
Raymond

Posts posted by Raymond

  1. Hi there,

    We're busy with an upgrade from 6.6 to 7.  I am using GPOs to install the ver. 7 agent and EEA over the top of the existing 6.6 versions.  This has worked fine on about 3 pilot machines so far, but one of them failed with the upgrade, and logged this error in the application event log regarding 6.6 removal:

    Product: ESET Endpoint Antivirus -- Error 1922. Service 'ESET Service' (ekrn) could not be deleted.  Verify that you have sufficient privileges to remove system services.

    I've seen a few sites mentioning uninstalling in Safe Mode... but I want to automate the rollout - can anyone advise what causes this and how I can resolve it in an automated fashion?  I have about 300 endpoints to do and I don't want to have to manually intervene if possible.

    thanks

    Ray

  2. Hi guys, yep I have that translation module.  Strangely after waiting a bit and looking at ESMC again, the error has now changed to:

    Your device is outdated. It is not guaranteed that your device remains protected with your outdated version of ESET product. Update to newer version of Endpoint Security/Antivirus to ensure full protection, see your options: https://support.eset.com/kb3580/

    We have been getting this on our PCs since we run 6.6 (spot on there MichalJ!).  So hopefully the errors will go away once we finish our upgrade to 7 which is in progress.


  3. I've just installed ESMX 6.2 on our Edge server (Exchange 2010).  Previously we had the Spamhaus RBL configured as a Blocklist Provider which significantly decreased our spam.  This is still configured, but is now a lower priority Transport Agent as ESET is at the top of the list if I run a Get-TransportAgent.  Should I configure an RBL within ESET, or will my original RBL configured in Exchange still be getting used after ESET has done its processing?

  4. The in-depth scan with cleaning that I kicked off from ERA completed successfully.  However the unresolved threats have not cleared.  If I look at the threats and look at the Occurred column, none of them are from yesterday so it seems the old threats are not being removed.  How can I remove them?  I can't click through 4000+ of them to remove them.  Also is there any way to see the results of a full scan from the ERA console?  I can see that the scan was successful but I can't see where to check if any new threats were found.

  5. Hi, we recently deployed ESET 6.  Our ERA server is running 6.2, but clients are still on 6.1.  One of the PCs we deployed to had a few thousand threats found (multiple files belonging to the same dodgy software).  We cleaned it up and ran another full scan which reported it as clean.  However, the PC is still showing as having thousands of unresolved threats in ERA.  I don't want to have to mark them as resolved one by one.  How can I force the client to tell ERA that it no longer has any threats?  We have a number of PCs in the same situation.

  6. In the end I used hxxp://kb.eset.com/esetkb/index?page=content&id=SOLN332 to get a list of remote addresses for our deployment, and used <Proxy> rules instead of the above <ProxyMatch> rules.  My complete set of changes to httpd.conf (with proxy chaining to our existing corporate proxy and denial of non-ESET URLs) is now:

    ProxyRequests On
    ProxyVia On
    ProxyRemote * hxxp://proxy.ourdomain.com:8080
    
    <Proxy *>
    Deny from all
    </Proxy>
    <Proxy "*.eset.com*">
    Allow from all
    </Proxy>
    <Proxy "*.eset.eu*">
    Allow from all
    </Proxy>
    <Proxy "*.trafficmanager.net*">
    Allow from all
    </Proxy>
    <Proxy "*.cloudapp.net*">
    Allow from all
    </Proxy>
    

    Hope this helps someone.

  7. OK a bit of progress - I asked our network team to allow unauthenticated access from the ESET server's IP, so I'm using ProxyRemote to send requests to our internal proxy.  The activation/definition updates worked successfully for one of my test machines.  I then put the following into httpd.conf to try and restrict the Apache proxy to ESET destinations only and restarted Apache.  It breaks activation and I now see this in the Apache logs:

    client denied by server configuration: proxy:edf.eset.com:443


    Is one of the regular expressions in the list below wrong?  Or some other Apache syntax problem with the below?  I've been reading the Apache manual but haven't found the problem yet.  Guys it would be good to include this in a wizard somewhere... 

    <Proxy *>
    Deny from all
    </Proxy>
    <ProxyMatch ^[h,H][t,T][t,T][p,P][s,S]?://([^@/]*@)?([a-zA-Z0-9-]{0,63}\.)?[a-zA-Z0-9-]{0,63}\.[e,E][s,S][e,E][t,T]\.[c,C][o,O][m,M](:[0-9]+)?(/.*)?$>
    Allow from all
    </ProxyMatch>
    <ProxyMatch ^[h,H][t,T][t,T][p,P][s,S]?://([^@/]*@)?([a-zA-Z0-9-]{0,63}\.)?[a-zA-Z0-9-]{0,63}\.[e,E][s,S][e,E][t,T]\.[e,E][u,U](:[0-9]+)?(/.*)?$>
    Allow from all
    </ProxyMatch>
    <ProxyMatch ^[h,H][t,T][t,T][p,P][s,S]?://([^@/]*@)?(ds1-uk-rules-1.mailshell.net|ds1-uk-rules-2.mailshell.net|ds1-uk-rules-3.mailshell.net|fh-uk11.mailshell.net|edf-pcs.cloudapp.net|edf-pcs2.cloudapp.net|edfpcs.trafficmanager.net)(:[0-9]+)?(/.*)?$>
    Allow from all
    </ProxyMatch>
    <ProxyMatch ^[h,H][t,T][t,T][p,P][s,S]?://([^@/]*@)?(87.106.247.14|209.157.66.250|209.157.66.253|212.227.134.125|212.227.134.126|212.227.134.128|212.227.134.130|212.227.134.131|212.227.134.132|212.227.134.133|212.227.134.158)(:[0-9]+)?(/.*)?$>
    Allow from all
    </ProxyMatch>
    
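Added illustration for posts 6 and 7 above (my own example, not ESET's or Apache's code): it models what mod_proxy compares a `<ProxyMatch>` / `<Proxy>` pattern against. The assumption, taken from the logged target `proxy:edf.eset.com:443`, is that a plain HTTP request is matched as an absolute URL while an HTTPS CONNECT tunnel is matched as a bare `host:port` with no scheme, so a regex anchored on `^https?://` never matches a CONNECT and activation over TLS is denied. The `*.eset.com*` wildcard from post 6 matches the CONNECT form, but it also matches any target that merely contains `.eset.com`. `TIGHT_REGEX` and all sample targets are constructed for the illustration; `fnmatchcase` stands in for Apache's wildcard matcher.

```python
"""Model of forward-proxy section matching: the post's ProxyMatch regex,
the post's <Proxy "*.eset.com*"> wildcard, and a hypothetical tighter rule.
Added example; not code from the forum post, ESET or Apache."""
import re
from fnmatch import fnmatchcase

# Host pattern copied from the post's first <ProxyMatch> rule (*.eset.com).
POST_REGEX = re.compile(
    r"^[h,H][t,T][t,T][p,P][s,S]?://([^@/]*@)?([a-zA-Z0-9-]{0,63}\.)?"
    r"[a-zA-Z0-9-]{0,63}\.[e,E][s,S][e,E][t,T]\.[c,C][o,O][m,M]"
    r"(:[0-9]+)?(/.*)?$"
)

# Wildcard the post switched to. Apache's '*' matches any run of characters;
# fnmatchcase is used here as an approximation of that matcher (assumption).
POST_WILDCARD = "*.eset.com*"

# Hypothetical tighter pattern (not from the page): the scheme is optional so
# the CONNECT host:port form is accepted, and the host is anchored so only
# eset.com or a subdomain of it passes, regardless of the path.
TIGHT_REGEX = re.compile(
    r"^(?:https?://)?(?:[a-z0-9-]+\.)*eset\.com(?::\d+)?(?:/.*)?$",
    re.IGNORECASE,
)

# Constructed sample targets, as a forward proxy would see them (assumption:
# absolute URL for plain HTTP, bare host:port for CONNECT).
CONSTRUCTED_TARGETS = {
    "plain_http_update": "http://update.eset.com/eset_upd/ep6/update.ver",
    "https_connect_edf": "edf.eset.com:443",         # the denied target from the log
    "https_connect_other": "evil.example.net:443",   # must stay denied
    "lookalike_host": "http://www.eset.com.evil.example/",
    "eset_in_path_only": "http://www.example.net/x.eset.com/",
}


def post_regex_allows(target):
    """Decision under the post's ProxyMatch regex."""
    return POST_REGEX.search(target) is not None


def post_wildcard_allows(target):
    """Decision under the post's <Proxy "*.eset.com*"> wildcard."""
    return fnmatchcase(target, POST_WILDCARD)


def tight_regex_allows(target):
    """Decision under the hypothetical tighter regex."""
    return TIGHT_REGEX.search(target) is not None


def evaluate(rule):
    """Map each constructed target name to True (allowed) / False (denied)."""
    return {name: rule(target) for name, target in CONSTRUCTED_TARGETS.items()}


if __name__ == "__main__":
    for label, rule in (("post regex", post_regex_allows),
                        ("post wildcard", post_wildcard_allows),
                        ("tight regex", tight_regex_allows)):
        print(label, evaluate(rule))
```

Run it and compare the three rows: the post's regex denies `edf.eset.com:443` (no scheme to match), the wildcard allows it but also allows the lookalike host and the path-only target, and the anchored pattern allows exactly the two ESET targets. The practical check before relying on such an allow-list is to test it against a CONNECT-style `host:port` target as well as full URLs.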
  8. Hi Marcos, I've done some more reading and from what I understand we can get the Apache proxy to use our Fortigate proxy using these changes to the httpd.conf:

    ProxyRemote * hxxp://internalproxy.domain.com:8080

    However there doesn't seem to be the ability to specify credentials for our existing proxy, so we'd need to see if we can allow unauthenticated access from the Apache proxy's IP.  But if anyone managed to get the password for the Apache proxy, they could then access the internet with no authentication (!)  Is the rule mentioned in this article correct for restricting the Apache proxy to request ESET-related websites (for both definition and product updates, and product activations)?  If this is correct, I'd feel far happier and we could skip using authentication for the Apache proxy altogether:

    hxxp://help.eset.com/era/6/en-US/index.html?http_proxy_installation_linux.htm

    Lastly, if we alternatively tried to use our own Fortigate proxy.... we are using Windows auth with this proxy.  Can I get the ESET Antivirus client to pass Windows credentials to our proxy using the "CONNECT TO LAN AS" settings?

  9. Hi Jimwillsher, thanks for the response.  I'm trying to get my workflow completely automated.  When we deploy a new PC, it must get the agent and antivirus installed via GPO, and it must activate automatically.  I've got a separate post running here for the activation issue - https://forum.eset.com/topic/5406-endpoint-antivirus-activation-task-failing/.  Would appreciate your input on that one if you have any ideas as well  :-)  The logs indicate that the client could not connect to the activation server.  I'm trying to understand if that is the ERA server, or an internet-based server etc.

  10. Hi Marcos, thanks for the response.  Yes, I used the all-in-one and I included the Apache proxy.  To be clear, this is the ERA proxy role, right (i.e. nothing to do with Internet access - rather client<>ERA communication)?  If I look at the help text in the client it seems to imply that this is for internet connectivity.

    If we are already using a proxy server (for internet access) on our LAN, should I have excluded this option when I installed ERA?  I thought that this feature was a component of ERA, not a bundled proxy to provide internet access to clients?

    I suspect I'm confused... please can you elaborate.  If you can also please confirm whether the clients need to be able to connect to ESET's public servers for activation or if the activation process is only between the Antivirus client/agent and the ERA server.  Thanks!

  11. Hi there, I am busy with a trial deployment of ESET.  I have installed ERA, created a GPO-based silent install of the agent using the MSI+MST, and a silent install of the Antivirus product using the INSTALLED_BY_ERA=1 MSI parameter to avoid the activation prompt after installation.  The client shows up in the dynamic "not activated security product" group in ERA.  I've created an activation task which is executing on the client but failing with "Activation was not successful: Could not reach activation server.".  Does this indicate that the ESET client is unable to talk to an internet-based activation server?  We use a proxy server on our LAN for internet access.  If I look in the ESET client's proxy settings, it is set to use the ESET server on port 3128.  This isn't something I configured.

    • Should I be disabling the proxy on the client?  I don't want each PC updating through our proxy - they should get updates from the ERA server
    • I have not done anything special to set up a mirror on the ERA server - is there anything I need to do or will the ERA server automatically download updates and will clients automatically try and get them from the ERA server?

    The documentation is very vague on the activation process, and the updating process.
