Posts posted by sdnian

  1. In recent months, after the update to ERA 6.5, the Web Console sometimes cannot log in (I can see the login screen, but it hangs after I click the login button). Then I checked and found that ERAServer.exe has a lot of connections. There are about five connections normally. In the trace.log file, there are many log entries like this:

    2018-02-22 00:41:03 Information: NetworkModule [Thread 370]: Forcibly closing sessionId:16355, isClosing:0
    2018-02-22 00:41:03 Information: NetworkModule [Thread 370]: Removing session 16355
    2018-02-22 00:41:03 Information: NetworkModule [Thread 370]: Closing connection , session id:16355
    2018-02-22 00:41:03 Information: CReplicationModule [Thread 1958]: CReplicationManager: Connection was closed by remote peer.
    2018-02-22 00:41:06 Warning: NetworkModule [Thread 718]: The connection will be closed due to timeout. SessionId:16357 Ip address: 192.168.25.234 Port: 58714 Resolved name: 192.168.25.234
    2018-02-22 00:41:06 Information: NetworkModule [Thread 370]: Forcibly closing sessionId:16357, isClosing:0
    2018-02-22 00:41:06 Information: NetworkModule [Thread 370]: Removing session 16357
    2018-02-22 00:41:06 Information: NetworkModule [Thread 370]: Closing connection , session id:16357
    2018-02-22 00:41:06 Information: CReplicationModule [Thread 1958]: CReplicationManager: Connection was closed by remote peer.
    2018-02-22 00:41:07 Warning: NetworkModule [Thread 370]: The connection will be closed due to timeout. SessionId:16358 Ip address: 192.168.26.240 Port: 13889 Resolved name: 192.168.26.240

    Usually, force-killing the ERAServer.exe process (the ERA Server can't be stopped from Services at this moment) and then starting the service returns it to normal.

    This ERA server is v6.5.522.0, Windows Server 2012 R2 x64. About 550 clients (most are Agent 6.5.522, EES 6.6.2072, EFSW 6.5.12014). This server worked well before it was upgraded to 6.5. It's probably been in use for two years.

    But this has not happened only on this server. There are some other ERA 6.5 servers that have the same issue. (I helped over 100 customers install and maintain the ERA server.)


  2. 4 minutes ago, Marcos said:

    It would help if you could temporarily uninstall EEA and install ESET Endpoint Security to troubleshoot this issue. If you are willing to do that, I can provide you with a trial license for EES. It has an option to generate advanced firewall logs which is needed to determine the source of the issue.

    Also it appears you have diagnostic logging enabled. It should only be enabled when instructed by customer care while tackling particular issues. Please change logging verbosity to informative.

    Okay, I could try it. Please tell me the option to generate advanced firewall logs and the trial license. Thank you.

  3. A few days ago, I upgraded the EEA to 6.6.2064. Most of the computers are normal, but there are a few Windows XP SP3 computers that show "Protocol filtering not functional" errors. I tried to remove it, go back to the status without the old version, and reinstall. But the problem persists. This problem is not always the same: sometimes it is normal, sometimes there are errors. Is there any solution to fix it?


  4. 11 hours ago, Marcos said:

    Yes, we plan to have a new version of the mirror tool but it will take some time. Isn't an http proxy an option for you? With http proxy much less data should be downloaded with each update compared to using a mirror.

    I've tried to use the http proxy since 6.2/6.3. I am familiar with the http proxy advantages. But in my experience, it is relatively slow and more unstable. Some of my clients always complain about it. So I prefer to use the mirror tool.

    When you release a new version of the mirror tool, please support Windows Server 2003. Several months ago, I asked about this issue, but there is still no fix until now.

     

    By the way, could you ask your engineer to check why the 6.6 update files can't be cached on the local disk by Apache HTTP Proxy? Every time, they are downloaded from the ESET server; Apache HTTP Proxy just forwards the requests. I tried to analyze the problem. It should be the missing 'Cache-Control' in the header of the HTTP response.

    For example, this file, hxxp://update.eset.com/era6-sta/mod_000_loader_1112/em000_64_l0.nup, has 'Cache-Control' and could be saved as a cache file in "C:\ProgramData\Apache Http Proxy\Cache"

    < HTTP/1.1 200 OK
    < Server: nginx
    < Date: Tue, 29 Aug 2017 00:00:35 GMT
    < Content-Type: application/octet-stream
    < Content-Length: 70124
    < Last-Modified: Tue, 22 Nov 2016 00:00:00 GMT
    < Connection: keep-alive
    < ETag: "58338a80-111ec"
    < Expires: Tue, 05 Sep 2017 00:00:35 GMT
    < Cache-Control: max-age=604800
    < Cache-Control: s-maxage=0, must-revalidate
    < Accept-Ranges: bytes
     

    But this file, hxxp://update.eset.com/ep6.6-rel-sta/mod_041_w10upgrade_1000/em041_32_l0.nup, can't be saved by Apache HTTP Proxy. No matter how many times I download it, it is always downloaded directly from the ESET server.

    < HTTP/1.1 200 OK
    < Server: nginx
    < Date: Tue, 29 Aug 2017 00:00:37 GMT
    < Content-Type: application/octet-stream
    < Content-Length: 118835
    < Last-Modified: Thu, 23 Jul 2015 00:00:00 GMT
    < Connection: keep-alive
    < ETag: "55b02e80-1d033"
    < Accept-Ranges: bytes
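
Added example, not part of the original post and not ESET or Apache code: the caching-relevant headers of the two responses quoted in the post above, run through the explicit-freshness rules of RFC 7234 for a shared cache and for a private one. The constant and function names and the `shared` parameter are made up for this illustration, and it models the RFC rules only, not Apache HTTP Proxy's own configuration.

```python
from email.utils import parsedate_to_datetime

# Caching-relevant headers copied from the two responses quoted in the post.
LOADER_NUP = """\
< Date: Tue, 29 Aug 2017 00:00:35 GMT
< Last-Modified: Tue, 22 Nov 2016 00:00:00 GMT
< ETag: "58338a80-111ec"
< Expires: Tue, 05 Sep 2017 00:00:35 GMT
< Cache-Control: max-age=604800
< Cache-Control: s-maxage=0, must-revalidate
"""
W10UPGRADE_NUP = """\
< Date: Tue, 29 Aug 2017 00:00:37 GMT
< Last-Modified: Thu, 23 Jul 2015 00:00:00 GMT
< ETag: "55b02e80-1d033"
"""

def parse(dump):
    """Return (headers, cache-control directives) from '< Name: value' lines."""
    headers, cc = {}, {}
    for line in dump.splitlines():
        name, sep, value = line.lstrip("< ").partition(":")
        if not sep:
            continue
        name, value = name.strip().lower(), value.strip()
        if name == "cache-control":      # repeated lines combine into one list
            for item in value.split(","):
                key, _, arg = item.strip().partition("=")
                cc[key.lower()] = arg.strip('"')
        else:
            headers[name] = value
    return headers, cc

def freshness(dump, shared=True):
    """Explicit freshness lifetime in seconds, as a cache would compute it."""
    headers, cc = parse(dump)
    if shared and "s-maxage" in cc:      # s-maxage applies to shared caches only
        life, source = int(cc["s-maxage"]), "s-maxage"
    elif "max-age" in cc:
        life, source = int(cc["max-age"]), "max-age"
    elif "expires" in headers and "date" in headers:
        delta = parsedate_to_datetime(headers["expires"]) - parsedate_to_datetime(headers["date"])
        life, source = int(delta.total_seconds()), "expires"
    else:                                # nothing explicit was sent
        life, source = None, "none"
    return {"lifetime": life, "source": source,
            "must_revalidate": "must-revalidate" in cc,
            "heuristic_possible": life is None and "last-modified" in headers,
            "validators": sorted(h for h in ("etag", "last-modified") if h in headers)}
```

For the first file a shared cache gets an explicit lifetime of 0 seconds with `must-revalidate`, so a stored copy has to be revalidated against its `ETag` on every use; for the second file no explicit lifetime is sent at all, leaving only heuristic freshness derived from `Last-Modified`.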
     

  5. Quote

    It is not possible to update Endpoint 6.6 using Mirror tool from ESET Remote Administrator 6.5 and earlier or create an update mirror for Endpoint 6.6 using any product earlier than 6.6 (6.5 and older)  

    Will ESET update the Mirror Tool with a new version to support 6.6 in the future?

  6. With ERA Server 6.5.522.0 and Web Console 6.5.388.0, I get this error "FAILED TO LOAD DATA: REPORT TEMPLATE FILTER IS INCORRECT" when I enter the Policies page. I've restarted ESET Remote Administrator Server and Tomcat7, but it doesn't help. In the trace.log, there are some errors:

    2017-04-19 13:42:26 Error: CReportsModule [Thread 25c]: 0 MessageProcessorThread: Failed to generate a report: VerifyReportTemplate: Filter not allowed by Filter Definitions: symbol:2547 Filter operation: OP_GREATER_OR_EQUAL: 751
    2017-04-19 13:42:27 Error: CReportsModule [Thread 25c]: MsgGenerateReport: Query did not generate a report: MessageProcessorThread: Failed to generate a report: VerifyReportTemplate: Filter not allowed by Filter Definitions: symbol:2547 Filter operation: OP_GREATER_OR_EQUAL
    2017-04-19 13:42:27 Error: ConsoleApiModule [Thread f68]: 2 Error while processing GenerateReport request: VerifyReportTemplate: Filter not allowed by Filter Definitions: symbol:2547 Filter operation: OP_GREATER_OR_EQUAL
     


    How can I fix it?

  7. I have the same issue, using ESET Endpoint Security 6.5.2094 on Windows 7/10 (x86/x64). If the filter mode of Personal Firewall is set to 'Learning mode', then once many rules have been created, all network connections will be blocked. Some applications will hang, and even Task Manager can't close them.

    A simple solution: clear all firewall rules that were created automatically, or change the filter mode to 'Automatic mode'.

    This is not about ERA 6.5. Installing only EES 6.5.2094 (without installing ERA Agent 6.5) still has this issue.

    Windows XP SP3 works well with EES 6.5.2094.

  8. 7 hours ago, Peter Randziak said:

    Hello,

    the Mirror tool requires Visual C++ Redistributable for Visual Studio 2015 (x86) to work properly, you can download them from the Microsoft site here: https://www.microsoft.com/en-us/download/details.aspx?id=48145 

     

    Regards, P.R.

    Thanks P.R. for your reply.

    But it doesn't help. I've installed Visual C++ Redistributable for Visual Studio 2015 (x86), but it still pops up the same error message.

    And I think MirrorTool.exe requires Visual C++ 2010 Redistributable, not 2015. According to my test, it requires the file msvcr100.dll.

     

  9. Exclamation mark? Okay. I got it. In 6.5, the red number doesn't mean only red errors. It also includes yellow warnings.

    Then I did a simple test from a Windows Server. I saved eicar.com on the desktop, then did a scan with EFSW. The file was detected and deleted. Everything is okay, and no threats exist now. But in the web console, this server shows one unresolved threat. Why is it an unresolved threat?

  10. I have a Windows 7 SP1 x64 computer. It can't connect to the ERA Server after ERA Agent 6.4 was installed. In the trace.log, there are a lot of error messages:

    2017-01-26 02:51:30 Error: NetworkModule [Thread 608]: Protocol failure for session id 36, error:Receive: NodSslWriteEncryptedData: Handshake failed to complete.
    2017-01-26 02:51:30 Error: CReplicationModule [Thread fd4]: CReplicationManager: Replication (network) connection to 'host: "172.26.69.6" port: 2222' failed with: Receive: NodSslWriteEncryptedData: Handshake failed to complete.

    I have tried to remove and install it several times, and even rebooted it a few times, but it just doesn't work. I've tried to do the same thing on another computer, and it works well. I used the same EraAgentInstaller.bat to install ERA Agent on all of the computers. And this computer has no firewall. I also used Wireshark to capture the packets. Something is sent to the ERA server from this computer, and something is received back. Please help me to resolve the problem, thank you.

  11. date

    date -u

    date +%z

     

    # date
    一 11月 28 09:33:55 CST 2016
    # date -u
    一 11月 28 01:33:58 UTC 2016
    # date +%z
    +0800
     

    Each cleanup phase should have a start and end entry in the trace log.

     

    I have not found such a log. And I found a lot of the logs below. They appear every minute. There are no other 'CCleanupModule' logs in the trace.log file.
    2016-11-27 23:37:46 Information: CCleanupModule [Thread 7f19d27fc700]: Initiating calculation of status snapshots
    2016-11-27 23:37:46 Information: CCleanupModule [Thread 7f19d27fc700]: Finished calculation of status snapshots
    

    Just out of curiosity, how many endpoints is this installation managing? Does this problem happen for a longer time? Has there been any outbreak in your environment that could flood ERA server with many logs? Could you also check database size in terms of size on disk?

     

    This ERA server has 600 clients. The 'era_db' database size is about 650MB.
     
    And I resolved this problem. It hasn't happened again in the last three days.

  12. I have some clients reporting that XP SP3 can do product activation. Could someone check it? When I try to activate, I get an error code: ECP.20006. Using IE to browse https://edf.eset.com/edf, I got the error message below:

     


     

    This XP SP3 has had all patches from Windows Update installed. I could confirm that it supports TLS1.0. I tried to run this command: curl https://edf.eset.com/edf on this XP, and I got this response message:

     

    <?xml version="1.0" encoding="UTF-8"?><ecp:message xmlns:ecp="hxxp://www.eset.co
    m/2012/02/ecp"><ecp:response><code>20101003</code><message>Unsupported Content-t
    ype: unknown</message></ecp:response></ecp:message>
     
    So it should not be a DNS issue.
     
    I also tested it on Windows 7. It could do product activation. So it seems only XP has this problem.
     
    Wireshark capture packets:
     
  13.  

    2016-11-23 23:11:47 Error: CReplicationModule [Thread 7f1965ffb700]: CStepProcessor: Replication master rejected, slave is busy

     

    This means SERVER is in a state in which incoming connections are rejected. There are multiple possibilities for what could be the reason, for example:

    • SERVER lost connection to database
    • SERVER has connection to database, but it is accepting data faster than it is able to write into database (i.e. there are many pending logs). This
    • SERVER is out of memory (RAM)

    In case it happens once a day, it may be caused by so-called DB cleanups, which are performed at 00:00:00 of local time on SERVER - does it correlate with your findings? Also please check status.html on SERVER from the time it is not working properly; there may be more relevant information about the reason why SERVER is in an overloaded or busy state. Could you also verify that your MySQL driver and unixODBC are configured so that multi-threading is enabled (parameter Threading=0 or new unixODBC)?

     

     

    Remaining errors are unrelated to this issue: SERVER seems to be rejecting connections from client because its certificate was revoked. And it seems it is actually AGENT installed on the same computer...

     

     

    I found it happened at about 08:00 AM local time. But my timezone is UTC+8. So is it possible that the server runs DB cleanups at that time? Is there any log that could confirm when DB cleanups are performed?

     

    According to what you mentioned:

     

    Point 1. I don't think so, because I could log on to the web console and there is data in there. If the ERA server had no connection to the database, why would I see data in the console?

    Point 3. Server is out of memory. I checked the memory; it seems okay.

     

    # free
                  total        used        free      shared  buff/cache   available
    Mem:       16355332     2492188     1112308      169488    12750836    13388260
    Swap:      16776188           0    16776188
     
    Point 2. How could I make sure whether it is the reason?

     

    You also mention unixODBC. I wonder whether it may be the reason. A long time ago, I asked about another issue, https://forum.eset.com/topic/9520-no-progress-count/, but no one gave me an answer.

    Maybe it's related. In fact, I don't use unixODBC, because I use Ubuntu 16.04.1 LTS and MySQL 5.7. The unixODBC doesn't support MySQL 5.7. The unixODBC package has been removed from Ubuntu 16.04. So I use MySQL connector/ODBC for Linux - https://dev.mysql.com/downloads/connector/odbc/ . Maybe ERA server 6.4 is not fully compatible with MySQL connector/ODBC?
