Eset Endpoint v8.1 LiveGrid connection problem

[Panagiotis Karaberis 0]

Hello to everyone,

I have the same problem with lot of friends over here, with the newer ver of EEA (antivirus product) and EES (firewall)

Got messages that indicated 

(a) Limited Direct Cloud Connectivity 
(b) The ESET LiveGrid servers cannot be reached

Following the KB from ESET, 
https://support.eset.com/en/kb332-ports-and-addresses-required-to-use-your-eset-product-with-a-third-party-firewall?ref=esf
I've tested /monitored my firewall and got no indication of blocked ports (especially on TCP/UDP 53535 ....) on any request coming from my clients !!

BUT nevertheless, I create a new rule on my firewall (I'm using WatchGuard M470), allowing access to all *.eset.com and *.e5.sk servers, ONLY on those specific ports (TCP & UDP 53535), and by a magic way, everything was working again ! 

Really don't know how ESET is "controlling" the access to those services, and got no idea why they changed the previous behavior without prior notice ... 

Anyway, I just wanted to share my experience with everyone else that got same problem , and I hope you will find a similar way to overcome this, 

Regards
Panagiotis

 

[tbsky 8]

19 hours ago, Panagiotis Karaberis said:

BUT nevertheless, I create a new rule on my firewall (I'm using WatchGuard M470), allowing access to all *.eset.com and *.e5.sk servers, ONLY on those specific ports (TCP & UDP 53535), and by a magic way, everything was working again !

so you mean if you block Eset client to Eset servers (except port 53535), then it will work fine?  that's interesting.

[HexousKoneko 0]

Any update to this issue? I still keep getting the "The ESET LiveGrid servers cannot be reached" notification over and over again and its getting really annoying.

 

[Marcos 4,845]

16 minutes ago, HexousKoneko said:

Any update to this issue? I still keep getting the "The ESET LiveGrid servers cannot be reached" notification over and over again and its getting really annoying.

Please read the above post by @Panagiotis Karaberis.

You can enable advanced antispam logging under Tools -> Diagnostics, wait until the notification pops up, disable logging and collect logs with ESET Log Collector. When done, upload the generated archive here.

[Tobias 1]

Hi, we have multiple locations with seemingly random PC's showing this issue. reinstalling did not resolve the error. 

Any chance this is a problem in a new ESET Endoint update? 

[Marcos 4,845]

5 minutes ago, Tobias said:

Hi, we have multiple locations with seemingly random PC's showing this issue. reinstalling did not resolve the error. 

Any chance this is a problem in a new ESET Endoint update? 

Please enable advanced antispam logging under Tools -> Diagnostics in the advanced setup and wait until the error occurs. Then disable logging, collect logs with ESET Log Collector and upload the generated archive here.

Are those machines behind a firewall? Do they connect directly to the Internet or through a proxy server? Are they always in the same network?

[Tobias 1]

1 hour ago, Marcos said:

Please enable advanced antispam logging under Tools -> Diagnostics in the advanced setup and wait until the error occurs. Then disable logging, collect logs with ESET Log Collector and upload the generated archive here.

Are those machines behind a firewall? Do they connect directly to the Internet or through a proxy server? Are they always in the same network?

Hi marcos,

machines are all behind different Watchguard firewalls with different ISP's but they stay the same per machine. The error does not appear on my own machine(also watchguard firewall) with the same installation and the same connection to our own Protect server, and i dont have this issue. 

I dont have direct acces to the computers, so retrieving those logs is impossible at this time.

[ocornet 0]

On 7/19/2021 at 11:57 AM, Marcos said:

With Endpoint 8.1 the communication with LiveGrid has changed and instead of DNS it is now carried out via TCP and UDP on port 53535. In case of using an http proxy, you don't need to open communication on port 53535 but the proxy needs to have http tunnel to avcloud.eset.sk:53535 allowed.

