Jump to content

ESET Security Management Center version 7.2.11.1 hotfix won't install


Recommended Posts

Hi all.

My Security Management Center console is showing there is an update available. I run through the process via the link under the Help menu dropdown in the console. The Update Product task is scheduled which completes successfully but the update doesn't appear to have installed. The version under control panel Programs & Features is still at 7.2.1266.0 and the update notification shows up in the console again after re-opening the console or rebooting the server. Have tried the process half a dozen times and the same thing happens each time.

Anyone have any thoughts?

Thanks,

Link to comment
Share on other sites

  • ESET Staff

Could you please double check that client task configuration references version 7.2.1278.0 which is supposed to be your new version after upgrade? Any chance you are using some custom repository server, for example offline repository created by mirror tool? Could you check also version of WebConsole, especially whether it has been updated to version 7.2.230.0?

If possible, could you please enable full trace logging on ESMC Agent (i.e. via ESMC Agent policy assigned to ESMC server), re-run task and attach it for further analysis? It is probable that for some reason, suitable upgrade package is not found, which might be related to already installed components or version of operating system.

Edited by MartinK
Link to comment
Share on other sites

Thanks for the response.

The client task configuration definitely references version 7.2.1278.0 and I'm not using a custom repository server. The version of the webConsole still shows as 7.2.221.0 after the client task has completed.

Could you please advise how to enable the full trace logging you describe?

Thanks.

Link to comment
Share on other sites

  • ESET Staff
2 hours ago, Chilliflavour said:

Could you please advise how to enable the full trace logging you describe?

Thanks.

You will have to create configuration policy for ESET Management Agent with enabled trace log verbosity - ideally lowest possible value should be enabled to that all details are present (Advanced->Logging, see documentation). Once policy is created, it has to be applied to problematic client, in this case server that is hosting your ESMC server. Once done, please re-run upgrade task and after some time or after task success is reported please provide trace log:

C:\ProgramData\ESET\RemoteAdministrator\Agent\EraAgentApplicationData\Logs\trace.log

Ideally it should be verified that log captures moment of upgrade, as relevant information might be already "rotated" in case logging will be enabled for longer time.

Link to comment
Share on other sites

Thanks for the instructions. I have attached the trace log which captures another upgrade attempt.

Not sure if it's relevant but I noticed the time stamps in the log are 1 hour behind the actual time. The system time on the server is correct.

trace.log

Link to comment
Share on other sites

  • ESET Staff

Thanks for logs, they shows that ESMC upgrade is failing (unfortunately for some reason, it is not communicated correctly, which we will have to report):

2020-08-05 14:41:29 Error: CSystemConnectorModule [Thread 12f0]: UpgradeInfrastructure: Installation command 'cmd.exe /c msiexec.exe /qn /i "C:\WINDOWS\TEMP\de14-602f-e362-4140\server_x64.msi" /l*v "%TEMP%\ra-upgrade-infrastructure.log" ALLUSERS=1 REBOOT="ReallySuppress"' exited with 0x643: Fatal error during installation
2020-08-05 14:41:29 Error: CSystemConnectorModule [Thread 12f0]: UpgradeInfrastructure: Skipping webconsole upgrade. Server upgrade failed

As it is failing during installation itself, there are no more details. Could you please search for log:

%TEMP%\ra-upgrade-infrastructure.log"

i.e. for log placed in temporary directory of local system user? It will be located somewhere on system disk, depending on operating system version. Just be aware that search for log will require full administrator access.

Alternatively, manual upgrade might be performed, it will probably fail with the same error, but it might be easier to get to the logs.

 

PS: timestamps in ESMC trace logs are in UTC format, so in case offset one hour corresponds with timezone where ESMC is installed, it is expected.

Link to comment
Share on other sites

  • ESET Staff

No problem. Installation log contains following errors:

[Microsoft][ODBC SQL Server Driver][DBNETLIB]SSL Security error

that break ESMC upgrade in initial phase, during database connectivity check. Unfortunately I do not recall seeing similar errors in relation with ESMC -> any chance there is some custom DB configuration used? Maybe modified DB connection string for ESMC created after upgrade to previous version? As error indicates some problem with SSL connection, maybe there is no-longer-valid certificate used by DB server?

Link to comment
Share on other sites

That might throw some light on it. I recently updated the ESMC server from WS 2012 R2 to WS 2016. As per our company security procedures I ran IIS Crypto (using the Best Practices setting) to disable TLS 1.0 & TLS 1.1 and any insecure SSL ciphers. It could be there's a SSL cipher that ESMC uses to connect to SQL which is now disabled?  Are you able to tell me which ciphers are used? I've attached the list of active TLS 1.2 ciphers on the server.

Regarding SQL, the DB has not been customised. It's using the version and defaults from the ESMC install. All I've done is updated SQL to the latest version, SP3 CU4.   

ESMC Ciphers.png

Link to comment
Share on other sites

  • ESET Staff

TLS connection is actually initiated by ODBC driver installed in system, so it is not in ESMC control. Could you please check what ODBC driver is actually used by ESMC and possibly install latest version. My best guess is that older version is used, which has no support for TLS 1.2. Also it seems that SQL Server 2014 in latest version you are using is supposed to fully support TLS 1.2: just for information, with recent versions we are installing SQL Server 2019 + all-in-one installer do even support upgrade of database server is supported by operating system, but ODBC driver is not installed nor upgraded.

In order to check or change ODBC driver used by ESMC, please check DB connection string file as described in documentation. In referenced article, relevant parameter is Driver=SQL Server, i.e. in example, very old ODBC driver is used. In case it is also in your case, I would recommend to upgrade to Microsoft ODBC Driver 17 for SQL Server. It will also require to modify ESMC DB connection string, probably to Driver=ODBC Driver 17 for SQL Server, where exact name can be verified in ODBC Data Source control panel:

image.png

Link to comment
Share on other sites

Happy to report the update has successfully installed after upgrading the ODBC driver and modifying the ESMC DB connection string as per your instructions. Thanks for all your help, it's much appreciated!

Just wondering if it is possible to upgrade the SQL Server to 2019 without having to reinstall ESMC?

 

ODBC.png

ODBC2.png

Link to comment
Share on other sites

  • ESET Staff
4 hours ago, Chilliflavour said:

Just wondering if it is possible to upgrade the SQL Server to 2019 without having to reinstall ESMC?

This should be even supported by "All-in-one" installer that can be downloaded from ESET web pages. It is technically possible to upgrade, you just have to ensure that database and related security users (used by ESMC) are migrated to new server. I am currently not sure, but upgrade of SQLServer2014 to SQLServer2019 should support this transparent upgrade, but I am not sure it is default scenario -> it might happen that instead of upgrade, side-by-side installation will be performed, which would require more work, but even in this case it would work without reinstalling of ESMC.

Before upgrade, I would definitely recommend to backup ESMC database or ideally whole operating system if possible (i.e. if it is virtual machine ...).

Link to comment
Share on other sites

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...