ESET 10.0.3.0 stable blocks VPN connections on Linux


Hi there,

looks like ESET 10.0.3.0 stable is blocking any VPN connections on Linux.

From the documentation, everything points to ESET PROTECT which I don't have as I'm a home user, not a company https://help.eset.com/eeau/10/en-US/wap_excluded_applications.html so I wouldn't know how to exclude OpenVPN from being blocked. The GUI doesn't seem to allow any kind of configuration and I can't find any command I can put in the terminal to do this.

So... what's the solution?

I've now temporarily disabled the antivirus by stopping the eea service.

Oh, by the way, kernel 6.3.9 is the last supported kernel by ESET 10.0.3.0.

Kernel 6.4.0 and 6.5.0 are not supported and the eea service won't even start.

 


Regarding the kernel issue, this is what happens when the eea service tries to start on any kernel newer than 6.3.9:


 

× eea.service - ESET Endpoint Antivirus
     Loaded: loaded (/usr/lib/systemd/system/eea.service; enabled; preset: disabled)
    Drop-In: /usr/lib/systemd/system/service.d
             └─10-timeout-abort.conf
     Active: failed (Result: exit-code) since Fri 2023-07-14 18:51:00 BST; 1h 2min ago
    Process: 4897 ExecStartPre=/opt/eset/eea/lib/install_scripts/check_start.sh (code=exited, status=2)
    Process: 5576 ExecStopPost=/usr/bin/killall /opt/eset/eea/lib/egui --quiet (code=exited, status=1/FAILURE)
        CPU: 1.012s

Jul 14 18:51:00 router-localhost systemd[1]: eea.service: Scheduled restart job, restart counter is at 5.
Jul 14 18:51:00 router-localhost systemd[1]: Stopped eea.service - ESET Endpoint Antivirus.
Jul 14 18:51:00 router-localhost systemd[1]: eea.service: Consumed 1.012s CPU time.
Jul 14 18:51:00 router-localhost systemd[1]: eea.service: Start request repeated too quickly.
Jul 14 18:51:00 router-localhost systemd[1]: eea.service: Failed with result 'exit-code'.
Jul 14 18:51:00 router-localhost systemd[1]: Failed to start eea.service - ESET Endpoint Antivirus.

 

As far as the VPN issue is concerned, instead, I can send you the log I collected in the /opt/eset/eea/log/eventlog.dat

I can attach it here unless there's anything sensitive. Please let me know if I can safely attach it here.

 

 


  • Administrators

Currently we don't offer any security solution for Linux for home users. Regarding kernel support, I believe this statement still applies: "We do not support a particular kernel in Linux Endpoint products. We only support a particular Linux distribution(s), which means we should support default kernels available there."

As for OpenVPN, it's supported according to https://help.eset.com/eeau/10/en-US/web_access_protection.html. Please raise a support ticket if you have encountered issues with Web access protection and the VPN.


Quote

We do not support a particular kernel in Linux Endpoint products. We only support a particular Linux distribution(s), which means we should support default kernels available there

Yeah, well, you're supporting RHEL and I'm using Fedora which is basically RHEL but upstream, so I guess it's just gonna be a matter of time before support for kernel 6.4.0 gets introduced.

In a nutshell, it's Rawhide -> Fedora -> CentOS -> RHEL

Unfortunately, though, RHEL 9.2 is so downstream (for stability purposes) that its kernel is 5.14.x, to be precise 5.14.0-284.18.1.el9_2.x86_64 while CentOS is at 6.3.x, Fedora is at 6.4.x and Rawhide is at 6.5.x.

Quote

Please raise a support ticket if you have encountered issues with Web access protection and the VPN.

I will, thanks. :)

Quote

we don't offer any security solution for Linux for home users

I know, I know, but at least you kindly migrated all of us here for free (from Nod32), so we're still "hanging around" :P 


Well, I opened the ticket and the reply was a bit disappointing...

 

Quote

Unfortunately Fedora is not a supported operating system and while the software may work when installed, it is not fully tested and we cannot guarantee all functionality will work.

While I am aware that Fedora/RHEL/CentOS are different branches of the same software, there are differences and Fedora is not supported.

 

In other words, the fact that OpenVPN connections are being filtered won't be taken into account as my distro isn't supported.

Luckily my subscription will be up in a month or so (at the end of August if I recall correctly), so it looks like there's no point in renewing it...

It really saddens me 'cause I had no problems for years with the good old NOD32, but given that such a product is dead and that I'm not officially supported on the solution I've been migrated to (ESET Endpoint), I guess I'll just let ESET go.

It's been really nice 'till it lasted, so thank you for all these years together. :')

Edited by FranceBB

  • ESET Moderators

Hello @FranceBB,

I understand your frustration, but from our past experience it was really needed to list systems on which our products have been tested and are supposed to work as expected. With the vast amount of Linux distros it's not feasible to support all of them, as it is a wild place :D 

22 hours ago, FranceBB said:

Unfortunately Fedora is not a supported operating system and while the software may work when installed, it is not fully tested and we cannot guarantee all functionality will work.

Don't tell anyone 😉, but I recommend to set it up on a supported distribution to check if the issue is the same and if yes, report a ticket from it.

I guess that the solution / work-around will be the same for the Linux distribution of your choice 😉 

Peter


I don't know whether it's gonna be quite as easy, but for what it's worth, I have identified the errors in the journal:

ESET Endpoint Antivirus Error: Command AddCertToSystem failed. Internal error
ESET Endpoint Antivirus Critical Error: Protoscan configure failed
eea-user-agent.service: Main process exited, code=killed, status=15/TERM
eea-user-agent.service: Failed with result 'signal'.
Process 8570 (wapd) of user 960 dumped core.
                                                         
                                                         Module libpcre2-8.so.0 from rpm pcre2-10.42-1.fc38.1.x86_64
                                                         Module libcrypt.so.2 from rpm libxcrypt-4.4.36-1.fc39.x86_64
                                                         Module libselinux.so.1 from rpm libselinux-3.5-1.fc39.x86_64
                                                         Module libbrotlicommon.so.1 from rpm brotli-1.0.9-12.fc39.x86_64
                                                         Module libsasl2.so.3 from rpm cyrus-sasl-2.1.28-10.fc39.x86_64
                                                         Module libevent-2.1.so.7 from rpm libevent-2.1.12-8.fc38.x86_64
                                                         Module libkeyutils.so.1 from rpm keyutils-1.6.1-6.fc38.x86_64
                                                         Module libkrb5support.so.0 from rpm krb5-1.21-1.fc39.x86_64
                                                         Module libcom_err.so.2 from rpm e2fsprogs-1.47.0-1.fc39.x86_64
                                                         Module libk5crypto.so.3 from rpm krb5-1.21-1.fc39.x86_64
                                                         Module libkrb5.so.3 from rpm krb5-1.21-1.fc39.x86_64
                                                         Module libunistring.so.5 from rpm libunistring-1.1-3.fc38.x86_64
                                                         Module libz.so.1 from rpm zlib-1.2.13-3.fc38.x86_64
                                                         Module libbrotlidec.so.1 from rpm brotli-1.0.9-12.fc39.x86_64
                                                         Module libgssapi_krb5.so.2 from rpm krb5-1.21-1.fc39.x86_64
                                                         Module libcrypto.so.3 from rpm openssl-3.0.8-2.fc39.x86_64
                                                         Module libssl.so.3 from rpm openssl-3.0.8-2.fc39.x86_64
                                                         Module libpsl.so.5 from rpm libpsl-0.21.2-3.fc39.x86_64
                                                         Module libssh.so.4 from rpm libssh-0.10.5-1.fc39.x86_64
                                                         Module libidn2.so.0 from rpm libidn2-2.3.4-2.fc38.x86_64
                                                         Module libnghttp2.so.14 from rpm nghttp2-1.55.0-1.fc39.x86_64
                                                         Module libcurl.so.4 from rpm curl-8.1.2-1.fc39.x86_64
                                                         Module libprotobuf.so.32 without build-id.
                                                         Module libcommon.so without build-id.
                                                         Module wapd without build-id.
                                                         Stack trace of thread 8570:
                                                         #0  0x00007f40bea8fad4 __pthread_kill_implementation (libc.so.6 + 0x8fad4)
                                                         #1  0x00007f40bea3e8ee raise (libc.so.6 + 0x3e8ee)
                                                         #2  0x00007f40bea268ff abort (libc.so.6 + 0x268ff)
                                                         #3  0x0000556352c3a537 n/a (wapd + 0x3a537)
                                                         #4  0x0000556352c66230 _ZN9WapDaemon12OnCfgChangedEP11CfgSnapshotS1_ (wapd + 0x66230)
                                                         #5  0x00007f40bf9809ca _ZN17ApplicationDaemon4InitEv (libcommon.so + 0x3809ca)
                                                         #6  0x00007f40bf97a3bd _ZN15ApplicationBase3RunEv (libcommon.so + 0x37a3bd)
                                                         #7  0x0000556352c3e47d main (wapd + 0x3e47d)
                                                         #8  0x00007f40bea2814a __libc_start_call_main (libc.so.6 + 0x2814a)
                                                         #9  0x00007f40bea2820b __libc_start_main@@GLIBC_2.34 (libc.so.6 + 0x2820b)
                                                         #10 0x0000556352c3eb5e _start (wapd + 0x3eb5e)
                                                         
                                                         Stack trace of thread 9263:
                                                         #0  0x00007f40bea8a409 __futex_abstimed_wait_common (libc.so.6 + 0x8a409)
                                                         #1  0x00007f40bea8cda9 pthread_cond_wait@@GLIBC_2.3.2 (libc.so.6 + 0x8cda9)
                                                         #2  0x00007f40bf943690 _Z15nod_eventa_waitP19_nod_event_array_t_mPKiii (libcommon.so + 0x343690)
                                                         #3  0x00007f40bf9282fd _Z27AppEventaWaitImplementationP19_nod_event_array_t_mPKiiiPi (libcommon.so + 0x3282fd)
                                                         #4  0x00007f40bf921b2e _ZN6ModApi20AppInterfaceCallbackEjz (libcommon.so + 0x321b2e)
                                                         #5  0x00007f40afd46c2a n/a (n/a + 0x0)
                                                         ELF object binary architecture: AMD x86-64
ESET Endpoint Antivirus Error: Child process enable-user-monitoring[9276] terminated by signal 15
ESET Endpoint Antivirus Error: Child process wapd[8570] did not handle signal 6, restart in 32 seconds
Package 'eea' isn't signed with proper key
'post-create' on '/var/spool/abrt/ccpp-2023-07-19-17:57:46.60633-8570' exited with 1
Deleting problem directory '/var/spool/abrt/ccpp-2023-07-19-17:57:46.60633-8570'
ESET Endpoint Antivirus Error: Cannot receive data from server: Network is unreachable
ESET Endpoint Antivirus Critical Error: Protoscan configure failed
 

 

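One way to read the core dump in the journal above, as an added example that is not part of the original post or any ESET tooling: it selects the thread that aborted, recovers the qualified C++ names from the mangled symbols, and reports the first named frame outside libc together with the errors logged before the crash. The sample is copied (trimmed) from the posted journal; `demangle_name` and `triage` are hypothetical helpers, and the demangler handles only plain and nested names, not parameter types.

```python
import re
from itertools import takewhile

# Trimmed copy of the journal excerpt posted above (indentation removed).
JOURNAL = """\
ESET Endpoint Antivirus Error: Command AddCertToSystem failed. Internal error
ESET Endpoint Antivirus Critical Error: Protoscan configure failed
Process 8570 (wapd) of user 960 dumped core.
Stack trace of thread 8570:
#0  0x00007f40bea8fad4 __pthread_kill_implementation (libc.so.6 + 0x8fad4)
#1  0x00007f40bea3e8ee raise (libc.so.6 + 0x3e8ee)
#2  0x00007f40bea268ff abort (libc.so.6 + 0x268ff)
#3  0x0000556352c3a537 n/a (wapd + 0x3a537)
#4  0x0000556352c66230 _ZN9WapDaemon12OnCfgChangedEP11CfgSnapshotS1_ (wapd + 0x66230)
#5  0x00007f40bf9809ca _ZN17ApplicationDaemon4InitEv (libcommon.so + 0x3809ca)
#6  0x00007f40bf97a3bd _ZN15ApplicationBase3RunEv (libcommon.so + 0x37a3bd)
#7  0x0000556352c3e47d main (wapd + 0x3e47d)
Stack trace of thread 9263:
"""

FRAME = re.compile(r"#(\d+)\s+0x[0-9a-f]+ (\S+) \((\S+) \+ 0x[0-9a-f]+\)")

def demangle_name(sym):
    """Return the qualified name of an Itanium-mangled symbol, without parameter types."""
    if not sym.startswith("_Z"):
        return sym
    nested = sym.startswith("_ZN")
    rest = sym[3:] if nested else sym[2:]
    parts = []
    # Each component is <decimal length><identifier>; nested names chain several.
    while (m := re.match(r"\d+", rest)) and (nested or not parts):
        n, rest = int(m.group()), rest[m.end():]
        parts.append(rest[:n])
        rest = rest[n:]
    return "::".join(parts) or sym

def triage(journal):
    lines = [l.strip() for l in journal.splitlines()]
    core = next(re.match(r"Process (\d+) \((\S+)\)", l) for l in lines if "dumped core" in l)
    pid, comm = core.groups()
    # The thread whose id equals the PID is the one systemd-coredump lists as crashing here.
    start = lines.index(f"Stack trace of thread {pid}:") + 1
    matches = takewhile(bool, map(FRAME.match, lines[start:]))
    frames = [(demangle_name(m.group(2)), m.group(3)) for m in matches]
    # First named frame outside libc: the daemon code that called abort().
    culprit = next(f for f in frames if f[1] != "libc.so.6" and f[0] != "n/a")
    errors = [l for l in lines[:lines.index(core.string)] if "Error:" in l]
    return comm, frames, culprit, errors
```

On this excerpt the reported frame is `WapDaemon::OnCfgChanged` in `wapd`, called from `ApplicationDaemon::Init`, with the `AddCertToSystem` and `Protoscan configure failed` errors logged just before it.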

Reverting to 9.1.11 worked (9.11 to be precise).

I can now browse the web just fine.

So I think I'm gonna stick to 9.1.11 for the time being until there's gonna be an option in the GUI in the future versions to actually disable web filtering etc.

How long is 9.x gonna be supported?


I'm using Mullvad VPN and ESET Antivirus for Linux on Ubuntu 22.04.2 LTS

After updating my ESET I was unable to reach my local network devices through split tunneling. I tried everything from using different versions of the Mullvad VPN app, removing and purging, checking my router/network config and updating everything on Ubuntu and eventually got it solved by uninstalling ESET Antivirus for Linux, which is really NOT a solution.

ESET Protect cloud, where my device is managed, didn't give any errors.

It was after I saw lots of packets drop in output of "sudo ifconfig -s" that I suspected ESET. If you need logs or anything please let me know.

We are also a distributor for ESET (100+ seats)


  • Administrators
20 minutes ago, megb said:

I'm using Mullvad VPN and ESET Antivirus for Linux on Ubuntu 22.04.2 LTS

According to https://help.eset.com/eeau/10/en-US/web_access_protection.html?zoom_highlightsub=vpn, this VPN is not supported.

Web access protection supports the following VPNs:

  • OpenVPN
  • PulseSecure
  • Wireguard
  • ProtonVPN

You can contact your local ESET distributor or ESET HQ and ask to research the possibilities of integration with Mullvad VPN. Until then it's likely that Web access protection will have to stay disabled.


  • ESET Moderators

Hello @FranceBB,

2 hours ago, FranceBB said:

Reverting to 9.1.11 worked (9.11 to be precise).

well yes, as the v9 didn't have the Web Access Protection feature at all.
I recommend to follow it up via a ticket so it can be checked and resolved / work-around-ed.
The WAP brings an important additional level of protection...

2 hours ago, FranceBB said:

How long is 9.x gonna be supported?

The support schedule is available at https://support-eol.eset.com/en/policy_business/product_tables.html

Peter


4 hours ago, Peter Randziak said:

I recommend to follow it up via a ticket so it can be checked and resolved / work-around-ed.

Will do. :)

 

Quote

The support schedule is available at https://support-eol.eset.com/en/policy_business/product_tables.html


July 11, 2026.

Looks like I'm gonna be fine for quite some time, though. :P 
