I'm guessing it's an ERA Server issue.

    But when I do a "sudo systemctl status eraserver" I get:


    ● eraserver.service - ESET PROTECT Server
       Loaded: loaded (/etc/systemd/system/eraserver.service; enabled; vendor preset: disabled)
       Active: active (running) since Wed 2022-02-09 17:20:47 HKT; 1min 30s ago
      Process: 7014 ExecStart=/opt/eset/RemoteAdministrator/Server/ERAServer --daemon --pidfile /var/run/eraserver.pid (code=exited, status=0/SUCCESS)
     Main PID: 7015 (ERAServer)
       CGroup: /system.slice/eraserver.service
               └─7015 /opt/eset/RemoteAdministrator/Server/ERAServer --daemon --pidfile /var/run/eraserver.pid

    Feb 09 17:20:47 esmc.company.local systemd[1]: eraserver.service holdoff time over, scheduling restart.
    Feb 09 17:20:47 esmc.company.local systemd[1]: Stopped ESET PROTECT Server.
    Feb 09 17:20:47 esmc.company.local systemd[1]: Starting ESET PROTECT Server...
    Feb 09 17:20:47 esmc.company.local systemd[1]: Started ESET PROTECT Server.

    So I try a "sudo systemctl restart tomcat".

    But when I try to log on, I still get the "Not connected" error.

    I do see a /var/run/eraserver.pid, and I see it in the process list, so I'm guessing that it is running.

    I took a look at /var/log/eset/RemoteAdministrator/Server/trace.log and noticed that the last line was:

    2022-02-09 09:35:14 Information: CDatabaseModule [Thread 7f30ac206740]: CDBSetupperBase::PerformUpgradeIfNecessary: Old routines and views are deleted.
    2022-02-09 09:35:14 Information: CDatabaseModule [Thread 7f30ac206740]: CDBSetupperBase::PerformUpgradeIfNecessary: Going to create tables: fact_fe_threat_event tbl_computers_aggr tbld_activethreats_status_engineversion tbld_application_identifier tbld_application_parameters tbld_apps_installed_status_name tbld_apps_installed_status_vendor tbld_cause tbld_computers_comment tbld_computers_name tbld_devicecontrol_device_event_device tbld_deviceinformation_device_status_manufacturer tbld_deviceinformation_device_status_model tbld_devicelocation_gps_status_provider tbld_diagnostics_diagnosticzip_event_data tbld_eesvirusdb_status_versiondate tbld_enterpriseinspectoralert_event_rulename tbld_exportedconfiguration_event_configuration tbld_firewallagregated_event_protocol tbld_hwinventory_chassis_status_description tbld_hwinventory_chassis_status_manufacturer tbld_hwinventory_display_status_description tbld_hwinventory_display_status_manufacturer tbld_hwinventory_displayadapter_status_description tbld_hwinventory_displayadapter_status_manufacturer tbld_hwinventory_inputdevice_status_description tbld_hwinventory_inputdevice_status_manufacturer tbld_hwinventory_massstorage_status_description tbld_hwinventory_massstorage_status_manufacturer tbld_hwinventory_networkadapter_status_description tbld_hwinventory_networkadapter_status_manufacturer tbld_hwinventory_printer_status_description tbld_hwinventory_processor_status_description tbld_hwinventory_processor_status_manufacturer tbld_hwinventory_ram_status_description tbld_hwinventory_ram_status_manufacturer tbld_hwinventory_sounddevice_status_description tbld_hwinventory_sounddevice_status_manufacturer tbld_identifiers_list_status_value tbld_ip_mask tbld_loggedusers_list_status_domain tbld_loggedusers_list_status_fullname tbld_loggedusers_list_status_name tbld_osinformation_edition_status_os_info_edition tbld_osinformation_locale_status_os_locale_language tbld_osinformation_timezone_status_time_zone_name_offset 
tbld_processname tbld_quarantine_uploadedfile_event_password tbld_quarantine_uploadedfile_event_path tbld_rdsensor_newcomputers_status_computer_identifier tbld_rdsensor_newcomputers_status_ipv4ipv6 tbld_rdsensor_newcomputers_status_mergedidentifier tbld_rdsensor_newcomputers_status_netcardvendor tbld_rdsensor_newcomputers_status_osname tbld_remote_host tbld_rulename tbld_scantargetsid tbld_security_product_status_nameversion tbld_srvsecproduct_scantargets_status_data tbld_static_groups_comment tbld_static_groups_name tbld_submittedfiles_event_username tbld_sysinspector_sysinspector_event_logdata tbld_threat_event_engineversion tbld_threatname tbld_used_license_status_licenseid_licenseproductname tbld_usergroup tbld_username tblf_activethreats_status tblf_applicationactivationmatrix_status tblf_appliedpoliciescount_status tblf_appliedpolicieslist_status tblf_appliedpolicyproducts_status tblf_apps_currentversion_status tblf_apps_installed_status tblf_apps_securitystatus_status tblf_apps_versioncheck_status tblf_audit_event tblf_blockedfiles_event tblf_certificates_peercertificate_status tblf_cloudalerts_event tblf_computer_connected_event tblf_computer_lost_event tblf_computercloningtickets_status tblf_computeridentityrecovered_event tblf_computerlocationmembership_status tblf_devicecontrol_device_event tblf_deviceinformation_device_status tblf_devicelocation_gps_status tblf_diagnostics_devicecontrol_device_event tblf_diagnostics_diagnosticzip_event tblf_diagnostics_firewall_event tblf_diagnostics_hips_event tblf_diagnostics_spam_event tblf_diagnostics_webcontrol_link_event tblf_dynamicgroups_content_status tblf_dynamicgroupsmembership_status tblf_dynamicthreatdetectionanalyses_status tblf_dynamicthreatdetectionglobalcustomersstatistics_status tblf_dynamicthreatdetectionglobaldetectionstatistics_status tblf_eesevent__event tblf_eesvirusdb_status tblf_encryption_storage_status tblf_enterpriseinspectoralert_event tblf_enterpriseinspectoroverview_status 
tblf_enterpriseinspectoroverviewtotals_status tblf_epns_status tblf_exclusionhitsagregated__event tblf_exclusionhitssummary_status[root@esmc Server]#

    Is this an indication that it is recreating all those tables and that this is normal? It has been some time since I installed v8, so I don't recall having this issue.

    Any clarifications appreciated,

    Thanks!

    Edmund

    PS: I just realized that I hadn't backed up the database... oh well. I guess if this goes fubar, I'll need to recreate this whole setup again. Lesson learnt.
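As an added triage aid (not code from the post or from ESET), the script below correlates the three kinds of log lines quoted above: the web console's "Connection refused" errors, the systemd journal's "holdoff time over, scheduling restart" (which means the server process had exited and was restarted, even though status now shows "active (running)"), and the trace.log database-upgrade step. All log lines, hostnames, addresses and PIDs in it are constructed placeholders.

```python
import re

# Constructed sample lines modelled on the excerpts in the post above;
# hostnames, addresses, PIDs and timestamps are placeholders, not real systems.
WEBCONSOLE_LOG = [
    "Feb 09 17:12:46 esmc.example.local server[4144]: SEVERE: [communication_error_run] Connection refused",
    "Feb 09 17:12:46 esmc.example.local server[4144]: WARNING: [Administrator] Login (session creation) failed (code 3) from address remoteAddress: 192.0.2.27 [user-agent: placeholder].",
    "Feb 09 17:12:46 esmc.example.local server[4144]: INFO: [] Closing connection",
    "Feb 09 17:12:46 esmc.example.local server[4144]: SEVERE: [] Connection closing because of ERA server communication processing error: Connection refused",
]
JOURNAL_LOG = [
    "Feb 09 17:20:47 esmc.example.local systemd[1]: eraserver.service holdoff time over, scheduling restart.",
    "Feb 09 17:20:47 esmc.example.local systemd[1]: Stopped ESET PROTECT Server.",
    "Feb 09 17:20:47 esmc.example.local systemd[1]: Starting ESET PROTECT Server...",
    "Feb 09 17:20:47 esmc.example.local systemd[1]: Started ESET PROTECT Server.",
]
TRACE_LOG = [
    "2022-02-09 09:35:14 Information: CDatabaseModule [Thread 7f30ac206740]: CDBSetupperBase::PerformUpgradeIfNecessary: Old routines and views are deleted.",
    "2022-02-09 09:35:14 Information: CDatabaseModule [Thread 7f30ac206740]: CDBSetupperBase::PerformUpgradeIfNecessary: Going to create tables: fact_fe_threat_event tbl_computers_aggr",
]

# Patterns for the three symptoms; each captures the detail worth reporting.
REFUSED_RE = re.compile(r"SEVERE: .*Connection refused")
LOGIN_FAIL_RE = re.compile(r"Login \(session creation\) failed \(code (\d+)\) from address remoteAddress: (\S+)")
RESTART_RE = re.compile(r"(\S+\.service) holdoff time over, scheduling restart")
UPGRADE_RE = re.compile(r"PerformUpgradeIfNecessary: (.*)$")


def diagnose(webconsole, journal, trace):
    """Correlate web console, journal and trace.log lines into structured findings."""
    refused = sum(1 for line in webconsole if REFUSED_RE.search(line))
    failed_logins = []  # (remote address, failure code) per rejected console login
    for line in webconsole:
        m = LOGIN_FAIL_RE.search(line)
        if m:
            failed_logins.append((m.group(2), int(m.group(1))))
    # Units systemd had to restart: the process exited at least once before the current start.
    restarted = sorted({m.group(1) for m in map(RESTART_RE.search, journal) if m})
    # Last upgrade step seen in trace.log; "Going to create tables" means the DB upgrade had not finished.
    upgrade_steps = [m.group(1) for m in map(UPGRADE_RE.search, trace) if m]
    upgrade_in_progress = bool(upgrade_steps) and upgrade_steps[-1].startswith("Going to create tables")
    findings = []
    if refused:
        findings.append("web console cannot reach the server (%d refused connections)" % refused)
    if restarted:
        findings.append("systemd restarted %s after it exited; 'active (running)' reflects only the newest start" % ", ".join(restarted))
    if upgrade_in_progress:
        findings.append("trace.log ends inside a database upgrade step; the server may still be upgrading the DB")
    return {"connection_refused": refused, "failed_logins": failed_logins,
            "restarted_units": restarted, "upgrade_in_progress": upgrade_in_progress, "findings": findings}


if __name__ == "__main__":
    for finding in diagnose(WEBCONSOLE_LOG, JOURNAL_LOG, TRACE_LOG)["findings"]:
        print("-", finding)
```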

     

     

  3. Coincidentally, I am also looking at the API and am wondering if the endpoint is just https://<server>:<port>/api. While I've tried that, it doesn't seem to output anything.

    Edit: I was using the same web UI port when I came across the setting "webconsole port", which is also the ServerAPI port (I think).

    Haven't quite guessed what the endpoint URL looks like. So hopefully someone in the know can chime in.

     

  4. 4 hours ago, MartinK said:

    We do currently track an improvement for reporting the version, which is currently not available, especially on Linux. On Windows, there is at least the possibility to check the version as shown in the executable file details.

    If I recall correctly, creating an update mirror does not use any retry mechanisms, but downloading of repository packages should use some basic retry mechanisms and also a "continuation" type of download, which should be able to continue a failed download and re-use already downloaded data.
    Regardless of that, MirrorTool was designed in a way that it should download only incremental changes, so it might be called repeatedly. Or is the problem that even repeated calls, which are supposed to not download much data, are failing?
    Also note there is the possibility to use an HTTP proxy in between MirrorTool and the internet as an additional caching layer, which might help in case of network instability and frequent failures.

    Hi @MartinK,

    A workaround that I noticed was downloading whatever version is online and finding the hash of both. Though this doesn't tell which is newest, at least I know it's different and can probably get the latest off the site.

    As for the HTTP proxy, I'll have a look at that option. Thanks!

    Edmund

  5. @MartinK are there built-in retries in MirrorTool? Like after going through the list of files required to be downloaded, MirrorTool would go over the failed downloads again. I've tried running MirrorTool on two different Linux systems and both give me different file failures, so I'm guessing some transient network hiccups.

    Btw, how do I find the version of MirrorTool?

    Thanks

     

  6. Hi,

    I don't know if these two issues are one and the same, but I'm having difficulties with both the updates and repository mirroring.

    Firstly, the repository mirroring script fails with the following error:

    Error: Downloading file : http://repository.eset.com/v1/com/eset/apps/business/es/ms_sharepoint/v6/6.5.15015.2/eshp_nt32_enu.msi failed with : GetFile: Host 'repository.eset.com' not found [error code: 20002]
    Downloading file : http://repository.eset.com/v1/com/eset/apps/business/esm/linux/v1/1.6.10/esm_x86_64_enu.bin failed with : GetFile: Host 'repository.eset.com' not found [error code: 20002]

     

    It's OK with the other files. Just not this one.

    With the updates, I get:

    Error: Perform full mirror failed with error: Undocumented serious error. Error code is: 4122
    Error occured.

     

    There are no apparent errors shown.

    Any help appreciated.

    Ed

  7. FWIW, GPO is the best way to install the Agent in a domain-controlled network.

    That said, if possible, go to one of those systems that the agent can't seem to be installing on and take a gander at c:\programdata\eset. Does it exist?

    If it exists, locate the log and post snippets of it (obviously redacting information that is private).

    If it doesn't exist, then take a look at the Event Viewer and locate any errors in the (I think) Application log.

     

  8. I've played around with the filter list and I'm still not getting it.

    If someone with experience with this part of the console could clarify it.

    I have added a bunch of IPs to the IPv4 list (via "Edit IPv4 list"). Since I don't want them to be detected, I select the blacklist radio button (since, as the description says: "By enabling filter, only computers whose IP addresses are part of the whitelist in the IPv4 filter list will be detected, or only those that are not part of the blacklist."). I apply the policy to the server that has the RDS installed.

    I waited for about an hour and then I went to the Status Overview page, yet the number of Rogue computers detected still includes the list of supposed systems that it should ignore. Am I misunderstanding the function?

    My confusion stems from the description and what I want to do. I'd like the RDS to ignore rogue systems (not really rogue, since I know what they are). So with that in mind, I add all those IPs to the IPv4 list. Now since I don't want them detected, that list should be a blacklist.

    Am I correct in my setup?

    Thanks

    Edmund

    Clipboard01.jpg

  9. 3 hours ago, MartinK said:

    There should be a file named LangData.dat stored in ESMC's ProgramData directory: could you please check whether it was updated during the ESMC 7.2 upgrade? It might have happened that the file was not upgraded in case it was manipulated manually. If the file is upgraded, it would probably be an issue in ESMC 7.2 or an incomplete migration from the previous version.

    I've searched in the ProgramData\ESET\RemoteAdministrator directory (sub-dirs included) and can't find this langdata.dat file. In fact, I even searched in ProgramData\ESET. Is this fixable without having to reinstall ESMC?

    Thanks!

    Edmund

  10. Using ESMC v7.2.1266.0, web console @ 7.2.221.0.

    I clicked on Reports -> Automation -> "Client tasks summary - completed in last 7 days", and after it generated a pie chart, hovering over the chart gave me the attached image. What is this resource missing? When I upgraded ESMC, did I miss something? I admit this is the first time I've checked on this report, so I don't know if this is something that's supposed to happen.

    Can someone clarify if this is indeed something that's bugged up on my setup?

    Thanks

    Edmund

    Clipboard01.jpg

  11. Hi,

    This is rather a nit, though. I just went to www.virusradar.com and was looking at all the different percentages when I moused over Greenland. I was somewhat surprised to see it labeled as Denmark. I've used SeaMonkey and Firefox and the mouse-over still shows Denmark.

    Is anyone seeing this?

    Edmund

  12. On 1/8/2018 at 9:03 AM, Tim Jones said:

    Hi Team,

    Description: Example REST API usage with Perl / Python

    Detail: An example document on how to use the API with Perl would be helpful. You have one using C; however, I would just like to create a few script-based calls to it using Perl for use with Nagios and other systems I have to integrate further with our other tools.

    I too wish to add my +1 to this suggestion.

  13. I'm using ESMC 7.2.1266.0 with web console @ 7.2.221.0.

    In the Status Overview, it says I need to set up a backup user. IIRC, all I had to do in the past was create a new native user. But even after creating two native users, I'm still seeing that orange warning. I've looked in the main User screen and also in the individual user profiles, but I can't see the option that sets that particular user as the backup user.

    I've looked at the Administrator and noticed it was in the "Administrator Group", but I've looked at the Users list and the Group list and I don't see the "Administrator Group". I attempted to "Move" the backup user to the Administrator Group, but when I click on "Move", it shows only the list of Computer groups, which is confusing me.

    Can someone clarify what I'm doing wrong?

    Thanks

    Edmund

  14. Funny thing. I was just trying to figure this out. I have put all the Rogue IPs into a static group. The confusion that I'm having is how to set the filter.

    If I have a static group which contains rogue IPs (that aren't really rogue), how do I set the filter such that they are ignored and aren't displayed in the list of computers when I select "All Subgroups"? Do I need to actually copy all those IPs to the filter list of the Policy?

    Thanks

  15. If I had used GPO to deploy the Agents initially, would upgrading the Agents require the same way? Or do I create a 'software installation' task? Would that mess up the workstation's list of installed Agents? Is there a more 7.2-ish way of doing things?

    I'm hesitant to modify the initial GPO to add (as an upgrade) the new Agent binaries, mainly because the last time I did it, something went sideways and I had to re-do the whole agent installation (used esetuninstaller on all workstations to start anew).

    Any clarifications appreciated.

    Thanks!

    Edmund
