Activate a Client

[linuxhitman 0]

I have a temporary license and an I created a business account.  I installed on a test machine from the rpm file efs-8.0.375.0.x86_64.rpm.  What I cannot do yet is get the client activated.  Is there some documentation I can use to get this moving?

I tried:

sudo /opt/eset/efs/sbin/lic --key=TEMP_OR_ARY_LICENCE_KEY

but it just returns after a minute or so with:

Activation error: Activation failed in association.

This is a headless machine without a GUI so command line only.

[Marcos 4,693]

Please carry on as follows:

1, Enable activation log service by executing the following command as a privileged user:
sudo /opt/eset/eea/sbin/ecp_logging.sh -e -f

2.Try the activation process again. If it fails, run the log collecting script as a privileged user:
sudo /opt/eset/eea/sbin/collect_logs.sh

3.Open a support ticket with your local ESET distributor and send them the collected logs.

4.Disable activation logs by executing the following command as a privileged user:
sudo /opt/eset/eea/sbin/ecp_logging.sh -d -f

[linuxhitman 0]

First thing I noticed is that I must have picked the wrong package to install. I installed efs-8.0.375.0.x86_64.rpm which does not have the utility listed.  Once the other package -- eea-8.0.3.0-el7.x86_64.rpm -- was installed, I tried again.  Same error

I did find this in the logs:
 

Apr 15 10:48:56 scageosocket01d.lereta.net licensed[56507]: ESET Endpoint Antivirus Error: Cannot receive data from server: Network is unreachable

Apr 15 10:48:56 scageosocket01d.lereta.net licensed[56507]: ESET Endpoint Antivirus Error: Activation failed in association.

Apr 15 10:48:56 scageosocket01d.lereta.net licensed[56507]: ESET Endpoint Antivirus Error: Activation was not successful: 0x4e26

Any idea what server the software is trying to go to? It may need to be whitelisted at the firewall.

I can see an established connection to 38.90.226.51 on port 8883. The certificate from that IP and port identities it as epns.eset.com which has at least two IPs -- 38.90.226.51 and 91.228.165.145.

[kurco 9]

Hi,

@Marcos sadly script from above steps is not present in EFS package (your steps are from EEA). But still there is possibility to enable ecp logging.

But firstly, @linuxhitman what kind of distribution are you using? For enabling ECP logs you need to proceed according this steps:

1) stop efs service

2) edit this file: /var/opt/eset/efs/licensed/license_cfg.json (this file is created after first activation attempt, also when it fails with association)

2.1) change "Logging": false -> "Logging": true

2) start efs service

3) run again activation through lic utility

4) logs should appear in this folder: /var/opt/eset/efs/licensed/ecp

5) collect all xml files and please attach these files here, I will look if there is something suspicious on first sight.

Maybe also tcpdump from activation could help, if you are able to provide it.

Thanks.

[Marcos 4,693]

For a list of addresses and ports that ESET products communicate with and must be allowed on a firewall, please read https://support.eset.com/en/kb332.

[linuxhitman 0]

@kurco

The dump was good idea.  It established to a high degree of confidence that traffic is being blocked.  I see SYN packets to 91.228.166.181:80 leaving but no SYN-ACK packets come back.  This may have to wait unitl the firewall admin gets back from Arizona.  At elat unitl tomorrow morning...

 

Edited April 15, 2021 by linuxhitman

[kurco 9]

@linuxhitman

Looks like this communication issues could be really the cause of activation fails. Please let us know, if firewall rules resolves it. If not we will investigate it further.

 

[linuxhitman 0]

OK, it was definitlly that the communal NAT IP could not talk to servers in Slovakia.  Why is a mystery of the Cisco Firepower security model.

The next step is to create a proxy so how do I configure your software to use a proxy?

[Marcos 4,693]

You will need to configure the proxy in agent and Endpoint via a policy.

As for the ESET PROTECT server, proxy can be set up in the server settings.

[linuxhitman 0]

Policy implies Windows.  These are being installed on Linux.  Specifically, CentOS and Oracle Linux.

Does this means I cannot just set up an Apache proxy and point the individual installations to it?

[Marcos 4,693]

Is it that EFS doesn't report to ESET PROTECT? If so, you should be able to configure the proxy via a policy as shown below:

[linuxhitman 0]

Oh.  I see now.  You didn't mean a policy in AD but in ESET Protect. I'll give it a try.

[linuxhitman 0]

Finally have some time to test eset with a proxy.  I set it up based on the instruction at https://help.eset.com/esmc_install/72/en-US/http_proxy_installation_linux.html.

I deactivated one of my test boxes in the "trusted" network from the console (https://eba.eset.com/ba/devices). I then tried to run /opt/eset/efs/sbin/lic to register it again but there does not appear to be an option to specify a proxy to handle the request.

$ sudo /opt/eset/efs/sbin/lic --help
Usage: lic [OPTIONS..]
ESET File Security License management utility

Options:
  -s, --status             Activation status
  -k, --key=VALUE          Activation using a License Key
  -f, --file=FILE          Activation using an offline license file
  -u, --username=USERNAME  Activation using ESET Business Account or ESET
                             License Administrator
  -i, --pool-id=VALUE      Pool Id
  -p, --public-id=VALUE    Public Id
Common options:
  -h, --help               show help and quit
  -v, --version            show version information and quit

Copyright © 1992-2021 ESET, spol. s r. o. All rights reserved.
To report issues, please visit hxxp://www.eset.com/support

I can register via a static one-to-one NAT but that is impractical except for a tiny number of machines. Even if I had that many public IPs to burn I certainly do not want the inside servers exposed to the Internet like that.

Can someone point me to a resource explaining how to get a server to register via a proxy?  If there is another path I am listening.

[MartinK 375]

Is there any reason or limitation, why you are not using standard web GUI of product to configure HTTP proxy there? In case local web gui is not accessible, there should be also possibility to configure HTTP proxy via policies from  ESMC or PROTECT management consoles.

[linuxhitman 0]

Thanks for the help and I was able to get a node registered.  However, the word came down today that management has decided to use Microsoft Defender for Endpoint.

[Marcos 4,693]

3 hours ago, linuxhitman said:

Thanks for the help and I was able to get a node registered.  However, the word came down today that management has decided to use Microsoft Defender for Endpoint.

That's unfortunate since ESET typically outperforms Defender in performance, detection and FP tests.