Cousin Vinny

Members
  • Posts: 64
  • Joined
  • Last visited
  • Days Won: 1
Everything posted by Cousin Vinny

  1. Got the notification today about Endpoint Security v9.1.2057. Attempted the upgrade on a test group and they exhibited the same behavior described in my first post:
     Windows Installer installed the product. Product Name: ESET Endpoint Security. Product Version: 8.1.2050.0. Product Language: 1033. Manufacturer: ESET, spol. s r.o.. Installation success or error status: 1603.
     Anyone else run into this yet?
  2. Create a new Client Task.
     Task Category: Operating System
     Task: Software Uninstall
     Click Continue.
     Select "Third-party antivirus software (Built with OPSWAT)".
     Click Continue.
     Assign your target machines and execute the task.
  3. OK, noticed that in Status Overview, Component version status for endpoint was blue and showing "Waiting" for the outdated hosts. Somehow auto updates enabled itself somewhere along the way. I remember being told that this would not be enabled by default back when it was first announced, but I guess that is not the case any longer. The Application version status donut chart is back to yellow/green after disabling auto updates via policy. Installation is still failing, attempting to install the obsolete version.
  4. Running into strange behavior I haven't encountered in the past. Curious if it's just me. My Protect console is showing an outdated version for my hosts running Endpoint Security. Current version: 9.1.2051. Latest version: 9.1.2057. The weird thing I immediately noticed is that the donut chart is completely green and there was no outdated product alert for these machines. I created a task to install 9.1.2057 on a test group running Win10 21H2 and it failed on every machine. Checking the event log on the test machines, I see these two events:
     "Product: ESET Endpoint Security -- A more recent version of the application is already installed on this computer."
     "Windows Installer installed the product. Product Name: ESET Endpoint Security. Product Version: 8.1.2050.0. Product Language: 1033. Manufacturer: ESET, spol. s r.o.. Installation success or error status: 1603."
     I triple-checked the task and the installed version on the test machines to be certain I wasn't overlooking something obvious, and it all checks out. Anyone seen something like this?
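An added example, not code from the post above or from ESET, for the failure mode this post describes. The two Application-log messages are re-typed from the post as constructed sample input. The parser, the four-field version padding and the diagnosis codes are my own: the point it shows is that the "installed the product ... 1603" record names the version the *package* carried (8.1.2050.0 here), and once that is compared numerically against what the console says is installed (9.1.2051), the 1603 is a blocked downgrade, which points at the package or repository the task delivers rather than at the endpoint.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Constructed sample input: the two messages quoted in the post, as Windows Installer
# writes them to the Application log. Not captured from a live machine.
SAMPLE_EVENTS: List[str] = [
    "Product: ESET Endpoint Security -- A more recent version of the application "
    "is already installed on this computer.",
    "Windows Installer installed the product. Product Name: ESET Endpoint Security. "
    "Product Version: 8.1.2050.0. Product Language: 1033. Manufacturer: ESET, spol. s r.o.. "
    "Installation success or error status: 1603.",
]

_INSTALL_RE = re.compile(
    r"Windows Installer installed the product\. Product Name: (?P<name>.+?)\. "
    r"Product Version: (?P<version>[\d.]+)\. .*?"
    r"Installation success or error status: (?P<status>\d+)\."
)
_DOWNGRADE_TEXT = "A more recent version of the application is already installed"


@dataclass
class MsiInstallRecord:
    product_name: str
    product_version: str  # version carried by the package that ran, not the installed one
    status: int           # 0 = success, 1603 = ERROR_INSTALL_FAILURE


def parse_install_record(message: str) -> Optional[MsiInstallRecord]:
    """Pull product name, package version and exit status out of the
    'Windows Installer installed the product' message; None for other messages."""
    m = _INSTALL_RE.search(message)
    if not m:
        return None
    return MsiInstallRecord(m["name"], m["version"], int(m["status"]))


def parse_version(text: str, fields: int = 4) -> Tuple[int, ...]:
    """Compare MSI ProductVersion strings numerically. Missing trailing fields count
    as 0, so '9.1.2051' == '9.1.2051.0' (plain string comparison gets this wrong)."""
    parts = [int(p) for p in text.strip(".").split(".")]
    if not 1 <= len(parts) <= fields:
        raise ValueError(f"bad version: {text!r}")
    return tuple(parts + [0] * (fields - len(parts)))


def diagnose(messages: Iterable[str], installed_version: str) -> str:
    """Classify a failed push from the MsiInstaller messages plus the version the
    management console reports as installed on the target. Codes are hypothetical."""
    messages = list(messages)
    records = [r for r in map(parse_install_record, messages) if r is not None]
    if not records:
        return "NO_INSTALL_RECORD"
    rec = records[-1]  # the most recent attempt
    if rec.status == 0:
        return "OK"
    pushed = parse_version(rec.product_version)
    installed = parse_version(installed_version)
    if pushed < installed or any(_DOWNGRADE_TEXT in m for m in messages):
        # The package the task delivered is older than what is on the box; the MSI
        # refuses the downgrade and exits 1603. Check the package/repository the task
        # points at rather than the endpoint.
        return "DOWNGRADE_BLOCKED"
    return f"MSI_ERROR_{rec.status}"


if __name__ == "__main__":
    rec = parse_install_record(SAMPLE_EVENTS[1])
    print(f"package carried {rec.product_version}; console reports 9.1.2051 installed")
    print("diagnosis:", diagnose(SAMPLE_EVENTS, "9.1.2051"))
```

Feed it the MsiInstaller messages from one failing endpoint together with the version the console shows for that machine; a DOWNGRADE_BLOCKED result means the task is shipping an older package than the one already installed, and no amount of re-running the task on the client will change that.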
  5. Sorry I posted that without realizing it could be confusing. I was talking about my UTM's proxy, not the ESET firewall. If you have a firewall/UTM at the perimeter running an http/s proxy that is configured to strip unrecognized response headers, this is where you would make the configuration change.
  6. I fixed this a while ago and forgot to update here. I'm also doing content inspection and if I remember correctly the https proxy was stripping unrecognized response headers and that resulted in the loss of connection to livegrid. I just had to allow those headers fields through the proxy and everything has been fine since. I am not using a Fortigate. I'm like, 90% sure this is what the problem was.
  7. OK, great, that's a relief. The support limitations are understandable, but there may be unforeseen instances where you need to prevent a device from updating for whatever reason, and as long as that is still possible without risk of an automated deployment being forced upon you, this change isn't a big deal.
  8. I'm just specifically pointing out what you address in the last sentence, that beyond Endpoint v9 or 1/29/22 we will lose the ability to disable auto updates. Will we be able to pause/delay updates via policy or do they have to be paused on a per-client basis? For how long will you be able to defer these automatic updates? This bugs me out, Marcos; if there is even the slightest possibility that program updates can be forced onto my network without approval, I do not see how I could possibly continue using this product.
  9. Logging in this morning I see a message in the console stating that automatic updates will be enabled for the products on my network beginning January 29th, 2022. How do I prevent my products from auto-updating? The notification offers no options to disable, only to configure a policy that I am unsure will prevent this from happening. Whoever thought automatically updating production machines without being able to test in a controlled environment is smoking crack. They must have forgotten about Webroot bricking thousands of customers' machines via an auto update ~5 years ago, but I didn't.
  10. Didn't have a chance to turn on logging yet, but I have a machine unable to connect to LiveGrid today. This machine in particular has been powered on for the past four days. The event was triggered upon user logon this AM. Here's the Windows event log just prior to the warning being reported:
      2021 Oct 22 07:15:10  The ESET LiveGrid® servers cannot be reached
      Information  10/22/2021 7:15:07 AM  Kernel-General  16  None  The access history in hive \??\C:\Users\-------\AppData\Local\Microsoft\Windows\UsrClass.dat was cleared updating 2998 keys and creating 455 modified pages.
      Information  10/22/2021 7:15:07 AM  Kernel-General  16  None  The access history in hive \??\C:\Users\-------\ntuser.dat was cleared updating 2588 keys and creating 342 modified pages.
      Information  10/22/2021 7:15:07 AM  Winlogon  7001  (1101)  User Logon Notification for Customer Experience Improvement Program
  11. Sure, no prob. Remote machines do connect over VPN, and there are a number of local machines in the same building as me that exhibit the behavior as well (this is not a local VPN to the device; the offices are hub/spoke). These machines are all hardwired and currently running Win10 v10.0.19042.1288. I saw it happen to two machines earlier today, so the environment is still susceptible to the issue.
  12. Just popping in to say that this has been affecting my clients for a while as well. Seems completely random; I'll have a PC or two pop up in the Protect console showing that LiveGrid is not accessible. Always clears up with a reboot. No idea what's causing it, and it hasn't really been a big enough issue for me to compose a new thread about it. But it's been going on for months. Outbound tcp/udp 53535 is open. Identical 8th gen Intel/Win10 PCs across the board. Users spread across 5 physical locations in three states. I'll try to grab some data next time it occurs.
  13. You're likely still blocking content on that page from another site. Use your browser's developer console to find out what needs whitelisting.
  14. This is the hardware environment of the machine I was having trouble with (no USB 3.x devices):
      Class | Device | Provider | Driver version | Driver date
      Audio inputs and outputs | Remote Audio | Microsoft | 10.0.19041.1 | 12/6/2019
      Audio inputs and outputs | Speakers/Headphones (Realtek Audio) | Microsoft | 10.0.19041.1 | 12/6/2019
      Batteries | HID UPS Battery | Microsoft | 10.0.19041.1 | 6/21/2006
      Computer | ACPI x64-based PC | (Standard computers) | 10.0.19041.1 | 6/21/2006
      Disk drives | KXG60ZNV256G NVMe TOSHIBA 256GB | (Standard disk drives) | 10.0.19041.789 | 6/21/2006
      Display adapters | Intel UHD Graphics 630 | Intel Corporation | 27.20.100.8935 | 10/28/2020
      DVD/CD-ROM drives | HL-DT-ST DVD+-RW GU90N | (Standard CD-ROM drives) | 10.0.19041.1023 | 6/21/2006
      Firmware | System Firmware | Microsoft | 10.0.19041.1 | 6/21/2006
      Human Interface Devices | American Power Conversion USB UPS | American Power Conversion | 10.0.19041.868 | 6/21/2006
      Human Interface Devices | HID-compliant consumer control device | Microsoft | 10.0.19041.1 | 6/21/2006
      Human Interface Devices | HID-compliant system controller | (Standard system devices) | 10.0.19041.868 | 6/21/2006
      Human Interface Devices | USB Input Device | (Standard system devices) | 10.0.19041.868 | 6/21/2006
      Human Interface Devices | USB Input Device | (Standard system devices) | 10.0.19041.868 | 6/21/2006
      Human Interface Devices | USB Input Device | (Standard system devices) | 10.0.19041.868 | 6/21/2006
      Imaging devices | Brother DCP-7065DN | Brother | 1.1.19.19 | 4/4/2013
      Imaging devices | ScanSnap S1300i | FUJITSU | 2.0.3.1 | 1/31/2014
      Keyboards | HID Keyboard Device | (Standard keyboards) | 10.0.19041.1 | 6/21/2006
      Mice and other pointing devices | HID-compliant mouse | Microsoft | 10.0.19041.1 | 6/21/2006
      Monitors | Generic PnP Monitor | (Standard monitor types) | 10.0.19041.488 | 6/21/2006
      Monitors | Generic PnP Monitor | (Standard monitor types) | 10.0.19041.488 | 6/21/2006
      Network adapters | Intel Ethernet Connection (7) I219-LM | Intel | 12.18.8.9 | 1/24/2019
      Network adapters | WAN Miniport (IKEv2) | Microsoft | 10.0.19041.1 | 6/21/2006
      Network adapters | WAN Miniport (IP) | Microsoft | 10.0.19041.1 | 6/21/2006
      Network adapters | WAN Miniport (IPv6) | Microsoft | 10.0.19041.1 | 6/21/2006
      Network adapters | WAN Miniport (L2TP) | Microsoft | 10.0.19041.1 | 6/21/2006
      Network adapters | WAN Miniport (Network Monitor) | Microsoft | 10.0.19041.1 | 6/21/2006
      Network adapters | WAN Miniport (PPPOE) | Microsoft | 10.0.19041.1 | 6/21/2006
      Network adapters | WAN Miniport (PPTP) | Microsoft | 10.0.19041.1 | 6/21/2006
      Network adapters | WAN Miniport (SSTP) | Microsoft | 10.0.19041.1 | 6/21/2006
      Ports (COM & LPT) | Communications Port (COM1) | (Standard port types) | 10.0.19041.1 | 6/21/2006
      Ports (COM & LPT) | Intel Active Management Technology - SOL (COM3) | Intel | 2042.0.13.0 | 10/14/2020
      Print queues | ABS PDF Driver v400 | AMYUNI Technologies | 10.0.19041.1 | 6/21/2006
      Print queues | Adobe PDF | Adobe | 10.0.19041.1 | 6/21/2006
      Print queues | Brother DCP-7065DN Printer | Brother | 10.0.19041.1 | 6/21/2006
      Print queues | Fax | Microsoft | 10.0.19041.1 | 6/21/2006
      Print queues | Microsoft Print to PDF | Microsoft | 10.0.19041.1 | 6/21/2006
      Print queues | Microsoft XPS Document Writer | Microsoft | 10.0.19041.1 | 6/21/2006
      Print queues | OneNote | Microsoft | 10.0.19041.1 | 6/21/2006
      Print queues | OneNote | Microsoft | 10.0.19041.1 | 6/21/2006
      Print queues | Root Print Queue | Microsoft | 10.0.19041.1 | 6/21/2006
      Print queues | Send To OneNote 2016 | Microsoft | 10.0.19041.1 | 6/21/2006
      Printers | Brother DCP-7065DN Printer | Brother | 1.10.0.0 | 4/5/2013
      Processors | Intel Core i5-8600 CPU @ 3.10GHz | | |
      Processors | Intel Core i5-8600 CPU @ 3.10GHz | | |
      Processors | Intel Core i5-8600 CPU @ 3.10GHz | | |
      Processors | Intel Core i5-8600 CPU @ 3.10GHz | | |
      Processors | Intel Core i5-8600 CPU @ 3.10GHz | | |
      Processors | Intel Core i5-8600 CPU @ 3.10GHz | | |
      Security devices | Trusted Platform Module 2.0 | (Standard) | 10.0.19041.746 | 6/21/2006
      Software components | Intel Graphics Command Center | Intel Corporation | 27.20.100.8935 | 10/28/2020
      Software components | Intel Graphics Control Panel | Intel Corporation | 27.20.100.8935 | 10/28/2020
      Software components | Intel Optane Memory and Storage Management Component | Intel Corporation | 18.0.0.1 | 3/2/2020
      Software components | Intel Optane Pinning Shell Extensions | Intel Corporation | 18.0.1.1138 | 8/3/2020
      Software components | Intel Optane Pinning Shell Extensions | Intel Corporation | 18.0.1.1138 | 8/3/2020
      Software components | Realtek Asio Component | Realtek | 1.0.0.4 | 6/19/2017
      Software components | Realtek Audio Effects Component | Realtek | 11.0.6000.686 | 5/21/2019
      Software components | Realtek Audio Universal Service | Realtek | 1.0.0.172 | 5/20/2019
      Software components | Waves Audio Effects Component | Waves | 3.2.0.81 | 11/29/2018
      Software devices | Microsoft Device Association Root Enumerator | Microsoft | 10.0.19041.1 | 6/21/2006
      Software devices | Microsoft GS Wavetable Synth | Microsoft | 10.0.19041.1 | 6/21/2006
      Software devices | Microsoft RRAS Root Enumerator | Microsoft | 10.0.19041.1 | 6/21/2006
      Sound, video and game controllers | Intel Display Audio | Intel Corporation | 10.27.0.9 | 2/25/2020
      Sound, video and game controllers | Realtek Audio | Microsoft | 6.0.8710.1 | 5/22/2019
      Storage controllers | Intel Chipset SATA/PCIe RST Premium Controller | Intel Corporation | 18.30.1.1138 | 8/3/2020
      Storage controllers | Microsoft Storage Spaces Controller | Microsoft | 10.0.19041.1081 | 6/21/2006
      System devices | ACPI Fan | (Standard system devices) | 10.0.19041.1081 | 6/21/2006
      System devices | ACPI Fan | (Standard system devices) | 10.0.19041.1081 | 6/21/2006
      System devices | ACPI Fan | (Standard system devices) | 10.0.19041.1081 | 6/21/2006
      System devices | ACPI Fan | (Standard system devices) | 10.0.19041.1081 | 6/21/2006
      System devices | ACPI Fan | (Standard system devices) | 10.0.19041.1081 | 6/21/2006
      System devices | ACPI Fixed Feature Button | (Standard system devices) | 10.0.19041.1081 | 6/21/2006
      System devices | ACPI Power Button | (Standard system devices) | 10.0.19041.1081 | 6/21/2006
      System devices | ACPI Processor Aggregator | (Standard system devices) | 10.0.19041.1 | 6/21/2006
      System devices | ACPI Thermal Zone | (Standard system devices) | 10.0.19041.1081 | 6/21/2006
      System devices | Charge Arbitration Driver | (Standard system devices) | 10.0.19041.1 | 6/21/2006
      System devices | Composite Bus Enumerator | Microsoft | 10.0.19041.1 | 6/21/2006
      System devices | High Definition Audio Controller | Microsoft | 10.0.19041.1081 | 6/8/2021
      System devices | High precision event timer | (Standard system devices) | 10.0.19041.1081 | 6/21/2006
      System devices | Intel 300 Series Chipset Family LPC Controller (Q370) - A306 | INTEL | 10.1.16.3 | 7/18/1968
      System devices | Intel Gaussian Mixture Model - 1911 | INTEL | 10.1.7.2 | 7/18/1968
      System devices | Intel Host Bridge/DRAM Registers - 3EC2 | INTEL | 10.1.14.3 | 7/18/1968
      System devices | Intel Management Engine Interface | Intel | 2102.100.0.1044 | 1/3/2021
      System devices | Intel PCI Express Root Port #4 - A33B | INTEL | 10.1.16.3 | 7/18/1968
      System devices | Intel PCI Express Root Port #9 - A330 | INTEL | 10.1.16.3 | 7/18/1968
      System devices | Intel Power Engine Plug-in | Intel Corporation | 10.0.19041.662 | 6/21/2006
      System devices | Intel Serial IO GPIO Host Controller - INT3450 | Intel Corporation | 30.100.1816.3 | 4/17/2018
      System devices | Intel Serial IO I2C Host Controller - A368 | Intel Corporation | 30.100.1929.1 | 7/15/2019
      System devices | Intel SMBus - A323 | INTEL | 10.1.16.3 | 7/18/1968
      System devices | Intel SPI (flash) Controller - A324 | INTEL | 10.1.16.3 | 7/18/1968
      System devices | Intel Thermal Subsystem - A379 | INTEL | 10.1.16.3 | 7/18/1968
      System devices | Microsoft ACPI-Compliant System | Microsoft | 10.0.19041.964 | 6/21/2006
      System devices | Microsoft Hyper-V Virtualization Infrastructure Driver | Microsoft | 10.0.19041.1052 | 6/21/2006
      System devices | Microsoft System Management BIOS Driver | (Standard system devices) | 10.0.19041.1 | 6/21/2006
      System devices | Microsoft UEFI-Compliant System | Microsoft | 10.0.19041.1 | 6/21/2006
      System devices | Microsoft Virtual Drive Enumerator | Microsoft | 10.0.19041.1 | 6/21/2006
      System devices | Microsoft Windows Management Interface for ACPI | Microsoft | 10.0.19041.1 | 6/21/2006
      System devices | Microsoft Windows Management Interface for ACPI | Microsoft | 10.0.19041.1 | 6/21/2006
      System devices | Microsoft Windows Management Interface for ACPI | Microsoft | 10.0.19041.1 | 6/21/2006
      System devices | Microsoft Windows Management Interface for ACPI | Microsoft | 10.0.19041.1 | 6/21/2006
      System devices | Microsoft Windows Management Interface for ACPI | Microsoft | 10.0.19041.1 | 6/21/2006
      System devices | Microsoft Windows Management Interface for ACPI | Microsoft | 10.0.19041.1 | 6/21/2006
      System devices | Microsoft Windows Management Interface for ACPI | Microsoft | 10.0.19041.1 | 6/21/2006
      System devices | NDIS Virtual Network Adapter Enumerator | Microsoft | 10.0.19041.1 | 6/21/2006
      System devices | Numeric data processor | (Standard system devices) | 10.0.19041.1081 | 6/21/2006
      System devices | PCI Express Root Complex | (Standard system devices) | 10.0.19041.964 | 6/21/2006
      System devices | PCI standard RAM Controller | (Standard system devices) | 10.0.19041.1081 | 6/21/2006
      System devices | PCI-to-PCI Bridge | (Standard system devices) | 10.0.19041.964 | 6/21/2006
      System devices | Plug and Play Software Device Enumerator | (Standard system devices) | 10.0.19041.1 | 12/6/2019
      System devices | Programmable interrupt controller | (Standard system devices) | 10.0.19041.1081 | 6/21/2006
      System devices | Remote Desktop Camera Bus | Microsoft | 10.0.19041.1 | 6/21/2006
      System devices | Remote Desktop Device Redirector Bus | Microsoft | 10.0.19041.1 | 6/21/2006
      System devices | Remote Desktop USB Hub | (Standard system devices) | 10.0.19041.1023 | 6/21/2006
      System devices | System CMOS/real time clock | (Standard system devices) | 10.0.19041.1081 | 6/21/2006
      System devices | System timer | (Standard system devices) | 10.0.19041.1081 | 6/21/2006
      System devices | UMBus Enumerator | Microsoft | 10.0.19041.1 | 6/21/2006
      System devices | UMBus Enumerator | Microsoft | 10.0.19041.1 | 6/21/2006
      System devices | UMBus Enumerator | Microsoft | 10.0.19041.1 | 6/21/2006
      System devices | UMBus Root Bus Enumerator | Microsoft | 10.0.19041.1 | 6/21/2006
      UCMCLIENT | Cypress UCM Client Peripheral Driver | Cypress Semiconductor Corporation | 1.2.1.20 | 11/28/2017
      Universal Serial Bus controllers | Intel USB 3.1 eXtensible Host Controller - 1.10 (Microsoft) | Generic USB xHCI Host Controller | 10.0.19041.1081 | 6/7/2021
      Universal Serial Bus controllers | USB Composite Device | (Standard USB Host Controller) | 10.0.19041.488 | 6/21/2006
      Universal Serial Bus controllers | USB Composite Device | (Standard USB Host Controller) | 10.0.19041.488 | 6/21/2006
      Universal Serial Bus controllers | USB Printing Support | Microsoft | 10.0.19041.1081 | 6/21/2006
      Universal Serial Bus controllers | USB Root Hub (USB 3.0) | (Standard USB HUBs) | 10.0.19041.964 | 4/22/2021
  15. Of note: in my situation I had also identified KB5004945 as the culprit and attempted removal; however, nearly every attempt resulted in a BSOD as the uninstall neared completion, until I finally managed to get it through somehow. I then reapplied the update via WSUS, which resulted in the BSODs recurring. This issue affected only one of ~50 identical machines.
  16. Marcos, check your DMs; I saved you a memory dump from my problem machine.
  17. I just looked at the screenshot of my faulting PC's BSOD and noticed it is a different stop code than OP: PAGE_FAULT_IN_NONPAGED_AREA
  18. I've been experiencing this issue as well and am about to rebuild the affected PC. Sorry Marcos, but I don't have the time to get you guys any crash dumps; I have limited time to get this machine back up and running. BSOD in eamon.sys; it seems to happen on file access. It persistently worsened throughout the day yesterday to the point that the machine was unusable for the most part. This is a Win10 box on 20H2, 9th gen i7, 8 GB RAM, NVMe SSD, domain environment, running the most current version of Endpoint Security. It seems to have been caused by the emergency patch for the print spooler vulnerability. Any time I tried uninstalling the update it would result in a BSOD. Attempting to uninstall from ESMC/ERA/Protect/whatever it's called today was resulting in a BSOD as well. I was able to manually uninstall ESET locally on the box; it reported back correctly and then I ran an install task. Everything completed without issue and I made it through the initial scan. Handed the machine back over to the user and blammo - BSOD. Before reinstalling ESET I did also manage to get the update removed and then reapplied through WSUS with all active components of ESET temporarily disabled, and this did not remedy the problem either. I'm going to go reimage that box now; I'm out of solutions for the limited time I have to deal with this.
  19. I suspect the site works fine from a private browser on the problem machine if it is working fine on every other machine. You probably just have to clear the browser's cache on the admin laptop.
  20. The issue is the Detections column in the Computers section reporting on blocked websites which began after the most recent upgrade. Not the Detections section as indicated in your original reply to me. The change caught me off guard because when I was interviewed, a portion had to do with what screen do administrators have open most often. For me, it's the Computers section which now constantly looks like an outbreak since there is no way to filter by detection category.
  21. Now that it's been a few days I just wanted to reiterate - this is a major oversight, and I do not like how I've lost such a great deal of insight into my network due to the constant reporting of blocked websites. This feels like I've essentially lost one of the tools I use to monitor for infections and outbreaks, since it is constantly accumulating web blocker detections that are completely useless to me and that are reported at the same level as an actual detection I would care about. This really sucks, and I was one of the people that was interviewed by ESET last year.
  22. How do I stop web protection from generating detections in ESMC? Every URL that gets blocked is now adding to the detections number and it's like the boy who cried wolf. Super annoying.
  23. Is ESMC reporting that these outdated machines have the 6.5 Agent still installed? If that's the case, there are just two registry keys that need to be deleted that the v7 agent installation fails to remove:
      HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\07F21F149AF55F34494F355BE44BEE4C
      HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{41F12F70-5FA9-43F5-94F4-53B54EB4EEC4}
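An added example, not code from the post above or from ESET. The two keys in this post name the same Windows Installer product, and the relationship between them is mechanical: the key name under Installer\UserData\<SID>\Products\ is the ProductCode GUID in Windows Installer's "squished" form (the first three GUID fields reversed as strings, the last two fields byte-swapped), while the Uninstall key uses the plain GUID. The Python below (function names are my own) converts between the two forms and derives both key paths from a ProductCode, so before deleting a leftover Products key you can confirm it really belongs to the Uninstall entry you mean to remove. S-1-5-18 is used as the default SID because per-machine installs register under LocalSystem, which is the SID in the post.

```python
import re
from typing import Tuple

# Hypothetical helper names chosen for this example; the squish rule itself is the
# documented Windows Installer convention for Products\ key names.
_GUID_RE = re.compile(
    r"^\{?([0-9A-F]{8})-([0-9A-F]{4})-([0-9A-F]{4})-([0-9A-F]{4})-([0-9A-F]{12})\}?$"
)


def _swap_pairs(hexstr: str) -> str:
    """Swap the two hex digits of every byte: 'ABCD' -> 'BADC' (self-inverse)."""
    return "".join(hexstr[i + 1] + hexstr[i] for i in range(0, len(hexstr), 2))


def compress_guid(product_code: str) -> str:
    """ProductCode '{8-4-4-4-12}' -> 32-hex 'squished' form used as the key name under
    HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Installer\\UserData\\<SID>\\Products\\."""
    m = _GUID_RE.match(product_code.strip().upper())
    if not m:
        raise ValueError(f"not a GUID: {product_code!r}")
    f1, f2, f3, f4, f5 = m.groups()
    # first three fields reversed as whole strings, last two reversed byte by byte
    return f1[::-1] + f2[::-1] + f3[::-1] + _swap_pairs(f4) + _swap_pairs(f5)


def expand_guid(squished: str) -> str:
    """Inverse of compress_guid: 32 hex chars back to a braced '{8-4-4-4-12}' GUID."""
    s = squished.strip().upper()
    if not re.fullmatch(r"[0-9A-F]{32}", s):
        raise ValueError(f"not a squished GUID: {squished!r}")
    f1, f2, f3 = s[:8][::-1], s[8:12][::-1], s[12:16][::-1]
    f4, f5 = _swap_pairs(s[16:20]), _swap_pairs(s[20:])
    return f"{{{f1}-{f2}-{f3}-{f4}-{f5}}}"


def keys_match(products_key_name: str, uninstall_key_name: str) -> bool:
    """True when a Products\\ key name and an Uninstall\\ key name refer to the same
    ProductCode. Run this before deleting either key so you do not remove a
    different product's registration by mistake."""
    try:
        return compress_guid(uninstall_key_name) == products_key_name.strip().upper()
    except ValueError:
        return False


def stale_agent_keys(product_code: str, sid: str = "S-1-5-18") -> Tuple[str, str]:
    """Both registry paths a failed uninstall can leave behind for one ProductCode.
    sid defaults to LocalSystem, which is where per-machine installs are registered."""
    squished = compress_guid(product_code)
    plain = expand_guid(squished)  # normalises case and braces
    base = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion"
    return (
        base + r"\Installer\UserData\%s\Products\%s" % (sid, squished),
        base + r"\Uninstall\%s" % plain,
    )


if __name__ == "__main__":
    # The ProductCode from the Uninstall key quoted in the post.
    for path in stale_agent_keys("{41F12F70-5FA9-43F5-94F4-53B54EB4EEC4}"):
        print(path)
```

Given the ProductCode from the Uninstall entry, the script prints both paths; they should match the two keys in the post exactly. Export the keys (reg export) before deleting them, and try the deletion on one machine and re-check what the console reports before rolling it out with a task.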
  24. There is a decryptor tool for Magniber available at https://gist.github.com/evilsocket/b89df665e6d52446e3e353fc1cc44711 You will have to know the AES Key in order to use this tool to decrypt your files. The full analysis of this threat can be found at https://blog.malwarebytes.com/threat-analysis/2017/10/magniber-ransomware-exclusively-for-south-koreans/