Jump to content

ESET Protect 8.0 (on-prem) auto-updated all Endpoint Antivirus 8.x notebooks today


st3fan
 Share

Recommended Posts

Hi everyone

When I logged onto the PROTECT web console today, I noticed quite a few yellow warnings, saying "device restart recommended" and "...newer version is prepared. Restart your computer". I looks as if all our Endpoint Antivirus 8.x endpoints have been updated automatically to the most recent 8.x version. First time seeing this.

I thought that these auto-updates only apply to PROTECT 9.x and not to 8.x. And I thought this only impacts endpoint version 9.x but not 8.x. Does anyone understand what is going on? I emailed Support but they were just as surprised.

I have reviewed the ESET Endpoint for Windows policy. There is an auto-updates option that is disabled (and this one clearly says that it only applies to version 9.0 and higher anyway. And then there is another section for "Product Updates" where "Update mode" is set to "Never update". This one only seems to apply to version 8.x and lower. And then there is a "pause auto-updates" setting (disabled) but that also only applies to version 9.0 and higher.

Please advise what is going on and how I can stop these auto-updates for 8.x endpoints connected to PROTECT 8.0. Thank you!

Regards, Stefan

 

 

Link to comment
Share on other sites

I suddenly face this problem too without any changing in my policies. this alert appears on my devices which has endpoint security 8.0.2028.0. auto update feature is disable. I guess this is related to end of life of this product.

Link to comment
Share on other sites

  • Administrators

This was a security and stability update, meaning that the only change was a fix of a vulnerability.

Security and stability updates are applied automatically.

Link to comment
Share on other sites

so that should all of my systems restart once again? is it related to something change in my policy or console?

Link to comment
Share on other sites

  • ESET Moderators

Hello guys,

the "Security and Stability Hotfixes" are described at https://support.eset.com/en/kb2256-what-are-the-different-eset-product-update-and-release-types#SecurityStabilityHotfix

"Security and Stability Hotfixes address critical issues and ensure the maximum security and stability of your ESET product. The timing of hotfixes is determined entirely by their security impact.

Security and Stability Hotfixes are distributed in the same way as uPCU updates. However, users cannot disable automatic Security and Stability Hotfixes (even when they disable regular uPCU updates) due to their nature and importance.

Before installing the Security and Stability Hotfix, your ESET product may display "Security Alert. Restart required." or "Security and stability update to newer version is prepared. Restart your computer for all changes to take effect". If you have more updates pending before a restart, your ESET product will update automatically to the latest version and install all hotfixes."

Regards, Peter

Link to comment
Share on other sites

Wow, thanks for clarifying this @Peter Randziak.

Am I correct in assuming that this will not impact endpoint version 7.x and only 8.x and higher?

Can this also impact ESET Server Security or only ESET Endpoint Antivirus?

Link to comment
Share on other sites

Has there been any information on if clients that only use a mirror server will receive these updates in v8 and v9? I know the question was posted in another thread a while back, but I don't think there was ever a response.  We have a number of clients that are not accessible to the Internet and only pull updates from an internal server and we would like for them to auto-update like the rest of our environment. 

Link to comment
Share on other sites

  • ESET Moderators

Hello @st3fan,

release for EEA/EES 7.3 is planned as well, but as of now without a uPCU

When it comes to release of ESET security products for Windows servers this time it will be released in a way to allow to skip or postpone the upgrade.

Peter

Link to comment
Share on other sites

@Peter Randziak / @Marcos one more question please. All our endpoints had version 8.1.2031.0 installed. Some of them updated to 8.1.2031.3 whereas others have updated to 8.1.2037.9. What is this dependent on and why is this not consistent?

Link to comment
Share on other sites

  • ESET Moderators
2 hours ago, st3fan said:

@Peter Randziak / @Marcos one more question please. All our endpoints had version 8.1.2031.0 installed. Some of them updated to 8.1.2031.3 whereas others have updated to 8.1.2037.9. What is this dependent on and why is this not consistent?

As far as I know the upgrades should be applied in a way to minimize the changes i.e. to continue only that one security fix.

Link to comment
Share on other sites

3 hours ago, Peter Randziak said:

As far as I know the upgrades should be applied in a way to minimize the changes i.e. to continue only that one security fix.

hmm ok. We didn't have any 8.1.2037.2 endpoints in our environment. That's why I am a bit surprised that some were upgraded to 8.1.2037.9 instead of 8.1.2031.3. This does not make sense to me. There were quite a few other fixes in version 8.1.2037.2 that are not related to security at all.

I don't feel comfortable with these automatic updates to be honest, especially if this is not consistent. Please correct me if I am wrong but according to the documentation and your feedback, endpoints on 8.1.2031.0 should never be auto-updated to 8.1.2037.9 They should only be auto-updated to 8.1.2031.3.

Link to comment
Share on other sites

  • ESET Moderators

Hello @st3fan,

yes they should not, but by our mistake the builds 8.0.2039.0 and 8.1.2037.2 were released as as hotfix by our mistake so some of the customers were upgraded to them.

I hope it didn't cause you any severe issues.

The "Security and Stability Hotfixes" should be released rarely, but I would for sure to use the standard upgrades as well.

They help a lot top keep the fleet up to date and the technology behind them is great from my experience.

They are being applied on system reboot so the system is protected all the time, are small and very reliable...

Regards, Peter

Link to comment
Share on other sites

Hello @Peter Randziak

Thanks for clarifying this. This highlights the dangers of this approach in my opinion.