Dear Marcos,

I'm also experiencing this annoying Live Grid pop message, but on EIS product.
Reading your quoted post where you mention avcloud.eset.sk, I did try to resolve the domain and I got no answer for him, this domain cannot be resolved, 8.8.8.8 is main Google DNS server.

Olivier

❯ dig avcloud.eset.sk @8.8.8.8

; <<>> DiG 9.16.15-Debian <<>> avcloud.eset.sk @8.8.8.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 53883
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;avcloud.eset.sk.               IN      A

;; AUTHORITY SECTION:
eset.sk.                1800    IN      SOA     dns1.p04.nsone.net. domains.eset.com. 1631081630 3600 600 604800 3600

;; Query time: 40 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Sat Sep 11 12:24:18 CEST 2021
;; MSG SIZE  rcvd: 114

 

Edited September 11, 2021 by ocornet

[Marcos 4,845]

31 minutes ago, ocornet said:

I'm also experiencing this annoying Live Grid pop message, but on EIS product.
Reading your quoted post where you mention avcloud.eset.sk, I did try to resolve the domain and I got no answer for him, this domain cannot be resolved, 8.8.8.8 is main Google DNS server.

Please enable advanced antispam logging under Tools -> Diagnostics, reproduce the error, disable logging, collect logs with ESET Log Collector and finally upload the generated archive here.

[ocornet 0]

31 minutes ago, Marcos said:

Please enable advanced antispam logging under Tools -> Diagnostics, reproduce the error, disable logging, collect logs with ESET Log Collector and finally upload the generated archive here.

Dear Marcos,

How the logs would give you informations on the fact that the domain avcloud.eset.sk cannot be resolved ??
Domain resolution have nothing to do with ESET application.
I'm not willing to send logs as I don't know which informations are gathered.

Regards,

Olivier

[Marcos 4,845]

I assume that a colleague of mine made a mistake and meant avcloud.e5.sk. Anyways, the logs would yield more details on the issue.

[Scene 0]

We're using Protect Cloud and are intermittently receiving these warnings randomly on user machines (who all work from home). I had to apply a firewall rule policy within Protect Cloud to stop the warning.

The client machines are all running ESET Endpoint Security which takes over and disables Windows Defender Firewall. None of the servers have had the warning and the server client does not override the Windows firewall, which means ESET is blocking itself from acccessing LiveGrid.

[Marcos 4,845]

24 minutes ago, Scene said:

We're using Protect Cloud and are intermittently receiving these warnings randomly on user machines (who all work from home). I had to apply a firewall rule policy within Protect Cloud to stop the warning.

You can enable advanced antispam logging in the advanced setup -> tools -> diagnostics and wait until the error occurs. We will check the logs and provide time periods when there was an issue communicating with ESET's servers. Maybe it will give a clue about what was going on with the machines at that time.

[Scene 0]

I have enabled it on my machine for the time being and will monitor. I did see the LiveGrid warning flag up for me even with the rules in place, so it will be interesting to see what the logs record if it happenes again.

[HexousKoneko 0]

On 9/5/2021 at 12:50 AM, Marcos said:

Please read the above post by @Panagiotis Karaberis.

You can enable advanced antispam logging under Tools -> Diagnostics, wait until the notification pops up, disable logging and collect logs with ESET Log Collector. When done, upload the generated archive here.

Heres the logs i collected

eis_logs.zip

[vanroy 0]

Hello, @Marcos 

Same issue on multiples clients 8.1 not firewall, not proxy, not blocking any traffic. 

What is the solutions? 

 

Best

[Marcos 4,845]

On 10/13/2021 at 4:57 PM, HexousKoneko said:

Heres the logs i collected

DNS resolution started to fail at 20:08 and it had been failing for 2 hours until logging was disabled. Offline state was detected.

Resolving hostname 'avcloud.e5.sk' failed
SendAndReceive failed: offline

Was the computer disconnected from the Internet at that time?

