Error when applying differential update

[itman 1,659]

I am "bowing out" from any further replies. Again, you need to contract your in-country Eset tech support for further assistance in this matter.

[Samoréen 8]

16 hours ago, itman said:

I am "bowing out" from any further replies. Again, you need to contract your in-country Eset tech support for further assistance in this matter.

Thanks for your time, itman.

I'll continue feeding this thread with the information I'll be able to collect.

[Samoréen 8]

Latest news :

- Clearing the Update Cache didn't help.
- MalwareBytes is not the culprit.

Edited August 8, 2018 by Samoréen

[Peter Randziak 1,130]

Hello @Samoréen,

I'm sorry for the delayed answer, I had an vacation.

Can you please provide us with a fresh set of logs to investigate?

Regards, P.R.

[Samoréen 8]

Peter,

As I already explained multiple times, the problem appears randomly so I'm unable to anticipate. I cannot reproduce at will. Thus, providing consistent logs along with a Process Monitor log as you requested in your message from June 12 is a problem. The problem didn't re-appear since about 8 days. It may re-appear at any time without any warning. I will be notified of the error by the ESET UI after a failed attempt. So any log collecting procedure implying a before/after backup is a no go. Otherwise, I can provide any file you want.

 

[Peter Randziak 1,130]

Hello @Samoréen,

sure I understand.

I talked with the dev and it seems that the original files are crucial for us as it's highly probably corrupted somehow.

I will send you a message privately, I think one tool can cover it.

Regards, P.R.

[Samoréen 8]

Hi Peter,

The problem didn't re-appear since 12 days now. Meanwhile, I noticed that something had been changed (by my ISP) in the settings of my DSL box. The acceptable margin for the SNR (signal noise ratio) has been set to a higher value, which means that the box is now less tolerant to transmission errors. This could explain why the problem didn't show up since almost 2 weeks although I never had any file corruption problem with the previous settings (with exception of the ESET updates). I don't see why only the ESET update files should be corrupted. Maybe they go a specific route where some device between your servers and my PC is generating the problem.

Anyway, I will download the tool and use it if the problem shows up again.

[Phil_S 3]

I doubt it's of any help, but since my previous post in this thread on 24th June, I had a flurry of these differential update notifications from her laptop over a period of 3 days, seemingly affecting every download attempt, but since then nothing untoward at all.

Since she has changed nothing on her laptop, I suspect some kind of external influence must have been involved.

[Peter Randziak 1,130]

Hello @Samoréen,

sadly the tool has to be running when the error happens, most likely some file corruption on disk causes it.

In case it would be corrupted during the download, you would receive invalid signature error.

@Phil_S hmm strange as well. I would probably start with a check disk, in case it bothers her,..

Regards, P.R.

[Samoréen 8]

1 hour ago, Phil_S said:

I had a flurry of these differential update notifications from her laptop over a period of 3 days, seemingly affecting every download attempt, but since then nothing untoward at all.

Phil_S,

It would be interesting to see whether we get these notifications for the same updates. They might be triggered at a different time (or date) but they can be identified by their version number. For example, the last one that failed for me was this one

Time;Module;Event;User
08/08/2018 17:11:56;ESET Kernel;Detection Engine was successfully updated to version 17850 (20180808).;SYSTEM

The above is the success notification after 2 failed attempts.

[Samoréen 8]

1 hour ago, Peter Randziak said:

sadly the tool has to be running when the error happens, most likely some file corruption on disk causes it. 

 

I have understood that the tool must be running when the problem occurs. If the problem was related to my internet connection, it should not re-appear. If not, I will see it again one of these days and it will happen more than once. So if I see it again in the near future, I will activate all the available reporting tools and wait for the next failure.

Re: disk failure
If you re-read this thread, you'll see that I have done everything I could do to confirm or invalidate this possibility. For the moment, I exclude the idea that the 2 SSDs that are/were used to store the update files are having problems only with ESET update files.

[Phil_S 3]

2 hours ago, Samoréen said:

Phil_S,

It would be interesting to see whether we get these notifications for the same updates. They might be triggered at a different time (or date) but they can be identified by their version number. For example, the last one that failed for me was this one

Time;Module;Event;User
08/08/2018 17:11:56;ESET Kernel;Detection Engine was successfully updated to version 17850 (20180808).;SYSTEM

The above is the success notification after 2 failed attempts.

