
ESET Endpoint Protection Agents not reporting back to ERA


pipboy3000

I have a number of devices that are not reporting back to the ERA server. While some of them are valid (users not in the office), there are a few that are turned on, can be pinged, etc., but for some reason still appear in ERA as last connected on Friday. No changes to the OS were made in the meantime. Any idea?

 

 


  • ESET Moderators

Hi, did you check the Agent's trace.log and status.html files? They always contain the current information about the Agent's health, connection to the server, possible errors, etc.

The files are located in C:\ProgramData\ESET\RemoteAdministrator\Agent\EraAgentApplicationData\Logs\


I have checked the log (attached)

 

 

Last message in trace:
2015-11-20 10:21:34 Error: CReplicationModule [Thread 0xb0831000]: CReplicationManager: Replication (network) connection to 'host: "10.16.1.10" port: 2222' failed with: Operation timed out

 

Status log says the same.

 

While I understand that the host might have been temporarily offline, the ERA agent should attempt to reconnect again later. I suspect that reinstalling the Agent might solve the problem, but there must be a better way of dealing with this.
 

trace.log

status.html


  • ESET Moderators

As you can see at the bottom of the status.html file, the log was also generated on November 20, only a couple of minutes after the last successful connection.

After this date, the file was not updated, so I would check whether the Agent actually runs on the client PC, or whether it is present at all.


  • ESET Moderators

If the user has administrator permissions, they can uninstall the Agent from the PC. This is something we want to be able to prevent in the future versions.

As of now, should the Agent fail to run properly, you will be notified by ERA by the time of last connection. Then you can contact our support team in order to investigate why the Agent does not run.


For info, we had quite a few computers where the agent stopped working, but that was on early versions of the agent. We've had no occurrences with the later versions.

 

If you get a suspicious computer, you can try starting the agent service and see if it continues to run or if it stops.


What is the latest version of the agent? I'm running 6.2.190.0 on Windows and 6.2.166.0 on Mac OS. Now, I've installed a fresh version of the agent on one of the Mac devices just now and while the installation was successful, the agent is still not reporting back to the server. I will give it another 30 minutes, but if that does not help, then I might have to open a ticket.


I'd like to re-open this post as this problem keeps reoccurring. I have another few devices in the office where they are up to date, but not reporting back to the ERA. This is strongly suggesting a problem with the agent. Any troubleshooting steps?


  • ESET Staff

Hello,

 

we have checked your problems and unfortunately you are experiencing a specific instability issue that we have already identified and prepared a fix for in the next release. The issue was triggered by network connection timeouts (according to the trace logs, it could be your issue).

 

In most cases no workaround is required, because the AGENT service should restart itself automatically, but it seems that does not work in your case. Could you check what state the agent service is in (when it does not work) using:

sudo launchctl list com.eset.remoteadministrator.agent

Also, manually restarting the ERA Agent will restore its functionality:

sudo launchctl restart com.eset.remoteadministrator.agent

  • 2 weeks later...

Sorry for my late reply. The outcome of the first command is:

 

"LimitLoadToSessionType" = "System";
"Label" = "com.eset.remoteadministrator.agent";
"TimeOut" = 30;
"OnDemand" = false;
"LastExitStatus" = 17920;
"Program" = "/Applications/ESET Remote Administrator Agent.app/Contents/MacOS/ERAAgent";

 

Attempt to restart the agent failed:

 

~ sudo launchctl restart com.eset.remoteadministrator.agentclear
Unrecognized subcommand: restart
Usage: launchctl <subcommand> ... | help [subcommand]
Many subcommands take a target specifier that refers to a domain or service
within that domain. The available specifier forms are:
system/[service-name]
Targets the system-wide domain or service within. Root privileges are required
to make modifications.
user/<uid>/[service-name]
Targets the user domain or service within. A process running as the target user
may make modifications. Root may modify any user's domain. User domains do not
exist on iOS.
gui/<uid>/[service-name]
Targets the GUI domain or service within. Each GUI domain is associated with a
user domain, and a process running as the owner of that user domain may make
modifications. Root may modify any GUI domain. GUI domains do not exist on iOS.
session/<asid>/[service-name]
Targets a session domain or service within. A process running within the target
security audit session may make modifications. Root may modify any session
domain.
pid/<pid>/[service-name]
Targets a process domain or service within. Only the process which owns the
domain may modify it. Even root may not do so.
When using a legacy subcommand which manipulates a domain, the target domain is
inferred from the current execution context. When run as root (whether it is
via a root shell or sudo(1)), the target domain is assumed to be the
system-wide domain. When run from a normal user's shell, the target is assumed
to be the per-user domain for that current user.
Subcommands:
bootstrap Bootstraps a domain or a service into a domain.
bootout Tears down a domain or removes a service from a domain.
enable Enables an existing service.
disable Disables an existing service.
uncache Removes the specified service name from the service cache.
kickstart Forces an existing service to start.
attach Attach the system's debugger to a service.
debug Configures the next invocation of a service for debugging.
kill Sends a signal to the service instance.
blame Prints the reason a service is running.
print Prints a description of a domain or service.
print-cache Prints information about the service cache.
print-disabled Prints which services are disabled.
plist Prints a property list embedded in a binary (targets the Info.plist by default).
procinfo Prints port information about a process.
hostinfo Prints port information about the host.
resolveport Resolves a port name from a process to an endpoint in launchd.
limit Reads or modifies launchd's resource limits.
runstats Prints performance statistics for a service.
examine Runs the specified analysis tool against launchd in a non-reentrant manner.
config Modifies persistent configuration parameters for launchd domains.
dumpstate Dumps launchd state to stdout.
reboot Initiates a system reboot of the specified type.
bootshell Brings the system up from single-user mode with a console shell.
load Bootstraps a service or directory of services.
unload Unloads a service or directory of services.
remove Unloads the specified service name.
list Lists information about services.
start Starts the specified service.
stop Stops the specified service if it is running.
setenv Sets the specified environment variables for all services within the domain.
unsetenv Unsets the specified environment variables for all services within the domain.
getenv Gets the value of an environment variable from within launchd.
bsexec Execute a program in another process' bootstrap context.
asuser Execute a program in the bootstrap context of a given user.
submit Submit a basic job from the command line.
managerpid Prints the PID of the launchd controlling the session.
manageruid Prints the UID of the current launchd session.
managername Prints the name of the current launchd session.
error Prints a description of an error.
variant Prints the launchd variant.
version Prints the launchd version.
help Prints the usage for a given subcommand.

 

When is the next agent release planned for?


  • ESET Staff
Attempt to restart the agent failed:

 

Hello,

 

I am sorry, the command I recommended was not correct; there is no "restart" when using launchctl. This sequence of commands:

sudo launchctl stop com.eset.remoteadministrator.agent
sudo launchctl start com.eset.remoteadministrator.agent

should do the trick. In the normal case even the first command would be sufficient (the service should be automatically restarted after stop).

 

 

 

When is the next agent release planned for?

 

It is currently planned for early Q1/2016.


Hi Martin,

 

I've tried to restart the agent as recommended, but no joy, below is the outcome:

BSF-A017:~ Administrator$ sudo launchctl list com.eset.remoteadministrator.agent
Password:
{
    "LimitLoadToSessionType" = "System";
    "Label" = "com.eset.remoteadministrator.agent";
    "TimeOut" = 30;
    "OnDemand" = false;
    "LastExitStatus" = 17920;
    "Program" = "/Applications/ESET Remote Administrator Agent.app/Contents/MacOS/ERAAgent";
};
BSF-A017:~ Administrator$ sudo launchctl stop com.eset.remoteadministrator.agent
BSF-A017:~ Administrator$ sudo launchctl start com.eset.remoteadministrator.agent
BSF-A017:~ Administrator$ sudo launchctl list com.eset.remoteadministrator.agent
{
    "LimitLoadToSessionType" = "System";
    "Label" = "com.eset.remoteadministrator.agent";
    "TimeOut" = 30;
    "OnDemand" = false;
    "LastExitStatus" = 15;
    "Program" = "/Applications/ESET Remote Administrator Agent.app/Contents/MacOS/ERAAgent";
};


The client is still not reporting back to the server :rolleyes:

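An added example, not part of the thread and not ESET code: a small shell helper that interprets `launchctl list <label>` dictionaries like the two posted above. It assumes the "PID" key is present only while launchd has the job running and that "LastExitStatus" is a wait(2)-style status word; the PID value 4242 is constructed.

```shell
#!/bin/sh
# Interpret the dictionary printed by: sudo launchctl list <label>
# Assumptions (not stated in the thread): "PID" appears only while the job
# is running; "LastExitStatus" is a wait(2)-style status word
# (low 7 bits = terminating signal, next 8 bits = exit code).

# launchd_field KEY: print the single-token value of KEY read from stdin.
launchd_field() {
    awk -v key="\"$1\"" '$1 == key { v = $3; gsub(/[";]/, "", v); print v; exit }'
}

# decode_status N: describe a wait(2)-style status word.
decode_status() {
    sig=$(( $1 & 127 ))
    code=$(( ($1 >> 8) & 255 ))
    if [ "$sig" -ne 0 ]; then
        echo "killed by signal $sig"
    else
        echo "exited with code $code"
    fi
}

# agent_state: read a launchctl dictionary on stdin and summarise it.
agent_state() {
    out=$(cat)
    pid=$(printf '%s\n' "$out" | launchd_field PID)
    last=$(printf '%s\n' "$out" | launchd_field LastExitStatus)
    if [ -n "$pid" ]; then
        echo "running (pid $pid)"
    else
        echo "not running; last run $(decode_status "${last:-0}")"
    fi
}

# sample LINE: a dictionary in the shape shown in the thread, with one
# status line supplied by the caller.
sample() {
    printf '{\n    "Label" = "com.eset.remoteadministrator.agent";\n    "OnDemand" = false;\n    %s\n};\n' "$1"
}

sample '"LastExitStatus" = 17920;' | agent_state   # value before the stop/start
sample '"LastExitStatus" = 15;'    | agent_state   # value after the stop/start
sample '"PID" = 4242;'             | agent_state   # constructed healthy case
```

On a live Mac the same summary comes from `sudo launchctl list com.eset.remoteadministrator.agent | agent_state`.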

  • 2 months later...
  • ESET Staff

Hello, ESET Remote Administrator 6.3 was released on January 21, 2016. What I would recommend is to perform the infrastructure upgrade task.

Computers that are not connecting should be upgraded manually, or the agent should be redeployed.

This topic is now closed to further replies.