Eset Endpoint v8.1 LiveGrid connection problem


Orionz

  • Administrators
8 hours ago, vanroy said:

Cloud Communication module 1122 is only for EES 8.1 or all Business solutions for Windows?

It's for all ESET products for Windows. They all use the same modules.


Just popping in to say that this has been affecting my clients for a while as well. Seems completely random, I'll have a PC or two pop up in the Protect console showing that LiveGrid is not accessible. Always clears up with a reboot. No idea what's causing it and it hasn't really been a big enough issue for me to compose a new thread about it. But it's been going on for months. Outbound tcp/udp 53535 is open. Identical 8th gen Intel/Win10 PCs across the board. Users spread across 5 physical locations in three states.

I'll try to grab some data next time it occurs.


  • Administrators
11 minutes ago, Cousin Vinny said:

I'll try to grab some data next time it occurs.

Please enable advanced antispam logging in the advanced setup -> tools -> diagnostics and wait until the error occurs. Then disable logging, collect logs with ESET Log Collector and provide the generated archive. Also let us know if the machines connect via VPN and if they are connected to the Internet both via wi-fi and wire.


9 minutes ago, Marcos said:

Please enable advanced antispam logging in the advanced setup -> tools -> diagnostics and wait until the error occurs. Then disable logging, collect logs with ESET Log Collector and provide the generated archive. Also let us know if the machines connect via VPN and if they are connected to the Internet both via wi-fi and wire.

Sure no prob.

Remote machines do connect over VPN and there are a number of local machines in the same building as me that exhibit the behavior as well (this is not a local VPN to the device, the offices are hub/spoke). These machines are all hardwired and currently running Win10 v10.0.19042.1288. I saw it happen to two machines earlier today so the environment is still susceptible to the issue.


Didn't have a chance to turn on logging yet but I have a machine unable to connect to LiveGrid today.  This machine in particular has been powered on for the past four days.  Event was triggered upon user logon this AM.

Here's the Windows event log just prior to the warning being reported:

2021 Oct 22 07:15:10
The ESET LiveGrid® servers cannot be reached

Information    10/22/2021 7:15:07 AM    Kernel-General    16    None
The access history in hive \??\C:\Users\-------\AppData\Local\Microsoft\Windows\UsrClass.dat was cleared updating 2998 keys and creating 455 modified pages.

Information    10/22/2021 7:15:07 AM    Kernel-General    16    None
The access history in hive \??\C:\Users\-------\ntuser.dat was cleared updating 2588 keys and creating 342 modified pages.

Information    10/22/2021 7:15:07 AM    Winlogon    7001    (1101)
User Logon Notification for Customer Experience Improvement Program


  • 3 weeks later...
On 9/4/2021 at 5:39 AM, tbsky said:

So you mean if you block ESET client to ESET servers (except port 53535), then it will work fine? That's interesting.

No, exactly the opposite.

Even though on my FW I didn't get any notification that traffic was blocked, I opened specific access to ESET servers on port 53535 only, and everything was back to normal!

:)

The strange thing I wanted to share is that I got NO indication that traffic was blocked...

BUT after opening the ports/URL that ESET recommended, all was back to normal!

Hope it helped, 
Panagiotis


  • 2 months later...

Was anyone able to make it work with a Fortigate firewall using policies? I used the premade "ESET-Eset.Service" as destination IPs and everything works fine besides LiveGrid.


  • Administrators
1 hour ago, Orionz said:

Was anyone able to make it work with a Fortigate firewall using policies? I used the premade "ESET-Eset.Service" as destination IPs and everything works fine besides LiveGrid.

Isn't it possible to create filtering exceptions on the Fortigate firewall for IP addresses listed at https://support.eset.com/en/kb332 ?


They assure that all IPs mentioned in kb332 are listed in this service, that's why I'm asking here: was anyone able to get LiveGrid working with this service?

As far as I know ESET-Eset.service should contain 675 entries covering 1670 IPs.

   

  • Administrators

We have received a confirmation from a user that removing http inspection on the firewall resolved LiveGrid connection issues.


  • Administrators
54 minutes ago, kingoftheworld said:

Has this been isolated to customers using Fortigates?

So far we've got a confirmation in one case where a Fortigate firewall was causing the issues.


I fixed this a while ago and forgot to update here.

I'm also doing content inspection and if I remember correctly the https proxy was stripping unrecognized response headers and that resulted in the loss of connection to LiveGrid. I just had to allow those header fields through the proxy and everything has been fine since. I am not using a Fortigate.

I'm like, 90% sure this is what the problem was.


1 hour ago, Marcos said:

So far we've got a confirmation in one case where a Fortigate firewall was causing the issues.

Thank you for the response.  In that case, do you know if Fortinet support was contacted for the issue?

Edited by kingoftheworld

On 1/27/2022 at 5:57 PM, Cousin Vinny said:

I fixed this a while ago and forgot to update here.

I'm also doing content inspection and if I remember correctly the https proxy was stripping unrecognized response headers and that resulted in the loss of connection to LiveGrid. I just had to allow those header fields through the proxy and everything has been fine since. I am not using a Fortigate.

I'm like, 90% sure this is what the problem was.

Can you share your configuration?


9 minutes ago, John PW said:

Can you share your configuration?

Sorry I posted that without realizing it could be confusing.

I was talking about my UTM's proxy, not the ESET firewall.

If you have a firewall/UTM at the perimeter running an http/s proxy that is configured to strip unrecognized response headers, this is where you would make the configuration change.

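An added example, not part of the original posts and not ESET's or any firewall vendor's code: one way to confirm that an inspecting proxy is stripping or rewriting response headers is to capture the same response on both sides of the proxy and diff the header sets. The two captures and the X-Vendor-* header names are constructed placeholders, since the thread does not name the proprietary headers.

```python
from collections import defaultdict

# Constructed captures (not real LiveGrid traffic): the same response as sent
# by the server and as received behind an inspecting proxy. The X-Vendor-*
# names are placeholders; the thread does not name the proprietary headers.
UPSTREAM = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: application/octet-stream\r\n"
    "Content-Length: 128\r\n"
    "X-Vendor-Session: 7f3a\r\n"
    "X-Vendor-Proto: 2\r\n"
    "\r\n"
)
DOWNSTREAM = (
    "HTTP/1.1 200 OK\r\n"
    "content-type: application/octet-stream\r\n"
    "Content-Length: 128\r\n"
    "Via: 1.1 utm-proxy\r\n"
    "X-Vendor-Proto: 1\r\n"
    "\r\n"
)

def parse_headers(raw):
    """Return {lowercased name: [values]} from a raw HTTP response head."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = defaultdict(list)
    for line in head.split("\r\n")[1:]:      # skip the status line
        name, sep, value = line.partition(":")
        if sep:                               # ignore malformed lines
            headers[name.strip().lower()].append(value.strip())
    return dict(headers)

def diff_headers(upstream_raw, downstream_raw):
    """Classify what an intermediary did to the response headers."""
    up, down = parse_headers(upstream_raw), parse_headers(downstream_raw)
    return {
        "stripped": sorted(set(up) - set(down)),
        "added": sorted(set(down) - set(up)),
        "modified": sorted(n for n in set(up) & set(down) if up[n] != down[n]),
    }

if __name__ == "__main__":
    for kind, names in diff_headers(UPSTREAM, DOWNSTREAM).items():
        print(f"{kind}: {', '.join(names) or '-'}")
```

Header names are compared case-insensitively, so a proxy that only re-cases a name is not reported; anything under "stripped" or "modified" is a candidate for an exception in the proxy's header policy.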

  • Administrators
9 minutes ago, SteveKwok said:

I also have this annoying issue. Is this confirmed to be an issue with Fortigate?

It doesn't have to be necessarily caused by Fortigate but by any firewall or proxy that can block or intervene in the communication when performing http/https inspection.


5 hours ago, Marcos said:

It doesn't have to be necessarily caused by Fortigate but by any firewall or proxy that can block or intervene in the communication when performing http/https inspection.

Judging by the number of posts in this page, is ESET planning on any fixes on their end to change the response from these servers to avoid this issue?  As someone from ESET previously mentioned, there was a change in the LiveGrid components between versions 7 and 8 which is when this started becoming a problem.


  • Administrators
14 minutes ago, kingoftheworld said:

Judging by the number of posts in this page, is ESET planning on any fixes on their end to change the response from these servers to avoid this issue?  As someone from ESET previously mentioned, there was a change in the LiveGrid components between versions 7 and 8 which is when this started becoming a problem.

The change was vital for LiveGrid to work. The configuration and creation of exceptions will probably become easier later this year when we will introduce a new hub. More information on this should be available later this year.


  • ESET Moderators
24 minutes ago, kingoftheworld said:

Judging by the number of posts in this page, is ESET planning on any fixes on their end to change the response from these servers to avoid this issue?  As someone from ESET previously mentioned, there was a change in the LiveGrid components between versions 7 and 8 which is when this started becoming a problem.

I may confirm that we are working on changes in the protocol.

The dev team plans to simplify it and remove our proprietary headers / header values.

Anyway, it is needed to have the traffic allowed and to make sure that http inspection solutions do not block / modify it...

Peter

P_EESW-8218


  • 2 weeks later...
  • ESET Moderators

Hello guys,

Direct Cloud communication module 1124 is available on the pre-release update channel.

The communication protocol has been simplified in it to improve compatibility especially with http inspection solutions.

If you use any and you are still receiving warnings like

On 10/22/2021 at 3:16 PM, Cousin Vinny said:

The ESET LiveGrid® servers cannot be reached

try to switch to pre-release updates and let us know if the Direct Cloud communication module 1124 resolved the issue for you.

Peter


1 hour ago, Peter Randziak said:

Hello guys,

Direct Cloud communication module 1124 is available on the pre-release update channel.

The communication protocol has been simplified in it to improve compatibility especially with http inspection solutions.

If you use any and you are still receiving warnings like

try to switch to pre-release updates and let us know if the Direct Cloud communication module 1124 resolved the issue for you.

Peter

While I can't switch my entire environment to the pre-release, I did change my test machines and it resolved the issue. How long will it be in the pre-release before going to the main channel?


  • ESET Moderators
4 minutes ago, kingoftheworld said:

While I can't switch my entire environment to the pre-release, I did change my test machines and it resolved the issue. How long will it be in the pre-release before going to the main channel?

Thank you for trying it out and sharing the positive results with us.

 

The release to the standard update channel is expected next Monday (February 21), if everything goes well.

Peter


  • 1 month later...

Based on the data we've collected regarding these alerts over the past two months, it seems that it's only devices that are connected to remote/home/wifi networks that are logging "The ESET LiveGrid servers cannot be reached" warnings. This leads me to believe that it is a network connectivity issue causing the alert.

Can you advise what thresholds are applied to the alerts (e.g. how many connection failures over what period before the alert is generated), and whether these thresholds can be adjusted?


This topic is now closed to further replies.