CraigF
Notifications - Message content - missing "Object URI" variable
CraigF replied to CraigF's topic in ESET PROTECT
Thanks for explaining that, igi008, I see the challenge now. Perhaps the URLs could be deconstructed in some fashion so they wouldn't be perceived as a web link. I look forward to seeing the solution you come up with.
Notifications - Message content - missing "Object URI" variable
CraigF replied to CraigF's topic in ESET PROTECT
Thanks for the status update, Martin. I can understand the logic for not including this field in the default notification message, but it doesn't make sense to not make it an available field when it is available in the on-premise version. I also expect that these notifications would generally be configured to go to administrators, not end users. Receiving a notification that doesn't identify what triggered it is not particularly helpful to an administrator. I hope the dev team can make the availability of this field a priority.
-
Hi,

We're migrating our on-prem ESET Protect console functionality to the ESET PROTECT cloud console. In recreating our Malware alert notifications I've noticed that the "Object URI" variable (${object_uri}) is not available. It is in our on-prem version. Refer screen grabs of available fields below.

This is an important piece of information to include in the notification so it seems strange that it wouldn't be included in the cloud version.

Variables available on-prem:
Variables available in cloud:
-
It appears this issue resolved following install of Detection Engine version 28382 (or one of the subsequent updates - there were 4 in a space of 10 hours), as we haven't seen the issue logged since. We have performed the uninstall/reinstall as suggested on one of our RDS farm servers, so we can see whether this makes any difference if we notice the errors return.
-
ESET update/download locations (URLs and/or IP addresses)
CraigF replied to CraigF's topic in General Discussion
Many thanks for the prompt response cyberhash - I need to work on my search skills. Damned if I could find that post!
-
We've noticed this phenomenon occurring on multiple Windows Server 2016 remote desktop services session hosts. For one of our clients it appears to be causing resource exhaustion issues causing the servers to become unresponsive. It appears a new instance of ekrn.exe is attempting to be created whenever a new user session is created - is this normal? Servers are running ESET Server Security vers 10.0.12014.0

Here's what I've determined:

Windows Application log records Application error ID 1000 logged every time a new user session is created:
Faulting application path: C:\Program Files\ESET\ESET Security\ekrn.exe
Faulting module path: C:\Program Files\ESET\ESET File Security\em039_64\2102\em039_64.dll

Similarly, Windows System log records Service Control Manager ID 7031 error at the same time as the Application error is logged:
The ESET Service service terminated unexpectedly.

ESET event log indicates "File 'Ekrn_*.mdmp' was sent to ESET Virus Lab for analysis." each time. These events appear to have commenced immediately after the Detection engine was updated to vers 28271 (on 21 Nov). They started being logged a few hours prior to the Application error ID 1000 errors first being recorded.

The ESET Audit log is now recording "Feature changed" events multiple times a day (I assume whenever a new user session is created and the ekrn.exe is run). Prior to 21 Nov, these events were only logged whenever the server was restarted.
-
After chasing up support they responded advising as follows:

Can you create a bat file using the below command and run?

cd C:\Users\Administrator1\Desktop
msiexec /q /x agent_x64.msi PASSWORD=Test123

where the first row determines the folder where the MSI file is and the second row is silent uninstallation with parameter PASSWORD= (if the EM Agent is password protected - if not don't use the parameter)

Tried this but it made no difference. @Marcos, is this the batch file you expected them to provide? I was expecting something similar to the Uninstaller tool, but targeted just at the ESET Agent.
-
As per original post, uninstalling the ESET Management Agent was one of the first steps we tried. It is no longer listed in Programs and Features, so if you're seeing evidence of it still being there it must not have uninstalled properly. Are you proposing that I run the ESET uninstaller (https://support.eset.com/en/kb2289-uninstall-eset-manually-using-the-eset-uninstaller-tool) and select removal of the agent? It's an Exchange email server so we'll need to organise a scheduled outage with the client, and I just want to check if this is the only course of action before proceeding.
-
We have a client with an Exchange server running Windows Server 2016 and ESET Mail Security (v 10.0.10016.0). Server is fully patched. An automatic update of the ESET Management agent in early August resulted in it losing connection with our ESET PROTECT server (as described in this forum post https://forum.eset.com/topic/37686-eset-management-agent-not-connecting-following-automatic-upgrade-to-vers-10112880/).