On servers we use ESET Server Security 8.0.12010.0. All our servers have now received an automatic update too. They all appear red in the web console, saying that a device restart is required and that a "Security and stability update to newer version is prepared". 

Version 8.0.12010.0 does contain the security fix. Version 8.0.12011.0 does not contain security fixes according to the changelog.

Please, what on earth is going on here and how can we stop this? This should not happen unannounced and unplanned, certainly not on servers.

 

Link to comment
Share on other sites

This only seems to affect ESET Server Security version 8.0.12010.0.

8.0.12003.0 has not received any automatic updates from what I can see.

8.0.12010.0 has been updated to 8.0.12011.0.

Please advise what is going on @Peter Randziak and how we can avoid this from happening again. Thank you.

 

 

 

Link to comment
Share on other sites

  • ESET Moderators
3 hours ago, st3fan said:

Version 8.0.12010.0 does contain the security fix. Version 8.0.12011.0 does not contain security fixes according to the changelog.

The changelogs are differential, so higher version contains the fixes from the previous ones.

The upgrade has been released with a spread control, so the distribution is gradual.

Note that the old version protects the server, the upgrade is applied on reboot so you can decide when you will reboot it and apply it.

Peter

Link to comment
Share on other sites

But aren't you contradicting yourself? Based on your previous comment, I assumed that automatic updates should only apply to builds where security vulnerabilities were fixed? Did I misunderstand you?

I can understand if servers are forced to version 8.0.12010.0 since this version contains a fix for CVE-2021-37852.
But I cannot understand why they would be forced to version 8.0.12011.0.

Does version 8.0.12011.0 contain security fixes that would justify the auto-update? Yes I understand that version 8.0.12011.0 also includes the fix for CVE-2021-37852 but my point is that servers should only be auto-updated to version 8.0.12010.0 in order to receive the security fix for CVE-2021-37852 - and not to version 8.0.12011.0.

It takes weeks for us to evaluate and test new ESET versions. I do not feel comfortable this way. There is no way for us admins to evaluate and test newer versions anymore. As soon as we reboot, we are on the latest versions. We have zero control - and it should not be this way.

Link to comment
Share on other sites

On 1/28/2022 at 11:51 AM, Peter Randziak said:

When it comes to release of ESET security products for Windows servers this time it will be released in a way to allow to skip or postpone the upgrade.

Peter

Please advise how we may skip this?

Link to comment
Share on other sites

  • ESET Moderators

Hello @st3fan,

If the question is why we released this version, even if it does not carry a critical update I assume we decided to do so because of further fixes it contains like “Fixed: Incorrectly displayed AMSI alert when changing the advanced scanning of browser scripts”.

This was a quite bad UX bug and I think many users won't be happy if we would keep it there, especially when delivered by automatic upgrade...

 

I understand the you want to have it under control, as you are responsible for the infrastructure. 

The upgrades are necessary to keep the maximal level of protection and experience for our users. 

 

As far as I know, the upgrade window should have the options available.

May I ask why you would like to skip the upgrade? 

You can let in in waiting state until you reboot the server for example during the monthly OS patching.

Link to comment
Share on other sites

2 hours ago, Peter Randziak said:

You can let in in waiting state until you reboot the server for example during the monthly OS patching.

Customers running Server Protect 8.0.12003.0 don't see the critical update. Neither 8.0.12010 nor 8.0.12011. So there is no "waiting state" for those. Is this still an intended delay caused by "spread control"?

Edited by Sec-C
Link to comment
Share on other sites

1 hour ago, Peter Randziak said:

May I ask why you would like to skip the upgrade?

I'm not sure about @st3fan's use case, but updates always carry the risk of breaking stuff. Which is why we test new releases before we roll out to thousands of managed devices. Eset has quite a history re-introducing problems that were already fixed in past releases (like here ).

Another point is, that large companies usually have a software managment system that might undo your automatic update (downgrade) - just to watch eset redo the update - creating race conditions and reboots along the way...

So every time you decide to ignore an explicit "do not update automatically" configuration our whole software management team starts to panic...
We love the "waiting state" feature for updates - but PLEASE give us a chance to choose the activation date of this feature by ourself!

In an enterprise environment we justify decisions for/against updates to our management and to our customers - not to Eset.

Edited by Sec-C
Link to comment
Share on other sites

3 hours ago, Peter Randziak said:

This was a quite bad UX bug and I think many users won't be happy if we would keep it there, especially when delivered by automatic upgrade...

This is a perfect example why it should be up to the IT teams to determine whether (and when) an update should be applied.

Link to comment
Share on other sites

  • Administrators

Feature updates are those that introduce new features or fix issues in existing versions that are not critical. These updates are fully under control of administrators; you can even specify at which version product updates will stop until you test a newer version.

Then there are servicing updates with stability and security fixes addressing very specific issues which are based on the code of the existing version that you've been using and do not contain other changes than critical stability and security fixes. These are perfectly stable since the program code has not changed with the exception of fixes. These updates are mandatory, however, currently we offer an option to skip even such critical servicing updates on servers.

Link to comment
Share on other sites

On 2/3/2022 at 10:01 PM, Marcos said:

 however, currently we offer an option to skip even such critical servicing updates on servers.

Can you elaborate? Does that mean that "Product updates -> update mode -> never update" is handled differently on clients and on servers? Or is there a different option to manage auto-update of critical patches on servers? I have not found this in the documentation.

Link to comment
Share on other sites

Guest
This topic is now closed to further replies.
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...