Nono, posted January 8, 2021

I'm in the process of upgrading from ESET Security Endpoint 7 to version 8 (following my upgrade from ESMC to ESET Protect).

Depending on the user (for a similar configuration), some agent upgrades failed because either the explorer.exe or the msiexec.exe process can't access ESET files. Here is the HIPS log:

C:\Windows\explorer.exe;Get access to file;C:\Program Files\ESET\RemoteAdministrator\Agent\*;blocked;Self-Defense: Protect ESET files;Write to file
C:\Windows\explorer.exe;Get access to file;C:\ProgramData\ESET\RemoteAdministrator\Agent\EraAgentApplicationData\Modules\**;blocked;Self-Defense: Protect ESET files;Write to file
C:\Windows\System32\msiexec.exe;Get access to file;C:\Program Files\ESET\RemoteAdministrator\Agent\*;blocked;Self-Defense: Protect ESET files;Write to file
C:\Windows\System32\msiexec.exe;Get access to file;C:\ProgramData\ESET\RemoteAdministrator\Agent\EraAgentApplicationData\Modules\*;blocked;Self-Defense: Protect ESET files;Write to file

In SOME cases, manually uninstalling the agent and installing the new one works, but in some others it didn't, leaving some users without an agent at all (but the rules are still applied from the server, aka not editable).

Now, two things:
1) How can I install the agent back, knowing that I can't access user rules (without agent / with the client still managed by the server)?
2) How to prevent this self-protection when the installation is legit?

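Added example, not part of the thread and not ESET code: a small Python triage script that parses semicolon-separated HIPS log lines like the ones quoted in the post above and counts blocked Self-Defense events per process and protected path. The column names are assumptions, since the post shows only the values and no header row.

```python
from collections import Counter

# The four HIPS log lines quoted in the post above, copied as posted.
SAMPLE_LOG = r"""
C:\Windows\explorer.exe;Get access to file;C:\Program Files\ESET\RemoteAdministrator\Agent\*;blocked;Self-Defense: Protect ESET files;Write to file
C:\Windows\explorer.exe;Get access to file;C:\ProgramData\ESET\RemoteAdministrator\Agent\EraAgentApplicationData\Modules\**;blocked;Self-Defense: Protect ESET files;Write to file
C:\Windows\System32\msiexec.exe;Get access to file;C:\Program Files\ESET\RemoteAdministrator\Agent\*;blocked;Self-Defense: Protect ESET files;Write to file
C:\Windows\System32\msiexec.exe;Get access to file;C:\ProgramData\ESET\RemoteAdministrator\Agent\EraAgentApplicationData\Modules\*;blocked;Self-Defense: Protect ESET files;Write to file
"""

# Assumed column names: the post shows the values only, with no header row.
FIELDS = ("application", "operation", "target", "action", "rule", "detail")


def parse_hips_log(text):
    """Return (records, skipped): one dict per well-formed line, plus a count of bad lines."""
    records, skipped = [], 0
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = [p.strip() for p in line.split(";")]
        if len(parts) != len(FIELDS):
            skipped += 1  # truncated or differently exported line: count it, don't guess
            continue
        records.append(dict(zip(FIELDS, parts)))
    return records, skipped


def self_defense_blocks(records):
    """Count blocked Self-Defense events per (process name, protected target)."""
    counts = Counter()
    for r in records:
        if r["action"].lower() == "blocked" and r["rule"].startswith("Self-Defense"):
            process = r["application"].rsplit("\\", 1)[-1].lower()
            counts[(process, r["target"])] += 1
    return counts


def blocked_processes(records):
    """Sorted list of process names that Self-Defense blocked at least once."""
    return sorted({proc for proc, _ in self_defense_blocks(records)})


if __name__ == "__main__":
    recs, bad = parse_hips_log(SAMPLE_LOG)
    for (proc, target), n in sorted(self_defense_blocks(recs).items()):
        print(f"{n}x {proc} -> {target}")
    print(f"skipped lines: {bad}")
```

Run against an exported HIPS log from each affected endpoint, the per-process counts make it easy to compare machines where the agent upgrade failed with those where it succeeded.
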
Marcos (Administrators), posted January 8, 2021

Please switch to pre-release updates to get the latest HIPS module 1403.1 (should be released on standard update servers today).

Should the issue occur with the above HIPS module, carry on as follows:
- create an ekrn dump via adv. setup -> tools -> diagnostics -> click Create
- collect logs with ESET Log Collector and provide us with the generated archive.

Nono, posted January 8, 2021

Hi @Marcos

How am I supposed to install this on my endpoint, knowing that there is no communication anymore with the server, but the rules are still "locked" / not editable?

I've generated a (quite huge) dump + log collection. Where/how can I send it to you?

Nono, posted January 11, 2021

I'm still in the situation where some endpoints aren't communicating with the server. Any help on this, @Marcos?

Marcos (Administrators), posted January 11, 2021

On 1/8/2021 at 10:22 AM, Nono said:
> I've generated a (quite huge) dump + log collection. Where/how can I send it to you?

You can upload it to OneDrive, Dropbox, Wetransfer, Google Drive, etc. and drop me a PM with a download link.

> I'm still in the situation where some endpoints aren't communicating with the server.

Please check C:\ProgramData\ESET\RemoteAdministrator\Agent\EraAgentApplicationData\Logs\status.html and trace.log for possible errors.

Nono, posted January 11, 2021

1 hour ago, Marcos said:
> You can upload it to OneDrive, Dropbox, Wetransfer, Google Drive, etc. and drop me a PM with a download link.
> Please check C:\ProgramData\ESET\RemoteAdministrator\Agent\EraAgentApplicationData\Logs\status.html and trace.log for possible errors.

As I failed to OVERWRITE the agent, I manually tried to uninstall the current agent to install the new one. But installing both the new one AND the previous (working) one failed, so I ended up with no agent installed at all ...

Therefore there is no such file / folder (C:\ProgramData\ESET\RemoteAdministrator\).

Marcos (Administrators), posted January 12, 2021

Just to make sure, does disabling self-defense and rebooting the machine always resolve the above issue with upgrading the agent from v7 to v8?

Nono, posted January 12, 2021

@Marcos The problem is: those endpoints are not able to disable self-defense by themselves. It has to be disabled/enabled via the ESET Protect Server (using the agent).

I'm in the situation that: rules are still applied (not editable) "from the server". The endpoints are still getting the client updates, that's it.

Does it mean that I will have to uninstall the client to be able to install the agent v8, before re-installing the client?

Marcos (Administrators), posted January 12, 2021

Even if you enforce SD via a policy, you can activate override mode on a client, temporarily disable SD, reboot the machine and then try to upgrade the agent by sending an ESMC component upgrade task to the client.

If SD is not enforced by a policy, you can disable it in the setup right away, reboot the machine and try to upgrade the agent.

We must be sure that the issue is caused by SD, hence the test with SD disabled.

Nono, posted January 12, 2021 (edited January 12, 2021)

The policy is enforced, and I can't deal with the override mode, as there is no agent installed anymore.

Unless there is another way than this link: https://help.eset.com/era_admin/65/en-US/admin_pol_override.html to do it from the client?

Nono, posted January 13, 2021

Hi @Marcos

I had another endpoint to update so I gave it a try: disabling the SD didn't help.

What helped in this case was changing the policy. I have two sets of policies: "advanced" and "not advanced" users. The main difference between the 2 policies is the rule: DETECTION ENGINE => Real-time file system protection => File open. The "Not advanced" group has it enabled, while the "advanced" group has it disabled.

Could this be the reason?!

After checking, it seems that the installer failed to download the .msi / shasum checker application.

Marcos (Administrators), posted January 13, 2021

Did the upgrade work for the "advanced" group that had scan on open disabled?

By the way, disabling default "scan-on" events may be dangerous; for instance, script malware may not be detected or cleaned if scan on open is disabled. If you had a reason to disable it, we'd like to hear more about the issues you encountered with the setting enabled.

MartinK (ESET Staff), posted January 13, 2021

10 hours ago, Nono said:
> After checking, it seems that the installer failed to download the .msi / shasum checker application.

Could you possibly provide some logs or an output summary so that we can check which phase actually fails? My understanding is that the generated live installer (BAT) is used, which actually downloads MSI installers from ESET repository servers and, once done, verifies its checksum using a tool that is part of the installer script, which might theoretically also fail in case of very strict protection rules, but we have not encountered that yet.

Nono, posted January 14, 2021

Hi @MartinK, please liaise with @Marcos. I sent him the log over WeTransfer, so I hope he has it at his end.

When I realised that this failed, I tried to download the msi (which is in the bat) manually over my web browser: this works!

On top of that, I put the manually downloaded files in the %temp%/.eset.XXXXX/ folder and tried to execute it manually (together with the config file). The behaviour was almost the same: the .msi didn't really finish the installation, but I don't remember if it was still caused by the SELF-DEFENSE or not.

Note: in both of my policies (advanced & not advanced), self-defense is activated.

Nono, posted January 15, 2021

Without an answer, I'll have to uninstall ESET and re-install it manually, which is a shame 😕

Marcos (Administrators), posted January 15, 2021

We need to know if temporarily disabling self-defense makes a difference or not. Or is it the scan-on-open option that resolves the issue?

Nono, posted January 18, 2021 (marked as Solution)

On 1/15/2021 at 10:27 AM, Marcos said:
> We need to know if temporarily disabling self-defense makes a difference or not. Or is it the scan-on-open option that resolves the issue?

Hi @Marcos

I can't tell now. I have already tried to explain to you many times (and provided you the log) that I can't disable self-defense.

I finally "solved" my issue by uninstalling ESET completely.

This thread can now be closed, but I don't consider it "resolved".