To resolve this issue we are attempting to install the ESET Management Agent locally/manually, but the install keeps failing with an MsiInstaller error status of 1603.

Steps taken so far:
1. Created All-in-one (AiO) installer and attempted local install with that.
2. Uninstalled ESET Management Agent and reattempted install with AiO installer.
3. Restarted server and re-attempted install.
4. Created stand-alone Agent installer (PROTECTAgentInstaller.bat - saved to local folder on server) and attempted install with that.
5. Deleted these folders: C:\Program Files\ESET\EsetRemoteAdministrator; C:\ProgramData\ESET\EsetRemoteAdministrator; and cleared contents of C:\Users\admin.user\AppData\Local\Temp

A review of the ra-agent-install.log (attached) suggests the problem lies with an attempt to access the missing DB file C:\ProgramData\ESET\RemoteAdministrator\Agent\EraAgentApplicationData\Data\data.db

Please suggest how to proceed with this issue.

ra-agent-install-redacted.log
-
We're an MSP running our own ESET PROTECT server to manage our clients' ESET endpoints. We have 3 server devices that had their ESET Management Agents automatically attempt an upgrade from vers 10.0.1126.0 to 10.1.1288.0 during August. From the update log (attached) it appears the update completed ok but required a restart to finalise the install. The agent ceased reporting to the server after the update. I have tried restarting one of the servers to complete the update however it still isn't connecting to the ESET PROTECT server. The servers are running Windows Server 2012 R2. We have a client server with similar symptoms - it's running Windows Server 2016.

From C:\ProgramData\ESET\RemoteAdministrator\Agent\EraAgentApplicationData\Logs\status.html the issue appears to be with the Peer Certificate:

Error: ParsePfxCertificate: PFXImportCertStore failed with An error occurred during encode or decode operation. Error code: 0x80092002
Check that correct peer certificate format (PFX/PKCS12) is used in the configuration
Check that correct peer certificate password was set in the configuration

Trace log has this information reported each minute:

2023-09-05 01:29:26 Warning: AuthenticationModule [Thread 11f8]: EntityAuthenticationCommand execution failed with: [Failed to create credentials for communication], falling back to legacy implementation
2023-09-05 01:29:26 Error: AuthenticationModule [Thread 11f8]: EntityAuthenticationCommand execution failed with: Failed to create credentials for communication
2023-09-05 01:29:26 Error: CReplicationModule [Thread a38]: InitializeConnection: Replication connection problem: GetAuthenticationSessionToken: Received failure status response: AUTHENTICATION_FAILED (Error description: unable to authenticate entity)
2023-09-05 01:29:26 Warning: CReplicationModule [Thread a38]: InitializeConnection: Not possible to establish any connection (Attempts: 1) [RequestId: de96af0c-b777-4106-912a-0172678de3ed]
2023-09-05 01:29:26 Error: CReplicationModule [Thread a38]: InitializeFailOverScenario: Skipping fail-over scenario (stored replication link is the same as current) [RequestId: de96af0c-b777-4106-912a-0172678de3ed]
2023-09-05 01:29:26 Error: CReplicationModule [Thread a38]: CAgentReplicationManager: Replication finished unsuccessfully with message: Replication connection problem: GetAuthenticationSessionToken: Received failure status response: AUTHENTICATION_FAILED (Error description: unable to authenticate entity), Task: CStaticObjectMetadataTask, Scenario: Automatic replication (REGULAR), Connection: era.intense.com.au:2222, Connection established: false, Replication inconsistency detected: false, Server busy state detected: false, Realm change detected: false, Realm uuid: 24961e07-3654-49d5-a4d3-f90d4578cb38, Sent logs: 0, Cached static objects: 118, Cached static object groups: 11, Static objects to save: 0, Static objects to delete: 0, Modified static objects: 0

We encountered a similar issue with a client's Windows Server 2016 device and have attempted uninstalling and re-installing the ESET Management Agent, but that has proved problematic (has been escalated to apac.technical@eset.com) so thought it worth exploring problem further here, before attempting manual agent install.

What steps do you recommend to resolve this issue?

ra-upgrade-agent_2023-08-16T07-37-25.log