ESET Endpoint Antivirus broke licensing service

[bi4sam 2]

Hi!

 

We are a software company and have our own licensing service to which our software installations (installed at our clients) need to connect to in order to license the software. We also use, for purposes of protecting our workstations, ESET Endpoint AV v.6.0.2033.1. Recently, on 15th of March at 19:37 CET (UTC+1) there's been a program modules update (not only definitions update, but a program components update) that is now blocking the access to our own licensing service!

 

There is no information in any logs about ESET blocking this website (which I will not paste here for obvious security reasons). Looking at WWW logs on the licensing server, I've noticed the POST requests to the service (an IIS-hosted .asmx or .svc file) are being sent to the server, but somehow the response must be filtered/blocked/altered by one of AV modules. Disabling modules one by one did not help, disabling protection for 10 minutes temporarily did not help, only UNINSTALLING the AV suite completely off the machine is the only solution OR rolling back module version using the Advanced Settings ---> Rollback (I'm translating from a localized translation so this might not be the accurate English title of the settings panel).

 

Please advise or direct me to your support directly; in this case, I believe we are looking at a case of false positive or a new "feature" of the smart AV protection algorithms that is a blocker to our work as well as potentially a problem for our clients!!!

[Gonzalo Alvarez 66]

Hi @bi4sam,

 

You are a bit off-version, latest are Endpoint 6.3,

 

Besides that, I suggest you wait for someone of the official stuff

to reply to you so you can go into the right path to your case.

[Marcos 5,074]

Does temporarily disabling web protection or protocol filtering make a difference? If so, you could try temporarily excluding that particular application from protocol filtering.

Also please post information about installed modules from the About window.

[bi4sam 2]

Thank you both for your helpful advice.

 

I've mistyped the version, it's 6.2.xxxx not 6.0.xxxx, so not that ancient. An upgrade to 6.3.2016 appears to have helped on a test machine, will deploy this version ASAP on all workstations as well.

 

If this will solve the problem, I will report back next week that the issue has been completely resolved. Would be interested in knowing how and why this happened though, especially since it exhibited very odd behaviour. As stated in my original post, temporarily disabling modules or entire ESET AV protection did not rectify the situation, only a complete uninstall of the suite did (or a rollback).

[Gonzalo Alvarez 66]

If want logs to catch, the Wireshark and Process Monitor perhaps bring some light.

[bi4sam 2]

Upgrading to 6.3.2016 solved this issue on all machines. Wanted to debug using the recommended diagnostics software, but ultimately I ran out of time I can spend on this issue. Will try it though if it comes back.

 

Thanks for the help.

[Gonzalo Alvarez 66]

Glad to heard is solved.

 

Anytime!