djgera, Posted June 11, 2022

Hello. This happened on 2022/06/07 at around 07:40 GMT.

I have the license (ESET PROTECT Essential On-Prem: ESET Endpoint Antivirus) for a number of machines. Many machines are running Windows 10 Pro (19044.1706) and a few others remain on Windows 7 Pro, all of them with ESET Endpoint Antivirus on the latest version, 9.0.2046.0. They are running 24 hours per day. I do not administer products via any cloud service (like ESET PROTECT), except with EBA, to track license status.

It looks like on some machines (7 of 27) ESET decided that the product was obsolete, then executed a legacy upgrade automatically from 9.0.2046.0 (uninstalling it) to 9.0.2046.0 (installing it from C:\Windows\Temp\eset\bts.session\{UUID}\eea_nt64.msi), leaving the machine waiting to "accept" the license since the "legacy product" was updated.

This was bad, because non-admin users cannot do this step since admin privileges are needed, plus a reboot to work again. So the machines were vulnerable until I could take action. Indeed, I tested with the EICAR file and ESET did not do anything to block it.

On machines where this did not happen, only the executable from the "legacy upgrade" keeps running without doing any action.

To avoid this fault in the future (I guess), all ESET installations are now configured with "Disabled Product Upgrade".

If more information is needed, please let me know.

Marcos (Administrators), Posted June 12, 2022

Could you confirm or deny that the troublesome clients were managed (i.e. had the ESET management agent installed)?

djgera (Author), Posted June 12, 2022

No, all installations of "ESET Endpoint Antivirus" are standalone: no management, no proxy, no mirrors, just plain with default config (only disabled warnings from Windows updates) from the .msi downloaded from ESET [#1]. In fact, my license does not have an "eligible", so I cannot manage endpoints from the cloud.

Thanks.

[#1] https://download.eset.com/com/eset/apps/business/eea/windows/latest/eea_nt64.msi

djgera (Author), Posted June 21, 2022

For now I am tracking on all machines whether this directory [C:\Windows\Temp\eset\] exists, and launching an alert to me. This has not happened again for the moment.

Correction: in the initial comment I said this incident was at 07:40 ART (so in GMT it is 10:40).

djgera (Author), Posted July 11, 2022

Also, I set "SkipLegacyUpgrade" on all machines in order to avoid future wrong upgrades from ESET.

    reg.exe add "HKLM\SOFTWARE\ESET\Legacy Upgrade" /v "SkipLegacyUpgrade" /t REG_DWORD /d "1" /f

Maybe setting a configuration password looks like a good idea, since "upgrade" to the same version is locked without entering the right password.
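
An added example, not written by any poster in this thread and not ESET's own tooling: one way to script the per-machine check described in the posts above, combining the directory watch on C:\Windows\Temp\eset\ with a check that the "SkipLegacyUpgrade" value is in place. The function name, output fields and exit code are hypothetical; the path and registry value are the ones quoted in the thread.

```powershell
# Added example. Path and registry value are taken from the thread;
# the function name, output fields and exit code are hypothetical.
$StagingDir = 'C:\Windows\Temp\eset'
$RegKey     = 'HKLM:\SOFTWARE\ESET\Legacy Upgrade'
$RegValue   = 'SkipLegacyUpgrade'

function Get-LegacyUpgradeStatus {
    param(
        [string]$Path = $StagingDir,
        [string]$Key  = $RegKey,
        [string]$Name = $RegValue
    )

    # The thread reports the reinstall running from
    # bts.session\{UUID}\eea_nt64.msi below this directory.
    $found  = Test-Path -LiteralPath $Path
    $staged = @()
    if ($found) {
        $staged = @(Get-ChildItem -LiteralPath $Path -Recurse -Filter '*.msi' `
                        -ErrorAction SilentlyContinue)
    }

    # A missing key or value counts as "opt-out not set".
    $skip = $null
    $prop = Get-ItemProperty -LiteralPath $Key -Name $Name -ErrorAction SilentlyContinue
    if ($prop) { $skip = $prop.$Name }

    $newest = $staged | Sort-Object LastWriteTimeUtc | Select-Object -Last 1

    New-Object PSObject -Property @{
        Computer         = $env:COMPUTERNAME
        StagingDirFound  = $found
        StagedInstallers = ($staged | ForEach-Object { $_.FullName }) -join '; '
        NewestStagedUtc  = $newest.LastWriteTimeUtc
        SkipValueSet     = ($skip -eq 1)
    }
}

$status = Get-LegacyUpgradeStatus
$status | Format-List

# A non-zero exit code lets a scheduled task or monitoring agent raise the alert.
if ($status.StagingDirFound -or -not $status.SkipValueSet) {
    Write-Warning "Legacy upgrade check flagged $($status.Computer)"
    exit 1
}
exit 0
```

Run it from an elevated scheduled task on each endpoint; the timestamp of the newest staged installer helps line the event up with the time users first saw the license prompt.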