No, as I say all updates have completed without any errors since the end of June. I'm afraid I deleted all the notifications that I has, as there have been no problems for three weeks now, and my mailbox was filling up with successful notifications due to the bug in the current version.

It is interesting though that my daughter's laptop also has an SSD.

[Peter Randziak 1,130]

It seems to be an excalibur issue ? :-), but I hope it will either disappear by itself or we will crack it together. 

[Samoréen 8]

On 8/21/2018 at 11:49 AM, Samoréen said:

The problem didn't re-appear since 12 days now. Meanwhile, I noticed that something had been changed (by my ISP) in the settings of my DSL box. The acceptable margin for the SNR (signal noise ratio) has been set to a higher value, which means that the box is now less tolerant to transmission errors. This could explain why the problem didn't show up since almost 2 weeks although I never had any file corruption problem with the previous settings (with exception of the ESET updates). I don't see why only the ESET update files should be corrupted. Maybe they go a specific route where some device between your servers and my PC is generating the problem.

OK. The problem didn't re-appear since more than one month. Nothing has changed on my system beside what's explained above. So there's a good chance that this was the problem - crossing my fingers - (although I still don't understand why only the ESET update files were affected).

[Peter Randziak 1,130]

Hello @Samoréen,

thank you for for keeping an eye on it and for your patience.

I hope, that this ghost issue won't reappear as it is really tough one to debug,...

Regards, P.R.

[Samoréen 8]

Additional information about this issue...

The problem now appears to be clearly related to my DSL box settings. Quoting a previous message :

Quote

 

I noticed that something had been changed (by my ISP) in the settings of my DSL box. The acceptable margin for the SNR (signal noise ratio) had been set to a higher value, which means that the box was now less tolerant to transmission errors.

 

As soon as I have tried to lower again the acceptable SNR value, the problem re-appeared within the next 24 hours. After setting it to a higher value, it was gone again.

Now, I'm still wondering why this caused problems to ESET NOD32 updates only. I'm downloading a lot of files that have to be error free (images, Windows updates, installation files, etc.) and I never observed a file corruption or a failure due to a corrupted file. These downloads are too frequent to merely consider a coincidence. No idea about what could make ESET downloads specific.

 

[itman 1,659]

1 hour ago, Samoréen said:

Now, I'm still wondering why this caused problems to ESET NOD32 updates only. I'm downloading a lot of files that have to be error free (images, Windows updates, installation files, etc.) and I never observed a file corruption or a failure due to a corrupted file.

Many file downloads are not signed. Even if they are signed, the software employing those files does not usually compared download hash value to that in the certificate to ensure file corruption has not occurred. Most software installers rely exclusively on the certificate validity check; e.g. not expired, revoked, etc., to ensure the file is valid.

[Peter Randziak 1,130]

Hello @Samoréen,

nice spot, thank you for the info and your investigation of it.

As far as I know our update files are downloaded via HTTP/1.1, served from a standard web server and checked once download, no idea how special our downloads could be,...

Regards, P.R.

[Samoréen 8]

Peter,

The only difference with other sensitive files that I can think of is the way these files are following to reach my PC. I agree with Itman's statements but I'm sure I have downloaded a lot of files that would have been rejected if they were corrupted. Well, we are now aware that the problem was due to some corruption caused by an SNR value on my DSL line that was too low. What we don't know is what was actually corrupted. Referring to a message from Itman at the beginning of this thread : 

Eset modules use a code signed Eset certificate. This cert. is not stored in Windows root CA store. As such, cert. "pinning" path to root CA issuer must be validated via Internet connection. If this chain validation lookup is blocked locally, Eset certificate validation will fail.

So maybe the files themselves were not corrupted but something repeatedly went wrong during the exchange mentioned by Itman OR the firmware of my DSL box was not able to recover FEC errors (which are normally recoverable) during this exchange because of the SNR value. The exchanged data during the certificate validation could have a particular "signature" that caused the bug while other certificates are not affected.

I guess we'll never know.

[itman 1,659]

Eset is unique among security vendors in that their modules are not downloaded as executable code. Rather they are assembler code than is assembled on the device. As such, Eset has much more stringent checking on download tampering that is found in conventional software update downloads. Also to my best knowledge, you have been the only one that has been affected by this checking on a continuous basis.