Jump to content

Cannot download installers with Protect 8.0


Command IT
 Share

Recommended Posts

When I try to download installers, I get the following

image.png.83c9abc5425f251e2258a635eac1bd38.png

image.png.4e11a95981cc8b73c8ae4bf9ea108a8f.png

Doesn't matter if it's an existing installer or a newly created one

Edited by Command IT
typo
Link to comment
Share on other sites

  • ESET Staff

Could you please verify your connection to ESET repository servers? Also if possible, please provide version details of your environment (version of ESET PROTECT Server) and possibly also SERVER's trace.log so that we can check whether there are more details present.

Link to comment
Share on other sites

  • ESET Staff

There seems to be some network related issue preventing SERVER to download file:

http://repository.eset.com/v1/com/eset/tools/installers/bootstrapper_era/v4/4.0.12.0/epi.exe

using both HTTP proxy and direct connection. Could you please verify configuration of proxy/firewall whether there is no issue that would prevent download. Version of file has changed since ESMC (v2 -> v4) so maybe it is not whitelisted anymore? In case Apache HTTP proxy is used, I would recommend to restart it if not done already to be sure it is in functional state, even that download error indicates firewall issue.

Link to comment
Share on other sites

  • 3 weeks later...
  • ESET Staff

Could you please provide more details of what firewall type was used, and possibly also what detection/blocking module had to be modified? As hostname/IP addresses of repository servers has not changed, I suspect there is some kind of whitelisting of executables or more advanced techniques used by enterprise firewalls.

Link to comment
Share on other sites

Same issues here. Turns out that the file under

hxxp://repository.eset.com/v1/com/eset/tools/installers/bootstrapper_era/v4/4.0.12.0/epi.exe

is being declared malicious by various AntiMalware solutions: https://www.virustotal.com/gui/file/950a48235da3dde7f4376cebcceb85353ab2feff03646ff72f9718b9cf5c30a7/detection

Link to comment
Share on other sites

  • Administrators
1 minute ago, Intenta said:

Same issues here. Turns out that the file under


hxxp://repository.eset.com/v1/com/eset/tools/installers/bootstrapper_era/v4/4.0.12.0/epi.exe

is being declared malicious by various AntiMalware solutions: https://www.virustotal.com/gui/file/950a48235da3dde7f4376cebcceb85353ab2feff03646ff72f9718b9cf5c30a7/detection

So it's blocked at your ISP that uses some of the AVs that erroneously report the file as malicious? If it's detected in your network. make sure to whitelist the url to prevent the false positive from being detected.

Link to comment
Share on other sites

It's being blocked by our Unified Threat Management solution which uses vendor specific anti-malware measures to be precisely. It's possibly checking file hashes against VirusTotal or whatever. That's not the important point right now.

Just that I understand your proposed solution correctly: you want me to to whitelist the download of the "epi.exe", which isn't digitally signed, and ignore the VirusTotal results of other AntiVir products?

Link to comment
Share on other sites

1 hour ago, Intenta said:

Same issues here. Turns out that the file under


hxxp://repository.eset.com/v1/com/eset/tools/installers/bootstrapper_era/v4/4.0.12.0/epi.exe

is being declared malicious by various AntiMalware solutions: https://www.virustotal.com/gui/file/950a48235da3dde7f4376cebcceb85353ab2feff03646ff72f9718b9cf5c30a7/detection

Perhaps the prudent thing to do here is that Eset provide the file hash for epi.exe. Then compare that hash value to the epi.exe file hash value downloaded.

-EDIT- Also the VT detection is for bootstrapper.exe which appears to create the following:

  • C:\Users\<USER>\AppData\Local\Temp\eset\bts.session\{02D83BBE-EB93-B7D9-1A5E-10CDAD2E32F1}\epi.exe
  • C:\Users\<USER>\AppData\Local\Temp\eset\bts.session\{02D83BBE-EB93-B7D9-1A5E-10CDAD2E32F1}\sciter-x.dll
  • C:\Users\<USER>\AppData\Local\Temp\eset\bts.session\{02D83BBE-EB93-B7D9-1A5E-10CDAD2E32F1}\eguiActivation.dll
  • C:\Users\<USER>\AppData\Local\Temp\eset\bts.session\{02D83BBE-EB93-B7D9-1A5E-10CDAD2E32F1}\eguiActivationLang.dll
  • C:\Users\<USER>\AppData\Local\Temp\eset\bts.session\{02D83BBE-EB93-B7D9-1A5E-10CDAD2E32F1}\plgInstaller.dll
  • C:\Users\<USER>\AppData\Local\Temp\eset\bts.session\{02D83BBE-EB93-B7D9-1A5E-10CDAD2E32F1}\BootHelper.exe

Checking the file hash for epi.exe yields a clean scan at VT.

