j-gray, posted September 24, 2015:
I'm running a task on 6 clients to remove 'Active Threats'. From Client Tasks, I can see the task started and is presumably still running. However, one client finished the full/in-depth scan in 1 hour, yet the other 5 are apparently still scanning after 3+ hours. Is there any way to tell percent scanned/percent remaining, time to estimated completion, or anything that indicates progress for each client?

j-gray (Author), posted September 24, 2015:
Scans are still running after almost 6 hours, according to RA console. Is this normal for 500GB hard drives?

jimwillsher, posted September 24, 2015:
Can you RDP or team viewer etc to the client and double click the eset icon, as that will show you what scans are in progress.

j-gray (Author), posted September 24, 2015:
> Can you RDP or team viewer etc to the client and double click the eset icon, as that will show you what scans are in progress.

Thanks for the reply. Looks like they're all offline now and they're remote, so I don't have access at the moment. Oddly, the client task still shows that status as 'Running'. The workstations have likely been off close to an hour and our RA agent connection policy is set to every 60 seconds, so I'm not sure why the task status is not updating correctly. Either way, if the scans take this long to complete, I'm not sure we'll ever clear the 'Active Threat' statuses.

Marcos (Administrators), posted September 24, 2015:
It could be that the computers were shut down when the scan was still running or it crashed for some reason and thus agent did not report it as completed. I'd suggest checking it directly in the Endpoint scan log when the user gets online.

jimwillsher, posted September 25, 2015:
Exactly. If the client computers were shut down, they won't check in and therefore they can't update the status in ERA.

j-gray (Author), posted September 25, 2015:
> It could be that the computers were shut down when the scan was still running or it crashed for some reason and thus agent did not report it as completed. I'd suggest checking it directly in the Endpoint scan log when the user gets online.

What is the expected behavior when the workstations come back online? Will the scan resume, or will it simply trigger a failed status in the RA console once the agent reports back?

j-gray (Author), posted September 28, 2015:
> It could be that the computers were shut down when the scan was still running or it crashed for some reason and thus agent did not report it as completed. I'd suggest checking it directly in the Endpoint scan log when the user gets online.

Which log file are you referring to and where is it located? I'm looking at the trace.log file, which looks pretty cryptic. It doesn't seem to reflect the correct time, either.

jimwillsher, posted September 28, 2015:
Remember that the log files have times stored in UTC time.

Marcos (Administrators), posted September 29, 2015:
I mean "Computer scan" logs in Endpoint on the client. These should use the local time.

j-gray (Author), posted September 29, 2015:
> I mean "Computer scan" logs in Endpoint on the client. These should use the local time.

Quite a few seem to be failing and logging in to each workstation to launch and check the endpoint GUI is not feasible. Are the log files located in a directory where they can be viewed without requiring the GUI? If so, where are they located?

j-gray (Author), posted October 1, 2015:
Are the log files located in a directory where they can be viewed without requiring the GUI? If so, where are they located?

TomasP (ESET Moderators), posted October 1, 2015:
They are saved in a .dat file which is not in a plain text format. The folder is C:\ProgramData\ESET\<product name>\Logs

j-gray (Author), posted October 5, 2015:
> They are saved in a .dat file which is not in a plain text format. The folder is C:\ProgramData\ESET\<product name>\Logs

Can these client logs be viewed at all via the Remote Administration server? Or is there any other way to view logs and/or troubleshoot the client without having to remote into individual systems?

bbraunstein, posted October 5, 2015:
Nope. Client logs are not fetched at all by the server. Same goes for the actual Remote Administration server as well: the Web Console does not pull the logs, even if the Web Console is installed on the same server as the ERAS. It makes troubleshooting from either end, client-side and server-side, a pain in the .

bbraunstein, posted October 5, 2015:
> Or is there any other way to view logs and/or troubleshoot the client without having to remote into individual systems?

Your only options are to have the clients send you the logs or you physically walk over to the computer.

TomasP (ESET Moderators), posted October 6, 2015:
> Can these client logs be viewed at all via the Remote Administration server? Or is there any other way to view logs and/or troubleshoot the client without having to remote into individual systems?

When you create reports in ERA, the Agent then reads data from these logs, sends them to ERA and the information can then be viewed and analyzed.

genopsyde, posted November 12, 2015 (edited November 12, 2015 by genopsyde):
> I'm running a task on 6 clients to remove 'Active Threats'. From Client Tasks, I can see the task started and is presumably still running. However, one client finished the full/in-depth scan in 1 hour, yet the other 5 are apparently still scanning after 3+ hours....

I'm running ERA 6.2 and I have noticed the same behavior for many of my computers. There is a dynamic task in the "client tasks" which will run an "in-depth with cleaning" scan on any computer that is placed in the group "computers with active threats". My Surface Pro 2 was the first and only ESET 6 Agent enabled computer while testing and I noticed that my laptop was running something idiotic like 5 scans at the same time. I'm very mobile as well so when I move from my docking station to wireless and then back, I noticed another scan started up. This is after it had finished the 5 previous scans... then a few more scans would start. I thought my laptop was also starting scans when unlocking so I tried turning down the "startup scan" settings (since you cannot turn OFF the startup scan). The dynamic scan for the group "computers with active threats" when computers are added to the group has some kind of flaw in ERA. If the computer does not clear the threats, then it starts another scan, then another, then another. I have a few machines that had 24 separate scans run in the course of 1 day. All because of something like ASK TOOLBAR. They are not fast scans either of course and take up to 1hr each because they are "in-depth". Deleting this dynamic task will stop the multi-scanning... sort of. There are still times when I notice my laptop running 2 scans at the same time and I think it has to do with the startup scan or somehow thinking that my changing network connections is causing a scan to start.

So now I have to check ERA every couple of days and run a manual "in-depth" scan on every computer in the list which has something benign like ASK which gets pushed alongside of Java updates. It's just ridiculous though. I can't figure out where all these scans are coming from.