All servers are auto-updated to version 9.0.12013.0 - but why?

[st3fan 6]

We use ESET Protect 9.0.1144.0 and have ESET Server Security 8.0.12011.0 installed on our Windows Servers. Yesterday we started noticing that some of our servers are automatically updated to ESET Server Security 9.0.12013.0. This seems to happen even though we have disabled this new auto-update feature, following these intructions.

I would like to understand why the 9.0.12013.0 update is being rolled out and I hope someone can clarify this for me.

1. According to this article, only ESET Endpoint Antivirus/Security 9.0 and later and ESET security products for Windows Server version 9.0 and later support automatic updates. We currently use ESET Server Security 8.0.12011.0, so why did we receive the automatic update? Sounds to me this is not even supported.

2. According to this article, it is not possible to disable the auto-update for "security and stability" updates. Is ESET Server Security 9.0.12013.0 a "security and stability" update? In the release notes I found this:
- Fixed: Issues with upgrading to the latest product version
- Fixed: Issues to uninstall a product version
- Fixed: Machine deadlock after a reboot

Sounds like it might qualify as a stability update, however, do these bugs and fixes even affect our version 8.0.12011.0?

I am honestly confused about ESET's approach. Half of our servers are now red in the PROTECT console, we have no clue what is happening and no control over this entire process. I would appreciate if someone could explain to me why we are receiving this update in this case, referring to points 1 and 2.

Thanks a lot!
 

[st3fan 6]

Follow-up question: since we generally only reboot servers for Windows updates, is this going to cause problems if both Windows updates and the ESET update is done at the same time?

[Peter Randziak 1,130]

Hello @st3fan,

my colleague tried to reproduce the issue in a testing environment and the automatic upgrade did not happen,

Can you please provide us (via a private message) output from the ESET Log Collector to check for the start?

Peter

[Peter Randziak 1,130]

20 hours ago, st3fan said:

Follow-up question: since we generally only reboot servers for Windows updates, is this going to cause problems if both Windows updates and the ESET update is done at the same time?

It should not, the ESET auto-update is being applied on system reboot.

[st3fan 6]

Hi @Peter Randziak

I messaged you privately. Please advise which logs you need. Thank you.

[st3fan 6]

I will open a support ticket.

[st3fan 6]

Support figured it out. This setting had to be changed to "never update".

Additionally, we've already had the following settings.

 

 

[Marcos 5,070]

For v8 it was necessary to change the above setting to "Auto-update" in order to enable program auto updates (by default it's set to Never update). As of v9, program auto updates are controlled via the Auto-update policy. This policy has no effect on v8 which uses the above mentioned setting.

[st3fan 6]

Assuming v9 is in use on all endpoints. Why is there a need for this policy

if auto-updates can be disabled here

and be paused here?

 

I think I don't quite understand the difference between these settings/options. I would appreciate if you could clarify @Marcos  - thank you.

[Marcos 5,070]

As the labels suggest, the first setting is for v8 which had auto-updates disabled by default ("Never update"). It was not possible to stop program updates at a specific version.

Full updates have been fully supported as of v9 (again, indicated by a label in the policy) and were enabled by default. As of v9 program updates can be only temporarily paused but not disabled. Also a new "Auto-update" policy was assigned to clients.

[st3fan 6]

For anyone else confused by all these options, this might help a bit.