Jonathan Starr

Clients still randomly disconnecting from EEC


I know this was supposed to be fixed, but it's still happening. It seems to be triggered by major Windows 10 updates. After the Fall update I have a sea of red 'Not Protected!' in my EEC console, maybe 30% of the clients, and it's not the same ones each time.

The server log shows [CLIENT_IP]: Emsisoft Anti-Malware client connection failed. Code: 32000. Description: Could not establish connection.

The client SQLITE log has the following in it: SERVER_HOSTNAME~8082~1~276: Server certificate verification failed. Connection aborted.~~0

Running Disconnect_EAM_from_EEC.bat and then a full or lite deploy package does not solve the issue.

Clicking the Disconnect button in the client GUI and then running a lite deploy package does solve the problem.

 

What does the Disconnect GUI button do differently to the Disconnect_EAM_from_EEC.bat script? I need to be able to script a fix for this rather than running round to each machine.

Edit: The script line "C:\Program Files\Emsisoft Anti-Malware\CommService.exe" /uninstall /silent EmsiCommService does not uninstall the service on the problematic machines. I'll investigate why not while I wait to hear anything.

Edit2: I keep accidentally fixing it, which is slowing things down. The problem seems to be an EOSError exception, which the Delphi documentation says is an 'operating system error', very helpful!

 


Guess there's an edit timeout then.

A little bit of work later and there is no difference between the manual command and the GUI button; CommService receives the exact same arguments. As EEC and PSEXEC cause the same broken behaviour but running the disconnect script as LOCAL SYSTEM on the target works (but RunAs [domain administrator] does not...), it looks like some interesting permissions/ACL issue.


Hi Frank,

Thank you very much for the reply. We don't (currently, anyway) have a local administrator account available on the machines, so I'm trying to work out a way to persuade psexec to run the script as local system.

Invoking psexec from a domain administrator user context with the following options starts the script on the target under LOCAL SYSTEM:

psexec \\MACHINE_IP_OR_HOSTNAME -s -i "C:\TEMP\Disconnect_EAM_from_EEC.bat"

 

It's very interesting that on some machines the service gets removed just fine in a domain administrator context and on some it does not. I have a large stack of Process Monitor logs to look through now; the answers should be in there somewhere, I guess.

I have debug logs from machines that have become disconnected from EEC. Would this be enough for your programmers to work out why our machines keep dropping off? Or would you need a diagnostic log that was started before a machine began having communication problems?


Hi Jonathan,

I'm not 100% sure that running the disconnect script under local system is fully supported.

6 months ago or so, we implemented support for allowing EAM to be installed under the system account.

When that was not yet implemented, we saw issues similar to the ones you have now with running the disconnect script.

It worked for some and didn't work for some.
