Jump to content

The best practice to uninstall/purge the ESET Agent


Zoltan Endresz
 Share

Recommended Posts

Dear ESET Staff,

 

Based on my experience unfortunately sometimes it is neccesary to reinstall the ESET Remote Administrator Agent on a far away computer. We use a Group policy which check that the ESET Remote Administrator Agent service running on the affected computers or not. If not, the ERAA installation start automatically. I tested the following idea, for fix the damaged ERAA:

1.: Start a Uninstall ERAA task via the ERAC

2.: It works fine, I lost the connection with the client 

3.: I deleted the client from the ERAC

4.: Theoratically the Group Policy upper should reinstall the ERAA, but does not appear into the client. 

 

Could you please help me?

 

 

 

Link to comment
Share on other sites

  • ESET Staff

Why you are reinstalling the agent in the first place? As to uninstall it, you actually need to have ERA agent running. For that purpose, what is the reason to "reinstall"? 

I just want to better understand the use-case you are willing to solve. 

Link to comment
Share on other sites

Best bet (in my experience) is to run the agent package using msiexec and the quiet uninstall (/quiet /uninstall) option. A reboot is not required before re-installing the agent.

Unfortunately, the install task from ERA copies the agent msi into a temp folder, so it may no longer be available. If that's the case, one must copy the msi file and then run it:

 

We've found that the agent (both Windows and OS X) frequently stops working properly --still running, but no longer reporting and/or stopping/restarting frequently). In these cases ERA cannot uninstall it and deploying the agent again does not fix the issue. The only option is to use third-party tools to uninstall the agent, then reinstall it.

Link to comment
Share on other sites

  • 2 weeks later...
On 2/15/2018 at 1:40 PM, j-gray said:

Best bet (in my experience) is to run the agent package using msiexec and the quiet uninstall (/quiet /uninstall) option. A reboot is not required before re-installing the agent.

Unfortunately, the install task from ERA copies the agent msi into a temp folder, so it may no longer be available. If that's the case, one must copy the msi file and then run it:

 

We've found that the agent (both Windows and OS X) frequently stops working properly --still running, but no longer reporting and/or stopping/restarting frequently). In these cases ERA cannot uninstall it and deploying the agent again does not fix the issue. The only option is to use third-party tools to uninstall the agent, then reinstall it.

We're also experiencing the agent is falling off on Macs. Haven't checked Windows yet. We're seeing approximately 20 Macs per month losing connection and require an uninstall/reinstall. Huge pain!  I posted for help here as well.

 

Link to comment
Share on other sites

On 2/23/2018 at 5:02 PM, brandobot said:

We're also experiencing the agent is falling off on Macs. 

I have a case open for this issue with OS X (since May of last year!).

I'm told, at least in our case, it's due to database corruption when systems do not shut down cleanly (e.g. power outage, etc.). They're working on a new agent build but have no timeline on a release data AFAIK.

Link to comment
Share on other sites

On 2/27/2018 at 7:40 AM, j-gray said:

I have a case open for this issue with OS X (since May of last year!).

I'm told, at least in our case, it's due to database corruption when systems do not shut down cleanly (e.g. power outage, etc.). They're working on a new agent build but have no timeline on a release data AFAIK.

Same exact response I got. They provided me with a "beta" version that was created to address this issue, but I am still experiencing it with the beta version.

How are you handling this now? Our Infosec is not okay with having machines "unmanaged." We've had to uninstall and reinstall  the ESET agent periodically on all machines as we have no accurate way of telling which machines are connected.

Link to comment
Share on other sites

3 hours ago, brandobot said:

How are you handling this now? Our Infosec is not okay with having machines "unmanaged." We've had to uninstall and reinstall  the ESET agent periodically on all machines as we have no accurate way of telling which machines are connected.

Unfortunately, we're left with uninstalling/reinstalling the agent using third-party tools.

Specifically, I run a report of unmanaged systems (we use AD sync to populate all systems) then export to csv. Then import the csv into ARD and run an uninstall script on all systems. This only works for those systems online, of course. Once the script completes, I then run a deploy agent task on all unmanaged systems, hoping to catch the ones I just uninstalled. I have to do this almost daily.

Not an ideal solution at all, but best I can do.

If ESET would ever come up with a simple ping sweep tool to replace the deficient RD Sensor, this might not be so painful.

Link to comment
Share on other sites

2 hours ago, j-gray said:

Unfortunately, we're left with uninstalling/reinstalling the agent using third-party tools.

Specifically, I run a report of unmanaged systems (we use AD sync to populate all systems) then export to csv. Then import the csv into ARD and run an uninstall script on all systems. This only works for those systems online, of course. Once the script completes, I then run a deploy agent task on all unmanaged systems, hoping to catch the ones I just uninstalled. I have to do this almost daily.

Not an ideal solution at all, but best I can do.

If ESET would ever come up with a simple ping sweep tool to replace the deficient RD Sensor, this might not be so painful.

Thanks. I wonder if there's a command I can run on  an endpoint to see if a machine can actively connect to ESET. If so, I can probably script something to do a check once a week, and if it's not connecting, I can have it reinstall.

Link to comment
Share on other sites

Just ran a script to check the status of our machines. of 100 machines, 17 has errors. 15 of the 17 were completely missing from the ESET Remote Administrator console. 1 was incorrectly reported, and 1 hasn't checked in for over a month.

Link to comment
Share on other sites

On ‎2018‎. ‎02‎. ‎15‎. at 2:34 PM, MichalJ said:

Why you are reinstalling the agent in the first place? As to uninstall it, you actually need to have ERA agent running. For that purpose, what is the reason to "reinstall"? 

I just want to better understand the use-case you are willing to solve. 

All right, then I will try to describe it.

My problem is that I see many computers with outdated ERAA version and few another with suspicious phenomens. For exaple please check the screenshot below.
The ERAA is outdated on the affected computer. I ran a few Update Modules task for install the latest version. The feedback is "Task finished successfully", the process bar turned to green, but the installed ERAA still remain the expired version.

Based on my experiences on the same cases the only one chance to fix these issues to log on the affected clients remotely, reboot it in safe mode, start the ESET uninstaller tool and reinstall the ERAA. This is a really painful proces to do it from Europe on a Chinese or Mexican client. 

This is the reason because I started experiments and tried to use the built in ESET ERAA uninstall tasks and possibilities. Unfortunately it does not help because the installed (probably damaged or corrupted) ERAA still remain exist on them.

That's why I opened this new topic.

ERAA_Update_Problem.png

Edited by Zoltan Endresz
Link to comment
Share on other sites

  • ESET Staff
3 hours ago, Zoltan Endresz said:

All right, then I will try to describe it.

My problem is that I see many computers with outdated ERAA version and few another with suspicious phenomens. For exaple please check the screenshot below.
The ERAA is outdated on the affected computer. I ran a few Update Modules task for install the latest version. The feedback is "Task finished successfully", the process bar turned to green, but the installed ERAA still remain the expired version.

This seems to be an misunderstanding of what it this task supposed to do. Update modules task does update only specific part of product, but not application itself. For example if you run Update modules task, virus signature database and detection engines in security product are updated, but not AGENT or EES itself. For upgrading AGENT, there is dedicated task Remote administrator components upgrade (see documentation). Similarly when you with to update EES/EAV from for example version 6.3 to 6.6, you have to run Software installation task - in this case, modules update will update detection engines and so, but not application itself.

Link to comment
Share on other sites

Guest
This topic is now closed to further replies.
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...