
Problem with client ESET firewall after upgrade to ESMC7


Jimbo


Hello there

I'm hoping I can get some advice here on a situation I've got with ESET and in particular the client firewalls after upgrading from 6.5 to 7.

I've done the upgrade manually (a bit messy in the end but got there following the instructions for installing on a domain controller - yes I know, but it's a system I've inherited).

The problem I now have is I'm trying to deploy the updated agent to the clients so that they become managed on v7 and it's only worked for about 10 machines out of about 100.  After checking the logs, I'm getting the 0x35 Network path not found error on all failed instances of deploying the agent.  I've tried the c$ admin to one of these machines from both my PC and from the DC that has ESMC 7 on it and I've tried pinging as well and they fail.  The 10 that are managed after a successful deployment of the agent I can ping and can access the admin shares.  Makes sense.  I then realised this is because the ESET Endpoint I deployed with 6.3 had the firewall enabled and this looks to be blocking its own software from being able to communicate with it!

Is there any way I can get v7 to disable the firewall on the clients rather than me having to go remotely onto 80+ PCs across the estate and disable it manually on each one in order to deploy the updated agent?  I've tried to assign a policy for the firewall forcing it to be disabled to a selection of the problem PCs in hope more than anything else as a test but no dice - 'applied on' tab remains empty and I've left it 24 hours (probably because the clients' existing ESET Endpoint firewall will be blocking that too!).

I'm stuck in a loop by the looks of things.  Any ideas to save me loads of time or effort would be really appreciated.

Thanks

PS I'm trying to deploy the v7 agent silently via the Server Task Agent installation method.

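Added example, not part of the original posts: a PowerShell check, run from the ESMC server, that sorts target machines by whether ICMP, TCP 445 and the ADMIN$ share are reachable, since a push deployment that cannot reach the admin share fails with the 0x35 error described above. The host names, the timeout and the `Test-TcpPort` helper are assumptions made for this example.

```powershell
# Constructed placeholder host names; replace with the machines that failed deployment.
$Targets   = @('PC-EXAMPLE-01', 'PC-EXAMPLE-02')
$TimeoutMs = 2000

# Hypothetical helper: TCP connect with a short timeout, so blocked hosts do not stall the run.
function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $task = $client.ConnectAsync($ComputerName, $Port)
        # Wait() returns $false on timeout; a refused or unresolved connection throws.
        return ($task.Wait($TimeoutMs) -and $client.Connected)
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

$results = foreach ($t in $Targets) {
    $ping = Test-Connection -ComputerName $t -Count 1 -Quiet
    $smb  = Test-TcpPort -ComputerName $t -Port 445 -TimeoutMs $TimeoutMs

    # Only try the share when 445 answers; otherwise the lookup just waits and fails.
    $share = $false
    if ($smb) { $share = Test-Path "\\$t\ADMIN`$" }

    if     ($share) { $verdict = 'Admin share reachable: push deployment can connect' }
    elseif ($smb)   { $verdict = 'TCP 445 open, share not accessible: check account rights' }
    elseif ($ping)  { $verdict = 'ICMP answers, TCP 445 blocked: inbound firewall rule' }
    else            { $verdict = 'No ICMP, no TCP 445: offline or all inbound blocked' }

    [pscustomobject]@{
        Computer   = $t
        Ping       = $ping
        Tcp445     = $smb
        AdminShare = $share
        Verdict    = $verdict
    }
}

$results | Sort-Object Verdict, Computer | Format-Table -AutoSize
```
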

  • Administrators

In automatic mode the firewall allows all outbound communication, ie. it should not be preventing agent from connecting to your ESMC server. Could you please check if there are no custom firewall blocking rules that might be causing the issue?


I will check on one of the clients now and let you know.  I'm not aware of any rules but I do know that as a test, when I disable the ESET Endpoint firewall manually on the clients, the agent deploys and the client then becomes managed in the ESMC console, I can then also ping the machine from any other and can also reach the admin shares so there's something client side on ESET Endpoint firewall blocking this.


  • Administrators

Actually Agent should have been upgraded by sending an ESMC component upgrade task from ESMC to clients. This would have prevented problems with firewall or OS restrictions. How do you re-deploy agent on clients? Via GPO, logon script, etc.? If firewall is blocking the inbound communication, it could be because of incorrectly set up trusted zone.


Ok, just doing some more looking around client side.  Just booted up a client for the first time since upgrading ESMC as a test.  The firewall was set to permanently disabled and greyed out so was unable to change it (from previous 6.3 ESMC system).  I deployed the v7 agent via server task and it's worked ok (now v7.0.577.0) but client still not managed in the console.  However, the firewall setting is now enabled on the client and I am able to make changes to it but I still cannot ping it from another machine or reach the admin shares.

I've gone into the Troubleshooting wizard on the client and can see that there's NT Kernel & System being blocked - when I go to details, it's the ICMP from the PC I'm trying to ping from to it - Communication denied by rule 'Block ICMP Communication'. There's also on port 445 TCP direction IN - Allow outgoing SSDP (UPNP) requests for svchost.exe in the Trusted Zone being blocked too - is that my attempt to reach the c$ share?

Are these firewall rules being picked up by the clients' Endpoint software from ESMC centrally?  If so, I need to turn them off surely?

 


An update - ESMC 7 is just using the 5 built in policies for http proxy usage.  I've tried to add another policy to force the firewall to be turned off and moved it up the profile list to 2nd in the order.  It works perfectly for the 10 or so clients that are being managed but is having no effect on the unmanaged clients.  The Management agent deployment task from the server reports that it has failed to deploy to these clients still, but I can see in the apps lists on a couple of examples that it's updated the agent to v7.0.577.0 but I still can't seem to be able to turn off the ESET firewall on these unmanaged clients from ESMC 7 which I need to happen as it's blocking them from becoming managed on ESMC and I really don't want to remote onto each one, turn off the firewall and deploy the agent again so that they turn 'managed'.  Is this possible?


Guess not :( I cannot reach web interfaces on PCs any more that I could do before installing ESET v7 - if I disable the ESET firewall on the PC I can't reach, I can then reach that PC's web interface no problem.  Wish I'd never bothered and left it at 6.5.  Best go onto each of the 70 PCs I need to, disable the firewall temporarily, deploy the agent, get it managed and then re-enable the firewall.  Joyous


  • Administrators

What do you mean by "web interface on PCs" ?

Please carry on as follows:
- enable advanced network protection logging under Tools -> Diagnostics
- enable Diagnostic logging verbosity


Then reproduce the problem with blocked communication. Next disable logging and switch back to Informative logging verbosity. Finally collect logs with ESET Log Collector and upload the generated archive here along with information about the remote IP address from which the blocked communication originated.


We have some PCs for example that run software that we can web browse to (for example CCTV).  I am unable to browse to them if the ESET client firewall is enabled (as well as being unable to make the PC 'managed').

I will get the logs though and see if it helps...

Thank you


  • Administrators

Yes please. From the logs we'll see what communication was and why it was blocked. Based on further information about the remote IP address from you, we should be able to tell what you have wrong and how to fix it.

On one of such machines you could run the firewall troubleshooting wizard that will display a list of blocked communications with an option to unblock the desired one with one click.


I did mention in an earlier post I went into the troubleshooting wizard and found a couple of things being blocked but was unsure if I should unblock them (under NT kernel & system).  I could unblock them but that still won't help me from not having to do that on every single client that's not able to be managed...

Not sure if I've done this right - I've collected the logs but it says I can only upload 100mb...


  • Administrators

The limit should be 512 MB. If the archive is really that big and there's a problem to upload it here, share it via a file sharing service and drop me a personal message with a download link.
