Virus Signature Database out of date and up to date

Discussion in 'ESET NOD32 Antivirus' started by Minerone, Aug 8, 2012.

Thread Status:
Not open for further replies.
  1. Minerone
    Offline

    Minerone Registered Member

    Nod32 Antivirus 5.2.9.1 Win XP SP3

    System tray icon for Nod 32 is red and shows a warning Virus Signature Database is out of date. When I go to Update it shows Virus Signature Database is Up To Date

    Last Successful Update 8/8/2012
    Virus Signature Database Version 7364 (20120807)

    I have tried checking my username and password but have not made any progress and am unable clear this problem.

    Help please
  2. Marcos
    Offline

    Marcos Eset Staff Account

    Check the system date and make sure it's set up correctly. Otherwise set it to a correct date and restart the computer.
  3. dwood
    Offline

    dwood Registered Member

    I'm seeing the same issue with new Windows installs and installs of ESET EndPoint AV 5.0.2126.0

    The signatures are from the 04 07 2012 (7269) and fail to update from ERAS. I've double checked the date and time is correct.

    Existing clients seem to be fine.

    Any ideas?
    Last edited: Aug 9, 2012
  4. Marcos
    Offline

    Marcos Eset Staff Account

    Could you please compress the content of your mirror folder, upload it somewhere and PM me the download link?
  5. dwood
    Offline

    dwood Registered Member

    Do you know where the ERAS internal web server keeps the mirror directory?
  6. dwood
    Offline

    dwood Registered Member

    Marcos,

    PM sent as requested.

    Regards,

    Daniel
  7. Marcos
    Offline

    Marcos Eset Staff Account

    By default, it's located in %ALLUSERSPROFILE%\Application Data\ESET\ESET Remote Administrator\Server\mirror
  8. Mister Natural
    Offline

    Mister Natural Registered Member

    I'll mention a couple of things that happened to me yesterday. I installed 5.0.2126 on a clean install of windows xp in a standalone situation. This pc was not getting updates from a eras server, but from the internet. The same thing occurred, it reported it was up to date although the signature file was dated back from July when this version was released. Attempting to update would not do anything. It showed it was connecting and then suddenly stopped. I cleared the cache a couple times and still would not work. I then uninstalled, rebooted, then re-installed and then it updated properly.

    On another note yesterday afternoon all of my clients retrieving updates from eras were not updating. I checked the server update setting and the progress bar was showing an error. I checked the box to clear the cache on the server and forced an update and this corrected the problem on the eras server. All clients are now updating properly again.
  9. Marcos
    Offline

    Marcos Eset Staff Account

    Most likely these issues were caused by the recent larger updates and a temporary server overloads. However, updating from an ERAS mirror should always work fine so if somebody is able to reproduce it, let me know. I'd be interested in connecting to such a computer remotely and checking it out myself as updates from a mirror supplied by one of the affected users worked here like a charm.
  10. Mister Natural
    Offline

    Mister Natural Registered Member

    Marcos if my eras errors again on updates I'll let you know. I also suspect it had something to do with yesterdays updates. I don't anticipate it to occur again.
  11. rockshox
    Offline

    rockshox Registered Member

    FYI - I had this happen yesterday morning also with version 4.2.76. The computer had not been on in several weeks so it was well behind in virus definitions, however clicking update would show it reading update.ver and then said everything was up-to-date. Clearing the cache and trying again worked and the updates were downloaded. I thought it was just an anomaly, but with a couple other people seeing the same thing, I figured I'd throw it out there that I saw this yesterday also.
  12. kan
    Offline

    kan Registered Member

    Exactly the same here.
  13. RobJanssen
    Offline

    RobJanssen Registered Member

    Sure there has been something wrong.

    Yesterday evening, I got the following alert from ERAS:

    The server (name) has not been updated since 2012-08-07 21:12:21 .

    I immediately researched the issue, because there is a lot of virus activity locally these days.
    The latest version downloaded was 7364. I manually kicked the update from ERAS and it ensured it was uptodate.

    Our ERAS is connected to internet via a proxy. I checked the proxy logs and it appeared that the update.ver file had been returned as a HIT from the proxy all that time.
    This indicates that the modification time of that file probably has been way back in the past at the time it was returned. The proxy checks for new versions of the file only after a certain time after it has been retrieved, and this time increases when the file was very old when it was retrieved.
    (for example, when you get a file dated 1-1-2000 and store it in the proxy cache, then look for it a day later, chances are it is still the same file).

    I then added some patterns to make sure that the proxy would never cache update.ver files from eset (not so easy because the files are sometimes fetched with domain names, sometimes with hardcoded IP addresses), then I did another update and it fetched version 7371.

    So I think there has been a mistake at ESET, but I cannot prove it anymore as I forgot to keep the old file returned from the proxy.

    I also think that ERAS, when it fetches the file via a proxy, should add the proper header in the request to avoid getting a proxy HIT.
    (Cache-Control: no-cache)

    When it uses an "If-Modified-Since" header, which would be good in cases where a lot of systems are behind the same proxy, it should be careful what to put in the date/time field after that.
    Do not blindly put in the modification time of the previous version of the file, but sanitize this value e.g. never before 1 hour before current system time.
  14. Marcos
    Offline

    Marcos Eset Staff Account

    That's how it's always worked so it's strange you've had issues with this on your proxy server:
    GET /eset_upd/update.ver HTTP/1.1
    Accept: */*
    Host: um14.eset.com
    Connection: Keep-Alive
    X-NOD32-Mode: passive
    Pragma: no-cache
    Cache-Control: no-cache
    If-Modified-Since: Wed, 01 Aug 2012 12:23:15 GMT
  15. RobJanssen
    Offline

    RobJanssen Registered Member

    When I look in the old proxy logs I see that it always had returned TCP_REFRESH_MODIFIED or TCP_REFRESH_UNMODIFIED before two days ago, and then it suddenly started returning TCP_MEM_HIT and TCP_HIT.

    This indicates an issue with the last modified time of the page, I think.
    I see the Cache-Control header now that I do a trace, no idea why it is not obeyed, I'll research that.
    However it seems quite apparent that there has been a problem at ESET, only I don't fully understand what it can have been.
  16. Marcos
    Offline

    Marcos Eset Staff Account

    The only problems I can think of could be update servers not serving updates at first attempts intermittently when being overloaded.
Thread Status:
Not open for further replies.