Update Error?


Hello

I have a workstation, running Windows 7 Pro, and there's always an error on it in ESMC, saying it's not up to date etc. But what's weird is that under status/last occurred it is always a date in the future. I don't understand. I've updated the installation multiple times, done maintenance on the OS, reset Winsock, cleanup etc., and it's still doing this. Any suggestions?

Screenshot is attached.

Thanks

Reggie

[attachment: Untitled.jpg]

  • Most Valued Members
4 hours ago, rgoldman said:

Hello

I have a workstation, running Windows 7 Pro, and there's always an error on it in ESMC, saying it's not up to date etc. But what's weird is that under status/last occurred it is always a date in the future. I don't understand. I've updated the installation multiple times, done maintenance on the OS, reset Winsock, cleanup etc., and it's still doing this. Any suggestions?

Screenshot is attached.

Thanks

Reggie

[attachment: Untitled.jpg]

Maybe the status is about Windows 7 having gone out of support; maybe this is why it's showing as critical, because it stopped receiving updates from Microsoft unless you pay for business support.

  • ESET Staff

Maybe a "stupid" idea, but is the Windows time set correctly? There is by default a check in the ESET application that compares the issue date of the latest detection update against the system time. If the system time is set in the future, it could trigger this notification, but it's just a guess.

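To make the clock-skew idea in the reply above concrete, here is an added example (my own code, not ESET's; the exact comparison the product performs is not documented in this thread). It parses an engine-update log line in the format quoted later in the thread, then checks it against the host clock in both directions: a status recorded with a timestamp later than "now" (the symptom reported in the first post) and an engine build date later than the host's current date both indicate a wrong clock rather than a genuinely outdated engine, so an "outdated" status on such a host should not be trusted until the clock is fixed. The sample log line and all timestamps are constructed; the `max_age_days` threshold is an assumption.

```python
import re
from datetime import date, datetime, timedelta

# Constructed sample, modelled on the ESET event-log line quoted in this thread.
SAMPLE_LOG_LINE = (
    "13. 5. 2020 4:48:54    ESET Kernel    Detection Engine was successfully "
    "updated to version 21318 (20200513).    SYSTEM"
)

# The engine version string carries its build date as YYYYMMDD in parentheses.
ENGINE_RE = re.compile(r"updated to version (\d+) \((\d{4})(\d{2})(\d{2})\)")


def parse_engine_release(line):
    """Return (version, release_date) from a successful-update log line, or None."""
    m = ENGINE_RE.search(line)
    if m is None:
        return None
    version = int(m.group(1))
    released = date(int(m.group(2)), int(m.group(3)), int(m.group(4)))
    return version, released


def _as_datetime(value):
    """Accept either a datetime or an ISO-8601 string."""
    return value if isinstance(value, datetime) else datetime.fromisoformat(value)


def assess_engine_freshness(line, status_recorded_at, system_now, max_age_days=7):
    """Classify the engine state against the host clock.

    'clock-skew' : the status entry is timestamped after 'now', or the engine
                   build date lies after today; either way the host clock was
                   wrong at some point and the up-to-date status is unreliable.
    'stale'      : engine older than max_age_days (assumed threshold) -> outdated.
    'ok'         : released on or before today and inside the age window.
    'unparsed'   : the line is not a successful-update entry.
    """
    recorded = _as_datetime(status_recorded_at)
    now = _as_datetime(system_now)
    if recorded > now:
        return "clock-skew"          # "last occurred" lies in the future
    parsed = parse_engine_release(line)
    if parsed is None:
        return "unparsed"
    _version, released = parsed
    if released > now.date():
        return "clock-skew"          # engine dated after the host's current date
    if now.date() - released > timedelta(days=max_age_days):
        return "stale"
    return "ok"


if __name__ == "__main__":
    cases = [
        ("correct clock", "2020-05-13T04:49:00", "2020-05-13T10:00:00"),
        ("status stamped in the future", "2021-01-01T00:00:00", "2020-05-13T10:00:00"),
        ("clock set back before the build", "2020-05-01T09:00:00", "2020-05-01T10:00:00"),
        ("six weeks later, no update", "2020-06-30T09:00:00", "2020-06-30T10:00:00"),
    ]
    for label, recorded_at, now in cases:
        print(f"{label}: {assess_engine_freshness(SAMPLE_LOG_LINE, recorded_at, now)}")
```

When triaging an endpoint that reports a future "last occurred" date, run the two clock checks first; only a host that passes both and still comes out "stale" has a real update problem worth collecting update-engine logs for.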
  • Administrators

What issue is Endpoint reporting on the home or update screen?


Thanks guys, and sorry I thought I had email notifications for replies on and I haven't checked the forum until now.

@Nightowl It's been doing this for a while, like before Windows 7 went out of support etc. Sorry, I know I should have fixed it before now, but the client is working fine; it's just reporting a date in the future as an error or something, not sure.

@MichalJ Yes the time is correct on the workstation, I've checked numerous times and settings during checkout/maintenance.

@Marcos Attaching a screenshot of the Endpoint itself, is that what you're asking about?

[attachment: e1.jpg]

[attachment: e2.jpg]

  • Administrators

What error do you get when you click Check for updates?

Please carry on as follows:
- in the advanced setup -> Tools -> Diagnostics, enable advanced network protection and update engine logging
- run update by clicking Check for updates
- stop logging
- collect logs with ESET Log Collector and upload the generated archive here.

[23:52:26 PM] ESET Log Collector v4.0.2.0 (12/9/2019) - 64 bit
[23:52:26 PM] Copyright (c) 1992-2019 ESET, spol. s r.o. All rights reserved.
[23:52:26 PM] 
[23:52:26 PM] Detected product type: eea
[23:52:29 PM] ==============================
[23:52:29 PM] ESET logs collection mode: Filtered binary
[23:52:29 PM] Number of days to collect target files and log records for: 30
[23:52:29 PM] Saving metadata to C:\Users\user\AppData\Local\Temp\elc41D3.tmp
[23:52:29 PM] Adding file: C:\Users\user\AppData\Local\Temp\elc41D3.tmp -> metadata.txt
[23:52:29 PM] Adding file: C:\Users\user\AppData\Local\Temp\elc41D4.tmp -> info.xml
[23:52:29 PM] Adding file: C:\Users\user\AppData\Local\Temp\elc41D5.tmp -> features_state.txt
[23:52:29 PM] === Running processes (open handles and loaded DLLs) ===
[23:52:29 PM] Exporting...
[23:52:31 PM]   OK
[23:52:31 PM] Adding file: C:\Users\user\AppData\Local\Temp\elc41D6.tmp -> Windows/Processes.txt
[23:52:31 PM] Adding file: C:\Users\user\AppData\Local\Temp\elc41D7.tmp -> Windows/ProcessesTree.txt
[23:52:31 PM] === Drives info ===
[23:52:31 PM] Adding file: C:\Users\user\AppData\Local\Temp\elc480F.tmp -> Windows/drives.txt
[23:52:31 PM] Exporting volume information...
[23:52:31 PM]   OK
[23:52:31 PM] Adding file: C:\Users\user\AppData\Local\Temp\elc4820.tmp -> Windows/volumes.txt
[23:52:31 PM] === Devices info ===
[23:52:31 PM] Adding file: C:\Users\user\AppData\Local\Temp\elc4AA0.tmp -> Windows/devices/setupClasses.txt
[23:52:31 PM] Adding file: C:\Users\user\AppData\Local\Temp\elc4AC1.tmp -> Windows/devices/interfaceClasses.txt
[23:52:31 PM] === Services Registry key content ===
[23:52:31 PM] Exporting...
[23:52:32 PM]   OK
[23:52:32 PM] Adding file: C:\Users\user\AppData\Local\Temp\elc4AC2.tmp -> Windows/Services.reg
[23:52:32 PM] === Application event log ===
[23:52:32 PM] Exporting...
[23:52:32 PM] Windows event logs could not be exported in evtx format. Exporting in xml format...
[23:52:32 PM] ERROR: Failed to open event log
[23:52:32 PM] 
[23:52:32 PM] Removing temp files...
[23:52:32 PM] 
[23:52:32 PM] ==============================
[23:52:32 PM] An error occured during collection of files.   See the log for more info.

Updated and everything fine it seems. But when I run the collector I get an error. I tried Defaults, 1 and 30 days, same error.

  • Administrators

Hard to say what the issue could be, I'd need to see a Procmon log from that point. Try unchecking "System event log" prior to collecting logs.

[attachment: image.png]

  • Administrators

The engine seems to have updated to the latest version alright today, no errors are logged:

13. 5. 2020 4:48:54    ESET Kernel    Detection Engine was successfully updated to version 21318 (20200513).    SYSTEM    

Please keep an eye on this machine and make sure it updates the modules automatically. Should the issue return, enable advanced update engine logging and keep logging enabled for the next few hours, at least until a newer engine is released and at least one hour has passed to ensure that the automatic update task was run. Then disable advanced logging and collect fresh logs with ELC.

In your configuration I've noticed that you have the LiveGrid Feedback system disabled. I'd strongly recommend enabling it. It would not only enable us to add a proper detection and cleaning for new malware but it would also activate some additional protection mechanisms, e.g. in Ransomware shield.


Thanks. I also noticed some abnormalities in that policy so I've started a fresh basic policy and we'll see how it goes.

  • 2 weeks later...
On 5/12/2020 at 10:23 PM, Marcos said:

The engine seems to have updated to the latest version alright today, no errors are logged:

13. 5. 2020 4:48:54    ESET Kernel    Detection Engine was successfully updated to version 21318 (20200513).    SYSTEM    

Please keep an eye on this machine and make sure it updates the modules automatically. Should the issue return, enable advanced update engine logging and keep logging enabled for the next few hours, at least until a newer engine is released and at least one hour has passed to ensure that the automatic update task was run. Then disable advanced logging and collect fresh logs with ESET Log Collector.

In your configuration I've noticed that you have the LiveGrid Feedback system disabled. I'd strongly recommend enabling it. It would not only enable us to add a proper detection and cleaning for new malware but it would also activate some additional protection mechanisms, e.g. in Ransomware shield.

How long does it take for the newer detection engine version to kick in once the ESET Malware Team uploads the new virus data to the servers? It's been over 1 hr but our modules haven't been updated.

  • Administrators
20 minutes ago, cmit said:

it's been over 1 hr but our modules haven't got updated.

One hour since when? Modules are updated about 6 times a day.

5 minutes ago, Marcos said:

One hour since when? Modules are updated about 6 times a day.

Since customers submitted a threat example to the ESET Malware Response Team and after they confirmed and replied that "The detection for this threat will be included in the next update of detection engine."

6 times a day means every 4 hours; isn't that too long? I.e. shouldn't it be once every 30 min? What happens if, before the update kicks in, the computer is already affected because of this? Or is the real-time engine gonna have another layer of protection?

Just trying to understand exactly how ESET works.

  • Administrators

It depends; most threats are detected via LiveGrid or streamed updates within a few minutes without updating the engine. If you provide the subject of the email, I can check when the detection was added.

3 minutes ago, Marcos said:

It depends; most threats are detected via LiveGrid or streamed updates within a few minutes without updating the engine. If you provide the subject of the email, I can check when the detection was added.

[TRACK#5EC6A2EF0178] from the ESET Malware Response Team's reply.

  • Administrators

We started building engine 21366 an hour ago. It should be on update servers within 15-30 minutes.

31 minutes ago, Marcos said:

We started building engine 21366 an hour ago. It should be on update servers within 15-30 minutes.

The detection engine is still on v21365. It should be v21366 by now, but it still isn't. Please check ASAP. Thanks.


We don't use MS Exchange Server so we don't use ESET Mail Security.

May I confirm:
In this module-not-yet-updated case, is ESET Dynamic Threat Defense of any use for MS Outlook users if the detection engine doesn't have this new virus data yet?

If yes, what exactly are the additional protection layers EDTD has compared to only having ESET Endpoint Antivirus installed in this case?

  • Administrators

With EDTD, any file potentially carrying malware is submitted for analysis in the cloud, where the file will be run. Based on the behavior analysis and evaluation by 3 different machine learning models, the file is then evaluated as either malicious, highly suspicious, suspicious or probably clean. EDTD can be configured to block access to files downloaded by browsers or email clients until a result of the EDTD analysis is received.

Let's assume a spammed VBA Office document with a malicious macro that is not covered by a detection.

Without EDTD: A user receives the email and opens the attachment. Since there's no detection for it yet, it will be run. Depending on what it does, further operations may be detected by some of the protection modules (e.g. if it downloads a payload from a blocked URL, web access protection will block the download). If it dropped a payload and ran it, the payload could be detected by Advanced Memory Scanner, Deep Behavioral Inspection, etc. upon execution. It could also happen that it wouldn't do anything that could be detected by other protection modules. The user would need to wait until the next module (engine) update to get the malicious document detected.

With EDTD: The user receives the email. The attachment is sent to EDTD. The user attempts to open the attachment but EDTD blocks the operation (results from the analysis have not been received yet). During the analysis the document is evaluated as malicious (e.g. the detection has been added in the meantime, the behavior of the document was suspicious, etc.). Once the analysis has completed, all machines in the organization are informed that the file is malicious and Endpoint on those machines acts accordingly, i.e. blocks access to the malicious document.

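The two walkthroughs above describe an access-gating policy: hold a browser- or mail-delivered file while a cloud verdict is pending, then let every endpoint in the organisation act on the published verdict, while a host without the cloud path can only wait for the next engine update. The following is an added model of that flow in Python (my own illustration, not ESET's code or API). The `VerdictService` and `Endpoint` classes, the `BLOCKING_VERDICTS` threshold and the sample document bytes are all hypothetical; the four verdict names are the ones the post lists.

```python
import hashlib
from enum import Enum


class Verdict(Enum):
    # The four outcomes the post lists for EDTD analysis.
    MALICIOUS = "malicious"
    HIGHLY_SUSPICIOUS = "highly suspicious"
    SUSPICIOUS = "suspicious"
    PROBABLY_CLEAN = "probably clean"


# Verdicts that make the endpoint block the file (assumed policy; the real
# threshold is a product setting that the thread does not specify).
BLOCKING_VERDICTS = {Verdict.MALICIOUS, Verdict.HIGHLY_SUSPICIOUS}

# Origins whose files are held until a result arrives (the post says this can
# be configured for browser and email-client downloads).
GATED_ORIGINS = {"browser", "email"}


def file_hash(content: bytes) -> str:
    return hashlib.sha256(content).hexdigest()


class VerdictService:
    """Hypothetical stand-in for the cloud side: submissions and verdicts keyed by
    file hash, shared by every endpoint in the organisation."""

    def __init__(self):
        self.pending = set()
        self.verdicts = {}

    def submit(self, content: bytes) -> str:
        h = file_hash(content)
        if h not in self.verdicts:
            self.pending.add(h)
        return h

    def publish(self, h: str, verdict: Verdict) -> None:
        # Analysis finished: the result becomes visible to all endpoints at once.
        self.verdicts[h] = verdict
        self.pending.discard(h)

    def lookup(self, h: str):
        return self.verdicts.get(h)


class Endpoint:
    """One machine's decision when a user tries to open a received file."""

    def __init__(self, service: VerdictService, edtd_enabled: bool):
        self.service = service
        self.edtd_enabled = edtd_enabled
        self.local_engine_hits = set()   # hashes the local engine already detects

    def receive(self, content: bytes) -> str:
        h = file_hash(content)
        if self.edtd_enabled:
            self.service.submit(content)  # attachment goes to the cloud on arrival
        return h

    def open_file(self, content: bytes, origin: str) -> str:
        h = file_hash(content)
        if h in self.local_engine_hits:
            return "block: local detection"
        if not self.edtd_enabled:
            # No cloud path: unknown content runs; later modules (web access
            # protection, memory scanner, ...) are the only backstop.
            return "allow: no detection yet"
        verdict = self.service.lookup(h)
        if verdict is None:
            if origin in GATED_ORIGINS and h in self.service.pending:
                return "block: analysis pending"
            return "allow: no detection yet"
        if verdict in BLOCKING_VERDICTS:
            return f"block: verdict {verdict.value}"
        return f"allow: verdict {verdict.value}"


# Constructed stand-in for the spammed macro document (inert bytes, not malware).
SAMPLE_DOC = b"constructed-sample-document-with-macro-v1"


def scenario():
    """Replays both walkthroughs from the post and returns each step's decision."""
    cloud = VerdictService()
    without = Endpoint(cloud, edtd_enabled=False)
    with_a = Endpoint(cloud, edtd_enabled=True)
    with_b = Endpoint(cloud, edtd_enabled=True)   # never submitted the file itself
    steps = {}

    without.receive(SAMPLE_DOC)
    steps["without_edtd_open"] = without.open_file(SAMPLE_DOC, "email")

    with_a.receive(SAMPLE_DOC)
    steps["with_edtd_open_pending"] = with_a.open_file(SAMPLE_DOC, "email")

    cloud.publish(file_hash(SAMPLE_DOC), Verdict.MALICIOUS)   # analysis completes
    steps["with_edtd_open_after_verdict"] = with_a.open_file(SAMPLE_DOC, "email")
    steps["other_machine_after_verdict"] = with_b.open_file(SAMPLE_DOC, "email")

    without.local_engine_hits.add(file_hash(SAMPLE_DOC))       # next engine update
    steps["without_edtd_after_engine_update"] = without.open_file(SAMPLE_DOC, "email")
    return steps


if __name__ == "__main__":
    for step, decision in scenario().items():
        print(f"{step}: {decision}")
```

The point the model makes visible is the window: the host without the cloud path allows the unknown document until an engine update that contains the detection lands, whereas the gated host never runs it, and a second host that never submitted the file is protected the moment the verdict is published.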

Archived

This topic is now archived and is closed to further replies.