[Marcos 4,845]

10 hours ago, vanroy said:

Hello, @Marcos 

Same issue on multiples clients 8.1 not firewall, not proxy, not blocking any traffic. 

What is the solutions?

Can you resolve avcloud.e5.sk on that machine when the issue occurs?

Please enable advanced antispam logging in the adv. setup -> tools -> diagnostics, reproduce the issue, then disable logging, collect logs with ESET Log Collector and upload the generated archive here.

[HexousKoneko 0]

1 hour ago, Marcos said:

DNS resolution started to fail at 20:08 and it had been failing for 2 hours until logging was disabled. Offline state was detected.

Resolving hostname 'avcloud.e5.sk' failed
SendAndReceive failed: offline

Was the computer disconnected from the Internet at that time?

No, internet connection is 24/7 always connected, im working at home using remote desktop during this hour so its impossible that the internet connection is disconnected that time.

[Marcos 4,845]

23 hours ago, HexousKoneko said:

No, internet connection is 24/7 always connected, im working at home using remote desktop during this hour so its impossible that the internet connection is disconnected that time.

Looks like that the domain cannot be resolved via CloudFlare DNS when you are connected through VPN. If you are not connected through VPN does it work?

When you are connected through VPN, are you able to resolve any other hostnames? E.g. run "nslookup www.eset.com 1.1.1.1" or "nslookup www.google.com 2606:4700:4700:0000:0000:0000:0000:1111". 

Please enable advanced antispam logging once again but now after 1-2 minutes disconnect from VPN, after 1-2 minutes connect through VPN and repeat this about 3 times. We'd need to see how name servers are changing with with VPN connected and disconnected. Please provide times when you connected and disconnected from VPN.

[Marcos 4,845]

Please switch to the pre-release update channel to download Direct Cloud Communication module 1122 which contains a logic for cases when DNS resolution is failing through all available name servers like in your case when CloudFlare name servers were used. Let us know if it resolves the issue for you. The module will be released for general public in a couple of days.

[Scene 0]

I just saw the LiveGrid alert pop up again, and so decided to try pinging all the listed umXX.eset.com hostnames and the avcloud.e5.sk hostname.

I was getting successful ping returns from the avcloud.e5.sk and the umxx.eset.com hostnames up until um14.eset.com, where upon it timed out a couple of times and then resolved on the 3rd attempt. As soon as it resolved the warning disappeared. Note that I was also using a remote VPN to connect to the company domain at the time.

Edited October 20, 2021 by Scene

[HexousKoneko 0]

On 10/19/2021 at 9:39 PM, Marcos said:

Please switch to the pre-release update channel to download Direct Cloud Communication module 1122 which contains a logic for cases when DNS resolution is failing through all available name servers like in your case when CloudFlare name servers were used. Let us know if it resolves the issue for you. The module will be released for general public in a couple of days.

So I just reconfigured my VPN server and my PC/Router to use Google DNS instead of Cloudflare. 2 days has passed and the problem seems went away. Ill wait a few more days to confirm its a fix.

[Marcos 4,845]

1 hour ago, HexousKoneko said:

So I just reconfigured my VPN server and my PC/Router to use Google DNS instead of Cloudflare. 2 days has passed and the problem seems went away. Ill wait a few more days to confirm its a fix.

Could you try setting up CloudFlare DNS again and see how it works with the Direct Cloud Communication module 1122? This module remembers the last working DNS server and uses it instead of the current one if it's failing.

[vanroy 0]

On 10/19/2021 at 8:39 AM, Marcos said:

Please switch to the pre-release update channel to download Direct Cloud Communication module 1122 which contains a logic for cases when DNS resolution is failing through all available name servers like in your case when CloudFlare name servers were used. Let us know if it resolves the issue for you. The module will be released for general public in a couple of days.

Hi 

Cloud Communication module 1122 is only for EES 8.1 or all Business solutions for windows?