After server migration, endpoints keep duplicating/creating new entries in Eset Protect Server


An Eset tech helped me migrate our database from a Win 2012 server > Win 2022 server late last week (both servers were on version 9). That completed successfully, but when we were done I noticed our number of clients skyrocketed on the new server. We originally had around 470 clients, but post migration it's now showing we have 700+ in the computers 'all' folder. After further scrutiny, those 'new' ones are all duplicates. Interestingly enough, our licenses haven't used any new seats (still using 469), which is good. For the pcs that are duplicating, I can remove all of the entries for such an endpoint, then after several reboots of the tested endpoint during the day it will create multiple entries on the server again.

 

Things I've learned looking into this (and related info):

1) About 95% of our problem (duplicating) endpoints are the half of our pcs that are using a piece of software called Deep Freeze. After a pc is rebooted it goes back to its original configuration. Note that even if I 'thaw' a pc so it remembers its changes between reboots, when I have one of these Deep Freeze pcs reboot it still creates new entries over time. Having/using Deep Freeze isn't something new to our organization either. We've used it for a long time and our old server didn't create duplicates like this.

2) The pcs that are having this issue weren't cloned with Eset installed. We installed it after the clone, so there shouldn't be an overlap with Eset's tracked fingerprints.

3) After the migration we created a DNS alias so when the endpoints try to connect to their Eset server they're redirected to the new one. This works as intended. Additionally, on the old server I stopped and disabled the "Eset Protect server" service.

4) After the migration I also exported/imported the firewall rules from the old server to the new one. Further testing showed that didn't resolve the issue.

5) See attached example of one of our duplicating endpoints

Any idea why this is happening and how I can go about fixing it (having the clients not duplicate themselves over and over in the server gui)?

 

Thanks for your time.

  • ESET Staff

Could you possibly describe what steps were made during the DB migration? I am asking because I cannot imagine how a standard migration of the database would result in this state.

New entries in console are created when:

  • ESET Management Agent is reinstalled -> a new installation would result in a new entry in the console
  • The client task "reset cloned agent" is executed
  • or after significant HW changes are detected on the device

but I am not sure how it worked previously. Still, I would expect it to be independent of the DB version, except that something might have happened that broke the environment during the migration.

Hi MartinK,

Yeah, the tech I worked with (who I'm also messaging) is also perplexed by this. I can't give you a detailed report of his exact steps during the database migration, as he was fluent in the migration procedure while I was not. I mean he downloaded the installer for the new Eset server, installed the components individually (as we first had issues with the automated installer), and also copied/moved/imported the database to the new server. After it was done we tested it and it worked... but with this complication. He thought it would fix itself if I just deleted the duplicates... unfortunately they keep re-appearing/reproducing.

If I inferred from you that it might have been an issue importing the database... if so, could re-importing the database maybe fix this?

Also, by your definition of when new entries are created on the server, in this case they indeed shouldn't be doing this behavior. The endpoints aren't just cloned, have had no new hardware changed on them and didn't have this issue on the previous server (which was running the same ESET PROTECT Server v9 software).

Note: I tested running a "reset cloned agent" task on one of our endpoints that kept duplicating and it appears to have made that endpoint not replicate any further on the new server. However I'm hesitant to run this task on the majority of all of our endpoints/pcs.

 

Where do I go from here? I appreciate your help.

The only other thing I could think of is maybe one of the daily server/client tasks we have running could do this?

 

Client tasks:

1) A CRON using daily "ESET PROTECT Components Upgrade" task that runs on a dynamic group for both staff and public pcs (read the problem group and the non-problem/non-duplicating group). This task automates bringing out of date agents in line with the rest. Note: these dynamic groups only include endpoints with outdated agents.

2) A CRON using daily "Software install task" that runs on a dynamic group to get Eset Antivirus to the latest version. Note: this dynamic group only includes endpoints with outdated Antivirus software.

3) A daily "activate pc" task that runs on a dynamic group that only shows endpoints that weren't activated.

Server task:

1) Daily 'FQDN rename computer' task that runs on the 'lost and found' folder.

 

That's it as far as daily run tasks. Hmm, after reviewing these I don't think they are the culprit. There is no significant overlap with what group of computers they're running on when compared to the ones that are duplicating.
