Error when applying differential update

[Samoréen 8]

Hi,

Since 11.1. 54, I systematically get the following message when updates are available :

Modules update failed
Error occurred when applying differential update to base file

If I click on "Check for updates" in the main window, I get the same error again. If I click again on "Check for updates", then the update succeeds. Very same process each time. The error appears upon system startup, just after the logon. Using Windows 10 1709.

In Tools | Log files | Events, I can see 2 error lines :

Update Module - Compiler error (1af8)
Update Module - Error occurred when applying differential update to base file

Anyone having the same problem ?

Edited May 12, 2018 by Samoréen

[Samoréen 8]

I have cleared the update cache. Now waiting for the next module update to see if that helped...

[Peter Randziak 1,130]

Hello @Samoréen, 

please let us know how it went, I would start with a system reboot (we had an issues, where updates were failing when Windows updates were applied and the system was not rebooted)

In case you need a further assistance with this issue, please enable the Update engine advanced logging, wait until the issue occurs again.

Regards, P.R.

[Samoréen 8]

1 minute ago, Peter Randziak said:

please let us know how it went, I would start with a system reboot (we had an issues, where updates were failing when Windows updates were applied and the system was not rebooted)

Hi Peter,

I'll tell you when the next module update is released. Any known schedule ?

My system is rebooted every morning and after each Windows update, so this is not the cause of the problem, I guess.

[Peter Randziak 1,130]

Hello,

new set of modules is prepared and it's distribution should start in few moments,...

Regards, P.R.

[Samoréen 8]

OK. The last updates succeeded. Now I'm wondering what could have corrupted the update cache.

[Samoréen 8]

The problem is back. Same error message. It re-appeared just a few minutes ago.

I still have to click twice on Check for Updates before the update succeeds. The fist attempt always fails.

Edited May 15, 2018 by Samoréen

[Samoréen 8]

The logs are here : https://www.dropbox.com/s/2nxif7adcjdwamf/eav_logs.zip?dl=0

 

[Marcos 5,070]

We'll also need the content of the c:\ProgramData\ESET\Updfiles and c:\program files\eset\eset security\modules folders from the time when the error occurs. When reproducing the issue, enable advanced logging in the main gui -> help and support -> details for customer care. After reproducing the issue, disable advanced logging, gather logs with ELC and also provide the content of the above mentioned folders.

[Samoréen 8]

Marcos,

My updfiles folder is here : https://www.dropbox.com/s/y36yumgvpiwxrqa/updfiles.zip?dl=0

As of the Modules folder, there's no file or folder there having a Date Modified timestamp corresponding to the date and time of the error. It's rather hard to explore these folders because the Date modified date and time of the folders and subfolders are not in sync.

There's only one DLL that has been modified yesterday : em042_64.dll . But the timestamp doesn't correspond to the time of the error. Here are the top level folders having a Date Modified timestamp corresponding to yesterday : https://www.dropbox.com/s/j7h88q0ux3l1bme/Modules.zip?dl=0

I'll wait until the next module update to reproduce the issue. Just to be sure : for me, reproducing the issue is clicking on the Check for updates  button once I have got the error message again because I'm sure that the error comes up again once when clicking that button the first time.

 

[Samoréen 8]

Marcos,

Please also note that there's no problem with the Detection Engine updates. There was an update one hour ago and it succeeded.

> It's rather hard to explore these folders because the Date modified date and time of the folders and subfolders are not in sync.

More about this. When you say "c:\program files\eset\eset security\modules folders from the time when the error occurs", I don't really understand what this means. For example, I have a C:\Program Files\ESET\ESET Security\Modules\em042_64 folder, Date modified 05-15-2018. It contains 2 subfolders named 2225 and 2227, Date Modified 05-14 and 05-15. The files in these subfolders have the same timestamps. There are 31 folders in the Modules folder and each of these subfolders also have subfolders with various timestamps. This makes finding the "module folders from the time the error occurs" rather hard because I don't exactly know what to look for.

[Samoréen 8]

13 hours ago, Marcos said:

enable advanced logging in the main gui -> help and support -> details for customer care.

Does enabling advanced logging affect system performances ?

The "I" icon in that window, on the right of the "Create Advanced Logs" button is grayed. No effect. No information displayed.

Edited May 16, 2018 by Samoréen

[Marcos 5,070]

2 hours ago, Samoréen said:

Does enabling advanced logging affect system performances ?

The "I" icon in that window, on the right of the "Create Advanced Logs" button is grayed. No effect. No information displayed.

