LocknetSSmith posted December 15, 2016:
We are having an issue wherein we have a computer that has been, say, reformatted. Upon reloading Windows, and so on, we install the most recent ESET RA Agent. From what we can tell, the computer checks in again, thinking it is the "old computer." Even when the hostname has changed, a "new" computer reflecting the new hostname never shows up in our console, yet the "old" computer continues to check in. The status.html log on the computer shows all green, all OK. What is the proper procedure for this? Meaning, is there a task that should be run from the ERA Console prior to reformatting the computer? What if a computer has already been reformatted, but the ERA Agent is still showing as checking in to our server?
ESET Remote Administrator (Server), Version 6.4.295.0
ESET Remote Administrator (Web Console), Version 6.4.266.0
MartinK (ESET Staff) posted December 15, 2016:
Could you be more specific about what you mean by reloading Windows? Are you cloning a master image, or are you reverting a specific machine to its former state without cloning a machine where AGENT was already installed?
LocknetSSmith (author) posted December 15, 2016:
Neither. Meaning, a full disk reformat: wiping the hard drive and reloading the operating system. No image involved in this particular case.
MartinK (ESET Staff) posted December 15, 2016:
2 minutes ago, LocknetSSmith said: Neither. Meaning, a full disk reformat: wiping the hard drive and reloading the operating system. No image involved in this particular case.
In case you are using a clean installation of AGENT, a new computer entry in the Web Console will be created regardless of machine hostname or any other identifier, with a small exception in case a remote installation task is used to install AGENT (is this the case?). To be more precise, the computer record in the Web Console is tied to the computer using a unique identifier that is generated during clean installation of AGENT; therefore each re-installation of AGENT should create a new entry in the Web Console. New computers should appear in the Lost&Found group if not overridden during installer creation, and the computer name is either the FQDN reported by the client itself, or the reverse-DNS record for the IP from which the client connected to the SERVER. It is also possible that the computer is automatically moved to the same group as other computers with the same. In case the client is connecting, could you check its details, especially the section "Device identifiers", to see whether correct data is displayed? Is it possible that reverse-DNS may result in the same name? In case the name is not correct, but the FQDN in client details is, you may use the task for automatic renaming. What type of AGENT installer are you using? Are there any special parameters used?
LocknetSSmith (author) posted December 15, 2016:
Here is exactly what happened:
- A customer with hostname (just for example's sake) computername.domain.local was actively checking in to our ERA Server, and visible within my ERA Web Console; no errors present from the ESET side. ESET Remote Administrator Agent 6.4.283.0 was installed, along with ESET Endpoint Antivirus version 6.4.2014.0.
- The customer requested that we reformat the computer, as in, wipe the hard disk and reload the OS. During this process, the computer was still showing in our ERA Web Console, but was obviously not actively connecting (we use a 30 min. check-in interval). I didn't know this was going on, so I never deleted the computer from our console (another technician was working with this customer).
- Upon reloading Windows, the hostname the customer previously had was used again (I realize that's not what I said above... I just got this new detail). The technician used an Agent Live Installer I had created for him previously to reinstall the ESET RA Agent.
- The technician logged into our ERA Web Console with the intent to create a Software Installation task to remotely push ESET Endpoint Antivirus. When he logged in, however, the computer computername.domain.local was showing as actively checking in, and furthermore showed that ESET Endpoint Antivirus was already installed, although he knew it wasn't.
- He reported this to me, unsure of what to do.
SO, I'm reading your post and see how the server is supposed to be acting, but this is what is actually happening. My question is, should I have done something prior to him reformatting the computer (had I known about it), such as deleting the device from our Web Console, or running the Stop Managing task against it?
To answer your questions:
- It is an Agent Live Installer. The Agent Live Installer was configured with the customer's ERA Certificate, our ERAS server's public-facing hostname (the address the agent should check in to) was configured, and a Parent Static Group was defined.
- Reverse DNS: results in the same name as the "old" computer.
- The FQDN in the client details is identical.
The end result is that the ERA Server "thinks" this computer still has Endpoint AV on it. The status.html log on the endpoint is showing all green, all OK, but Endpoint AV is really not installed on it. It (ESET Endpoint AV) was never reinstalled after the reformat.
MartinK (ESET Staff) posted December 15, 2016:
You did everything right; there is no need to do anything else, and a new computer entry should have been created. Unfortunately I am running out of ideas; such behavior has not been reported to us. I would recommend checking whether this "restored" computer is actually operational, for example by running the export configuration task (client details -> configuration -> click on request configuration): if there is actually AGENT and EAV installed, you will receive their configuration. In case only AGENT is installed, only its configuration should be received after a few connections. The previously mentioned unique identifier is stored in the Windows registry (HKEY_LOCAL_MACHINE\SOFTWARE\ESET\RemoteAdministrator\Agent\CurrentVersion\Info). Are you sure these keys were not restored during Windows installation? There should be no such keys before the live installer was started. Maybe a stupid question, but to be sure: the expected behavior is that there will be two identically named computers in the console, one with old data and not connecting, and one with current data and a recent last connection time. Are you sure you have searched all groups and there is only one? Could you also check the audit log (Reports -> Audit log) for entries regarding the computer with this name, especially what was reported from the time of system re-installation until now. It is also possible to remove this computer from the console; it will be re-created automatically upon the next AGENT connection. At least we will be sure it is connecting. You may also try to use the "Reset cloned agent" client task on this computer. As a result, AGENT should change its identifier and a new computer entry should appear in the Lost&Found group upon the client's next connection.
This is normally used to fix problems with cloned computers, which behave exactly as you describe -> the computer entry is missing from the console and logs are randomly "merged", which may result in invalid data being shown. In case more than 1 new computer appears, it would mean that there were actually cloned AGENT installations ...
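A way to verify the point MartinK raises, that the identifier under the Info key should be absent before the Live Installer runs and should differ from the pre-reformat one afterwards. This is an added example, not code from the thread or from ESET; the function names and the JSON snapshot file are my own, the registry path is the one quoted above, and no assumptions are made about which value names live under that key.

```powershell
# Added example (not from the thread or ESET): snapshot the ERA Agent identity key
# before a reformat, then check after reinstall whether the old identity survived.
$InfoKey = 'HKLM:\SOFTWARE\ESET\RemoteAdministrator\Agent\CurrentVersion\Info'

function Get-EraAgentIdentity {
    # Returns every value under the Info key as a hashtable, or $null if the key is absent.
    if (-not (Test-Path -LiteralPath $InfoKey)) { return $null }
    $item = Get-Item -LiteralPath $InfoKey
    $values = @{}
    foreach ($name in $item.GetValueNames()) {
        $values[$name] = [string]$item.GetValue($name)
    }
    return $values
}

function Save-EraAgentIdentity {
    # Run before the reformat; keep the snapshot off the machine, the disk is about to be wiped.
    param([Parameter(Mandatory)][string]$Path)
    $id = Get-EraAgentIdentity
    if ($null -eq $id) { Write-Warning 'Info key not present; nothing to save.'; return }
    $id | ConvertTo-Json | Set-Content -LiteralPath $Path -Encoding UTF8
}

function Compare-EraAgentIdentity {
    # Run after reinstall. Before the Live Installer the key should be absent; after it,
    # any value identical to the snapshot means the old identity was reused or restored,
    # which is exactly the case where the console keeps updating the old computer entry.
    param([Parameter(Mandatory)][string]$SnapshotPath)
    $old = Get-Content -LiteralPath $SnapshotPath -Raw | ConvertFrom-Json
    $new = Get-EraAgentIdentity
    if ($null -eq $new) {
        Write-Output 'Info key absent: this is the expected state before the Live Installer runs.'
        return
    }
    foreach ($prop in $old.PSObject.Properties) {
        $state = if ($new[$prop.Name] -eq $prop.Value) { 'UNCHANGED (old identity reused)' } else { 'changed' }
        Write-Output ('{0}: {1}' -f $prop.Name, $state)
    }
}

# Usage (hypothetical paths):
#   Save-EraAgentIdentity -Path '\\fileserver\share\era-id-before.json'     # before reformat
#   Compare-EraAgentIdentity -SnapshotPath '\\fileserver\share\era-id-before.json'  # after reinstall
```

Run it from an elevated prompt; reading under HKLM normally works unprivileged, but the ESET key may be ACL-restricted on some builds.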