Edited by itman
Link to comment
Share on other sites

36 minutes ago, itman said:

Perhaps the prudent thing to do here is that Eset provide the file hash for epi.exe. Then compare that hash value to the epi.exe file hash value downloaded.

Actually this could help with the process of deciding weather it might be safe to whitelist the file at all. Additionally I'd prefer the file being digitally signed.

 

I'm sure most IT professionals have been following the news regarding SolarWinds. Someone can never be too cautious these days, although the VT result looks indeed like an false positive only and potential threat actors wouldn't be so sloppy to get caught by VT in the first place.

Link to comment
Share on other sites

VT is slowing conflicting info. per the below screen shot.

Again, its flagging bootstrapper.exe as the problem. This file is signed. Also, VT lists epi.exe. But, when I scanned the hash for the extracted file, there were no detections. It's as if VT is perhaps detecting the downloaded ver. of epi.exe which I assume is a latest ver. update of the file?

Eset_bootstrapper.thumb.png.21a62c1da063b2133eae619ba59068df.png

Link to comment
Share on other sites

Mine was being blocked on our Fortigate firewall.

Don't have the logs from back then to identify which module, but probably AV. I ended up whitelisting repository.eset.com

Link to comment
Share on other sites

Further analysis of VT sandbox findings confirms my early suspicions.

To understand what is going on, two epi.exe, aka bootstrapper.exe, processes are running. One as the parent process and one as a child processes. Note that the epi.exe processes are not the same. The malicious process being detected at VT is the unsigned parent epi.exe process. The child epi.exe process spawned is legit and validly signed.

Eset_EPI.thumb.png.5dcceb4ef78ae15e57ba79d4d849c6d3.png

Ref.: https://www.virustotal.com/gui/file/a7af6d852fadd2bf4b9ef36b3f96e322e08254b20682fe174b0c38738e5f3864/detection

Of note is most of the VT detection's for the parent epi.exe process relate to razy malware. That in itself is interesting in that razy malware is browser extension based. Ref.: https://securityboulevard.com/2020/12/how-to-spot-razy-malware-undetected-by-av-systems/?utm_campaign=Oktopost-Media&utm_content=Cato+Networks&utm_medium=social&utm_source=facebook

Edited by itman
Link to comment
Share on other sites

Thanks for your eager efforts @itman. However I fear you might possibly cause further confusion to fellow readers of this topic, hehe. No offense intended.

After some further analysis of my own regarding the "epi.exe" with the sha256 hash of 950a48235da3dde7f4376cebcceb85353ab2feff03646ff72f9718b9cf5c30a7 seems to be a confirmable false-positive. I'd like if ESET posted an official statement or tries to build a new bootstrapper which doesn't get falsely flagged as potentially malicious. Similar to their old one from Aug 2020 (hxxp://repository.eset.com/v1/com/eset/tools/installers/bootstrapper_era/v2/2.0.47.0/epi.exe - sha256: d821eb22cbe802d4077a6f57bf8b9ed1a6fc93bdc1605e50426b09f41ca7ec7b).

Link to comment
Share on other sites

2 hours ago, Intenta said:

Thanks for your eager efforts @itman. However I fear you might possibly cause further confusion to fellow readers of this topic, hehe. No offense intended.

No offense taken.

My advice is submit the installer to Hybrid-Analysis: https://www.hybrid-analysis.com/ , for a full sandbox analysis and see what it determines.

Link to comment
Share on other sites

Some vendors updated their signature databases and no longer flag the file "epi.exe" as malicious. The download of All-In-One installers through the ESET Protect UI is finally working for us now (without configuring any exceptions). Thanks!

Link to comment
Share on other sites

Guest
This topic is now closed to further replies.
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...