Chilliflavour

ESET Security Management Center version 7.2.11.1 hotfix won't install

Hi all.

My Security Management Center console is showing there is an update available. I run through the process via the link under the Help menu dropdown in the console. The Update Product task is scheduled which completes successfully but the update doesn't appear to have installed. The version under control panel Programs & Features is still at 7.2.1266.0 and the update notification shows up in the console again after re-opening the console or rebooting the server. Have tried the process half a dozen times and the same thing happens each time.

Anyone have any thoughts?

Thanks,


Could you please double check that client task configuration references version 7.2.1278.0 which is supposed to be your new version after upgrade? Any chance you are using some custom repository server, for example offline repository created by mirror tool? Could you check also version of WebConsole, especially whether it has been updated to version 7.2.230.0?

If possible, could you please enable full trace logging on ESMC Agent (i.e. via ESMC Agent policy assigned to ESMC server), re-run task and attach it for further analysis? It is probable that for some reason, suitable upgrade package is not found, which might be related to already installed components or version of operating system.

Edited by MartinK


Thanks for the response.

The client task configuration definitely references version 7.2.1278.0 and I'm not using a custom repository server. The version of the webConsole still shows as 7.2.221.0 after the client task has completed.

Could you please advise how to enable the full trace logging you describe?

Thanks.

2 hours ago, Chilliflavour said:

Could you please advise how to enable the full trace logging you describe?

Thanks.

You will have to create configuration policy for ESET Management Agent with enabled trace log verbosity - ideally lowest possible value should be enabled so that all details are present (Advanced->Logging, see documentation). Once policy is created, it has to be applied to problematic client, in this case server that is hosting your ESMC server. Once done, please re-run upgrade task and after some time or after task success is reported please provide trace log:

C:\ProgramData\ESET\RemoteAdministrator\Agent\EraAgentApplicationData\Logs\trace.log

Ideally it should be verified that log captures moment of upgrade, as relevant information might be already "rotated" in case logging will be enabled for longer time.


Thanks for the instructions. I have attached the trace log which captures another upgrade attempt.

Not sure if it's relevant but I noticed the time stamps in the log are 1 hour behind the actual time. The system time on the server is correct.

trace.log


Thanks for logs, they show that ESMC upgrade is failing (unfortunately for some reason, it is not communicated correctly, which we will have to report):

2020-08-05 14:41:29 Error: CSystemConnectorModule [Thread 12f0]: UpgradeInfrastructure: Installation command 'cmd.exe /c msiexec.exe /qn /i "C:\WINDOWS\TEMP\de14-602f-e362-4140\server_x64.msi" /l*v "%TEMP%\ra-upgrade-infrastructure.log" ALLUSERS=1 REBOOT="ReallySuppress"' exited with 0x643: Fatal error during installation
2020-08-05 14:41:29 Error: CSystemConnectorModule [Thread 12f0]: UpgradeInfrastructure: Skipping webconsole upgrade. Server upgrade failed

As it is failing during installation itself, there are no more details. Could you please search for log:

%TEMP%\ra-upgrade-infrastructure.log

i.e. for log placed in temporary directory of local system user? It will be located somewhere on system disk, depending on operating system version. Just be aware that search for log will require full administrator access.

Alternatively, manual upgrade might be performed, it will probably fail with the same error, but it might be easier to get to the logs.

 

PS: timestamps in ESMC trace logs are in UTC format, so in case offset one hour corresponds with timezone where ESMC is installed, it is expected.

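Added example, not part of the thread or of ESET's tooling: a Python triage of the agent trace.log format quoted in the reply above. It pulls out each failed installer command, decodes the hexadecimal exit code, and extracts the MSI verbose-log path to look for next. The function names and the Information line in the sample are assumptions made for illustration.

```python
import re
from datetime import datetime, timezone

# The two Error lines are quoted from the reply above; the Information line is constructed.
SAMPLE_LOG = r'''2020-08-05 14:41:02 Information: CSystemConnectorModule [Thread 12f0]: UpgradeInfrastructure: constructed filler line
2020-08-05 14:41:29 Error: CSystemConnectorModule [Thread 12f0]: UpgradeInfrastructure: Installation command 'cmd.exe /c msiexec.exe /qn /i "C:\WINDOWS\TEMP\de14-602f-e362-4140\server_x64.msi" /l*v "%TEMP%\ra-upgrade-infrastructure.log" ALLUSERS=1 REBOOT="ReallySuppress"' exited with 0x643: Fatal error during installation
2020-08-05 14:41:29 Error: CSystemConnectorModule [Thread 12f0]: UpgradeInfrastructure: Skipping webconsole upgrade. Server upgrade failed
'''

LINE = re.compile(r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?P<level>\w+): "
                  r"(?P<module>\w+) \[Thread (?P<thread>[0-9a-f]+)\]: (?P<msg>.*)$")
INSTALL_FAIL = re.compile(r"Installation command '(?P<cmd>.*)' exited with "
                          r"(?P<code>0x[0-9a-fA-F]+): (?P<reason>.*)")
MSI_LOG = re.compile(r'/l\*v\s+"(?P<path>[^"]+)"')


def upgrade_failures(text):
    """Return one dict per failed installer command found in an agent trace log."""
    failures = []
    for raw in text.splitlines():
        line = LINE.match(raw)
        if not line or line["level"] != "Error":
            continue
        hit = INSTALL_FAIL.search(line["msg"])
        if not hit:
            continue
        msi_log = MSI_LOG.search(hit["cmd"])
        failures.append({
            # Trace-log timestamps are UTC (per the reply above), so attach the zone.
            "when": datetime.strptime(line["ts"], "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc),
            "exit_code": int(hit["code"], 16),  # 0x643 -> 1603
            "reason": hit["reason"],
            "msi_log": msi_log["path"] if msi_log else None,
        })
    return failures


def skipped_steps(text):
    """Messages of follow-on steps that were skipped after an earlier failure."""
    return [m["msg"] for m in map(LINE.match, text.splitlines())
            if m and "Skipping" in m["msg"]]


if __name__ == "__main__":
    for failure in upgrade_failures(SAMPLE_LOG):
        print(failure["when"].isoformat(), failure["exit_code"], failure["msi_log"])
    print(skipped_steps(SAMPLE_LOG))
```

The `%TEMP%` in the extracted path is logged unexpanded, so it resolves against the account that ran the installer, which is why the reply points at the local system user's temporary directory.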

No problem. Installation log contains following errors:

[Microsoft][ODBC SQL Server Driver][DBNETLIB]SSL Security error

that break ESMC upgrade in initial phase, during database connectivity check. Unfortunately I do not recall seeing similar errors in relation with ESMC -> any chance there is some custom DB configuration used? Maybe modified DB connection string for ESMC created after upgrade to previous version? As error indicates some problem with SSL connection, maybe there is no-longer-valid certificate used by DB server?


That might throw some light on it. I recently updated the ESMC server from WS 2012 R2 to WS 2016. As per our company security procedures I ran IIS Crypto (using the Best Practices setting) to disable TLS 1.0 & TLS 1.1 and any insecure SSL ciphers. It could be there's an SSL cipher that ESMC uses to connect to SQL which is now disabled? Are you able to tell me which ciphers are used? I've attached the list of active TLS 1.2 ciphers on the server.

Regarding SQL, the DB has not been customised. It's using the version and defaults from the ESMC install. All I've done is updated SQL to the latest version, SP3 CU4.   

ESMC Ciphers.png


TLS connection is actually initiated by ODBC driver installed in system, so it is not in ESMC control. Could you please check what ODBC driver is actually used by ESMC and possibly install latest version. My best guess is that older version is used, which has no support for TLS 1.2. Also it seems that SQL Server 2014 in latest version you are using is supposed to fully support TLS 1.2: just for information, with recent versions we are installing SQL Server 2019 + all-in-one installer does even support upgrade of database server is supported by operating system, but ODBC driver is not installed nor upgraded.

In order to check or change ODBC driver used by ESMC, please check DB connection string file as described in documentation. In referenced article, relevant parameter is Driver=SQL Server, i.e. in example, very old ODBC driver is used. In case it is also in your case, I would recommend to upgrade to Microsoft ODBC Driver 17 for SQL Server. It will also require to modify ESMC DB connection string, probably to Driver=ODBC Driver 17 for SQL Server, where exact name can be verified in ODBC Data Source control panel:

image.png

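Added example, not part of the thread or of ESET's tooling: a Python check of the `Driver=` keyword in an ODBC connection string against the driver names shown in the ODBC Data Source control panel, plus the one-keyword rewrite the reply above recommends. The sample connection string, host and database names are constructed placeholders, and treating `SQL Server` as the driver to flag follows the reply's guess about TLS 1.2 support.

```python
import re

# Driver names come from the reply above; flagging "SQL Server" follows its
# guess that this older driver has no TLS 1.2 support.
LEGACY_DRIVERS = {"sql server"}
SUGGESTED_DRIVER = "ODBC Driver 17 for SQL Server"

# Constructed sample values (host and database names are placeholders).
SAMPLE_CONN = "Driver=SQL Server;Server=db.example.internal;Database=example_db"
SAMPLE_INSTALLED = ["SQL Server", "ODBC Driver 17 for SQL Server"]


def parse_odbc(conn):
    """Split an ODBC connection string into {lowercased keyword: value}.
    A value may be wrapped in {braces}, in which case it can contain ';'."""
    out, i = {}, 0
    while (eq := conn.find("=", i)) != -1:
        key = conn[i:eq].strip(" ;").lower()
        start = eq + 1
        if conn.startswith("{", start):
            close = conn.find("}", start)
            if close == -1:
                raise ValueError(f"unterminated brace in value of {key!r}")
            value, semi = conn[start + 1:close], conn.find(";", close)
        else:
            semi = conn.find(";", start)
            value = conn[start:semi if semi != -1 else len(conn)].strip()
        out.setdefault(key, value)  # ODBC uses the first occurrence of a keyword
        if semi == -1:
            break
        i = semi + 1
    return out


def audit_driver(conn, installed):
    """Return findings for the Driver= keyword given the installed driver names."""
    driver = parse_odbc(conn).get("driver")
    if driver is None:
        return ["no Driver= keyword found"]
    findings = []
    if driver.lower() in LEGACY_DRIVERS:
        findings.append(f"legacy driver {driver!r}: may fail once TLS 1.0/1.1 are disabled")
    if driver.lower() not in {d.lower() for d in installed}:
        findings.append(f"driver {driver!r} is not installed on this host")
    return findings


def set_driver(conn, new_driver):
    """Rewrite only the first Driver= value; every other keyword is left untouched."""
    pattern = r"(?i)(^|;)(\s*driver\s*=\s*)(\{[^}]*\}|[^;]*)"
    return re.sub(pattern, lambda m: m.group(1) + m.group(2) + new_driver, conn, count=1)
```

Run `audit_driver` again on the output of `set_driver` before saving the edited connection string, so a mistyped driver name is caught as "not installed" rather than at the next upgrade attempt.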

Happy to report the update has successfully installed after upgrading the ODBC driver and modifying the ESMC DB connection string as per your instructions. Thanks for all your help, it's much appreciated!

Just wondering if it is possible to upgrade the SQL Server to 2019 without having to reinstall ESMC?

 

ODBC.png

ODBC2.png

4 hours ago, Chilliflavour said:

Just wondering if it is possible to upgrade the SQL Server to 2019 without having to reinstall ESMC?

This should be even supported by "All-in-one" installer that can be downloaded from ESET web pages. It is technically possible to upgrade, you just have to ensure that database and related security users (used by ESMC) are migrated to new server. I am currently not sure, but upgrade of SQLServer2014 to SQLServer2019 should support this transparent upgrade, but I am not sure it is default scenario -> it might happen that instead of upgrade, side-by-side installation will be performed, which would require more work, but even in this case it would work without reinstalling of ESMC.

Before upgrade, I would definitely recommend to backup ESMC database or ideally whole operating system if possible (i.e. if it is virtual machine ...).


It's a VM so not a problem to back it up. I'll take a look at some point and see if I can get it up to SQL 2019 somehow.

Thanks again for your help.
