
ESET File Security not reporting in to ERA server



Hi,

 

We have ESET ERAS 5.05 serving circa 175 clients, and ESET File Security 4.5.12011 on all servers.

 

We have about 12 virtual servers running on Hyper-V 2008 which have suddenly stopped communicating with the ERAS as of last night. When I try and manually update them from the mirror I get "Error opening socket". If I manually uninstall and reinstall File Security it works ok, until I reboot at which point it stops again. This behaviour is consistent across all the RDS servers, while none of the rest of the estate appears to be affected. I thought about it being some sort of policy change but forcing a policy update before the second reboot in the above scenario doesn't break it.

 

I have also tried looking at netstat and there's nothing using the ports in question. I can see it communicating on 2222 before the second reboot, but after the reboot, nothing.

 

The firewall on all machines is off.

 

Does anyone have any ideas?

 

Cheers,

 

Dan

 


Same problem here since yesterday :-/

 

All my Windows Server 2012R2 machines after last restart stopped communicating with ERA. Not only virtual ones (Hyper-V) but also physical hosts.

 

Exactly the same situation as you described. Tried to uninstall last 2 waves of Windows updates on one machine, but it didn't help.

 

Nothing changed in our network before/after the EFS stopped communicating.

 

Tried with EFS 4.5.12011, 12015 and 12017. All stop communicating and throw "Error opening socket." after reboot.

Edited by PiT

  • ESET Staff

Hi Dan,

 

For that kind of "mysterious" behavior, IT goes to collect logs, like Wireshark, Process Monitor, ESET SysInspector and ESET Log Collector.

With all those logs the investigation starts.

 

Also, it seems someone has the same problem: https://forum.eset.com/topic/5932-error-opening-socket/

 

Any particular change in installed software, or anything else on the network/system?


Same issue: 50 clients out of 900 stopped reporting to ERA last night, and the same clients are also unable to download new definition files.

It's File Security 4.5 running on servers.

 

Tried:

reboot

clearing the update cache

 

Issue persists, must be related to an update.

 

Same as:

hxxp://support.eset.com/alert5553/

 

I am waiting on feedback from ESET support.

 


Same problem here since yesterday.

 

Server displays "Virus signature database could not be updated" & "An error occurred while downloading update files" and won't connect to the Remote Administrator.

 

Windows Server 2008 R2 Standard. ESET File Security version 4.5.12011, stuck on database 12288. Server hasn't been touched for a while so I can't see what would have changed out of the blue yesterday.

 

Also when I check License Validity I get "License could not be verified. Please enable access to the expiration database server expire.eset.com" but I can still access the web through a browser OK.

 

I've tried clearing update cache, pre-release updates, etc, but still broken.


Just off the phone with ESET support. Looks like this may not be an isolated issue.

 

TBH we haven't considered an update. We have a number of update projects running through change management at the moment and up to now AV hasn't been an issue. My understanding, admittedly based on not much reading, is that if we move to v6 we'd have to do it across the board (servers, workstations, ERAServer)?


  • ESET Moderators

Hello everybody,

We have received similar reports from our customers in the last couple of days and our developers are currently looking into the issue with high priority. We understand this is a pressing matter and we thank you for your patience.

Can you please verify whether ESET Service (ekrn.exe) is able to perform other network connections (such as to check the license on the license server, communicate with ESET Live Grid, etc...)?

Thank you.


TomasP. Glad to hear it's being worked on.

 

Checking licence server gives this error: "License could not be verified. Please enable access to the expiration database server expire.eset.com"

Not sure how to check Live Grid.


Same issue here - very sporadic as to what server types it is affecting - some 2008r2, some 2012r2, some VM, some physical, some on same subnet as update server, some not - no clear rhyme or reason as to failure.


Hi,

we have ESET File Security Version 4.5.12017.0.

We have a few clients which didn't work correctly anymore.

When I reboot the server, I get the "Error opening socket" error.

 

I can uninstall file security and also do a push install or a local install. After the install I can import the settings from an xml file and also do the virus signature updates.

When I restart the server I will get only the socket error.

I tested with telnet to open the server port. This works also.

I tried also to delete the local cache.

The server shows that it cannot connect to the client anymore, I think because it gets the socket error.

Can someone help me please? Thx.

 

 

 

 


Having this issue as well. Only seems to be affecting "ESET File Security Microsoft Windows Server 4.5.12017" & not "ESET Endpoint Antivirus 5.0.2237". It would appear that the error starts happening after a reboot of the endpoint. Does not seem to matter whether physical or virtual. Appears to happen on all OS 2003-2012R2.

 

I was chatting with support for about 5 hours yesterday. Once we were able to uninstall ESET FS on an endpoint then reinstall it would check in every 10 minutes as configured & download updates. If I use ProcEx & watch the TCP/IP tab of the ekrn process I see it reach out to the RAC server. But if I restart the endpoint I would get the "Error opening socket" message. Now looking at the TCP/IP tab in ProcEx I don't see it even trying to connect to the RAC server.

 

I have an open case (2 really) with ESET & am waiting to hear back from them. If anyone from ESET is monitoring this thread feel free to reach out to me (trust me when I get to work I'm going to be lighting up their phones). I can reproduce this very easily.


  • ESET Moderators

Hello everyone,

Upon closer analysis of the situation, the issue seems to be caused by populating the list of running processes (either directly in Tools > Running processes, or by generating an in-product ESI log). The component requests the files' LiveGrid reputation online and if done multiple times, this communication cripples the subsequent network connections of the ekrn.exe process.
Our developers are already working on the fix, we will let you know of any progress.
In the meantime, you can restart ekrn.exe as a workaround (i.e. reboot the PC, or just restart the service in case ESET SelfDefense is disabled) - the communication will work again until the issue is invoked by populating the running processes multiple times again.

Regards,
T.
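
One way to run the check discussed in this thread (does ekrn.exe still hold a TCP connection to the ERA server on port 2222) from `netstat -ano` output, as an added example that is not part of the original posts and not ESET tooling. The function name, the sample lines, the PID and the 10.0.0.5 address are constructed assumptions.

```powershell
# Added example: list the TCP connections owned by one process, parsed from netstat text.
function Get-ProcessTcpConnection {
    param(
        [string[]]$NetstatLines,   # live input: netstat -ano
        [int]$ProcessId            # live input: (Get-Process -Name ekrn).Id
    )
    foreach ($line in $NetstatLines) {
        # Columns: Proto  LocalAddr:Port  ForeignAddr:Port  State  PID
        if ($line -match '^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s+(\d+)\s*$') {
            if ([int]$Matches[6] -eq $ProcessId) {
                New-Object PSObject -Property @{
                    LocalAddress  = $Matches[1]
                    LocalPort     = [int]$Matches[2]
                    RemoteAddress = $Matches[3]
                    RemotePort    = [int]$Matches[4]
                    State         = $Matches[5]
                }
            }
        }
    }
}

# Constructed sample, not captured from a real host; 10.0.0.5 stands in for the ERA server.
$sample = @(
    '  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       716',
    '  TCP    10.0.0.21:49188        10.0.0.5:2222          ESTABLISHED     1432',
    '  TCP    10.0.0.21:49201        10.0.0.9:445           ESTABLISHED     4'
)
$ekrnPid = 1432   # constructed PID for the sample above

$conns = @(Get-ProcessTcpConnection -NetstatLines $sample -ProcessId $ekrnPid)
$toEra = @($conns | Where-Object { $_.RemotePort -eq 2222 -and $_.State -eq 'ESTABLISHED' })

if ($toEra.Count -gt 0) {
    'ekrn.exe has an established connection to port 2222'
} elseif ($conns.Count -eq 0) {
    'ekrn.exe owns no TCP connections at all'
} else {
    'ekrn.exe has TCP connections, but none to port 2222'
}
```

Clients only check in on an interval (every 10 minutes in one of the reports above), so a single snapshot with no connection to 2222 is not conclusive; sample it across a check-in window or during a manual update.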


Hi, all our FS clients are servers, and reboot is not an option for all of them.

I would think this is the case for most of the customers in this thread.

Self Defense is enabled by default so.


From what I can tell a restart of the server does not get it working again. I was only able to get a server to keep downloading updates by uninstalling, reinstalling & NOT rebooting again.


Exactly the same here. Uninstall+install or update (e.g. from 2011 to 2015 or 2017) and NOT rebooting again. Repair install doesn't work either.


By creating a SysInspector snapshot you can trigger an update and a connection to ERA. (Update during the SysInspector run or right after it's completed.)

It's not a fix, but it's a workaround to get the updates without rebooting.

Edited by erlend_oyen

Very interesting. I started a snapshot & immediately while it was running started an update & it worked. As workarounds go that's a pretty good one.


My EFSW server has continued to receive updates and has never received the socket error, but is not connecting to ERA since reboot. Sysinspector workaround also fixes it for me. I hope the fix being tested also resolves this.


This topic is now closed to further replies.