Real-time file protection is non-functional after update to 7.3

[noorigin 3]

I got one server out of several dozen that has a problem after the update to File Security 7.3.12002.0

I initially pushed it out via ESMC. I have tried reinstalling, uninstalling/reinstalling, safe-mode esetuninstaller, using an AIO installer, run repairs.

nothing I do can get it to work. What should I try next?

[Marcos 5,069]

Please carry on as follows:

- in the advanced seutp -> tools -> diagnostics click Create to generate a dump of ekrn
- collect logs with ESET Log Collector
- upload the generated archive to a safe location and drop me a personal message with a download link.

[noorigin 3]

msg sent

[Marcos 5,069]

Where did you download ELC from? The thing is you've used an obsolete version 3.1 not compatible with latest products. The link in my post points to a KB that should point to the latest version of ELC 4.1.

[Marcos 5,069]

This is a known issue with the operating system not reporting correctly the state of OOBE. Unfortunately currently we can only suggest to reinstall Windows. As of the next version there will be a workaround for the OS issue and real-time protection will activate even if OOBE is not reported correctly by the OS.

[noorigin 3]

Ill reupload the files. I saw a response in another thread regarding the OOBE. The thread mentioned a reg key to check. That key is present on this server if it makes a difference.

[noorigin 3]

So what is the issue? Simply saying " you gotta reinstall the OS" then dropping the mic and walking away is not cool. Does this mean we all run a risk of OS reinstallation when upgrading ESET FS? How can we update and NOT be affected by this, or at least know if we will be? Anywhere we can read more about this "known issue"? More info please!

Edited February 10, 2021 by noorigin

[Marcos 5,069]

The thing is Windows is incorrectly reporting that OOBE has not completed yet which causes real-time protection not to activate. As of EFSW 8.X, this erroneous state of the OS will be ignored and real-time protection will activate. Currently we don't know of other way how to make Windows report OOBE status correctly than by reinstalling the OS.

[noorigin 3]

Would an over the top install (reinstall without wiping) work? How do we check OOBE status before updating other servers?

Edited February 10, 2021 by noorigin

[noorigin 3]

This is important guys.... with no ETA on v8 and some of us managing dozens/hundreds of servers, we really need to kinda know if it is safe or not to upgrade. I have a few dozen more to do but am terrified RTFP wont work and my only recourse is to reinstall the OS. Can you give us ANY guidance at all regarding what to look out for before upgrading? I feel like there should be an announcement on the front page or something....

[Marcos 5,069]

OOBE check has been there since EFSW 7.1. As for the issue after upgrade to v7.3, did you upgrade from an older version (7.0, 6.5) that didn't check the OOBE status?  That said, after upgrade to v7.3 from v7.1 or 7.2 you shouldn't end up with non-functional real-time protection.

According to developers, the status is determined through a Windows API function and registry values are unreliable.

[noorigin 3]

I honestly did not check version number before the update but it is highly likely that they were v7.1 or later.  The one server i am having a problem with is a session host in a RDS collection. All the hosts were built from a template at the same time. All are identical. But this one is pitching a fit, others are fine. Doing a install repair on it now to see if it helps.... 

 

At lease we all know now there is a definite risk upgrading from pre-7.1 to current.

[noorigin 3]

Just to follow up, in the end I reinstalled v7.2 and everything is now OK. I'll be waiting for v8 before doing any more upgrades.