"Failed to rename file"...?

[thatguy 0]

Hello --

We've recently updated to Endpoint Antivirus 6.6.2046.  Since then, a workstation has been seeing notifications saying "Failed to rename file."  That's all the info it offers.  thanks..     The workstation event log (in Tools->Log files->Events) shows the same vague and unhelpful message.  I tried uninstalling, which was a chore in itself... I had to use the manual CLI uninstaller because the push uninstall failed with no explanation, and uninstalling from Control Panel halted because "no password was specified".  I finally got Antivirus gone, leaving the Agent installed, and reinstalled Antivirus from ERA. The silence lasted for about 2hrs, and then the notification popped up again.  I can't see any mention of the error in ERA. 

Has anyone seen this?  Any thoughts on a cause or next step to troubleshoot? 
Thanks

[thatguy 0]

So after I finally got a tech remoted into the original workstation experiencing the problem, I was told this is a new issue introduced with v6.6.2046.  It's seemingly caused by a permission issue when running a scheduled update under the system account.  The tech overrode the default policy and changed the Update->Profile->Connect To LAN As setting to Current user, which allowed the scheduled update to run; however, this was done under a domain admin account.  By this point, the user had been kicked off her machine for over an hour and I couldn't offer the tech any more time to test (for example, if the update would run under a standard user account).  Silly me for thinking ESET would have a testing lab to use for this purpose.

So for anyone else dealing with this issue, it sounds like it's a new bug.  Hooray for quality control!

[Marcos 5,070]

Do the problematic computers update from ESET's servers or from a mirror created by another Endpoint 6.6? If the former, do they connect directly or through a proxy server?

What we'd need you to do:

- enable advanced update engine logging under tools -> diagnostics in the advanced setup
- start logging with Process Monitor (for instructions, see the FAQ section at the right-hand side of this forum)
- run manual update
- stop logging (both)
- collect logs with ELC
- compress the Procmon log and upload it along with the zip archive generated by ELC to a safe location and pm me the download links.

[Mike Rigsby 0]

Been having the same problem here (as well as several others) since the upgrade to 6.6.2046 as well so thanks for figuring this one out.

Now to work out the rest of the bugs that this update caused.

[MichalJ 434]

@Mike Rigsby What other bugs you are referring to? We are preparing a service release for Endpoint 6.6, where we would like to fix the issues. But it is essential, that you report the full set of problems, so we can guarantee that they will be resolved.

[Orascu Vlad 1]

Hello all, 

I have the same issue on some computers.

Has it been identified what is causing this and how to fix it?

Thank you

[OEC GROUP IT 0]

I've pushed out the update for endpoint antivirus 6.6.2052.0 and issue is still present from the previous update.  When receiving this error, does it mean the computer's virus db definitions are not being updated?  Is there any solution to this error? I receive a number of ESET error emails everyday from the same computers.

[Marcos 5,070]

Momentarily I'll provide you with further instructions for troubleshooting the issue. I've come across this error once and never again. If the issue is occurring on more computers, does switching to pre-release updates in the advanced setup make a difference?

[mrac 5]

Have today this issue on my own computer. Version 6.6.2052, on ERA enabled pre-release updates. Seen this on many computers...

[mrac 5]

Hmm... I tried several times "Check for updates", always was Failed to rename file.

I enabled  "Advanced update engine logging" and error disappeared itself...

[Marcos 5,070]

If somebody is able to reproduce this error at any time, please let us know. We'll need a log from a special version of Process Monitor for perusal.

[Orascu Vlad 1]

2 hours ago, Marcos said:

If somebody is able to reproduce this error at any time, please let us know. We'll need a log from a special version of Process Monitor for perusal.

Hello Marcos

I get that error quite often, so I think I can help. Please let me know what to do.

Would it be possible to give you the logs privately?

[OEC GROUP IT 0]

Well, what file would be failing to be renamed on an update?  ESET is the one who programs these errors into the software.  It would be helpful for a technician working on a computer with this error to have more information from the software. What is the location of the file(s) that gets renamed on update?

Please advise.

[OneEyeGringoJoe 0]

I get the same error.

[Mike Rigsby 0]

I've got two different computers, both of which I've updated to 6.6.2052.0, that still have this issue. One occasionally and one constantly.

