8bit

Members
  • Posts

    20
Everything posted by 8bit

  1. I'm restoring my environment now. I'll make sure all is updated and see how it goes.
  2. I just ran into this exact problem not an hour ago! I was using the ESET console without issue this morning. Came back from lunch and received an email that File Security had cleaned by deleting the JS/Agent.PKT trojan file on a Windows Server 2012R2 environment. I then tried accessing the ESET console and noticed the 'pulsing E' when trying to access via browser. I RDP'd into the server and restarted the services and rebooted to no avail. I also noticed that my environment was corrupted in some way. Task Manager wouldn't load, and I couldn't pull up the ESET File Security window while logged into the server to run a manual virus scan. There were strange permissions errors even though I was logged in as a domain admin. I isolated the environment and I'm restoring a backup now (VM). My fear is that this will happen again. We have only three here in our IT dept and none of us use the server for anything but ESET, and I access it via browser 100% of the time. Logged user: NT AUTHORITY\NETWORK SERVICE. What can we do to prevent this? I assumed a virus was detected but possibly wasn't completely cleaned, which in turn corrupted system files. I couldn't even run SFC.exe in this environment due to an error. I'll keep an eye on this thread as I'm sure we are not the only ones running into this problem.
  3. The ESET notification would pop up every time Google Chrome was opened. Google.com is the startup page and no websites needed to be visited in order to generate the notification. A CRX file was trying to connect to a domain called googleusercontent.com. It wasn't due to a specific website being visited. If the Chrome browser was closed, no detections were logged. Deleting those folders did the trick. Thanks for sharing.
  4. I had a PC that was constantly sending out notifications that JS/Mindspark.G had been found and the connection terminated, so I followed the instructions below but that did not resolve my issue completely. Every time I opened Chrome the notification would pop up on the desktop and via the SMC. https://support.eset.com/en/kb6551 I also had to completely uninstall Google Chrome following the instructions below:
     1. Go to your software list, and uninstall Google Chrome from the list
     2. Go to this location and delete: C:\Users\YOURNAME\AppData\Local\Google\
     3. Go to this location and delete: C:\Program Files (x86)\Google\
     This finally resolved the issue completely. I wanted to share just in case others were fighting this. 8bit
  5. I completely agree sreece! I see no reason as to why we just can't click on the outdated agents in the dashboard and have it update them. I have to export a list of outdated agents then go back and add them to a task to push out the updates. Seems like a bug to me. Again, I'm seeing the same things you are. I haven't tried pushing out a new agent to all of my devices regardless of version. I wasn't sure if it would cause a problem or not.
  6. Within the Security Management Center, I have a widget on my dashboard that shows a graph with the number of up-to-date and outdated Agents, Endpoints and Servers. If I select the Endpoint graph and choose Update installed ESET products, it works fine, but if I select the Agent graph and select Update installed ESET products there, it gives me a message stating: "No ESET products that can be updated automatically have been found." Why is this? I have to either go through all of my endpoints to figure out which ones need upgrading or simply set a server task to update them all, which I don't like doing. When setting up a new PC, I initially install the Agent & AV from a single file that I downloaded from my Security Management Center and push it out with PDQ Deploy. Could this be the reason? When creating the installable, I enter all of the correct information. Would it cause issues for us if, when the time came to update ESET software, I simply updated the Security Management Center ESET server install, then created, configured and downloaded the single installable file and pushed it out to each PC/server myself (as in with PDQ Deploy or other means), or is this method not recommended? I'm just trying to get an idea as to how many here handle their ESET product updates. We are currently on the following versions:
     Security Management Center: 7.2.1266
     Agent: 7.0577 --> 7.2.1266
     File Security: 7.1.12006
     Endpoint AV: 7.0.2073.1 --> 7.3.2039
     Most endpoints are updated with the latest but I've run into issues updating some. Kindest Regards,
  7. I may have spoken too soon. My peer certs along with installers that contain a wildcard of * work, but the certs and installers that use an IP address do not, and all of the PCs that I've tested have access to the ERA server via IP address.
  8. Martin, it's now working! I went back and created a new CA, then went to settings and changed the default certificate to the newly created cert. That allowed me to create the install .bat file and so far, agents are connecting to my ERA. Thank you for your help!
  9. I'd like to start from scratch in regards to my CA and Peer Certs. What's the best course of action to do this? I plan to push out a new Agent installer for all devices once I have this working. Thanks for any help you can provide.
  10. Thank you again Martin for your help. I'm about to pull my hair out at this point trying to create a basic Peer Cert using server name or IP. I keep getting the following error message: "Failed to get installers: Specified certification authority certificate was not found" I've tried the CA that was set up during installation and a new CA I created, to no avail. I have another installer using a Peer cert with * for hosts and it works - 7 clients using it right now. I'd like to use a more secure certificate than a wildcard, but for some reason I'm hitting a wall. I've searched this forum and the ESET knowledgebase and found some helpful info, but nothing I do allows me to create an installer bat file successfully when I use anything but a wildcard of *. Any ideas?
  11. Our setup is ~200 devices that all exist on our LAN on multiple subnets. If I understand you correctly, if I'm only connecting agents to our ERA on our LAN, then using a certificate may be overkill? Servers should use them regardless. Am I understanding you correctly? Also, when creating a cert I've tried entering the ERA server's IP (static) and server name, to no avail. How do I properly set up the cert? I found a guide in the ESET knowledgebase but it was scarce on details. Thank you again for the excellent support!
  12. We can mark this post as solved. I did as you suggested MartinK and checked the server logs, and the problem appears to have been caused by the certificate I created for the Agent installation. If I used the IP of the ERA server or FQDN, the clients' connection to ERA was closed, but if I used an * it worked like a charm. I found a similar thread today where a few people had the exact same issue but no resolution was provided. As long as I can use the cert where I inserted the * and it works, I would say this thread should be marked Solved. Thank you for your help!
  13. I've pushed out the new agent installation .bat file to several PCs in our organization and they are able to update their virus definitions, but I'm unable to 'see' them from my ERA. DNS, firewall, etc. do not appear to be the issue. Any help would be greatly appreciated. I've modified the server.city for security reasons.
      SchedulerModule 2018-Jul-06 19:09:28 Received message: RegisterSleepEvent
      AutomationModule 2018-Jul-06 19:10:03 Trigger: Tick ALLOWED [UUID=00000000-0000-0000-7006-000000000001, TYPE=REPLICATION].
      AutomationModule 2018-Jul-06 19:10:03 Task: Executing task [UUID=00000000-0000-0000-7005-000000000001, TYPE=Replication, CONFIG=scenarioType: REGULAR linkData { dataLimit: 1024 isDisabled: false connections { host: "server.domain" port: 2222 } }].
      CReplicationModule 2018-Jul-06 19:10:03 CReplicationManager: Processing client replication task message
      CReplicationModule 2018-Jul-06 19:10:03 CReplicationManager: Initiating replication connection to 'host: "server.domain" port: 2222' (scenario: Regular, data limit: 1024KB)
      SchedulerModule 2018-Jul-06 19:10:03 Received message: GetRemainingTimeByUserDataRequest
      NetworkModule 2018-Jul-06 19:10:03 Received message: CreateConnectionRequest
      NetworkModule 2018-Jul-06 19:10:03 Attempting to connect to endpoint: 192.168.1.22
      NetworkModule 2018-Jul-06 19:10:03 Socket connected.
      NetworkModule 2018-Jul-06 19:10:03 Socket connection (isClientConnection:1) established for id 9971
      NetworkModule 2018-Jul-06 19:10:03 Sending: VerifyUserRequest
      CAgentSecurityModule 2018-Jul-06 19:10:03 Verifying certificated user from host server.domain
      CAgentSecurityModule 2018-Jul-06 19:10:03 Creating replication server user
      NetworkModule 2018-Jul-06 19:10:03 Receiving: VerifyUserResponse
      NetworkModule 2018-Jul-06 19:10:03 Connection closed by remote peer for session id 9971
      NetworkModule 2018-Jul-06 19:10:03 Forcibly closing sessionId:9971, isClosing:0
      NetworkModule 2018-Jul-06 19:10:03 Removing session 9971
      NetworkModule 2018-Jul-06 19:10:03 Closing connection , session id:9971
      CReplicationModule 2018-Jul-06 19:10:03 CReplicationManager: Replication (network) connection to 'host: "server.domain" port: 2222' failed with: Connection closed by remote peer for session id 9971
      CReplicationModule 2018-Jul-06 19:10:03 CReplicationManager: Skipping fail-over scenario (missing last success replication link data)
      CSystemConnectorModule 2018-Jul-06 19:10:28 StatusLog_PERFORMANCE_USER_STATUS: "Rows":[{"symbols":[{"symbol_type":453,"symbol_data":{"val_int":[1]}},{"symbol_type":447,"symbol_data":{"val_uuid":[{"uuid":"82970732-dd7e-4ea5-a99a-124016afdc88"}]}},{"symbol_type":454,"symbol_data":{"val_time_date":[{"year":2018,"month":7,"day":6,"hour":19,"minute":10,"second":28}]}},{"symbol_type":456,"symbol_data":{"val_res_id":[508906757892866568]}}]}]
      SchedulerModule 2018-Jul-06 19:10:28 Received message: RegisterSleepEvent
      AutomationModule 2018-Jul-06 19:11:03 Trigger: Tick ALLOWED [UUID=00000000-0000-0000-7006-000000000001, TYPE=REPLICATION].
      AutomationModule 2018-Jul-06 19:11:03 Task: Executing task [UUID=00000000-0000-0000-7005-000000000001, TYPE=Replication, CONFIG=scenarioType: REGULAR linkData { dataLimit: 1024 isDisabled: false connections { host: "server.domain.com" port: 2222 } }].
      CReplicationModule 2018-Jul-06 19:11:03 CReplicationManager: Processing client replication task message
      SchedulerModule 2018-Jul-06 19:11:03 Received message: GetRemainingTimeByUserDataRequest
      CReplicationModule 2018-Jul-06 19:11:03 CReplicationManager: Initiating replication connection to 'host: "server.domain.com" port: 2222' (scenario: Regular, data limit: 1024KB)
      NetworkModule 2018-Jul-06 19:11:03 Received message: CreateConnectionRequest
      NetworkModule 2018-Jul-06 19:11:03 Attempting to connect to endpoint: 192.168.1.22
      NetworkModule 2018-Jul-06 19:11:03 Socket connected.
      NetworkModule 2018-Jul-06 19:11:03 Socket connection (isClientConnection:1) established for id 9972
      NetworkModule 2018-Jul-06 19:11:03 Sending: VerifyUserRequest
      CAgentSecurityModule 2018-Jul-06 19:11:03 Verifying certificated user from host server.domain
      CAgentSecurityModule 2018-Jul-06 19:11:03 Creating replication server user
      NetworkModule 2018-Jul-06 19:11:03 Receiving: VerifyUserResponse
      NetworkModule 2018-Jul-06 19:11:03 Connection closed by remote peer for session id 9972
      NetworkModule 2018-Jul-06 19:11:03 Forcibly closing sessionId:9972, isClosing:0
      NetworkModule 2018-Jul-06 19:11:03 Removing session 9972
      NetworkModule 2018-Jul-06 19:11:03 Closing connection , session id:9972
      CReplicationModule 2018-Jul-06 19:11:03 CReplicationManager: Replication (network) connection to 'host: "server.domain" port: 2222' failed with: Connection closed by remote peer for session id 9972
  14. Ah! Per the logs, the connection failed due to "incorrect/unknown certificate or key format. Remote machine is not trusted." I have a CA on my ERA. Clearly I've missed a step. Many thanks again for your help!
  15. My Agents still aren't reporting in or being seen by ERA. See the steps below that were taken:
      Generated a new Certificate for Agents with a new passphrase
      Set up a new Agent Installer selecting the new cert I just created
      Downloaded the BAT file
      Pushed out the BAT file successfully to two PCs and also ran it on a third manually to ensure installation (using PDQ Deploy instead of GPO)
      BAT file uninstalls the previous agent install and installs the new one
      Network ports are not being blocked between PCs and ERA server and DNS is working properly
      It's been almost 24 hours and still no sign of my agent PCs, and the only machine showing up is the ERA itself. In the past I had been able to take the Agent installer I downloaded from the ERA console and push it out with PDQ without issue. Any help you can provide would be greatly appreciated!
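The trace in post 13 and the diagnosis in post 14 together show the pattern an admin is looking for when agents stop reporting in: the agent opens the socket, sends VerifyUserRequest, and the server drops the connection as soon as it has answered. The following is an added example, not code from this thread or from ESET: a small Python parser that groups an agent trace by replication session and flags sessions that the peer closed right after the VerifyUser exchange. The line layout (module, date, time, message), the three session-id phrasings, and the "rejected_after_verify_user" verdict are all assumptions drawn from the quoted lines; the sample log is a trimmed copy of session 9971 from post 13 plus one constructed session 9973 that is not closed by the peer.

```python
import re
from dataclasses import dataclass

# Trace line layout as quoted in post 13 (assumption drawn only from those lines):
# "<Module> <YYYY-Mon-DD> <HH:MM:SS> <message>"
LINE_RE = re.compile(
    r"^(?P<module>\w+)\s+(?P<date>\d{4}-[A-Za-z]{3}-\d{2})\s+"
    r"(?P<time>\d{2}:\d{2}:\d{2})\s+(?P<msg>.*)$"
)
HOST_RE = re.compile(r'host: "(?P<host>[^"]+)" port: (?P<port>\d+)')
# The three ways the trace spells a session number ("for id N", "session id N", "sessionId:N")
SID_RE = re.compile(r"(?:session id:?|for id|sessionId:)\s*(?P<sid>\d+)")


@dataclass
class ReplicationSession:
    session_id: str
    endpoint: str = ""   # IP the socket was opened to
    host: str = ""       # host:port from the replication task config
    sent_verify: bool = False
    got_verify_response: bool = False
    closed_by_peer: bool = False
    failure: str = ""

    @property
    def verdict(self) -> str:
        # Heuristic (my assumption, not an ESET-documented status): the server dropping
        # the socket right after VerifyUser is how the "remote machine is not trusted"
        # certificate problem from post 14 shows up in the agent trace of post 13.
        if self.closed_by_peer and self.sent_verify:
            return "rejected_after_verify_user"
        if self.failure:
            return "failed"
        return "no_failure_recorded"


def iter_entries(text):
    """Yield (module, time, message) for every line that matches the trace layout."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            yield m.group("module"), m.group("time"), m.group("msg")


def _session_for(sessions, msg, current):
    """Resolve the session a message refers to: by id in the text, else the one being set up."""
    m = SID_RE.search(msg)
    return sessions.get(m.group("sid"), current) if m else current


def analyze_replication(text):
    """Group the trace by replication session and record how each session ended."""
    sessions = {}
    pending_host = pending_endpoint = ""
    current = None
    for _module, _time, msg in iter_entries(text):
        if msg.startswith("CReplicationManager: Initiating replication connection"):
            hm = HOST_RE.search(msg)
            pending_host = f"{hm.group('host')}:{hm.group('port')}" if hm else "?"
        elif msg.startswith("Attempting to connect to endpoint:"):
            pending_endpoint = msg.split(":", 1)[1].strip()
        elif "established for id" in msg:
            sid = SID_RE.search(msg).group("sid")
            current = sessions[sid] = ReplicationSession(sid, pending_endpoint, pending_host)
        elif msg == "Sending: VerifyUserRequest" and current:
            current.sent_verify = True
        elif msg == "Receiving: VerifyUserResponse" and current:
            current.got_verify_response = True
        elif msg.startswith("Connection closed by remote peer"):
            s = _session_for(sessions, msg, current)
            if s:
                s.closed_by_peer = True
        elif "failed with:" in msg:
            s = _session_for(sessions, msg, current)
            if s:
                s.failure = msg.split("failed with:", 1)[1].strip()
    return sessions


def report(text):
    """One triage line per session."""
    return [f"session {s.session_id}: {s.host} via {s.endpoint} -> {s.verdict}"
            for s in analyze_replication(text).values()]


# Session 9971 is trimmed from post 13; session 9973 is constructed to show a session the peer did not close.
SAMPLE_LOG = """\
CReplicationModule 2018-Jul-06 19:10:03 CReplicationManager: Initiating replication connection to 'host: "server.domain" port: 2222' (scenario: Regular, data limit: 1024KB)
NetworkModule 2018-Jul-06 19:10:03 Attempting to connect to endpoint: 192.168.1.22
NetworkModule 2018-Jul-06 19:10:03 Socket connection (isClientConnection:1) established for id 9971
NetworkModule 2018-Jul-06 19:10:03 Sending: VerifyUserRequest
CAgentSecurityModule 2018-Jul-06 19:10:03 Verifying certificated user from host server.domain
NetworkModule 2018-Jul-06 19:10:03 Receiving: VerifyUserResponse
NetworkModule 2018-Jul-06 19:10:03 Connection closed by remote peer for session id 9971
NetworkModule 2018-Jul-06 19:10:03 Forcibly closing sessionId:9971, isClosing:0
NetworkModule 2018-Jul-06 19:10:03 Closing connection , session id:9971
CReplicationModule 2018-Jul-06 19:10:03 CReplicationManager: Replication (network) connection to 'host: "server.domain" port: 2222' failed with: Connection closed by remote peer for session id 9971
CReplicationModule 2018-Jul-06 19:12:03 CReplicationManager: Initiating replication connection to 'host: "server.domain.com" port: 2222' (scenario: Regular, data limit: 1024KB)
NetworkModule 2018-Jul-06 19:12:03 Attempting to connect to endpoint: 192.168.1.22
NetworkModule 2018-Jul-06 19:12:03 Socket connection (isClientConnection:1) established for id 9973
NetworkModule 2018-Jul-06 19:12:03 Sending: VerifyUserRequest
NetworkModule 2018-Jul-06 19:12:03 Receiving: VerifyUserResponse
NetworkModule 2018-Jul-06 19:12:09 Closing connection , session id:9973
"""

if __name__ == "__main__":
    for line in report(SAMPLE_LOG):
        print(line)
```

Run it against a real trace file by passing the file contents to `report()`; a "rejected_after_verify_user" verdict on every session, while the socket itself connects fine, points at the agent's peer certificate (host field or issuing CA) rather than at DNS or firewall rules, which is the distinction posts 12 and 14 arrive at.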
  16. Thank you for your quick response Michal. I'll have to generate a new cert and push out those agents. Regards,
  17. We recently had a catastrophic failure of a server and couldn't restore it, so we had to reinstall ESET Remote Admin. The agents are of course still installed on all of our PCs and servers, and once the installation was complete I see all of them in the Rogue section. To keep things organized, I synced our AD to a group folder within Computers, but those show no information. Unknown modules for all AD accounts. What is the best way to move forward to get my ESET agents pulled back in properly? Will I have to manually move all of my rogue devices? Thanks!
  18. itman, Can you kindly point me to the HIPS rules that ESET recommends? I'll put them into place asap! Again, thank you for your help!
  19. Thank you for your response and help itman. Per ESET support via phone, they added Spora to their database of definitions back in January of this year. We are currently restoring files from backups but are looking to prevent future infections. Another odd thing is that the online scanner from ESET has identified it while our local copy does not, and that is with updated virus definitions. We have yet to find an infection with our local copy of ESET. Also, we don't currently use a malware application on our desktops, but Malwarebytes didn't find any infections either. What you said in your second reply regarding the scanning for infections makes sense. We are just doing what we can to prevent future infections. Many thanks!
  20. We are currently being infected with the Spora Ransomware. ESET NOD32 does not pick up the infections after scanning. It has not been able to hold our PCs ransom but has corrupted MS Office files. The file names were not changed nor encrypted. It has affected Windows 8 and 10 machines without admin rights. decrypt.txt or similar files have not been found on any of these systems. The infection stored an exe file within the Startup folder and I will add to this thread as we learn more. We did find an HTML file that contained the Spora Ransomware name, RSA info, and Russian characters. Has anyone else run into this or similar viruses as of late?