ESMC Agent install fails "The system cannot find the file specified"

[PuterCare 3]

I have had this issue with 2 endpoints since yesterday, each used a different Agent as they are different clients and the same agent worked fine on multiple other systems at each client. When running the bat file on some Windows boxes as admin, the CMD box opens saying installing then Windows Script Host pops up (image attached). It says the issue was line 184 of uacinstall.vbs, code 80070002.

Any ideas how to resolve?

Thanks

 

 

[Marcos 5,074]

Please provide a Procmon log from the time when the batch Live installer is run. Looks like the vbs file could not be created in the temporary folder probably due to insufficient permissions or some security measures preventing vbs and other files potentially carrying malware in the system temp folder.

[PuterCare 3]

Log attached, thanks.

Logfile.zip

[PuterCare 3]

Any ideas? Thanks

[PuterCare 3]

Bump

[Marcos 5,074]

The file C:\Users\Jamie Jarvis\AppData\Local\Temp\uacinstall.vbs was dropped and wscript.exe read it successfully.

Couldn't it be a policy or another 3rd party software that would block execution of VBS scripts from temporary folders?
If you put your own vbs script in that folder, are you able execute it?

[PuterCare 3]

It is a standalone workgroup computer with no policies in place, I don't think there is any software on there that would block (unless it is Windows doing it). I will see if I can find a script that I can put in there and try to run. 

[Marcos 5,074]

You can try creating a simple test file test.vbs with the following code inside:
wscript.echo "Hello"

[PuterCare 3]

I did as you suggested and the test vbs ran fine from temp, I then copied all of the Eset files from %temp% to a new folder on C:\ and ran the vbs from an elevated CMD and the same issue occurred. Any other ideas?

Thanks

Edited September 19, 2019 by PuterCare

[PuterCare 3]

I now have 4 different systems with this same issue, all from different offices, not domain connected and no policies applied. All other systems in all 4 offices work fine. Any idea on the cause or what more I can do to try and fix? Thanks

[Marcos 5,074]

If I understand it correctly, you're unable to run uacinstall.vbs neither from the temp folder nor any other folder but if you give a VBS script a different name, it can run. Correct?

[PuterCare 3]

On 9/20/2019 at 11:57 PM, Marcos said:

If I understand it correctly, you're unable to run uacinstall.vbs neither from the temp folder nor any other folder but if you give a VBS script a different name, it can run. Correct?

Yes that’s right. I think the uacinstall.vbs script runs but it then fails as per the screenshot on my original post. It is the same error on all 4 systems. Other scripts run fine so it doesn’t seem to be the computers blocking scripts from running, it seems to be something specific to the uacinstall script. I opened in notepad++ and checked line 184 but nothing obvious there to cause a problem, but this is outside of my skill set so might be missing something.

[PuterCare 3]

Is there anything else I can try?

[MartinK 378]

Could you please provide more details of system you are trying to execute this script? We somehow run out of ideas as no similar issues were reported. Could you possibly provide some non-sensitive part of line 184 that is failing? Asking just to be sure which part of script is failing as it might be different in your environment.

[ewong 8]

I'm not entirely sure if I'm repeating the correct steps (I use GPO and not the live installer); but, the downloaded ESMCAgentInstaller.bat (assuming this is the file that PuterCare is talking about) and seeing as this batch file creates a vbs file in the tempdir, my guess is that it can't find the sha1sum.exe file.   

PuterCare, after running and getting that error, does sha1sum.exe exist in the %TMP% folder?

 

[PuterCare 3]

Sorry for the delay, I was no longer working on that client site so took time to get back onto an affected system. 

It is Windows 10 Pro x64 1903, I have identical systems in the same office that work perfectly. Across 4 different offices with different hardware and different agent installers I have a single machine in each office that has exactly the same problem. All other offices have no issues at all, really puzzling! I just ran SFC and rebooted - same issue.

Line 184 reads: exitCode     = WshShell.Run(command, 0, True)

ewong - yes there is a sha1sum.exe created in %temp% when the bat file is ran. There is also the agent_x64.msi, two certificate files, uacinstall.vbs.

Edited October 3, 2019 by PuterCare

[Marcos 5,074]

Just to make sure, isnt't ESET Endpoint already installed with some extra antiransomware HIPS rules in place?

[PuterCare 3]

EES is already installed, no changes to the default config (by me at least) and it is already installed on the other systems where the agent install works however EES is a common denominator between all the systems with an issue so will disable protection and try again!

[PuterCare 3]

I disabled protection, and then disabled HIPS in the advanced settings (although the toggle in the normal settings remained on and green) and it still failed. I am going to remove EES and try again.

[PuterCare 3]

I removed EES, rebooted, ran the bat file and had the same issue. I then disabled Windows Defender realtime and the same issue again.

[PuterCare 3]

I ran the AIO installer and the agent and program have installed successfully. I do need to try and fix this issue though so the agent can be installed independently so if you have any more ideas please let me know. Thanks

[MartinK 378]

My last idea is that problem is caused by "space" in path to script. It is stored in user's temp directory which contains space in absolute path (Not clear from screenshot but is it actually space in name of user?). If there is a space, special escaping would be required. Any chance you used different user on machines where it works? Is it possible to use other user (Administrator) to run installer?

[MartinK 378]

6 hours ago, PuterCare said:

I do need to try and fix this issue though so the agent can be installed independently so if you have any more ideas please let me know. Thanks

Just a sidenote: are you aware that in ESMC 7.0 you can create also AGENT-only all-in-one installer? It will install just AGENT and it won't be downloading installer as it will be already included in executable file.

[PuterCare 3]

18 minutes ago, MartinK said:

My last idea is that problem is caused by "space" in path to script. It is stored in user's temp directory which contains space in absolute path (Not clear from screenshot but is it actually space in name of user?). If there is a space, special escaping would be required. Any chance you used different user on machines where it works? Is it possible to use other user (Administrator) to run installer?

In the case of todays system, there is a space in the local username therefore the path to the %temp% dir has a space in it. This sounds like a credible cause, when I set up users I don't use spaces but some systems at different offices were not set up by me. I will try this out when I am next able to get onto an affected machine and see if it helps!

[PuterCare 3]

I think you've solved it! I was at another affected office today and that user had a space in their name, I created a temp user account with no space and the agent installed successfully. Thanks for your help on this, is the best method to use the AIO agent installer for such systems?