I've done repair installs, and completely uninstalled and reinstalled, on the one that it happens constantly on without success. I've changed the Connect to LAN As under our default domain policy on the machine from System to Current User, per some other forum discussion and that didn't work either.

I'm at a total loss as to why this one system seems to refuse to update and throws this failed to rename file error every time.

[Marcos 5,070]

2 hours ago, Mike Rigsby said:

I've got two different computers, both of which I've updated to 6.6.2052.0, that still have this issue. One occasionally and one constantly.

Please create logs as follows:

- download Process Monitor from this link
- enable advanced update engine logging in the advanced setup -> tools -> diagnostics
- run Process Monitor, select Filter -> Enable advanced output
- clear the existing log and start logging from scratch
- manually run update
- disable logging
- save the Procmon log as unfiltered pml file and compress it
- collect logs with ELC
- upload both archives to a safe location (e.g. Dropbox, OneDrive, etc.) and provide me with download links.

[nateb 0]

I've only pushed out 6.6.2052 to a single computer at this point and have the same issue. I watched the versioning on the modules and it seems to happen when it's updating both the detection engine and the rapid response modules. If I hit check for updates a number of times it will eventually update and the version numbers on those two modules will increment.

[Marcos 5,070]

13 hours ago, nateb said:

I've only pushed out 6.6.2052 to a single computer at this point and have the same issue. I watched the versioning on the modules and it seems to happen when it's updating both the detection engine and the rapid response modules. If I hit check for updates a number of times it will eventually update and the version numbers on those two modules will increment.

Please follow the instructions from my post above. The logs must be from an update attempt that failed with the error.

[nateb 0]

I you the logs via a message. I hope you got them.

[hawkunsh 0]

Same here. Get the error occasionally on two Win 10 computers, several times a day. It seems to depend on if, and what kind of updated content, is present at the time om the update, whether the error occurs or not. So a bit hard to reproduce in a controlled way.

After the error occurs (auto update initiated) I can manually trigger updates 0 – ~6 times before the update finally succeeds.

Both computers are recently updated to "Windows 10 Fall Creators Update" as opposed to several other Win 10 machines not getting this error. But we also have a third Win 10 machine updated to "Fall..." that as far as I know don't get this error, so...

All these Win 10 machines runs latest Endpoint Security 6.6.2064.0.

I have traced file access with Process Monitor during a failed update. I filtered the output like this:

The lines I've found interesting looks like this:

Unfortunately the Update engine advanced logging wasn't activated at the time, but I'll send you the collected logs anyway.

You'll get the ELC and PML files mentioned in a PM.

If you also need Update engine advanced logging, let me know.

/ Håkan

Edited November 29, 2017 by hawkunsh
Added some additional info.

[MikeRigsby 0]

A couple weeks ago I disabled the Windows Search service on two of the PCs that this error was the most frequent on and the error hasn't happened since. I'm assuming that the Windows file Indexing is clashing with the ESET update service.

I don't really consider this a 'fix' because disabling a service that is fairly important to many of my users isn't a solution.

Edited December 6, 2017 by MikeRigsby

[hawkunsh 0]

@Marcos Will soon send you a new ELC file with Update engine advanced logging during at least two update attempts generating this. Sending as PM.

Edited November 29, 2017 by hawkunsh

[MikeRigsby 0]

After a few weeks of not getting this error on the two PCs that I had disabled the Windows Search Service on I decided to re-enable the service again to make sure it was related.

Very next morning after turning the Windows Search service back on, I got the error again on those PCs so this issue is most definitely related to a conflict with Windows Indexing.

[Marcos 5,070]

We'll need to get this confirmed by more users since in most Procmon logs we didn't see any SearchProtocolHost records. Moreover, in one ticket the user stated that disabling the Windows Search service didn't make any difference but we could not verify if the user really did what he had claimed.

(Un)fortunately, the issue manifests very rarely and we have only very few reports of it in the last months to definitely confirm that Windows Search is involved.

[OneEyeGringoJoe 0]

I have been working separately with ESET support on this same problem, But, following this thread as well.  I think procmon effects the error somehow.  If I do not start procmon, I get the error is 3's.  Three files get updated and error every time.  But, if I see the first error, start procmon, and click update, expecting to see the 2nd error, it absolutely will not happen. And, leaving procmon running indefinitely is not an option because of the disk space it will consume.