Virus Signature DB is not updating on some clients

Discussion in 'ESET Server & Remote Administrator' started by Rubberduck, Nov 6, 2012.

Thread Status:
Not open for further replies.
  1. Rubberduck

    Rubberduck Registered Member

    Joined:
    Nov 6, 2012
    Posts:
    8
    Hello all,

    I have very strange issue in my environment, my company has a Business License for ESET NOD32 AV software. We are using ERA to maintain all te stuff related to AV software, so the configuration is simple ERA is downloading all updates and deploy them to clients in network, all the clients are server systems.

    So we have :
    - ERA version 5.0.122.0
    - NOD32 clients versions 4.2.76.0

    So, last month we experience strange issue, all machines added to network like 1 year, few months ago are fine, and updating without any problems, but machines added last weeks are not fine.

    I mean they are updating modules also but they are NOT updating Virus Signature DB ! What the funny thing is that message prints: Update is not necessary - the virus signature database is current. And below I can see Version of virus signature database: 6568 (20111023)

    From properties of client and System Information tab I can see:
    Information about executive parts
    Virus signature database: 6568 (20111023)
    Update module: 1040 (20120313)
    Antivirus and antispyware scanner module: 1369 (20121025)
    Advanced heuristics module: 1136 (20121017)
    Archive support module: 1155 (20121015)
    Cleaner module: 1058 (20121005)
    Anti-Stealth support module: 1032 (20120806)
    ESET SysInspector module: 1227 (20120927)
    Self-defense support module: 1018 (20100812)
    Real-time file system protection module: 1006 (20110921)

    So, It is clearly that client update some of modules, but didn't update Virus signatur DB at all, also didn't update Self-defense support module and Real-time file system protection module...

    Connection to ERA is OK, I can telnet to port 2221 from client, ping's are working, client is visible on ERA clients list, etc.

    Anybody experience that weird behavior ??

    BTW. I just updated ERA to version 5.0.242.0 and the problem stil exist

    Thanks in advance
     

    Attached Files:

    Last edited: Nov 6, 2012
  2. seg_fault

    seg_fault Registered Member

    Joined:
    Aug 10, 2012
    Posts:
    15
    Location:
    United States
    I just posted a new thread on an issue that might be similar. (my issue occurs on my file server, but my clients work fine) - hopefully we get some resolution to this. :)

    Does a local update work (i.e. internet update vs. from ERA)?

    seg_fault
     
  3. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,376
    It will be necessary to provide the content of the mirror folder and some other stuff to ESET to reproduce it on their end. Have you already contacted Customer care on this?
     
  4. captainfish

    captainfish Registered Member

    Joined:
    Aug 17, 2012
    Posts:
    35
    Location:
    USA
    All of our machines are reporting the same. Systems that include workstations, virtual and real servers are not updating. They have not update after thursday - 11/8/12.

    Our ESET server, last updated itself on 11/8 and has DB of 7672.

    However, the mirror that we have just set up is getting the updates and those certain machines that are set to update via the mirror have the most recent updates - DB 7681 from 11/11.

    Re-installing ESET on a few machines I found a few days earlier seems to fix the issue.

    Am wondering if an update has broken the update server list.
     
  5. Rubberduck

    Rubberduck Registered Member

    Joined:
    Nov 6, 2012
    Posts:
    8
    Yes I contacted ESET support but nothing really helps, they just told me what I've already checked, so I have exported configuration from "working" client and imported it into "non-working" client - NO changes still not updating virus DB

    I also cleared the cache.

    ERA has the latest updates on mirror.

    No idea what could be wrong.
     
  6. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,376
    If updates on clients updating from a mirror are failing, collect the following stuff:
    - the content of the mirror
    - dat files from the ESET folder on a client
    - the content of the "C:\ProgramData\ESET\%ProductName%\updfiles" folder on the client
    - SysInspector log or at least the appropriate records pertaining to the error from the ESET event log

    If updates are failing when updating from ESET's servers, collect the following:
    - ESET SysInspector log
    - dat files from the ESET folder on a client
    - the content of the "C:\ProgramData\ESET\%ProductName%\updfiles" folder on the client
    - network communication from an update attempt captured to a pcap log using Wireshark

    When done, compress the stuff to a package, upload it to a safe location and PM me the download link.
     
  7. captainfish

    captainfish Registered Member

    Joined:
    Aug 17, 2012
    Posts:
    35
    Location:
    USA
    Marcos,
    "- dat files from the ESET folder on a client"

    Could you please elaborate on what you are needing here and where that may be found.

    thanks.
     
  8. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,376
    I meant files like em002_32.dat, em003_32.dat, etc. located in the ESET install folder.

    If having an issue updating ERA from ESET's servers, check the HKEY_LOCAL_MACHINE\SOFTWARE\ESET\ESET Remote Administrator\Server\CurrentVersion\Settings registry key and make sure the update server urls have the "http://" prefix.
     
  9. captainfish

    captainfish Registered Member

    Joined:
    Aug 17, 2012
    Posts:
    35
    Location:
    USA
    I don't have that Registry configuration either on client or our ESET server. (see image)

    And, we only have a "130.msi" file in our installer directory ("C:\ProgramData\ESET\ESET Endpoint Antivirus\Installer"). Nothing else. Which I am assuming is the backup to our original installation package. I even did a search on the filename you mentioned on the client and returned nothing.
     

    Attached Files:

    Last edited: Nov 13, 2012
  10. captainfish

    captainfish Registered Member

    Joined:
    Aug 17, 2012
    Posts:
    35
    Location:
    USA
    MOD pm'd with data
     
  11. Rubberduck

    Rubberduck Registered Member

    Joined:
    Nov 6, 2012
    Posts:
    8
    Marcos hi,

    I sent You PM with FTP details , I uploaded files You requested. Let me know if You need something more.

    BR, Jacek (rubberduck)
     
  12. Rubberduck

    Rubberduck Registered Member

    Joined:
    Nov 6, 2012
    Posts:
    8
    Okay I did some manual "workaround" :

    - switch off "Self-defense" in AV settings to be able to stop AV and be able to delete files in AV program folder
    - deleted "old" virus signature file em002_32.dat
    - copy "new" virus signature file em002_32.dat from client which updates properly
    - switch on "Self-defense" in AV setting

    And actually host shows right virus signature DB, let see today is it gona update it automatically from ERA now. :cool:

    If YES, that at least I have some "workaround", but anyway it is very confusing why it is like that.
     
  13. Rubberduck

    Rubberduck Registered Member

    Joined:
    Nov 6, 2012
    Posts:
    8
    Heh, it is working now.

    So the problem is with this "default" Virus DB installed with NOD32 installation.

    In my case it is Virus DB No 6568 (20111023)

    BR
     
  14. Rubberduck

    Rubberduck Registered Member

    Joined:
    Nov 6, 2012
    Posts:
    8
    So, dear ESET !

    Would be nice if You would re-compile Your latest installer eavbe_nt64_enu with latest virus signature DB, because seems installer with DB 6568 (20111023) doesn't want to update properly.

    BR
     
Thread Status:
Not open for further replies.