ERA thinks security product it not installed

[SysEPr 4]

Hi,

I've the following issue that comes back from time to time on different machines.

In this case right now, we have a user, who is on Mac OS X 10.13.3. In, ERA (ESET Remote Administrator (Server), Version 6.5 (6.5.522.0), ESET Remote Administrator (Web Console), Version 6.5 (6.5.388.0) on Microsoft Windows Server 2012 R2 Standard (64-bit), Version 6.3.9600), in the computer list it shows that there are no security products installed, and the installation task has failed. But if I go into the computer details view, it actually shows in the "Eset security products" part, that the client (ESET Endpoint Security 6.5.600.1) and the agent (ESET Remote Administrator Agent 6.5.376.0) is installed, and if I go the user's computer, it is actually running perfectly fine (but not activated). However, because ERA thinks otherwise, it won't let me activate it remotely (the task becomes "planned: no" status). Sometimes it lets me run the installation task again remotely, and then after deleting the user from console, it usually comes back in a fixed state. Removing the user without reinstall doesn't fix it alone.

Do you have any idea why is this happening? The only solution that I could come up is to remove the installations manually, and install it again. That usually fixes it, but it's really frustrating, since it's not an individual case.

Thanks!

[MartinK 378]

Could you specify in what order you installed AGENT and EES/EAV on macOS? By removing and installing manually, which of two mentioned products you are reinstalling to make it work?

[SysEPr 4]

1 hour ago, MartinK said:

Could you specify in what order you installed AGENT and EES/EAV on macOS? By removing and installing manually, which of two mentioned products you are reinstalling to make it work?

Sure, it's always the same. The user installs the Agent with "sudo bash EraAgentinstaller.sh", and then when it connects to our ERA, it gets into a dynamic group that triggers the EES installation task.

We usually remove both, just to be on the safe side, but for example, today, it was enough to reinstall the EES remotely to fix the issue.

[SysEPr 4]

On 01/02/2018 at 7:48 PM, MartinK said:

Could you specify in what order you installed AGENT and EES/EAV on macOS? By removing and installing manually, which of two mentioned products you are reinstalling to make it work?

Do you have any idea why is this happening, or how can we troubleshoot it?

[MartinK 378]

3 hours ago, SysEPr said:

Do you have any idea why is this happening, or how can we troubleshoot it?

To be honest, I hoped it will recover after a time. Please send me AGENT trace.log (in private message) from affected machines. It would be greate if you could enable full trace logging and restart AGENT service before collecting logs (see documentatoin for trace log details).

Could you also check, whether simple restarting AGENT service helps to resolve this issue? AGENT can be restarted using command:

bash /Applications/ESET\ Remote\ Administrator\ Agent.app/Contents/Scripts/restart_agent.sh 

from root terminal.

Could you also check whether AGENT is actually connecting to ERA and responding to basic tasks (for example "Export configuratoin" task)? Just to verify there is no problem with propagating logs from AGENT to ERA.

[Beach 0]

I am running into this exact same issue on my computers running macOS, but I'm also running into an activation issue.

I just tested this with a fresh install of High Sierra. Once the operating system had all of its updates installed (10.13.3), I manually installed the ESET Agent (sudo EraAgentInstaller.sh) via Terminal.

Once the computer showed up in Lost & found on my ERA Server, I selected it and created a new Software Install task. I checked the End User License Agreement, selected the appropriate ESET License (ESET ENDPOINT SECURITY FOR MAC OS X in this case), and selected Install package from repository (ESET ENDPOINT SECURITY FOR OS X; VERSION 6.5.600.1, which is the latest version).

Upon the computer's next check-in with ERA, the Client Task started.

During the installation of ESET Endpoint Security, the following screen appears:

          

I then clicked the Open Security Preferences button shown above

I was then taken to this screen:

          

I then clicked the Allow button as shown above

After a couple of minutes the Client Task changed to green/successful on the ERA Server. Historically, ESET Endpoint Security would automatically open on the client computer upon a successful install, but it no longer does.

So, at this point I restarted the computer

Upon log in the ESET icon on the Menu Bar shows the following:

          

I click the Activate product and manually enter the License Key and the computer successfully activates.

Why do I have to manually enter the license key to activate the product when I selected the license key during the creation of the Client Task? This defeats the purpose of being able to install remotely because now I have to either physically visit each machine to enter the license key, work with the end-user to establish a remote control session so I can enter the license key, or provide the license key to the end-user and have him/her enter it which is not something I really want to do.

After the successful activation the computer updates its modules successfully, so all is good at this point.

Except on the ERA Server

For this particular computer the ERA Server thinks the latest version is an earlier version than what is installed:

 

Also, there are no Desktop or Agent icon indicators next to this computer indicating that there are products installed as there are for other computers:      

Could this be a High Sierra issue? It don't recall the System Extension Blocked pop-up window appearing before High Sierra. And, if that's the case, how can this be fixed?

