ESET Online Help

Search English
Select the category
Select the topic

Agent installation - Linux


We recommend that you use the latest version of OpenSSL 1.1.1. ESET Management Agent also supports OpenSSL 3.x. The minimum supported version of OpenSSL for Linux is openssl-1.0.1e-30. There can be more versions of OpenSSL installed on one system simultaneously. At least one supported version must be present on your system.

oUse the command openssl version to show the current default version.

oYou can list all versions of OpenSSL present on your system. See the filename endings listed using the command sudo find / -iname **

oVerify if your Linux client is compatible using the following command: openssl s_client -connect -tls1_2


ESET PROTECT Server/MDM do not support OpenSSL 3.x. ESET Management Agent supports OpenSSL 3.x.

Install the lshw package on the client/server Linux machine for the ESET Management Agent to report the hardware inventory correctly.


Linux distribution

Terminal command

Debian, Ubuntu

sudo apt-get install -y lshw

Red Hat, CentOS, RHEL

sudo yum install -y lshw


sudo zypper install lshw


For Linux CentOS, we recommend installing the policycoreutils-devel package. Run the command to install the package:

yum install policycoreutils-devel

Server-assisted Agent installation:

oThe server computer must be reachable from the network and have ESET PROTECT Server and ESET PROTECT Web Console installed.

Offline Agent installation:

oThe server computer must be reachable from the network and have ESET PROTECT Server installed.

oA Certificate for the Agent must be present.

oA server Certification Authority public key file must be present.


Follow the steps below to install the ESET Management Agent component on Linux using a Terminal command:


Make sure to meet all the installation prerequisites listed above.

1.Download the Agent installation script:


2.Make the file executable:

chmod +x

3.Run the installation script based on the example below (New lines are split by "\" for copying the whole command to Terminal):


For more details, see Parameters below.

Server-assisted installation:

sudo ./ \
--skip-license \
--hostname= \
--port=2222 \
--webconsole-user=Administrator \
--webconsole-password=aB45$45c \

Offline installation:

sudo ./ \
--skip-license \
--cert-path=/home/admin/Desktop/agent.pfx \
--cert-auth-path=/home/admin/Desktop/CA.der \
--cert-password=N3lluI4#2aCC \
--hostname= \


We recommend that you delete commands containing sensitive data (for example, a password) from the command line history:

1.Run history to see the list of all commands in the history.

2.Run history -d line_number (specify the line number of the command). Alternatively, run history -c to delete the entire command line history.

4.When prompted, press y to accept the certificate. You can ignore any errors about SELinux returned by the installer.

5.After the installation, verify that the ESET Management Agent service is running:

sudo systemctl status eraagent

6.Set the eraagent service to start at boot: sudo systemctl enable eraagent


Installer log

The installer log may be useful for troubleshooting. You can find it in Log files.


Connection to the ESET PROTECT Server is resolved using the parameters --hostname and --port (port is not used when an SRV record is provided). arrow_down_businessPossible connection formats.





Hostname or IP address of ESET PROTECT Server to connect.



ESET PROTECT Server port (default value is 2222).



Local path to the Agent certificate file (more about certificate).

Yes (Offline)


Path to the Server Certificate Authority file (more about authority).

Yes (Offline)


Agent Certificate password.

Yes (Offline)


Certificate Authority password.

Yes (if used)


The installer will not ask the user for license agreement confirmation.



Base64 encoded content of PKCS12 encoded public key certificate plus private key used to set up secure communication channels with Server and Agents. Use only one of the --cert-path or --cert-content options.



Base64 encoded content of DER-encoded Certificate Authority private key certificate used to verify remote peers (Proxy or Server). Use only one of the --cert-auth-path or --cert-auth-content options.



Hostname or IP address used by Web Console to connect to the server (if left empty, the installer will copy the value from 'hostname').



Port used by Web Console to connect to the server (default value is 2223).



Username used by Web Console to connect to the server (the default value is Administrator).


You cannot use a user with two-factor authentication for server-assisted installations.



Password used by Web Console to connect to the server.

Yes (Server-assisted)


HTTP Proxy hostname. Use this parameter to enable using HTTP Proxy (already installed in your network) for replication between ESET Management Agent and ESET PROTECT Server (not for caching of updates).

If a proxy is used


HTTP Proxy port for connecting to the server.

If a proxy is used


Turn on the Product improvement program.



Turn off the Product improvement program.


Connection and certificates

Connection to the ESET PROTECT Server must be provided: --hostname, --port (port is not needed if service record is provided, the default port value is 2222)

Provide this connection information for Server-assisted installation: --webconsole-port, --webconsole-user, --webconsole-password

Provide certificate information for Offline installation: --cert-path, --cert-password. Installation parameters --cert-path and --cert-auth-path require certification files (.pfx and .der) which can be exported from ESET PROTECT Web Console. (Read how to export the .pfx file and the .der file.)

Password type parameters

Password type parameters can be provided as environment variables, files, read from stdin, or as plain text. That is:

--password=env:SECRET_PASSWORD where SECRET_PASSWORD is an environment variable with a password

--password=file:/opt/secret where first line of regular file /opt/secret contains your password

--password=stdin instructs the installer to read the password from standard input

--password="pass:PASSWORD" is equal to --password="PASSWORD" and is mandatory if the actual password is "stdin" (standard input) or a string starting with "env:", "file:" or "pass:"



The certificate passphrase must not contain the following characters: " \ These characters cause a critical error during the initialization of the Agent.

HTTP Proxy connection

If you are using HTTP Proxy for replication between ESET Management Agent and ESET PROTECT Server (not for caching of updates), you can specify the connection parameters in --proxy-hostname and --proxy-port.

EXAMPLE - Offline Agent installation with HTTP Proxy Connection:

./ \

--skip-license \

--cert-path=/home/admin/Desktop/agent.pfx \

--cert-auth-path=/home/admin/Desktop/CA.der \

--cert-password=N3lluI4#2aCC \

--hostname= \

--port=2222 \

--proxy-hostname= \

--proxy-port=3333 \



The communication protocol between Agent and ESET PROTECT Server does not support authentication. Any proxy solution used for forwarding Agent communication to ESET PROTECT Server that requires authentication will not work.

If you choose to use a non-default port for the Web Console or Agent, it may require a firewall adjustment. Otherwise, the installation may fail.

Upgrade and repair installation of Agent on Linux

If you run the Agent installation manually on a system where the Agent is already installed, the following scenarios can occur:

Upgrade - Run a later version of the installer.

oServer-assisted installation - application is upgraded, but it will keep using previous certificates.

oOffline installation - application is upgraded and new certificates are used.

Repair - Run the same version of the installer. You can use this option to migrate the Agent to a different ESET PROTECT Server.

oServer-assisted installation - application is reinstalled and it will get current certificates from the ESET PROTECT Server (defined by hostname parameter).

oOffline installation - application is reinstalled and new certificates are used.

If you are migrating Agent from an earlier Server to a different later ESET PROTECT Server manually and using Server-assisted installation, run the installation command twice. The first will upgrade the Agent, and the second one will get the new certificates so that the Agent can connect to the ESET PROTECT Server.