ESET PRIVATE Scanning Solution – Table of Contents

Basic Troubleshooting

This section addresses common deployment and runtime issues for ESET PRIVATE Static Scanning Engine on AWS ECS/EKS. Follow these steps systematically to resolve problems.

Common Issues and Solutions

Subscription / Activation Failures

Symptom: Scanner fails to start with license errors; Metering Service calls rejected.

Check: Verify active AWS Marketplace subscription and IAM policy attachment (ECSListReceivedLicenses/EKSListReceivedLicenses).

Fix: Re-attach policy to container execution role; confirm license-manager:ListReceivedLicenses permission.

Image Pull Failures

Symptom: ECR pull denied or timeout accessing ecscn.azurecr.io.

Check: ECR access granted via subscription; outbound HTTPS (TCP 443) allowed to ESET repo.

Fix: Validate Security Group outbound rules; re-deploy after subscription refresh.

Scan Request Timeouts

Symptom: Agent → Scanner communication fails (gRPC port 50051).

Check: Network path (Agent → Scanner); Security Groups allow TCP 50051 inbound.

Fix: Confirm private subnet connectivity; verify Load Balancer health checks pass.

Module Update Failures

Symptom: Scanner unable to start due to missing modules; logs show update download errors.

Check: Outbound access to ESET Update Servers (HTTPS 443).

Fix: Add Security Group outbound rule; restart Scanner containers to retry. Monitor Scanner container log.

Metering Service Errors

Symptom: Scanner images fail to start (Docker container not running).

Check: IAM role permissions for Register Usage calls.

Fix: Attach Metering Service permissions; validate CloudWatch logs. Monitor Scanner container log and ensure the container is running.

Service Recovery

If the service experiences unresolvable failures and the root cause cannot be identified through troubleshooting:

Recommended Recovery: Redeploy the entire solution—this is the fastest and most reliable mitigation strategy.

1. Delete existing ECS tasks/services or EKS deployments.

2. Pull latest images from AWS Marketplace ECR.

3. Redeploy using new or saved deployment manifests.

Why it works: ESET container images are stateless (no persistent data); full redeployment resets all components to a clean state without data loss.

Expected Recovery Time: Depends on your environment configuration and complexity; the simplest single-instance environments can typically be recovered within 30-60 minutes.

ESET PRIVATE Scanning Engine Issues

For Cloud Scanner-specific issues, refer to the commands below to identify and resolve problems with Docker containers and Scanner functionality:

| Command | Description |
|---|---|
| kubectl get ns | Confirms that the namespace defined in $K8S_NAMESPACE exists before deploying scanner components. |
| kubectl get serviceaccount -n $K8S_NAMESPACE | Verifies that the service account $K8S_SERVICE_ACCOUNT exists (required by the Deployment). |
| kubectl get deploy -n $K8S_NAMESPACE | Checks whether the scanner Deployment was created and is in a healthy state. |
| kubectl get pods -n $K8S_NAMESPACE | Confirms that the scanner pod has started and is not stuck in Pending / ImagePullBackOff / CrashLoopBackOff. |
| kubectl describe pod <scanner-pod> -n $K8S_NAMESPACE | Shows detailed information about scheduling, image pull issues, container args, port binding problems. |
| kubectl get svc scanner -n $K8S_NAMESPACE | Ensures the scanner Service exists and exposes ports 50051 and 50053. |
| kubectl describe svc scanner -n $K8S_NAMESPACE | Confirms that the Service selectors match pod labels (app=scanner) and ports map correctly. |
| kubectl get events -n $K8S_NAMESPACE --sort-by=.lastTimestamp | Shows recent cluster errors: failed scheduling, network issues, permission problems. |
| kubectl get nodes -o wide | Helps identify CNI or node-level networking issues preventing scanner ↔ agent communication. |
| kubectl run tmp --rm -it --image=busybox -- sh | Creates a temporary debug pod for cluster-internal connectivity and DNS checks. |
| nslookup scanner.marketplace.svc.cluster.local | From inside the debug pod: verifies DNS resolution of the scanner service. |
| nc -vz scanner.marketplace.svc.cluster.local 50051 | Tests internal TCP connectivity to the scanner's gRPC port. |
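
The pod states listed above can be mapped to the matching troubleshooting section automatically. The script below is an added example, not ESET code: it reads `kubectl get pods` output and prints the next step for each unhealthy pod. The function names `triage_pods` and `sample_pods` and the pod names are hypothetical, the sample output is constructed, and `ErrImagePull` is a standard Kubernetes status not listed on this page.

```shell
#!/bin/sh
# Added example (not ESET code): triage `kubectl get pods` output against
# the troubleshooting sections on this page.
# Real use: kubectl get pods -n "$K8S_NAMESPACE" | triage_pods

# Reads `kubectl get pods` text on stdin; prints one tab-separated line
# (pod, status, next step) per unhealthy pod. Returns 1 if any were found.
triage_pods() {
    awk '
    $1 == "NAME" { next }                 # header row
    NF < 3       { next }                 # blank or malformed line
    {
        pod = $1; status = $3
        split($2, ready, "/")             # READY column, e.g. 0/1
        if (status == "Completed") next
        if (status == "Running" && ready[1] == ready[2]) next
        if (status == "ImagePullBackOff" || status == "ErrImagePull")
            hint = "Image Pull Failures: check subscription and outbound TCP 443"
        else if (status == "CrashLoopBackOff")
            hint = "Read Scanner log for license, module update or metering errors"
        else if (status == "Pending")
            hint = "Not scheduled: kubectl describe pod, kubectl get events"
        else if (status == "Running")
            hint = "Not Ready: check gRPC port 50051 path and health checks"
        else
            hint = "Unrecognised status: kubectl describe pod"
        printf "%s\t%s\t%s\n", pod, status, hint
        bad = 1
    }
    END { exit bad + 0 }
    '
}

# Constructed sample output; pod names are hypothetical.
sample_pods() {
    cat <<'EOF'
NAME                       READY   STATUS             RESTARTS   AGE
scanner-7c9d8f6b5d-abcde   1/1     Running            0          12m
scanner-7c9d8f6b5d-fghij   0/1     ImagePullBackOff   0          3m
scanner-7c9d8f6b5d-klmno   0/1     CrashLoopBackOff   5          9m
scanner-7c9d8f6b5d-pqrst   0/1     Pending            0          1m
scanner-7c9d8f6b5d-uvwxy   0/1     Running            0          2m
EOF
}

# Demo on the constructed sample; `|| true` because unhealthy pods return 1.
sample_pods | triage_pods || true
```

The non-zero return status makes the function usable as a gate in a deployment pipeline or a scheduled health check.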