 

 

[MartinK 378]

Hello, you mentioned multiple issues or known limitations:

• Problem with non-starting GUI of ESET product for macOS is reported (and most probably fixed) issue and will be resolved in future releases. If I recall correctly, it is possible to start GUI automatically by starting it from "Applications".
• System Extension Blocked popup is known limitations since macOS 10.13. This is actually security feature of operating system preventing loading of kernel drivers (see for example this article). There is nothing what can be done except accepting as you described. There seems to be possibility to automate this, but I don;t think it has been verified - details are available in referenced article.
• Activation task is executed after software installation, but it may take few minutes (even more). Any chance you restarted application before this could happen? If so, it has technically canceled activation. I would also recommend to create separate "Product activation task" in ERA and execute it remotely, in case post-installation activation won't be working properly.
• Regarding version. It actually reports correctly installed version (6.5.600.1 in column Version), what is not working properly is so called version check, i.e. reporting of currently latest application version as available on ESET download servers (6.5.432.1 in Latect application version column) which may have multiple reasons, including problems in ESET infrastructure, or inability of ERA server to synchronize data with ESET repository servers (repository.eset.com) - any chance you are using HTTP proxy? Could you also provide EES/EAV language? Vesion checks are language dependent.
• Regarding missing icons - could you verify AGENT is actually connecting? At least desktop icon should be available in all cases and missing icon may indicate connection problems. Missing EES/EAV icon indicate that EES/EAV might not be running properly - this may happen after installation (until product is detected) or in case product is not installed correctly = for example in case you do not accept loading of kernel extensions in time, product is installed, but not running properly. Non running products is not able to communicate with AGENT = missing icon.

[Beach 0]

1 hour ago, MartinK said:

Hello, you mentioned multiple issues or known limitations:

• Problem with non-starting GUI of ESET product for macOS is reported (and most probably fixed) issue and will be resolved in future releases. If I recall correctly, it is possible to start GUI automatically by starting it from "Applications".
• System Extension Blocked popup is known limitations since macOS 10.13. This is actually security feature of operating system preventing loading of kernel drivers (see for example this article). There is nothing what can be done except accepting as you described. There seems to be possibility to automate this, but I don;t think it has been verified - details are available in referenced article.
• Activation task is executed after software installation, but it may take few minutes (even more). Any chance you restarted application before this could happen? If so, it has technically canceled activation. I would also recommend to create separate "Product activation task" in ERA and execute it remotely, in case post-installation activation won't be working properly.
• Regarding version. It actually reports correctly installed version (6.5.600.1 in column Version), what is not working properly is so called version check, i.e. reporting of currently latest application version as available on ESET download servers (6.5.432.1 in Latect application version column) which may have multiple reasons, including problems in ESET infrastructure, or inability of ERA server to synchronize data with ESET repository servers (repository.eset.com) - any chance you are using HTTP proxy? Could you also provide EES/EAV language? Vesion checks are language dependent.
• Regarding missing icons - could you verify AGENT is actually connecting? At least desktop icon should be available in all cases and missing icon may indicate connection problems. Missing EES/EAV icon indicate that EES/EAV might not be running properly - this may happen after installation (until product is detected) or in case product is not installed correctly = for example in case you do not accept loading of kernel extensions in time, product is installed, but not running properly. Non running products is not able to communicate with AGENT = missing icon.

• Yes, it can be started manually, I was just wondering if it was another thing that macOS 10.13 was preventing
• ok, makes sense
• It's possible I restarted the computer before the initial activation could begin. I created a Product activation task a couple of times for different computers but the task(s) were never started. I'll test another computer
• Yes, that's the behavior I was reporting -- the Latest Application Version isn't actually showing the latest version. Yes, I am using HTTP proxy for the ERA server itself: ADMIN->Server Settings->Advanced Settings->HTTP Proxy. Should I disable this? Also, I have my Endpoint clients configured via policies to use HTTP Proxy for Updates and also in Tools->Proxy Server.
• Yes, I was able to verify the agent was connecting. The group this particular computer is in is for testing and I have it reporting to ERA every 20 seconds. I have a different computer (actually a few like this) that I manually entered the license key on and activated successfully, which then updated the modules successfully. The computer has the Agent icon, but not Desktop: . It's checking in properly (10 minutes)  ,  , and ERA knows that Endpoint Security is installed, but there is no Desktop icon: 

                     

Edited February 20, 2018 by Beach
duplicate images

[MartinK 378]

Forgot to mention, that non-starting GUI will be fixed in EES/EAV itself, not ERA.

I mentioned HTTP proxy because in case it is not working properly, it may block communication between ERA end ESET infrastructure. Later I realized that you used software installation task, which indicates newest version is already known to ERA, so issue is elsewhere. Logic in this case is simple, ERA searches for latest version depending on application parameters as detected on AGENT, but I don't see any obvious reason why it should fail ... all languages seems to be configured correctly. Version check data is re-calculated every hour -> any chance it fixed itself in the meantime? It may take hour especially in case this is first device with this specific product version installed.

Regarding icons, now it makes more sense, as missing AGENT icon would indicate unexpected state. Security product icon is somehow related to application detection as I mentioned in activation task. Does this missing icon issue persist even after reboot you mentioned? If so, I may check trace logs from AGENT if you send me them using private message (trace logs location). Missing icon may indicate there is problem with communication between AGENT and EES/EAV, which technically prevents remove management.

[Beach 0]

I think I figured it out.

I removed both the Agent and Endpoint Protection and then reinstalled them on my test machine that was not showing any icons and both of the icons showed up.

On the other machines that were showing the Agent but not the Desktop icon: even though the users had clicked the Allow button in Security & Privacy System Preferences, the application itself wasn't actually running because none of them had performed a reboot up to that point. I manually launched ESET Endpoint Protection on them and a new window appeared (that can't be dismissed) informing that the system needs to be rebooted. Upon reboot, all of the systems have the Desktop and Agent icon next to their computer name on the ERA Server.