It may have negligible effect on performance. Create advanced logs should always be clickable, at least I can't think of a scenario when it would be greyed out (at least as long as you have administrator permissions).

[Samoréen 8]

9 minutes ago, Marcos said:

Create advanced logs should always be clickable, at least I can't think of a scenario when it would be greyed out (at least as long as you have administrator permissions).

The Create Advanced Logs button IS enabled. I was talking about the (i) icon on its right. Such a button is supposed to give information about what the associated command does. This icon does nothing in my case. It is grayed out.

Edited May 16, 2018 by Samoréen

[Samoréen 8]

I got a bunch of module updates this afternoon. None failed. No error message. Some had a return code apparently indicating that they were not needed ( ? ? ). See attached Event log captures.

By the way : could it be possible to make the main UI window resizable ? Viewing all the reported data requires a lot of horizontal and vertical scrolling and makes it difficult to upload useful screen captures.

The logs are here : https://www.dropbox.com/s/tf97b4vmwg93772/eav_logs2.zip?dl=0

The updfiles folder is here : https://www.dropbox.com/s/vd9y0h1o4xs3nlz/updfiles2.zip?dl=0

Today's modified Modules folders are here : https://www.dropbox.com/s/7qeuzoiflch3mlb/Modules2.zip?dl=0 (Please wait at least one hour before the upload of this one completes. The Modules folder contains huge DLLs. Uploading everything is just impossible. So I just uploaded those folders having a Date Modified timestamp for today - just waiting for an answer to my question above about this issue; I don't exactly know what to upload).

Please note that Advanced logging disabled itself multiple times after I enabled it. It also disabled itself just after the last module updates.

Edited May 16, 2018 by Samoréen

[Samoréen 8]

11 minutes ago, Samoréen said:

Today's modified Modules folders are here : https://www.dropbox.com/s/7qeuzoiflch3mlb/Modules2.zip?dl=0 (Please wait at least one hour before the upload of this one completes. The Modules folder contains huge DLLs. Uploading everything is just impossible. So I just uploaded those folders having a Date Modified timestamp for today - just waiting for an answer to my question above about this issue; I don't exactly know what to upload).

If you just want a directory listing of the Modules folder, here it is :

https://www.dropbox.com/s/o5is1ixfxdzhm6v/listing.txt?dl=0

[Samoréen 8]

The problem is back. Since I didn't get any feedback about my previous uploads, I guess that it is useless to upload again the log files.

Edited May 30, 2018 by Samoréen

[Samoréen 8]

At least, there's one thing I'd like to know : when these errors occur, clicking on "Check for updates" re-launches the update process. In that case, no error message is displayed and the Event log doesn't show any additional error. But it doesn't acknowledge a successful installation either. So finally, are these modules actually updated ? Is there any way to check this ? If there is only one thing I'd like to be sure for an antivirus software, it is that it's correctly updated. Below, my list of components...

Edited May 30, 2018 by Samoréen

[Peter Randziak 1,130]

Hello @Samoréen ,

I'm sorry for the delay :-(, I opened a ticket with our devs to check your logs.

I can see many Detection Engine was successfully updated to version ,... entries in your log so in that attempts the update was successful.

I will keep you posted about the logs analysis results.

Regards, P.R.

[Samoréen 8]

The problem occurred again today. I clicked on Check for updates, and the update failed again. I clicked a second time on Check for updates and the update succeeded. Immediately after that, the event log reported a successful Detection Engine update. So, I guess that these module updates are actually Detection Engine updates. If I'm correct, this means that if I do not update manually, my system is not protected against the latest threats normally detected by the Detection Engine. Time to do something...

 

[Samoréen 8]

[Samoréen 8]

Problem going on...

[Marcos 5,070]

The "Invalid digital signature" error appears if update files were tampered with on their way, ie. between your computer and your ISP or between your ISP and ESET's update servers (outside ESET's infrastructure). If the error occurs frequently, I'd suggest trying to connect to the Internet via another ISP, if possible and avoiding any proxy servers. You can capture such communication with Wireshark so that we can check what modifications were made to the update files.

[Samoréen 8]

Hi,

Strange. I have no other corruption problem when downloading files from other sources. And I'm daily downloading a lot of files that are potentially sensitive to corruption. Why should especially the Eset files be corrupted on their way to my PC ?

[itman 1,659]

Do you monitor outbound firewall communication? Given you are using NOD32, this would be done by some non-Eset based software.

Eset modules use a code signed Eset certificate. This cert. is not stored in Windows root CA store. As such, cert. "pinning" path to root CA issuer must be validated via Internet connection. If this chain validation lookup is blocked locally, Eset certificate validation will fail.